Systematic Risk Assessment Analysis for Smart Wearable Devices

doi:10.3969/j.issn.1671-1122.2024.10.014

Abstract

Abstract:

Existing smart wearable devices generally have more vulnerable points and need to scientifically determine the risks they face through risk assessment. The current security risk assessment methods for smart wearable devices are mostly based on fragmented vulnerability points, without fully considering the systematic characteristics of the application scenarios of wearable devices, and are unable to assess the security risks as a whole. Therefore, the article proposed a risk assessment method for wearable devices based on a layered attack path diagram, which categorized the vulnerabilities of wearable devices according to their vulnerabilities’ location in the system, drew a multi-layer vulnerability relationship diagram, added direct threats and data asset targets facing the system to the diagram, and merged and calculated the attack paths from the direct threats, external vulnerability layer, indirect threats, to internal vulnerability layer attack target attack path for risk assessment. The proposed method takes the characteristics of system architecture into full consideration in the risk assessment process, which makes it easier and more accurate to assess the risk, and helps to find the bottlenecks of system security and evaluate the effectiveness of countermeasures.

Key words: risk assessment analysis, vulnerable point, smart wearables

CLC Number:

TP309

ZHAO Ge, ZHENG Yang, TAO Zelin. Systematic Risk Assessment Analysis for Smart Wearable Devices[J]. Netinfo Security, 2024, 24(10): 1595-1603.

Figures/Tables 9

References 20

[1]	ZHOU Min. Research on Personal Information Protection and Evaluation Model of Wearable Devices[D]. Nanjing: Southeast University, 2022.
	周敏. 可穿戴设备个人信息保护与评价模型研究[D]. 南京: 东南大学, 2022.
[2]	NI Xueli, WANG Qun, LIANG Guangjun. Research on Security and Privacy Threats of Smart Wearable Devices[J]. Netinfo Security, 2022, 22(10): 98-107.
	倪雪莉, 王群, 梁广俊. 智能穿戴设备的安全与隐私威胁研究[J]. 信息网络安全, 2022, 22(10): 98-107.
[3]	WU Jiacheng, YU Xiao. A Review of Research on Cybersecurity Risk Assessment Methods[J]. Electronic Science and Technology, 2024, 37(3): 10-17.
	吴嘉诚, 余晓. 网络安全风险评估方法研究综述[J]. 电子科技, 2024, 37(3):10-17.
[4]	ZHANG Yan, LI Jiatong, SONG Xiaoyi, et al. Survey of IoT Device Security Detection[J]. Journal of Computer Research and Development, 2023, 60(10): 2271-2290.
	张妍, 黎家通, 宋小祎, 等. 物联网设备安全检测综述[J]. 计算机研究与发展, 2023, 60(10):2271-2290.
[5]	WANG Jinfang, GUO Yuanbo. Network Security Risk Assessment of Cyber Physical System Based on Attack Graph[J]. Science Technology and Engineering, 2023, 23(28): 12175-12181.
	王金芳, 郭渊博. 基于攻击图的物理信息系统网络安全风险评估[J]. 科学技术与工程, 2023, 23(28):12175-12181.
[6]	LIAO Xiaoqian, HUANG Zhenyong, JIN Mei, et al. Secure Backup and Recovery Methods and Systems for User Data in Wearable Smart Hardware: China, CN105760257A[P]. 2016-07-13.
	廖小谦, 黄真勇, 金梅, 等. 可穿戴智能硬件中用户数据的安全备份、恢复方法及系统:中国,CN105760257A[P]. 2016-07-13.
[7]	ZHANG Huanguo. Information Security Engineer Course[M]. Beijing: Tsinghua University Press, 2016.
	张焕国. 信息安全工程师教程[M]. 北京: 清华大学出版社, 2016.
[8]	GB/T 20278-2022 Information Security Technology-Security Technical Requirements and Testing Assessment Approaches for Network Vulnerability Scanners[S]. Beijing: Standards Press of China, 2022.
	GB/T 20278-2022信息安全技术网络脆弱性扫描产品安全技术要求和测试评价方法[S]. 北京: 中国标准出版社, 2022.
[9]	GB/T28448-2019 Information Security Technology-Evaluation Requirement for Classified Protection of Cybersecurity[S]. Beijing: Standards Press of China, 2019.
	GB/T28448-2019信息安全技术网络安全等级保护测评要求[S]. 北京: 中国标准出版社, 2019.
[10]	XINHUA News Agency. Data Security Law of the People’s Republic of China[N]. People’s Daily, 2021-06-19 (7).
	新华社. 中华人民共和国数据安全法[N]. 人民日报, 2021-06-19(7).
[11]	LOI F, SIVANATHAN A, GHARAKHEILI H H, et al. Systematically Evaluating Security and Privacy for Consumer IoT Devices[C]// ACM. Proceedings of the 2017 Workshop on Internet of Things Security and Privacy. New York: ACM, 2017: 1-6.
[12]	GEORGE G, THAMPI S M. A Graph-Based Security Framework for Securing Industrial IoT Networks from Vulnerability Exploitations[J]. IEEE Access, 2018, 6: 43586-43601.
[13]	WANG Huan, CHEN Zhanfang, ZHAO Jianping, et al. A Vulnerability Assessment Method in Industrial Internet of Things Based on Attack Graph and Maximum Flow[J]. IEEE Access, 2018, 6: 8599-8609.
[14]	ZHAO Jian, WANG Rui, LI Zhengmin, et al. Security Threats and Risk Assessment of IoT System[J]. Journal of Beijing Uuiversity of Posts & Telecom, 2017, 40(s1): 135-139.
[15]	LIU Shengwa, GAO Xiang, WANG Min. Application of Attack Graph Method Based on Bayesian Network in Network Security Assessment[J]. Modern Electronics Technique, 2013, 36(9): 84-87.
	刘胜娃, 高翔, 王敏. 基于贝叶斯网络的攻击图方法在网络安全评估中的应用[J]. 现代电子技术, 2013, 36(9):84-87.
[16]	YANG Hongyu, YUAN Haihang, ZHANG Liang. Host Security Assessment Method Based on Attack Graph[J]. Journal on Communications, 2022, 43(2): 89-99. doi: 10.11959/j.issn.1000-436x.2022030
	杨宏宇, 袁海航, 张良. 基于攻击图的主机安全评估方法[J]. 通信学报, 2022, 43(2):89-99. doi: 10.11959/j.issn.1000-436x.2022030
[17]	YAN Jishan. Analysis on Network Security Risk Assessment Based on Attack Graph Behavior Pattern[J]. Microcontrollers & Embedded Systems, 2018, 18(10): 1-3.
	严纪珊. 基于攻击图行为模式分析的网络安全风险评估[J]. 单片机与嵌入式系统应用, 2018, 18(10):1-3.
[18]	QIU Yue. Security Analysis for the Information of Wearable Devices[J]. Netinfo Security, 2016, 16(9): 79-83.
	裘玥. 智能可穿戴设备信息安全分析[J]. 信息网络安全, 2016, 16(9):79-83.
[19]	SENEVIRATNE S, HU Yining, NGUYENET Tham, et al. A Survey of Wearable Devices and Challenges[J]. IEEE Communications Surveys & Tutorials, 2017, 19(4): 2573-2620.
[20]	TSENG T W, WU C T, LAI Feipei. Threat Analysis for Wearable Health Devices and Environment Monitoring Internet of Things Integration System[J]. IEEE Access, 2019, 7: 144983-144994.

