The ERMO framework [9] describes cybersecurity in terms of risk for biodigital systems and points to a lifecycle approach for cyber risk management. Since biodigital systems encompass both life sciences and cybersecurity, risk analysis through this framework includes digital, hardware, and biological assets. Risk in the ERMO process includes two main goals: prioritizing risks through analysis, protecting and evolving the organization, and providing a semi-quantitative way to score both risk and reward. It also provides an initial identification of key exposure variables and loss drivers for biodigital systems. The ERMO Framework’s methodology consists of eight steps. Steps 1 and 2 prioritize risks, including cyberbio assets, operations, and liabilities. Step 3 identifies the causes of loss or risk that impact Steps 1 and 2. Step 4 is the consequences of the impacted risks. Step 5 includes controls to minimize loss frequency and/or severity. Steps 6 and 7 assess the damage to components, such as cyberbio systems, subsystems. Step 8 includes implementing and monitoring risk controls and risk financing plans and programs. Based on the proposed methodology, key exposures, exposure variables, and sources of loss can be identified and developed into a risk registry. However, the ERMO model is too broad to categorize the tactics and techniques used against cyber threats properly. Since the threat model does not classify detailed attack tactics and techniques, in-depth cyber-attack analysis is difficult. The study did not include specific attack tactics and techniques to classify. In addition, the proposed framework does not have a validation process, and thus its reliability is low.

The MITRE ATT&CK Framework [10] is a security framework developed by MITRE Corporation that categorizes information about different attack techniques. The attacker’s behavior is categorized into different tactics and techniques based on actual cyber-attack cases. This framework is used to analyze attack patterns and derive attack behaviors to improve the ability to detect advanced attacks. The MITRE ATT&CK database contains useful information on threat modeling languages, such as assets (e.g., computers, services, internal and external networks), attack phases (e.g., spearphishing attachments, user execution), and threat modeling languages. The data can be used to develop various threat models and methodologies. Some frameworks, such as Enterprise and ICS, are appropriate for different network environments. However, the MITER ATT&CK Framework does not specialize in IoWT. Because IoWT devices operate in a unique environment due to limitations such as low processing power and bandwidth, applying all attack techniques proposed in existing IT and ICS frameworks is difficult.

CMTMF [11] is a threat modeling framework for mobile systems created by the CONCORDIA project to highlight the importance of cyber threat intelligence techniques. This study focusing on threats to the mobile network itself, the entry points for carrying out attacks were analyzed as follows: the mobile device, the SIM Card, the mobile app, the gNodeB, the IPUPS, the SEPP, and the Network Exposure Function (NEF)-CAPIF. It was developed to address the difficulties in applying existing threat modeling frameworks such as MITRE ATT&CK and Bhadra framework to mobile networks. CMTMF is compatible with sub-frameworks of MITRE ATT&CK, such as MITRE ATT&CK for Enterprise, Mobile, and ICS. CMTMF is divided into 105 attack behaviors and 14 tactic categories, but unlike MITRE ATT&CK, there are no unique tactics. Instead, the attacks are characterized by the use of multiple devices on a mobile network and the repetitive nature of the attacks, so the attacks are documented in a step-by-step loop. However, it does not consider the wearable environment. IoWT devices perform special network communications such as BLE, NFC, and Zigbee and operate in the unique environment of wearables. This indicates that existing IT and ICS target threat analysis techniques cannot be applied accurately.

