IoT Working Group Minutes RIPE 91

Date: Thursday, 23 October 2025 14:00 ‐ 15:30 (UTC +3)

Co-Chairs: Peter Steinhäuser, Anna Maria Mandalari

Scribe: Alun Davies

Status: Draft

View the stenography transcripts

View the chat logs

A. Introduction & Housekeeping [5 min]

Peter Steinhäuser

The presentation is available at:

https://ripe91.ripe.net/programme/meeting-plan/sessions/44/XV3MBK/#video

Peter (joining remotely) opened the IoT WG with welcomes, quick housekeeping (approved minutes, CoC, participation via mic/Meetecho), and introducing a packed agenda.

B. Cyberattack Observation Using IoT Honeypots at Yokohama National University [20 min]

Takayuki Sasaki

The presentation is available at:

https://ripe91.ripe.net/programme/meeting-plan/sessions/44/QBTJJJ/#video

Takayuki presented on X-POT, an adaptive HTTP honeypot that emulates IoT WebUIs to capture attacks and uses a rule-based plus LLM pipeline to tag, classify, and surface new exploits and targets. Long-term operation let the team track exploit lifecycles, spot zero-days (including against industrial/IoT systems), and release a public dataset to support collaborative research.

Anna Mandalari asked how this infrastructure might be used by the RIPE community and whether there might be any issues with data sharing for collaboration. Takayuki responded that he and his colleagues would be happy to share their data with the community, including the honeypot observation data.

C. IPv6’s Unintended Fingerprints: Extracting Insights from EUI-64 [20 min]

Bart Batenburg

The presentation is available at:

https://ripe91.ripe.net/programme/meeting-plan/sessions/44/YARYXG/#video

Bart showed how EUI-64 leaves stable, MAC-derived fingerprints that enable tracking, then mapped its use across an IoT lab, a university network, and SURF. By extracting MACs and clustering patterns (e.g., sequential vendor ranges), he showed how this can speed discovery of similar devices—underscoring the case for privacy-preserving, randomised IIDs.
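The MAC recovery and clustering described above, as an added example that is not part of the minutes or of Bart's own tooling. It assumes the standard EUI-64 construction (RFC 4291, Appendix A: the 48-bit MAC is split, ff:fe is spliced into the middle, and the universal/local bit is inverted), and the addresses it scans are constructed sample values, not data from any of the networks mentioned. Written from an operator's side, it audits a list of observed addresses for MAC leakage and groups the leaked MACs by OUI to find the sequential vendor ranges the talk refers to.

```python
import ipaddress
from collections import defaultdict

# Constructed sample addresses (documentation prefix 2001:db8::/32 plus one
# link-local). Three embed sequential MACs from one OUI, one embeds a MAC from
# another OUI, and two use opaque / random interface identifiers.
SAMPLE_ADDRESSES = [
    "2001:db8::211:22ff:fe33:4455",   # EUI-64 from 00:11:22:33:44:55
    "2001:db8::211:22ff:fe33:4456",   # EUI-64 from 00:11:22:33:44:56
    "fe80::211:22ff:fe33:4457",       # EUI-64 from 00:11:22:33:44:57
    "2001:db8::a8bb:ccff:fedd:eeff",  # EUI-64 from aa:bb:cc:dd:ee:ff
    "2001:db8::1234:5678:9abc:def0",  # random-looking IID (no ff:fe marker)
    "2001:db8::1",                    # manually assigned
]


def eui64_to_mac(addr: str):
    """Return the MAC embedded in an EUI-64 interface identifier, or None.

    The check is the ff:fe marker in octets 3-4 of the IID; an opaque IID can
    contain that pattern by chance, so treat a hit as strong evidence, not proof.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]   # low 64 bits = interface ID
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02                          # undo the U/L bit inversion
    mac = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def eui64_share(addrs):
    """Fraction of observed addresses that expose a hardware MAC."""
    hits = sum(1 for a in addrs if eui64_to_mac(a) is not None)
    return hits / len(addrs) if addrs else 0.0


def cluster_by_oui(addrs):
    """Group leaked MACs by their first three octets (the vendor OUI)."""
    groups = defaultdict(list)
    for a in addrs:
        mac = eui64_to_mac(a)
        if mac is not None:
            groups[mac[:8]].append(mac)
    return {oui: sorted(set(macs)) for oui, macs in groups.items()}


def sequential_runs(macs, min_len=2):
    """Find runs of consecutive NIC-specific values within one OUI.

    Consecutive MACs under the same OUI are the 'sequential vendor range'
    signal: they usually mean devices of the same model and production batch.
    """
    by_oui = defaultdict(set)
    for m in macs:
        by_oui[m[:8]].add(int(m[9:].replace(":", ""), 16))
    runs = []
    for oui, vals in by_oui.items():
        ordered = sorted(vals)
        run = [ordered[0]]
        for v in ordered[1:]:
            if v == run[-1] + 1:
                run.append(v)
            else:
                if len(run) >= min_len:
                    runs.append((oui, run))
                run = [v]
        if len(run) >= min_len:
            runs.append((oui, run))
    fmt = lambda oui, v: f"{oui}:{v >> 16:02x}:{(v >> 8) & 0xff:02x}:{v & 0xff:02x}"
    return [[fmt(oui, v) for v in run] for oui, run in runs]


if __name__ == "__main__":
    print(f"addresses leaking a MAC: {eui64_share(SAMPLE_ADDRESSES):.0%}")
    for oui, macs in cluster_by_oui(SAMPLE_ADDRESSES).items():
        print(oui, macs)
    all_macs = [m for macs in cluster_by_oui(SAMPLE_ADDRESSES).values() for m in macs]
    print("sequential runs:", sequential_runs(all_macs))
```

On a real network the input would be the addresses seen in neighbour caches, flow logs or RA-monitoring, and a high `eui64_share` on a segment is the cue to enable randomised or stable-opaque identifiers (RFC 8981 temporary addresses, RFC 7217) where the devices support them, or to flag the devices that cannot.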

Anna Mandalari asked whether Bart had reached out to TP-Link. Bart answered that he had not yet, but he would pass on the suggestion to his colleagues. Peter Steinhäuser added that this would indeed be interesting, because TP-Link was recently in the press again and we should maybe be taking a closer look at their devices.

Anna then asked, of the billions of IoT devices, what percentage can be identified as IoT devices by looking at the MAC address. Bart noted that he did have some numbers for the total size of the networks in his thesis, but did not remember the answer right now. They agreed to look into that later.

There were no further questions.

D. Beyond the Hype: Investigating Matter Standard’s Security and Privacy [30 min]

Andrew Losty

The presentation is available at:

https://ripe91.ripe.net/programme/meeting-plan/sessions/44/E3DKS7/#video

Andrew outlined Matter’s architecture (IPv6/Thread transport, cert-based onboarding, and the CSA’s DCL-driven trust fabric), plus how governance and certification shape participation. Lab checks found practical gaps: some devices still succumbed to basic DoS, multicast adverts exposed detailed device metadata, and the OTA update mechanism appears underused.

Niall O'Reilly (RIPE Vice-Chair), speaking as a former PhD student, noted that it's great that this kind of thesis is being produced, but it's disappointing that big companies don't understand the need for transparency and the importance of sharing information for better security.

Peter Steinhäuser asked whether Andrew was aware of any activity from the regulators who enforce regular updates, e.g. in connection with unknown CVEs. Andrew answered that regulatory pressure for timely updates is real, and vendors do ship major and minor releases for security fixes—but it’s hard to verify in practice. Non-Matter stacks often expose a manual “update” trigger and clearer telemetry, while Matter devices typically don’t, making it difficult to prompt or observe updates. His team is expanding the lab and using CHIP/Matter dev tools to probe devices, but strong auth/encryption and the lack of a reliable update trigger leave a visibility gap on whether fixes (including for unknown CVEs) actually reach devices.

There were no further questions.

E. The Cyber Resilience Act: Current Status and Next Steps [10 min]

Anna Maria Mandalari

The presentation is available at:

https://ripe91.ripe.net/programme/meeting-plan/sessions/44/QEPU3K/#video

Anna updated the room on CRA standards work for IoT: 19 draft standards that are due out for public consultation. She urged the RIPE community to contribute operational input so requirements reflect real-world practice. Early lab checks show why: many devices break “local connectivity” expectations, several are vulnerable to TLS interception, and objective, traffic-based compliance metrics are still needed.

Eric van Uden (AVM GmbH for ICT) flagged scale as a core issue. Many products will fall under “important products,” and routers alone make the timeline unrealistic. Anna agreed: of the 19 drafts, roughly half are only about 50% complete, so publication by month’s end is uncertain; she added that limited manufacturer participation is a problem and urged vendors to engage now rather than complain later.

Ulrich Wisser (ICANN) urged using open, multi-stakeholder processes, like the IETF’s, so anyone can participate regardless of budget, noting that ETSI falls short here. Anna agreed, saying that she has raised this with ETSI, flagged some upcoming open meetings, and is working to map relevant IETF work into the ETSI/CRA standards, and she invited ideas from the community.

There were no further questions.

F. Closing [5 min]

Peter Steinhäuser

The presentation is available at:

https://ripe91.ripe.net/programme/meeting-plan/sessions/44/TEQUHG/#video

Peter noted that his term as working group co‑chair will end at the next meeting, RIPE 92. The chair selection process will start ahead of the next meeting, and there will be announcements via the mailing list. Peter and Anna thanked the speakers and ended the session.