Skip to content
/ ITM3 Public

IoT Meter 3, created to gain better insight on quality of cybersecurity in network-connected devices

License

GPL-3.0 license
0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

Zokol/ITM3

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
LICENSE
LICENSE
 
 
README.md
README.md
 
 
Test_process.md
Test_process.md
 
 

Repository files navigation

ITM3

IoT Meter 3 promises give insight on quality of cybersecurity in network-connected consumer devices.

Measured factors are based on evaluating the practical risks of the device in common household-environment.

Test process documentation

Factors:

ITM3 is based in three measurement factors:

  • Privacy (What level of access attacker needs to gain personal information of the user?)
  • Communication (What is the strength of technical security and size of attack surface?)
  • Device (How easy it is to gain direct access to the device?)

Protection of privacy:

What level of access attacker needs to gain personal information of the user?

  • Level 0:
    • Accessing private information requires access to public network (e.g. port scanning, fingerprinting)
    • Device sends private information unencrypted in the network
  • Level 1:
    • Accessing private information requires access to 3rd party database (e.g. shares usage data to marketing companies)
    • Device sends private information to 3rd party database (e.g. Facebook or Google Tag Manager)
  • Level 2:
    • Accessing private information requires access to manufacturer-managed systems (e.g. dedicated/self-hosted data processing services)
    • Data sent only to self-hosted backend (e.g. dedicated / cloud-hosted platform operated by the manufacturer; Google Firebase, AWS, etc...)
  • Level 3:
    • Accessing private information requires local access to the device (e.g. device does not send any data to Internet)
    • Device has no logging to backend
    • Device requires no registration or login to manufacturer platform

Protection of communication:

What is the strength of technical security and size of attack surface?

  • Level 0:
    • Communicates without encryption
    • HTTP
  • Level 1:
    • Communicates using known-vulnerable encryption schemes
    • Uses ciphersuites determined weak by ciphersuite.info, for example CBC-mode used with AES
    • HTTPS with SSL or TLS1.0
  • Level 2:
    • Communicates using good encryption schemes
    • Uses ciphersuites determined good by ciphersuite.info
    • TLS1.2 or TLS1.3
  • Level 3:
    • Communicates using PQC encryption schemes
    • Uses ciphersuites determined recommended by ciphersuite.info
    • Data sent to manufacturer systems is encrypted with keys that reside on the device in a secure enclave
    • AES256 and SHA-2 with TLS1.3

Protection of device:

How easy it is to gain direct access to the device?

  • Level 0:
    • Vulnerable to mass-scanning via Internet
    • Has open ports
    • Nessus scan reveals high-risk issues
  • Level 1:
    • Vulnerable to customized attacks via Internet
    • Has open ports
    • Nessus scan reveals medium-risk issues
  • Level 2:
    • Vulnerable to customized attacks via local network
    • Communicates only to local network devices (e.g. smartphone)
    • Connects to Internet only temporarily
    • Nessus scan reveals low-risk issues
  • Level 3:
    • Vulnerable to physical attack via physical access to device
    • No network communication

About

IoT Meter 3, created to gain better insight on quality of cybersecurity in network-connected devices

Resources

Readme

License

GPL-3.0 license
Activity

Stars

0 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published