Smartphone

AVSS Evaluation of Smartphones

Target:

This case study evaluates the security of fingerprint and facial recognition technology on a smartphone.

Evaluation Processes:

  • Identified Target: Specific smartphone model and its biometric authentication technology were identified.
  • Modeled Threat: A threat model was built based on the smartphone's operating environment.
  • Analyzed Attack Surface: Key attack surfaces were determined, including data collection, processing, storage, permission control, and authentication effectiveness.
  • Utilized DAF: Relevant test cases and attack methods were retrieved from the DAF for evaluation.
  • Tested Adversary: Simulated attacks were conducted to assess the effectiveness of the smartphone's defense mechanisms against identified vulnerabilities.
  • Assessed Risk: Security risks for high-value data (e.g., fingerprints) were evaluated from a business perspective.
  • Reported Scorecard: Quantitative scores from the evaluation were presented in reports to provide insight into the smartphone's security posture relative to industry standards.

Outputs:

  • Quantitative evaluation of the smartphone's security mechanisms for biometric authentication.
  • Identification of potential vulnerabilities, including previously unknown 0-day vulnerabilities.
  • Comparison with industry best practices to identify improvement areas.

AVSS Evaluation of a Financial Payment System

Target:

This case study evaluates the security of a cross-border payment system used by banks and merchants in multiple countries.

Evaluation Processes:

  • Identified Attack Surfaces: Evaluation personnel identified the different attack surfaces faced by the business system, based on information system security research.
  • Tested Vulnerabilities: Security researchers attempted to find defects or gather information through those attack surfaces.
  • Conducted Simulated Attacks: The business system was tested from multiple attack surfaces via the Internet; a fairly strong security posture was in place, and typical network attack methods failed to breach the business system's controls.
  • Verified Security: Evaluation personnel verified that security risks still existed in the office business system by chaining combinations of vulnerabilities within the office network.
  • Assessed Results and Made Recommendations: Evaluators conducted a comprehensive evaluation of the TOE based on the then-current configuration of the business and provided suggestions for improvement in the next phase.

Outputs:

  • Identification of vulnerabilities and potential attack paths within the payment system.
  • Recommendations for system upgrades and security improvements.
  • Improved security posture to prevent financial losses and protect sensitive data.

AVSS Evaluation of IoT Products

Target:

This case study evaluates the security of a remotely controlled IoT device used in unmanned scenarios.

Evaluation Processes:

  • Evaluated Scope: The evaluation focused on device operations, cloud communication channels, and image transmission security.
  • Analyzed Attack Surface: Potential attack surfaces were identified, including cloud vulnerabilities, device system vulnerabilities, and service vulnerabilities.
  • Utilized DAF: Relevant verification items and test cases were chosen from the DAF for evaluation.
  • Tested Security: Identified vulnerabilities were exploited through simulations to assess the device's defense mechanisms.
  • Analyzed Business Impact: Security risks were evaluated based on real-world usage scenarios.
  • Developed Security Indicator: Security design principles and test indicators were established for future product iterations.

Outputs:

  • Identification of potential attack surfaces and vulnerabilities in the IoT device.
  • Evaluation of the device's resistance against various attacks.
  • Development of security guidelines to improve future product models.