# Network Camera Threat Model and Security Analysis: **Protection Profile** ^PSA^ ^Aspect^
> This document lists the assets (data) that need protection in the system and the threats that are considered in scope.
### :memo: The Arm Platform Security Architecture (PSA) guidance:
* Security should always start with analysis.
* The greatest need for a device manufacturer is to have a reference Threat Model and Security Analysis (TMSA) for their product.
* Arm has created a series of reference TMSAs (otherwise known as English Language Protection Profiles) for IoT products, to show a best-practice approach that remains accessible to non-security experts.
* It is hoped that manufacturers find these documents useful as a starting point for creating a TMSA for their own IoT device.
# Introduction
## Target of Evaluation (TOE)
1. The TOE of this Protection Profile (PP) is a network-connected camera, such as those used in homes and offices, with enough processing capability to connect autonomously to a network. It may also include some local analysis of the pictures.
2. The TOE is a platform composed of a hardware device and firmware implementing the network camera functionality. The firmware itself may include a general-purpose operating system.
### TOE Usage and Major Security Features
1. Stream live video in compressed form.
2. Personal use, general purpose. Event detection and privacy protection are essential, but limited by cost constraints.
3. Enterprise use, general purpose. Protected environment; event detection and video flow integrity are essential, but risks are limited.
4. Enterprise use, high security. The same features are essential, but the level of security assurance must be significantly higher.
5. To protect the video stream and access to the management and administration interfaces, network cameras include at least the following security features:
> * User and Admin authentication.
> * Authorization.
> * Network authentication.
> * Encryption of the video stream.
> * Secure communication.
> * Logging of security events.
> * Software update.
### Required non-Target of Evaluation Hardware/Software/Firmware
The TOE is embedded in a hardware device (the camera) that includes hardware that is not part of the TOE but that is used by the TOE, such as the sensor, the network interface or other hardware. Security functionalities shall not depend on that hardware. The Security Target (ST) writer shall make explicit which hardware is part of the TOE and which is not.
## Target of Evaluation (TOE) Description

*Figure 1: Network Camera TOE*
### Target of Evaluation (TOE) Features
#### Hardware
Typically composed of a SoC with hardware video encoders, flash memory, a network controller and the camera module itself, which may also include infrared LEDs and motors for pan, tilt and zoom (PTZ). The SoC may support One-Time-Programmable (OTP) memory to store sensitive data, such as the camera ID or secrets.
#### Firmware
Typically composed of a boot loader, which is the first piece of code called by the ROM, and an OS. Applications may include a motion sensor, a video uploader and a web server. Firmware is usually stored in flash memory to support upgrades.
### Target of Evaluation (TOE) Operational Environment
It is composed of the place where the camera is used and the network the camera is connected to.
### Target of Evaluation (TOE) Life Cycle
| Phase | Actors |
| -------- | -------- |
| 1 & 2: Firmware / Software / Hardware design | The network camera software developer is in charge of software development and testing. The device manufacturer may design additional software that will be linked with the network camera in phase 4. The network camera hardware designer is in charge of designing (part of) the processor(s) where the network camera software runs and designing (part of) the hardware security resources used by the network camera. The silicon vendor designs the ROM code and the secure portion of the network camera chipset. |
| 3: Silicon/chip manufacturing | The silicon vendor produces the chipset for the network camera device.|
| 4: Software manufacturing | The device manufacturer is responsible for the integration, validation, and preparation of the software to load in the product that will include the network camera. |
| 5: Device manufacturing | The device manufacturer is responsible for the device assembly and initialization and any other operation on the device before delivery to the end user. |
| 6: Operational phase | The end user gets a device ready for use. The end user personalizes the TOE and network credentials prior to use. The network camera may be updated if it has not been designed to be immutable. |
| 7: End-usage termination | The end user terminates their relationship to allow device resale by performing a factory reset of the network camera. |
> The TOE delivery point may occur at the end of phases 3, 4 or 5.
# Security Problem Definition
:accept: Notation used below:
> Threat = T.
> Assumption = A.
> Organisational Security Policy = P.
> Objective for the Target of Evaluation (TOE) = OT.
> Objective for the Environment = OE.
## Assets
### Target of Evaluation Security Functionality (TSF) Data
#### Camera ID
A unique ID to identify the device on a network, such as a MAC address. :paperclip: Integrity
#### Firmware
The camera's firmware. :paperclip: Integrity, Authenticity
#### Firmware Certificate
The cryptographic certificate used to authenticate firmware and firmware updates. :paperclip: Integrity
#### Logs
The event logs, which can be used to detect suspicious activity. :paperclip: Integrity
### User Data
#### Video Stream
The video stream produced by the camera and sent over the network. :paperclip: Integrity, Confidentiality
#### Configuration
The camera's dynamic configuration, including network configuration such as the name of a Wireless Local Area Network (WLAN) or IP and Domain Name System (DNS) addresses, camera settings such as pan, tilt and zoom, and the events to be detected and notified. :paperclip: Integrity
#### Credentials
The authentication credentials, used for local and remote authentication, such as:
* Network credentials, to authenticate on the network if needed, for instance a Wi-Fi pre-shared key or an 802.1X certificate, to be protected in integrity and confidentiality.
* Device authentication credentials to authenticate on remote servers, to be protected in integrity and confidentiality.
* Server authentication data, such as public key certificates, to be protected in integrity.
* Session keys, used after establishment of a trusted communication channel with servers, to be protected in integrity and confidentiality.
* Administration and user credentials, to authenticate to the services provided by the network camera, either for administration or for regular use, to be protected in integrity and confidentiality.
* User biometric patterns to be used in face recognition or similar algorithms, to be protected in integrity.
:paperclip: Integrity & Confidentiality
### Others
#### Computing Power
The processing capabilities of the TOE, as provided by its central and possibly graphic processing units.
#### Network Bandwidth
The network resources used by the TOE to exchange data. As the TOE processes video, the volume of exchanged data may be significant.
#### Storage Space
The mass storage space used by the TOE to store data. As the TOE processes video, the volume of stored data may be significant.
## Threats
An attacker is a threat agent (a person, or a process acting on his/her behalf) trying to undermine the TOE security policy defined by the current Security Target (ST). The attacker especially tries to change the properties of the assets defined in the section above.
### T.IMPERSONATION
* An attacker impersonates a legitimate user on the camera, either a regular user that can access the video stream or an admin user.
* The user credentials may be obtained through default admin passwords, interception (for instance on insecure communication links), or data disclosure.
* The attacker may then access the video stream, modify the configuration or try to modify the firmware.
* Assets threatened directly: Credentials
* Assets threatened indirectly: Video Stream, Configuration.
### T.MITM
* An attacker performs a Man-in-the-Middle attack or impersonates a server the camera connects to, for instance to upload the video stream or the event logs.
* The attacker may rely on insecure communication links or prior modification of the server credentials on the camera through insecure configuration.
* The attacker may then access and modify Video Stream, Logs, Credentials, Configuration data.
* Assets threatened directly: Credentials (Server), Logs, Video Stream, Configuration
### T.FIRMWARE_ABUSE
* An attacker installs a flawed version of the firmware and obtains partial or total control of the camera. The firmware may have been modified prior to the attack to include malware, or may be an outdated version of the original firmware.
* The attacker may for instance modify on the device the value of the firmware certificate used to authenticate the installed firmware or firmware updates.
* Such an attack can allow for elevation of privileges, where a regular user gains access to admin privileges.
* This attack can also be used to take control of the TOE resources, for instance to carry out a denial-of-service attack on other network devices, to store illegal files or to mine cryptocurrencies.
* Assets threatened directly: Firmware, Firmware Certificate, Computing Power, Network Bandwidth, Storage Space.
* Assets threatened indirectly: All.
### T.TAMPER
* An attacker tampers with the camera and tries to access or modify the media on which assets are stored.
* This includes basic Printed Circuit Board (PCB) attacks after opening the camera case, such as eavesdropping on buses, desoldering memory chips, or use of debug interfaces.
* Assets threatened directly: All.
## Organisational Security Policies
### P.CREDENTIALS_MANAGEMENT
* The Admin shall change the default passwords of the TOE, if any, prior to operational use of the TOE.
* Additionally, the Admin and the User shall ensure the confidentiality of their passwords.
## Assumptions
### A.TRUSTED_ADMIN
Admins of the TOE are assumed to follow and apply administrative guidance in a trusted manner.
# Security Objectives
## Security Objectives & Requirement for the Target of Evaluation (TOE)
### OT.ACCESS_CONTROL
The TOE shall authenticate the User before granting access to the Video Stream. The TOE shall authenticate the Admin before granting access to the camera configuration and logs and before performing a firmware update.
### OT.SECURE_STORAGE
The TOE shall protect the integrity and confidentiality of Credentials when stored, and protect the integrity of the Firmware Certificate, Configuration and Logs when stored.
### OT.FIRMWARE_AUTHENTICITY
The TOE shall authenticate and verify the integrity of the firmware image during boot, and of new firmware versions prior to upgrade. The TOE shall also reject attempts at firmware downgrade.
### OT.COMMUNICATION
The TOE shall be able to authenticate the remote servers to which the Video Stream and Logs are uploaded, and provide integrity and confidentiality protection for data exported outside the TOE.
### OT.AUDIT
The TOE shall maintain a log of all significant events and allow access to and analysis of these logs by authorized users only.
### OT.SECURE_STATE
The TOE shall maintain a secure state even in case of failure, for instance a failed verification of firmware integrity.
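As an added example, not code from the Arm TMSA, the following Python sketch shows the behaviour OT.FIRMWARE_AUTHENTICITY and OT.SECURE_STATE call for: the image is authenticated at boot and before upgrade, downgrades are rejected against a monotonic counter, and a failed check lands in a recovery state instead of running the image. The image layout, the `Camera` class and the use of an HMAC in place of the asymmetric signature a real boot loader checks against the Firmware Certificate are assumptions made so the example runs with the standard library only.

```python
import hashlib
import hmac
import struct

# Constructed image layout (an assumption, not the TMSA's format):
#   header = MAGIC(4) | version(4, big-endian) | body_len(4, big-endian)
#   image  = header | body | tag(32), tag = HMAC-SHA256(key, header | body)
# The MAC stands in for the asymmetric signature checked against the Firmware Certificate.
MAGIC, HDR_LEN, TAG_LEN = b"NCAM", 12, 32

def build_image(key: bytes, version: int, body: bytes) -> bytes:
    """Producer side: authenticate a firmware body carrying an explicit version."""
    header = MAGIC + struct.pack(">II", version, len(body))
    return header + body + hmac.new(key, header + body, hashlib.sha256).digest()

def verify_image(key: bytes, image: bytes, min_version: int) -> tuple[bool, str]:
    """Check layout, authenticity and anti-rollback; returns (accepted, reason)."""
    if len(image) < HDR_LEN + TAG_LEN or image[:4] != MAGIC:
        return False, "malformed"
    version, body_len = struct.unpack(">II", image[4:HDR_LEN])
    if len(image) != HDR_LEN + body_len + TAG_LEN:
        return False, "malformed"
    signed, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return False, "authenticity"
    if version < min_version:  # older than the rollback counter allows
        return False, "downgrade"
    return True, "ok"

class Camera:
    """Boot and update paths of the TOE; the counter models an OTP-backed value."""
    def __init__(self, key: bytes, installed: bytes, rollback_counter: int):
        self.key, self.installed = key, installed
        self.rollback_counter = rollback_counter  # monotonic, never decremented
        self.state = "off"

    def boot(self) -> str:
        ok, _ = verify_image(self.key, self.installed, self.rollback_counter)
        # OT.SECURE_STATE: a failed check lands in recovery, never in "running"
        self.state = "running" if ok else "recovery"
        return self.state

    def update(self, candidate: bytes) -> str:
        # OT.FIRMWARE_AUTHENTICITY: an update must be strictly newer than installed
        ok, reason = verify_image(self.key, candidate, self.rollback_counter + 1)
        if ok:
            self.installed = candidate
            self.rollback_counter = struct.unpack(">I", candidate[4:8])[0]
        return reason
```

Note that the authenticity check runs before the version check, so an unauthenticated image can never influence the rollback counter.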
## Security Objectives for the Operational Environment (OE.)
### OE.CREDENTIALS_MANAGEMENT
Identical to P.CREDENTIALS_MANAGEMENT
### OE.TRUSTED_ADMIN
The Admin of the TOE is not careless, wilfully negligent or hostile.
## Security Objectives Rationale
The following figure provides an overview of security objective coverage (for the TOE and its environment) and also gives evidence for the sufficiency and necessity of the defined objectives. It shows that all threats and Organisational Security Policies (OSPs) are addressed by the security objectives, and that all assumptions are addressed by the security objectives for the TOE operational environment.

*Figure 2: Security Objectives Rationale*
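A practitioner usually keeps the rationale as a machine-checkable table as well as a figure. As an added example, not the TMSA's own table or code, this Python snippet encodes the threats, OSPs, assumptions and objectives named on this page and lints the mapping for the sufficiency and necessity properties the paragraph above claims; the mapping itself is the editor's reading of the texts above and an assumption, not the content of Figure 2.

```python
# Names exactly as defined in this protection profile.
THREATS = {"T.IMPERSONATION", "T.MITM", "T.FIRMWARE_ABUSE", "T.TAMPER"}
OSPS = {"P.CREDENTIALS_MANAGEMENT"}
ASSUMPTIONS = {"A.TRUSTED_ADMIN"}
TOE_OBJECTIVES = {"OT.ACCESS_CONTROL", "OT.SECURE_STORAGE", "OT.FIRMWARE_AUTHENTICITY",
                  "OT.COMMUNICATION", "OT.AUDIT", "OT.SECURE_STATE"}
ENV_OBJECTIVES = {"OE.CREDENTIALS_MANAGEMENT", "OE.TRUSTED_ADMIN"}

# Coverage mapping: an editor's reading of the threat and objective texts above,
# offered as an assumption; it is not the content of the TMSA's Figure 2.
COVERAGE = {
    "T.IMPERSONATION": {"OT.ACCESS_CONTROL", "OT.SECURE_STORAGE", "OT.AUDIT",
                        "OE.CREDENTIALS_MANAGEMENT"},
    "T.MITM": {"OT.COMMUNICATION", "OT.SECURE_STORAGE"},
    "T.FIRMWARE_ABUSE": {"OT.FIRMWARE_AUTHENTICITY", "OT.SECURE_STATE", "OT.ACCESS_CONTROL"},
    "T.TAMPER": {"OT.SECURE_STORAGE"},
    "P.CREDENTIALS_MANAGEMENT": {"OE.CREDENTIALS_MANAGEMENT"},
    "A.TRUSTED_ADMIN": {"OE.TRUSTED_ADMIN"},
}

def check_rationale(coverage: dict[str, set[str]]) -> dict[str, list[str]]:
    """Return findings keyed by kind; an empty dict means the rationale is consistent."""
    problems = THREATS | OSPS | ASSUMPTIONS
    objectives = TOE_OBJECTIVES | ENV_OBJECTIVES
    used = set().union(*coverage.values()) if coverage else set()
    findings = {
        # Sufficiency: every threat, OSP and assumption is met by at least one objective
        "uncovered": sorted(p for p in problems if not coverage.get(p)),
        # Assumptions are upheld by the environment only, never by TOE objectives
        "assumption_on_toe": sorted(a for a in ASSUMPTIONS
                                    if coverage.get(a, set()) & TOE_OBJECTIVES),
        # Necessity: an objective that addresses nothing is unjustified
        "unused": sorted(objectives - used),
        # Typos or references to items this PP never defines
        "unknown": sorted((set(coverage) - problems) | (used - objectives)),
    }
    return {k: v for k, v in findings.items() if v}
```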