IoT Working Group Minutes RIPE 92

Date: Thursday, 21 May, 14:00 ‐ 15:30 (UTC +0100)

Co-Chairs: Peter Steinhäuser, Anna Maria Mandalari

Scribe: Alun Davies

Status: Draft

A. Introduction & Housekeeping

Peter Steinhaeuser

Peter Steinhaeuser opened the IoT Working Group session, reviewed the agenda, and noted that his term as co-chair would conclude at RIPE 92. He also asked attendees to review the published RIPE 91 minutes, reminded participants of the RIPE Code of Conduct, and outlined procedures for in-person and remote participation before introducing the first speaker.

B. IoT DNS Security and Privacy Guidelines Update

Jim Mozley (Infoblox, University College London and Inria)

Jim provided an update on the IETF draft IoT DNS Security and Privacy Guidelines, which was developed in response to research into the DNS behaviour of IoT devices. He presented findings from the research, including examples of devices overriding network-provided DNS settings and implementing DNS protocols incorrectly, and outlined the draft's recommendations for improving security and privacy. The draft covers topics including standards compliance, encrypted DNS, DNSSEC, and the publication of management domains used by IoT devices, and is intended to serve as best current practice guidance for manufacturers, network operators and regulators.

Jim Reid (RTFM llp) questioned how realistic it would be to expect resource-constrained IoT devices to support DNSSEC validation and encrypted DNS protocols, particularly given the limitations of device hardware and the DNS capabilities typically available in residential networks.

Jim Mozley agreed that there are practical constraints and trade-offs, but argued that the draft should set a high bar for security and privacy. He noted that devices could rely on validation performed by a trusted resolver and that manufacturers should make conscious decisions when choosing not to implement specific recommendations.

Greg Choules (ISC) asked whether manufacturers of low-cost consumer devices would be willing to absorb the costs associated with implementing these features. Jim replied that many IoT devices already perform computationally intensive tasks and suggested that certification schemes and industry standards could help drive adoption of improved DNS security practices.

Alistair Woodman (NetDEF) noted that European regulatory initiatives such as the Cyber Resilience Act could provide a mechanism for incorporating such recommendations into future standards and requirements for connected devices.

There were no further questions.

C. Designing IoT Honeypots: Lessons from Seven Years of Architectural Challenges

Robert Thomas (Global Cyber Alliance)

Robert presented lessons learned from seven years of developing ProxyPot, a honeypot designed to capture and analyse attacks targeting IoT devices. He described the challenges of supporting multiple protocols within a single platform, scaling globally distributed deployments, maintaining realistic service emulation, and collecting high-fidelity attack data. Drawing on operational experience, he highlighted the importance of automation, observability and protocol-specific behaviour in building effective IoT honeypots capable of capturing meaningful threat activity across a diverse attack surface.

Warren Kumari (Google) asked how ProxyPot handles authentication for services such as SSH, Telnet and FTP, and whether it accepts arbitrary usernames and passwords. Robert replied that the project uses a number of different approaches and experiments with authentication behaviour. He noted that ProxyPot can be configured to accept specific credentials and, in some cases, adapts its responses based on previous interactions with the same attacker.

Victoria Risk (ISC) questioned whether maintaining realistic protocol and device emulation was sustainable given the diversity of IoT devices and the pace of software updates. She suggested that using instrumented real devices might provide a more scalable way to capture meaningful attack activity. Robert agreed that accurately emulating shell environments is particularly challenging and noted that the project is continuing to explore different approaches to balancing realism and operational practicality.

Lutz Donnerhacke (IKS Service GmbH) described using honeypots internally to intercept and suppress unwanted traffic generated by IoT devices and suggested further discussion on the topic.

Lukas Rose (HHU Düsseldorf University) asked whether ProxyPot could be deployed within internal networks to help identify malicious activity originating from inside an organisation. Robert replied that this was a common request and said that while ProxyPot is not open source, the possibility of broader deployments could be discussed further.

In response to a remote question from Michael Richardson (Sandelman Software Works Inc) about SSH authentication behaviour, Robert explained that ProxyPot supports both password-based authentication and SSH keys, and that the project continues to experiment with different authentication models to better understand attacker behaviour.

A final comment from Leslie Daigle (Global Cyber Alliance) highlighted the distinction between collecting generic attack traffic at scale and building highly tailored deception environments that mimic specific IoT devices and services.

There were no further questions.

D. Traffic-Level In-Depth Profiling of Smart Home Events, Devices, and Cross-Device Interactions

François De Keersmaeker (UCLouvain)

François presented research on profiling the network behaviour of smart home devices to improve their security. He described limitations of the IETF Manufacturer Usage Description (MUD) standard, particularly its inability to express dependencies between traffic patterns generated by interactions between devices, and proposed an extended profile format and enforcement framework to address these limitations. He also presented an automated methodology for generating device traffic profiles that uncovers communication patterns not normally observed under standard network conditions, and suggested that such profiling could be used to assess device robustness and inform future consumer-facing security and resilience labels.

Lukas Rose (HHU Düsseldorf University) asked whether the generated firewall profiles could be published and made available for users to deploy on platforms such as OpenWrt. François replied that all of the research outputs are open source and publicly available. He noted, however, that profiles incorporating device interactions are often specific to a particular smart home deployment, making them less straightforward to distribute and reuse than standard MUD profiles.

Lukas also asked about the use of open source smart home platforms that replace vendor-controlled cloud services. François noted that platforms such as Home Assistant can help keep communications local, but that many popular commercial ecosystems continue to rely heavily on cloud-based communication.

Greg Choules (ISC) asked whether the research had examined commercially available systems for potentially unnecessary or unexpected network communications and whether manufacturers had been contacted about any findings. François replied that this was outside the scope of the work, which focused on traffic profiling and security enforcement rather than identifying information leakage or protocol weaknesses, although he noted that such topics are actively studied by other researchers.

Wael Mahlous (UCL) asked how profile-based security systems can remain effective when device behaviour changes following firmware updates. François acknowledged that this is a challenge and explained that he had encountered cases where firewall rules had to be updated manually. He suggested that periodic auditing and automated profile updates would be necessary to keep such systems aligned with evolving device behaviour.

Peter Steinhäuser noted that profiles incorporating device interactions are inherently tied to a specific smart home deployment rather than being generic profiles for a device model. François agreed, explaining that this dependency arises directly from the interaction patterns between devices.

There were no further questions.

E. State of Device Identities

Michael Richardson (Sandelman Software Works Inc)

Michael provided an update on the Device Identity Forum, an initiative launched by the IoT Security Foundation to improve understanding and communication around device identities and related security technologies. He described the group's ongoing work to develop common terminology, visual representations and guidance documents that can be used by manufacturers, operators and other stakeholders. He also outlined progress made over the past year, invited broader participation in the forum, and highlighted the need for contributions from both technical and communications professionals.

There were no questions.

F. Co-Chair Selection & Closing

Anna Maria Mandalari and Peter Steinhaeuser

Anna thanked Peter for his work as IoT Working Group co-chair, noting that his term had come to an end. Anna also announced that Ramona Marfievici had received support from the mailing list and the room to become a co-chair of the working group. Anna noted Ramona's experience in IoT, including her work as Principal IoT Engineer at Digital Catapult, and said she would be a valuable addition to the group.

The chairs thanked the speakers and participants, reminded attendees to rate the talks and to vote in the RIPE NCC elections before voting closed, and then closed the session.