MWBDs [32] are miniaturized mobile healthcare devices used in healthcare services such as telemedicine and have limited resources (size, power, processing, and storage). Due to these characteristics, they pose security risks to the privacy of users while collecting and transmitting patients’ sensitive personal information. Therefore, this study proposed a methodology to counter cyberattacks on MWBDs. In MWBD, threat modeling, assets, vulnerabilities, threats, attacks, risk classification, and risk assessment are performed. First, assemble a team to perform threat modeling. The threat modeling team should include at least one member from each engineering group involved in hardware, radio links, and software to ensure a solid understanding of the underlying technology. Next, the security assumptions and constraints against which the threat modeling is performed to capture information at the appropriate level of abstraction are identified. The operating environment is analyzed during this process, and security domains/perimeters/use cases are defined. Later, attackers are defined, followed by a systematic analysis of security threats. Finally, once the risks to the system are defined, risk management is performed to assess, monitor, and respond to the risks. This study validated the proposed MWBD threat modeling by conducting a case study on MWBD devices with the following characteristics: Injectable, Ingestible, Implantable, and Wearable. However, this threat modeling methodology is too broad a concept for detailed threat analysis. The proposed threat model did not provide detailed information about attack tactics and techniques to classify cyberattacks in detail. For example, no specific classification has been performed on attacks that occurred during the BLE pairing process between a wireless implantable neural interface system on a chip (SoC) and an external terminal.

The Bhadra framework [33] is a threat modeling framework that classifies publicly known security threats to mobile networks into nine tactical and 55 technical categories. It focuses on 2G, 3G, and 4G technologies based on 3GPP standards. The BHADRA framework identifies a wide range of potential attackers by modeling even attacks that have not been observed in practice. The threat modeling methodology consists of three phases, and the attack lifecycle proceeds in the following order: attack mounting, attack execution, and attack consequences. Attack mounting is when an attacker finds a target’s weaknesses, gains initial access to the target, and establishes a persistent presence. Attack execution is where the attacker exploits vulnerabilities in the system to extend control from initial access to the target. Attack results are when the attacker achieves their tactical objectives, primarily related to information gathering and other attack impacts. However, the proposed Bhadra framework has limitations when applied to IoWT. For example, Attack Progression’s SS7-based techniques include protocols such as the Signaling Connection Control Part (SCCP) and Transaction Capabilities Application Part (TCAP). Security threats cannot be identified since IoWT devices do not support these protocols.

The BLE Threat Model [8] represents a comprehensive categorization of security and privacy threats to the BLE protocol, which is based on communicating with low-power, computationally limited sensors and IoT devices rather than regular Bluetooth. First, we categorize the security threats into eight categories based on the attacker’s approach and the severity of the attack. Attacks that perform similar attack techniques are combined into one category. The security threats are classified as follows: Passive Eavesdropping, which occur due to the simplified and predictable design of BLE channel hopping; Active Eavesdropping, where an attacker positions itself in the BLE communication path to steal information; and Device Cloning, where an attacker causes damage by pretending to be a trusted device of the target, cryptographic vulnerability, which exploits cryptographic weaknesses and flaws in the BLE protocol; DoS, which occurs at the physical and network layers to prevent the intended user from using system resources; Distortion, which attacks the services of a BLE device by exploiting vulnerabilities in BLE protocol services and BLE data packets; and Surveillance, which is used to identify BLE devices. However, since the BLE threat model targets only a single protocol, it is unsuitable for security threats to various protocols used in IoWT. Many communication protocols are used between wearable devices and mobile devices, such as NFC, Zigbee, Wi-Fi Direct, and NB-IoT. Therefore, it must be possible to target multiple protocols.

The WSHD Threat Model [12] examines exploitable aspects of wearable smart health devices, such as sensors connected to the Internet, to monitor the wearer’s health and exchange data. The proposed threat model represents the companion apps, cloud, and communication protocols of the WSHD system. The threat model targets the following two communication sections, which include security threats that may occur in communications established in the WSHD system: WSHD device-companion app and companion app-cloud. This study selected Garmin Connect, Polar Beat, Mysugr, and Finger Oximeter-SpO2 companion apps to verify the proposed threat model and analyze their vulnerabilities. The programs and tools used are Wireshark, BLECryptracer, and Logcat. The security threats identified include network packet sniffing, traffic capture and manipulation, data collection using valid APIs, and encryption vulnerabilities. However, a formalization process was not performed on the attack tactics and techniques used in security threats. If there is no formalization process for attacks, the scope and characteristics of security threats cannot be properly defined, which reduces the accuracy of attack identification.

