Feedback on section 3.2 Threat Model

[simoneonofri]

During a discussion on Threat Modelling, where it was appreciated that we had public Threat Models, I received this feedback from Loren Kohnfelder.

I am just quoting it here, hoping that it will be useful:

3.2.1 WoT Primary Stakeholders: System User should include excessive bandwidth consumption, as well as device being bricked by OEM such as a bad update Denial of Service threats.
3.2.2 Assets: System Provider Data says Others: no access, but I would think System User needs readonly access to configuration data.
3.2.3 Adversaries: Disappointed to see the Careless OEM threat out of scope because today I think this is the biggest problem with connected devices. Also Careless System Provider. It seems that more transparent devices (see 3.2.2 comment) could help System Users see what's going on.

[mmccool]

Thanks, that is useful feedback! Regarding "Careless OEM" - there's also the "Malicious OEM"... we will have to think about what we can do here. But you're right, more transparency would help.

[mmccool]

Speaking of OEMs: https://foundation.mozilla.org/en/privacynotincluded/categories/smart-home/