脆弱性分类	脆弱点	检测项	检测结果
边界防御	边界保护/用户账号	—	—
边界防御	口令策略/鉴别机制	—	—
网络通信	网络结构设计	—	—
	网络设备安全配置	联网环境检测	低危
	网络安全	HTTPS未校验服务器证书漏洞	中危
	外部访问控制	访问境外服务器危险	高危
	协议安全	中间人攻击风险	高危
物理安全	外围接口安全/设备管理	—	—
物理安全	设备保护	SD卡数据泄露风险	中危
系统防御	系统管理	恶意可执行程序管理漏洞	中危
	资源共享/补丁安装	—	—
	访问控制	资源文件泄露风险	中危
	系统配置	测试信息残留风险	低危
	系统软件安全	敏感函数检测	中危
	组件安全	WebView组件远程代码执行漏洞	高危
数据保护	数据完整性	—	—
数据保护	密码保护	AES/DES加密算法不安全使用风险	高危
应用防御	应用完整性	WebView组件忽略SSL证书验证错误漏洞	低危
	内部访问控制	证书明文存储风险	高危
	应用自身安全	敏感函数检测	中危
	应用安装升级	资源文件包含APK检测	低危
安全审计	审计机制/审计存储/ 事件审计	—	—
安全审计	审计访问控制	日志函数泄露风险	高危

脆弱性分类	脆弱点	检测项	检测结果
数据保护	数据完整性	无特别保护手段	高危
	密码保护	RSA加密算法不安全使用风险	高危
	密码保护	随机数算法不安全	低危
应用防御	应用完整性	WebView组件忽略SSL证书验证错误漏洞	低危

脆弱性分类	脆弱点	检测项	检测结果
数据保护	数据完整性	无特别保护手段	高危
	数据访问控制	Internet敏感数据泄露风险	低危
		getDir数据全局可读写漏洞	中危
		应用数据任意备份风险	中危
		数据存储位置风险	高危
应用防御	应用完整性	WebView组件忽略SSL证书验证错误漏洞	低危

脆弱性分类	脆弱点	测评方法	评估结果
边界防御	边界保护/用户账号	估算	中危
边界防御	口令策略/鉴别机制	估算	高危
网络通信	网络结构设计	估算	中危
	网络设备安全配置	实测	低危
	网络安全/外部访问控制	实测合并	高危
	协议安全	实测	高危
物理安全	外围接口安全/设备管理	估算	中危
物理安全	设备保护	实测	中危
系统防御	系统管理	实测合并	中危
	资源共享/补丁安装	估算	高危
	访问控制	实测合并	中危
	系统配置	实测合并	低危
	系统软件安全/组件安全	实测合并	高危
数据保护	数据完整性	估算	高危
数据保护	密码保护/数据访问控制	实测合并	高危
应用防御	应用完整性	实测	低危
	内部访问控制	实测合并	高危
	应用自身安全/应用安装升级	实测合并	中危
安全审计	审计机制/审计存储	估算	高危
	审计访问控制	实测	高危
	审计日志	估算	中危