The MEDICALHARM [13] is a threat modeling methodology tailored to identify threats in MMD systems. The proposed methodology combines security threats and risk analysis. The primary security threats are security and privacy threats and include Modification breach, Exposure of sensitive or personal data, Denial of service, Impact of threat, Component threat, Access breach, Likelihood of threat, Harm to the patient, Assumptions and constraints about the system, Relevant in-depth threat, Monitoring and logging. The risk analysis adopts the semi-quantitative analysis recommended by the National Institute of Standards and Technology (NIST). This study uses CVSS scores to assess the risk of all identified vulnerabilities, combined with qualitative likelihood and impact measures. However, the proposed threat modeling has few distinguishable attack tactics and techniques, totaling 11. In addition, the selected security threats are not at the same level, so the scope of analysis is different. For example, Denial of service is included in the attack technique, but the Component threat is included in the attack tactic. Therefore, the number of attack tactics and techniques that can actually be classified is smaller.

Section 4.1 describes the IWTW cyber threat analysis framework. IoWT attack cases, IoWT security threats, and attack tactics and techniques were derived from a variety of literature, including technical reports, white papers, studies, and academic publications. The methodology is divided into three phases. Fig. 2 shows an overview of the IWTW framework development methodology.

Step 1 Analysis: Analyze the attack cases and derive the attack process performed against IoWT devices.

Step 2 Standardization: Standardize attack tactics and techniques derived from the analysis of attack cases and potential security threats.

Step 3 Compilation: Combining the security threats formalized in the previous step to propose an IWTW framework.

The proposed methodology is divided into two areas: Clustering and Development. First, the Clustering area stores data derived from the analysis of attack cases targeting IoWT and potential security threats that may occur in IoWT. The clustering area requires continuous updates in response to new cyber-attacks. In addition, it consists of two parts: Analysis and Standardization. First, the Analysis part includes IoWT Attack Cases, which analyzes attack cases that can occur against IoWT, and IoWT Security Threat, which analyzes potential security threats that can occur in IoWT. IoWT Attack Cases is based on actual attacks against IoWT and analyzes the attack process and security threats. IoWT Security Threat is not derived from the attack cases that were previously analyzed, but it analyzes the security threats that can be caused by potential attackers targeting IoWT. The Standardization part performs the process of standardizing the attack categories, attack tactics, and attack techniques derived from the Analysis part.

The equation for the proposed methodology is as follows: The set of security threats derived through IoWT Attack Case and IoWT Security Threat are X and Y. IoWT attack data is collected as much as i. Z means set in which duplicates of the derived security threats have been removed. The set Z is defined as follows: Z=⋃i=1n(Xi∪Yi). Attack categories are defined as follows: Launch on Attack, Expand Attack, and Attack Result are expressed as a1,a2,a3. The elements zk of set Z can be classified into ai. The relationship between zk and ai is defined as follows: ∀zk∈Z,∃ai∈{a1,a2,a3}:zk∈ai. Attack tactics classified within attack category ai are b1 to bn. Attack Techniques classified within attack tactics bj are c1 to cn. ai contains attack tactics bj, and bj contains attack techniques ck. The relational expressions for ai, bj, and ck are defined as follows: ∀ai∃b1,…,bn⊆ai:∀bj,∃c1,…,cn⊆bj

In the development area, a cyber threat analysis framework for IoWT is developed based on threat analysis data from the clustering area. By combining the standardized attack categories, attack tactics, and attack techniques, the IWTW framework is finally developed.

Section 4.2 reviews IoWT attack cases and analyzes potential IoWT security threats.

In this session, we will formalize the attack tactics and techniques derived from our analysis of attack cases and potential security threats against IoWT devices in Section 3.2. Attack categories represent the initiation, progression, and consequence phases of an attack. Attack tactics represent the attacker’s behavior in accordance with the attack goal. Attack techniques represent how the attacker achieves the attack tactic against the goal, and there are various attack techniques for each attack tactic. This study referenced the MITRE ATT&CK Framework to formalize attack tactics and attack techniques but did not include them in the formalization process if they are not applicable or not applicable to IoWT devices.

