
Skill Guide

Threat modeling using STRIDE and LINDDUN for IoT attack surfaces

Threat modeling using STRIDE and LINDDUN for IoT attack surfaces is the structured process of identifying, categorizing, and prioritizing potential security and privacy threats to an Internet of Things system by applying the STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) and LINDDUN (Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, Non-compliance) frameworks to its unique data flows, components, and trust boundaries.

This skill is highly valued because it proactively shifts security left in the IoT product lifecycle, preventing costly redesigns and breaches by identifying vulnerabilities before deployment. It directly impacts business outcomes by reducing liability, ensuring regulatory compliance (e.g., GDPR for data privacy via LINDDUN), and protecting brand reputation against IoT-specific attack vectors.
1 Careers
1 Categories
9.2 Avg Demand
15% Avg AI Risk

How to Learn Threat modeling using STRIDE and LINDDUN for IoT attack surfaces

1. Master the foundational IoT architecture: Understand device, firmware, communication protocols (MQTT, CoAP, BLE), cloud APIs, and mobile app components.
2. Memorize the core threat categories of both STRIDE (security) and LINDDUN (privacy) and what each category encompasses.
3. Practice drawing Data Flow Diagrams (DFDs) for simple IoT systems, identifying processes, data stores, data flows, and trust boundaries.

Move from theory to practice by applying the frameworks to a real-world product, such as a smart thermostat. Map each STRIDE threat to specific components (e.g., spoofing on the device authentication module) and each LINDDUN threat to data flows (e.g., linkability between usage data and user identity). Avoid the common mistake of treating the frameworks as separate checklists; instead, integrate them to see where security and privacy concerns intersect.

Master the skill at an architect level by developing a customized threat library specific to your organization's IoT product line and integrating threat modeling into the CI/CD pipeline. Lead threat modeling sessions for complex, multi-protocol systems (e.g., industrial IoT) and mentor junior engineers on deriving actionable security requirements from the models. Align threat modeling outputs with business risk registers and executive reporting.

Practice Projects

Beginner
Project

Threat Model a Basic Wi-Fi Smart Plug

Scenario

You are given a simple Wi-Fi smart plug with a mobile app for control and a cloud service for scheduling. The goal is to identify the most critical security and privacy flaws.

How to Execute
1. Draw a high-level DFD with four main components: User's Mobile App, Cloud API, Home Wi-Fi Router, and the Smart Plug Device.
2. For each data flow (e.g., App to Cloud API), apply the STRIDE mnemonic. Identify that the 'App to Cloud' flow is susceptible to spoofing (weak auth) and information disclosure (unencrypted commands).
3. For the same flows, apply LINDDUN. Identify that 'Plug to Cloud' telemetry data (energy usage) creates linkability and identifiability threats if tied to a specific user.
4. Prioritize the top 3 threats based on impact and likelihood.

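The four steps above can be carried out as data rather than on a whiteboard. The following is an added example, not part of the original guide: it encodes a constructed smart plug DFD as flows, applies STRIDE and LINDDUN rules to each flow, and ranks the results by impact times likelihood. The flow properties, the rule set and the 1-5 scores are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str
    strong_auth: bool       # endpoints authenticate each other
    encrypted: bool         # confidentiality and integrity protected in transit
    crosses_boundary: bool  # passes the home Wi-Fi router to the internet
    user_linked: bool       # payload is tied to a specific user account

# Constructed DFD for the smart plug scenario; every property value is an assumption.
FLOWS = [
    Flow("Mobile App", "Cloud API", "on/off commands", False, False, True, True),
    Flow("Cloud API", "Smart Plug", "schedules", True, True, True, False),
    Flow("Smart Plug", "Cloud API", "energy telemetry", True, True, True, True),
    Flow("Mobile App", "Smart Plug", "local setup", False, True, False, False),
]

# (framework, category, condition on the flow, impact 1-5): illustrative rule set
RULES = [
    ("STRIDE", "Spoofing", lambda f: not f.strong_auth, 5),
    ("STRIDE", "Tampering", lambda f: not f.encrypted, 4),
    ("STRIDE", "Information Disclosure", lambda f: not f.encrypted, 4),
    ("LINDDUN", "Linkability", lambda f: f.user_linked, 3),
    ("LINDDUN", "Identifiability", lambda f: f.user_linked, 3),
]

def enumerate_threats(flows):
    """Apply every rule to every flow; likelihood is higher across the trust boundary."""
    threats = []
    for f in flows:
        likelihood = 4 if f.crosses_boundary else 2
        for framework, category, applies, impact in RULES:
            if applies(f):
                threats.append({"flow": f"{f.src} -> {f.dst}", "framework": framework,
                                "category": category, "risk": impact * likelihood})
    return threats

def top_threats(flows, n=3):
    """Rank by risk = impact x likelihood; ties keep enumeration order (stable sort)."""
    return sorted(enumerate_threats(flows), key=lambda t: -t["risk"])[:n]

if __name__ == "__main__":
    for t in top_threats(FLOWS):
        print(f'{t["risk"]:>2}  {t["framework"]:<7} {t["category"]:<22} {t["flow"]}')
```

Note that the encrypted, authenticated telemetry flow still produces LINDDUN findings: the privacy threats come from what the data is tied to, not from how it is transported.
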
Intermediate
Case Study/Exercise

Threat Modeling a Connected Medical Wearable

Scenario

You are the security lead for a wearable glucose monitor that transmits sensitive patient data via Bluetooth Low Energy to a phone, then to a hospital cloud portal for clinician review.

How to Execute
1. Create a detailed DFD, explicitly defining trust boundaries between the wearable, patient's phone, and hospital network.
2. Conduct a structured brainstorming session: For each STRIDE category, brainstorm specific attacks (e.g., Tampering with BLE packets to alter glucose readings).
3. For LINDDUN, focus on data flows involving Protected Health Information (PHI). Identify threats like 'Non-compliance' if data is stored without consent and 'Unawareness' if the patient isn't told what data is collected.
4. Document mitigation strategies for each threat, such as end-to-end encryption (addressing Information Disclosure) and privacy-by-design prompts in the app (addressing Unawareness).

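Step 4 is easy to let slip, so it helps to make it checkable. The following is an added example, not part of the original guide: a threat register for the wearable, scored with a DREAD average, and a gate that lists every threat above a threshold that has no documented mitigation, suitable for running in a CI/CD job. The register entries, the DREAD ratings and the 6.0 threshold are constructed assumptions.

```python
from statistics import mean

THRESHOLD = 6.0  # assumed policy: a DREAD average at or above this needs a mitigation

# Constructed register for the glucose monitor scenario. "dread" holds ratings 1-10 for
# Damage, Reproducibility, Exploitability, Affected users, Discoverability.
REGISTER = [
    {"id": "T1", "flow": "Wearable -> Phone (BLE)", "category": "Tampering",
     "dread": (9, 6, 5, 8, 5), "mitigation": None},
    {"id": "T2", "flow": "Phone -> Hospital Cloud", "category": "Information Disclosure",
     "dread": (8, 7, 6, 9, 6), "mitigation": "end-to-end encryption"},
    {"id": "T3", "flow": "Phone -> Hospital Cloud", "category": "Unawareness",
     "dread": (5, 9, 8, 9, 7), "mitigation": "privacy-by-design prompts in the app"},
    {"id": "T4", "flow": "Hospital Cloud storage", "category": "Non-compliance",
     "dread": (7, 8, 4, 9, 3), "mitigation": ""},
    {"id": "T5", "flow": "Wearable -> Phone (BLE)", "category": "Denial of Service",
     "dread": (3, 4, 4, 2, 5), "mitigation": None},
]

def dread_score(factors):
    """Average of the five DREAD factors; reject incomplete or out-of-range ratings."""
    if len(factors) != 5 or not all(1 <= x <= 10 for x in factors):
        raise ValueError(f"DREAD needs five ratings in 1..10, got {factors!r}")
    return mean(factors)

def unmitigated(register, threshold=THRESHOLD):
    """Return (id, score) for threats at or above threshold with no mitigation text."""
    blocking = []
    for t in register:
        score = dread_score(t["dread"])
        if score >= threshold and not (t["mitigation"] or "").strip():
            blocking.append((t["id"], round(score, 1)))
    return sorted(blocking, key=lambda item: -item[1])

if __name__ == "__main__":
    import sys
    failures = unmitigated(REGISTER)
    for tid, score in failures:
        print(f"BLOCK {tid}: DREAD {score} with no documented mitigation")
    sys.exit(1 if failures else 0)  # non-zero exit fails the pipeline stage
```

An empty mitigation string is treated the same as a missing one, and a low-scoring threat such as T5 passes the gate without a mitigation, which corresponds to an accepted risk under this assumed policy.
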
Advanced
Project

Enterprise-Wide IoT Threat Model Synthesis

Scenario

You are the Chief Security Architect for a company with a portfolio of 50+ IoT products (smart locks, cameras, sensors). The board demands a unified risk view.

How to Execute
1. Develop a custom, company-specific threat taxonomy by abstracting common threats from individual product models (e.g., 'Firmware Update Hijack' is a common Tampering threat).
2. Create a threat modeling playbook that standardizes DFD creation and STRIDE/LINDDUN analysis across all product teams.
3. Integrate threat modeling outputs into the risk management platform, mapping each identified threat to a business risk score (financial impact, reputational damage).
4. Present to leadership using a heat map that shows threat concentration across the product portfolio, linking technical findings to strategic business risks.

Tools & Frameworks

Diagramming & Collaboration Tools

Microsoft Threat Modeling Tool, OWASP Threat Dragon, Lucidchart, Miro

Used to create and collaborate on Data Flow Diagrams (DFDs), which are the foundational artifact for applying STRIDE/LINDDUN. The MS Threat Modeling Tool automatically applies STRIDE templates to DFD elements.

Threat Frameworks & Libraries

STRIDE, LINDDUN, MITRE ATT&CK for IoT, OWASP IoT Attack Surface Areas

STRIDE and LINDDUN are the core analytical frameworks. ATT&CK for IoT provides a knowledge base of real-world adversary tactics to enrich threat identification. OWASP IoT guidelines help define the attack surface.

Risk Assessment & Prioritization

DREAD (Damage, Reproducibility, Exploitability, Affected Users, Discoverability), CVSS (Common Vulnerability Scoring System), FAIR (Factor Analysis of Information Risk)

DREAD is a qualitative model to score threats identified via STRIDE. CVSS is used for scoring specific vulnerabilities. FAIR is an advanced framework for quantifying risk in financial terms for business communication.

Interview Questions

Answer Strategy

The interviewer is testing your systematic approach and ability to integrate both frameworks. Start by describing how you'd draw the DFD, identifying key components (sensor, hub, cloud, mobile app) and trust boundaries. Then, explain applying STRIDE to each data flow and component (e.g., Elevation of Privilege on the hub, Information Disclosure on Zigbee traffic). Immediately follow by applying LINDDUN to the data flows, particularly focusing on sensor data that could reveal building occupancy (linkability, identifiability). Conclude by mentioning how you'd prioritize findings and work with engineers to implement mitigations like network segmentation and data anonymization.

Answer Strategy

This behavioral question tests your depth of analysis and influence. Use the STAR method (Situation, Task, Action, Result). Describe the specific IoT system, your threat modeling session, and the precise threat (e.g., a LINDDUN 'Unawareness' threat where users weren't informed about always-on microphones). Highlight your action: how you documented it, prioritized it using DREAD, and communicated the risk to product management. The result should be a concrete change, such as adding a physical mute indicator or a privacy setting.
