1

I'm trying to apply STRIDE to secure my architecture.

      xxx
        xxx
          xxx
┌──────────┐xx                     ┌──────────┐
│ node     ├─xx──────signals───────► hub      │
│          │  x                    │          │
└───▲──────┘ xx                    └──────────┘
    │        x
    │      xx                      ┌──────────┐
    │     xx                       │ config   │
    └────xx──────config files──────┤ centre   │
       xxx                         └──────────┘
     xxx
    xx
Internet
 xxx
 x

There is a config centre component that stores config files that are sent to IoT nodes to configure the signals they send back to the hub. The risk I'm identifying is that Tampering with the config centre holding these files could cause incorrect configs to be sent to the nodes, or a file to be sent to a node other than the one for which it was intended. My struggle is that tampering in this case can lead to Information Disclosure from the nodes, because the config could be modified to send more signals than permitted for a node.

So,

  • Am I correct to classify this as a Tampering threat on Config Centre?
  • Do I also need to capture the Information Disclosure vulnerability somewhere?
  • Generally, how do I handle such interdependent vulnerabilities in STRIDE?
Ali

1 Answer

2

STRIDE is a poor taxonomy and an excellent mnemonic. Once you've found the threat, using STRIDE to "categorize" it frequently leads to the dilemma you're in. You've found 2 threats; note them and deal with them.

So Q1: Sure. Q2: Add it to your list. Q3: Don't ask too much of STRIDE, use it to find the various ways things can go wrong.

As an aside, your diagram could probably use an explicit trust boundary.

Adam Shostack
  • Now added a trust boundary :) – Ali Oct 21 '21 at 18:36
  • 2
    @Ali I think this should probably be the accepted answer. You're getting a solution straight from the horse's mouth. (See: https://www.microsoft.com/security/blog/2009/08/27/the-threats-to-our-products/ ). (See also: the textbook "Threat Modeling: Designing for Security"). The solution really is to avoid thinking of STRIDE as a taxonomy/classification system. STRIDE is more of a brainstorming system to find attacks. – hft Oct 21 '21 at 19:16
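
An added example, not part of the question or the answer above: a node-side check showing why the two threats are logged separately, since each needs its own control. The HMAC scheme, the key handling, the JSON field names `node_id` and `signals`, and the `PERMITTED_SIGNALS` allowlist are all assumptions made for illustration; the page does not describe how configs are protected.

```python
import hashlib
import hmac
import json

# Assumption: signals this node may ever emit, provisioned on the node itself
# and not changeable by the config centre.
PERMITTED_SIGNALS = frozenset({"temperature", "battery"})


def sign_config(key: bytes, config: dict) -> str:
    """Tag the canonical JSON form of a config (stand-in for the signing step)."""
    body = json.dumps(config, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def check_config(node_id: str, key: bytes, config: dict, tag: str) -> list:
    """Return the reasons to reject a config; an empty list means accept."""
    problems = []
    # Tampering: the body must match the tag computed when it was signed.
    if not hmac.compare_digest(sign_config(key, config), tag):
        problems.append("integrity check failed")
    # Misdelivery: node_id is inside the signed body, so it cannot be swapped.
    if config.get("node_id") != node_id:
        problems.append("config addressed to another node")
    # Information disclosure: judged separately, because a config can carry a
    # valid tag (for example, signed after the stored file was altered) and
    # still request more than the node is permitted to send.
    extra = sorted(set(config.get("signals", [])) - PERMITTED_SIGNALS)
    if extra:
        problems.append("signals not permitted: " + ", ".join(extra))
    return problems


# Constructed sample data.
KEY = b"constructed-demo-key"
good = {"node_id": "node-17", "signals": ["temperature"]}
greedy = {"node_id": "node-17", "signals": ["temperature", "gps", "audio"]}
other = {"node_id": "node-42", "signals": ["battery"]}

if __name__ == "__main__":
    good_tag = sign_config(KEY, good)
    print(check_config("node-17", KEY, good, good_tag))
    print(check_config("node-17", KEY, greedy, good_tag))
    print(check_config("node-17", KEY, greedy, sign_config(KEY, greedy)))
    print(check_config("node-17", KEY, other, sign_config(KEY, other)))
```

The third call is the case from the question: the integrity check passes, and only the allowlist catches the over-broad signal list.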