Fig. 3 shows the IWTW framework developed by combining the 3 Attack Categories, 18 Attack Tactics, and 68 Attack Techniques for the attack flows derived from Sections 4.2 and 4.3. The attack categories are organized as follows: Launch on Attack, Expand Attack, Attack Result. Launch on Attack indicates a security threat that may occur in the early stages of an attack. Therefore, the subsections are organized as follows: Reconnaissance, Resource Development, and Initial Access. Expand Attack refers to expanding the attack process to the attacker’s intended target. Accordingly, the subsections are organized as follows: Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control. Attack Result indicates the damage caused by the attack and its impact. Therefore, the subsections are organized as follows: Exfiltration, Impact, Wearable IoT Service, Wearable IoT Device, Protocol Exploitation, and Effect. IoWT attack techniques included in each subsection were derived and mapped to attack tactics through the following process: 1. Analyze attack cases targeting IoWT assets. 2. Categorize IoWT by asset type, attack process, and security threat. 3. Classify potential security threats that may occur targeting IoWT. 4. Analyze and standardize the main functions that constitute security threats.

Figs. 4–6 show the IWTW framework’s attack categories: Launch on Attack, Expand Attack, Attack Result, and Components.

Launch on Attack is a category of security threats and attacks that can occur at the beginning of an attack in the IWTW framework. Its attack tactics are Reconnaissance, Resource Development, and Initial Access. The Launch on Attack category has 10 attack techniques, including the information and tools used to carry out the attack, and represents the attack vector for initial access.

Expand Attack is a category of attacks that extends the attack process to the attacker’s intended target after initial access in the IWTW framework. It consists of the following attack tactics: Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, and Command and Control. There is a total of 33 attack tactics that fall under the Expand Attack category. They perform tasks to achieve the attack goal, such as remotely executing malicious actions against IoWT devices or gaining high privileges and persisting in the system based on them, avoiding attack detection, or communicating with and controlling systems inside the network, collecting key data within the IoWT device, or obtaining information.

Attack Result is a category of attack that achieves the attacker’s intended goal in the IWTW framework. It is composed of the following attack tactics: Exfiltration, Impact, Wearable IoT Service, Wearable IoT Device, Protocol Exploitation, and Effect. There is a total of 25 attack tactics in the Attack Result attack category, which compromise the availability and integrity of services and data in IoWT devices.

The IWTW framework is highly reliable because it only includes attack techniques that can be performed against IoWT devices. The addition of new attack tactics allows for more detailed cybersecurity threat analysis.

Fig. 7 illustrates how the MiBand 2 smart band attack case is applied to the IWTW framework. Exploitation of Wireless Device Configuration: Filtered and analyzed BLE communication wireless network traffic to analyze source and destination addresses. Active Scanning: Discovered wearable devices through the discovery capabilities of BLE sniffers. Obtain Capabilities: Uses the application and hardware sniffers required for the attack. Masquerading: Display a user authentication screen with fake commands. Passive Sniffing: Sniffs the MiBand 2’s packets through the SmartRF Sniffer. Data from Local System: Using BLETestTool to collect sports and heart rate data from MiBand 2. Capture Bluetooth Traffic: Capture BLE communication packets. Adversary-in-the-Middle: Intercept sensitive data between wearable device communications. Replay Attack: vibrates the MiBand 2 with a fake notification. Communication via Bluetooth: Communicates with the attacker based on Bluetooth. Transfer Data: Leaks collected data to the attacker’s device. Inhibit System Recovery: Prevents phone and text services from functioning normally through fake notifications. Fitness: Fitness data related to exercise is leaked. Infotainment: Vulnerabilities in smart bands are exploited. Accessory: A wearable device in a wearable form. BLE: An attack that exploits a vulnerability in BLE communication. IoWT Device Damage: The MiBand was physically damaged by the constant vibration caused by the fake notifications.

Zhang et al. [145] used the CC2540 USB, TI SmartRF, and BLETestTool to remotely sniff and analyze traffic on the MiBand 2 wearable smartband. Fig. 8 shows an overview of the attack process for MiBand 2. The CC2540 USB dongle is used as a hardware sniffer, TI SmartRF Packet Sniffer is a software application that sniffs BLE communication packets between the smartphone and the wearable device, and BLETestTool is an attack tool that runs on an Android smartphone to test attacks against the wearable device. First, the hardware sniffer, smartphone, and smart wristband are placed close to Bluetooth discovery so the smartphone can discover the MiBand 2 via Bluetooth. Then, turn on the TI SmartRF Packet Sniffer on your PC and launch the MiBand 2’s official support application on your Android phone. The packets are sniffed once connected to the MiBand 2 through the application, and the information is displayed on the TI SmartRF Packet Sniffer. All sniffed packets are stored in hexadecimal, and the commands in the packets are analyzed by converting them to decimal, ASCII code, Unicode, or UTF-8 code. After running BLETestTool on an Android smartphone and using it to connect to the MiBand 2, send some commands recorded using BLETestTool to the MiBand 2 and fake commands written by the attacker to bypass the authentication process. Once the authentication process is complete, the attacker uses BLETestTool to perform attacks such as getting sports and heart rate data or vibrating this MiBand 2 with fake notifications.

Fig. 9 illustrates how the Smartwatch/band based on BLE 4.0 and 4.2 attack case is applied to the IWTW framework. Exploitation of Wireless Device Configuration: Filtered and analyzed BLE communication wireless network traffic to analyze source and destination addresses. Active Scanning: Scanned for wearable devices through a BLE sniffer. Obtain Capabilities: the HCI snoop log is the tool used in the attack. The Native API enables packet capture from Ubertooth devices. Weaken Encryption: Weaknesses in the data encryption mechanism result in plaintext transmission. Unsecured Credentials: Uses the user’s digital signature. System Information Discovery: Identifies devices through packet analysis. Passive Sniffing: Sniffs packets from the wearable device through an Adafruit sniffer. Use Alternate Authentication Material: Use a spoofed digital signature to maintain connectivity between devices. Data from Local System: Perform follow-up attacks based on sender and receiver MAC addresses and identifying devices derived through WireShark. Capture Bluetooth Traffic: Captures BLE communication packets. Adversary-in-the-Middle: Intercept sensitive information such as sender and receiver static MAC addresses and communication messages between wearable device communications. Communication via Bluetooth: Communicates with the attacker based on Bluetooth. Transfer Data collects data information about the wearer’s movements and habits. Fitness: Fitness data related to the wearer’s movements is compromised. Infotainment: A vulnerability in the smartwatch or band has been exploited. Accessory: A wearable device in a wearable form. BLE: The attack exploits a vulnerability in BLE communication.

Cusack et al. [146] used BLE sniffers to capture and analyze communication packets from Fitbit Charge HR/Surge, Samsung Gear 3, Xiaomi Amazifit smartwatches, and smartbands using BLE 4.0 and 4.2 to extract sensitive information. Fig. 10 shows an overview of the attack process for Fitbit Charge HR/Surge, Samsung Gear 3, and Xiaomi Amazifit attack process. First, use Ubertooth, the HCI snoop log, and the Adafruit sniffer tool to dump the pairing-related packets of the wearable devices into pcapng and pcap files. The dumped files are analyzed using Wireshark to check whether the data is text-encrypted and to collect essential information such as digital signatures, device identification, mapping of the wearer’s movements and habits, and device logs. As a result, sensitive information, such as static MAC addresses of the sender and receiver, and communications messages, were sent in plain text, and message logs (Email, SMS, and Facebook) were checked. The vulnerability allows for blueprinting attacks against each wearable device. Analysis showed that all wearable devices had credential data that provided access.

Fig. 11 illustrates how the Honor Band 5 and Honor watch ES smart watch attack case is applied to the IWTW framework. Exploitation of Wireless Device Configuration: Filtered and analyzed BLE communication wireless network traffic. Active Scanning: Discovered wearable devices through the BLE sniffer’s discovery capabilities. Obtain Capabilities: The Nordic Semiconductor nRF52 DK Sniffer tool was used in the attack. Weaken Authentication: No encryption during the pairing process. System Information Discovery: Identifies devices by deriving plain text data through packet analysis. Passive Sniffing: Sniffing packets through a BLE sniffer. Data from Local System: The attacker used Wireshark to collect plain text data about personal information from a series of Honor devices. Capture Bluetooth Traffic: Capture BLE communication packets. Adversary-in-the-Middle: Intercept sensitive information such as physical activity data, synchronization, connection, and reconnection data between wearable device communications. Communication via Bluetooth: Communicates with an attacker based on Bluetooth. Transfer Data: Collect sensitive personal information. Infotainment: Vulnerabilities in the smartwatch/band are exploited. Accessory: A wearable device that can be worn. BLE: An attack that exploits a vulnerability in BLE communication.

Fuster et al. [70] used the Nordic Semiconductor nRF52 DK Sniffer to capture and analyze communication packets from various wearable smartwatches/bands to derive privacy and security vulnerabilities. In Case Study 3, They focus on the Honor Band 5 and Honor Watch ES devices. Fig. 12 shows an overview of the attack process for Honor Band 5 and Honor Watch ES attack process. First, capture BLE communication between wearable and mobile devices using the Nordic Semiconductor nRF52 DK tool and then analyze it using WireShark. BLE communication is performed via pairing, and physical activity data, synchronization, connection, and reconnection data are collected and analyzed. Honor device series require a separate Huawei ID and Huawei Health service to use. The devices use unencrypted pairing methods and communication, which expose personal data in plain text. In addition, wearable devices can be identified by using static MAC addresses.

Fig. 13 illustrates how the Senbono CF-58 smart watch attack case is applied to the IWTW framework. Exploitation of Wireless Device Configuration: Filtered and analyzed BLE communication wireless network traffic. Active Scanning: Discovered wearable devices through the BLE sniffer’s discovery capabilities. Obtain Capabilities: The BetterCap Sniffer tool was used in the attack. Command and Scripting Interpreter: Gather details using the BLE.enum command. Weaken Encryption: No encryption during network connection. System Information Discovery: Identifies devices by deriving plain text data through packet analysis. Passive Sniffing: Sniffing packets through the BetterCap sniffer. Data from Local System: The attacker used Wireshark to collect plain text data about personal information from the Senbono CF-58 devices. Capture Bluetooth Traffic: Capture BLE communication packets. Adversary-in-the-Middle: Intercept sensitive information such as physical activity data, synchronization, connection, and reconnection data between wearable device communications. Communication via Bluetooth: Communicates with an attacker based on Bluetooth. Data Manipulation: Change data by modifying the descriptor of the UUID. Infotainment: Vulnerabilities in the smartwatch/band are exploited. Accessory: A wearable device that can be worn. BLE: An attack that exploits a vulnerability in BLE communication.

Khan et al. [147] used BetterCap Sniffer to capture smartwatch communication packets and GattTool to establish and control connections between BLE gadgets. In Case Study 4, They focus on Senbono CF-58 devices. Fig. 14 shows an overview of the attack process for the Senbono CF-58 devices attack process. First, install the BetterCap BLE scanning tool on your Kali Linux machine and enable the Bluetooth service. After identifying the BLE device through BetterCap, find the Senbono CF-58 device in the list of scanned BLE devices and record its MAC address. Afterward, the Mac address is collected, and the BLE.enum command collects detailed information. After completing attack reconnaissance, check the data packets through Wireshark. Send a ping to the BLE gadget to capture packets and analyze the gadget’s UUID descriptor model. Check what type of data the gadget’s UUID descriptor corresponds to. Connect your CF58 smartwatch and Kali Linux machine using GATTTOOL. Also, access the terminal and check all UUIDs associated with the device. Afterward, used Wireshark to cross-reference the previously identified UUIDs to identify specific UUIDs to target. Finally, the data on the smartwatch is altered by modifying the value of the target UUID.