IoT Working Group Minutes - RIPE 77

18 October 2018, 16:00-17:30
Chair: Jim Reid
Scribe: Mirjam Kühne
Status: Draft

1. Administrivia

Jim Reid opened the second official meeting of this group as a RIPE Working Group.

2. RIPE NCC Report

Marco Hogewoning, RIPE NCC

The presentation is available at:
https://ripe77.ripe.net/archives/video/2307

Jim Reid asked how the community could help to fill the empty spaces currently in the directive.

Marco said he didn't know at that point. He recommended working with the local regulators.

Peter Koch, DENIC, mentioned that there were large concerns about open source products. He wondered if there was awareness about that or special ideas for treating open source products.

Marco responded that the document seemed to be fine with open source software, but manufacturers needed to stay within their limits. However, there were exemptions for amateur radio operators.

Brian Nisbet, HEAnet, said that some of those pieces that were currently missing were things that should be there right now, for instance network abuse. He wondered why they were waiting for later.

Marco explained that the directive was indeed very generic. It suggested sticking within the particular regulatory framework, but it left details open to the regulator.

Christian Bretterhofer, Andritz, suggested having a discussion about why and what devices actually needed to be connected to the Internet.

Marco explained that there was indeed an ongoing discussion about possibly slowing down innovation and making more conscious decisions about connecting or not connecting devices.

Florian Streibelt, Max Planck, clarified that the exemptions were only for ham radio operations.

3. The Internet of Threats: Fighting FUD with MUD

Michael Richardson, Sandelman Software Works

The presentation is available at:
https://ripe77.ripe.net/archives/video/2309

Artem Gavrichenkov asked who was going to implement this.

Michael explained that they believed it should be in the interest of the ccTLDs. It was necessary to make that investment. They would also present this at the ICANN meeting to encourage ccTLDs to implement this.

Artem noticed that the presentation only covered smart homes, noting that that’s only a small fraction. He wondered why, for instance, industrial devices were not included.

Michael explained that the protocols they were proposing to apply in the home were variations of some of the IETF protocols that were being developed for specifically securing industrial devices.

Artem said he was afraid that smart home vendors weren't going to implement this because they would lose money.

Michael explained that this was one of the reasons they were building a firewall around them.

Jelte Jansen, SIDN, made the audience aware of the SPIN project at SIDN and that there were quite a number of similarities to the presented solution. He suggested possibly standardising the way MUD files were spread.

Michael responded that the initial thought was to add a trust anchor and that they were going to get a curated database with changes that came from the community.

Jelte suggested thinking about a more general solution.

Robert Kisteleki, RIPE NCC, applauded Michael and others for this exciting work. He asked what role machine learning could play, adding that this was the best remote presentation he'd seen.

4. Police Perspective on IoT, Challenges and Strategy

Jaap van Oss and Manon den Dunnen, Politie Nederland

The presentation is available at:
https://ripe77.ripe.net/archives/video/2311
 
Jim said he hoped this was a start of an ongoing dialogue.

Artem asked what data source the speakers were using for making the statement that the majority of DDoS attacks come from IoT devices.

Jaap van Oss responded that this was based on his general knowledge in investigating these kinds of crimes.

5. Security Problems in IoT

Thomas Stols, Computest

The presentation is available at:
https://ripe77.ripe.net/archives/video/2313
 
Jan Zorz, ISOC, asked if an IoT device had the 'smart' at the core, was connected to the Internet and could be controlled from the cloud. He wondered whether it was a security risk.

Thomas responded that this was not necessarily the case if the cloud was properly secured. But yes, it could definitely be a risk.

Brian Nisbet was shocked to hear that a hackers' organisation was shorting the stock of a company just because they have no bounty program.

Thomas said he agreed, but from a legal perspective this was a grey area.

Manon asked if Thomas thought that sharing biometrical identity was the way to go.

Thomas said it could possibly be used as an additional security mechanism.

Manon said she was concerned about this, because it’s giving away the closest thing to our identity and sharing them on the Internet.

Thomas responded that it was definitely improving security compared to passwords.

Peter Steinhäuser, enbeDD, clarified that the facial recognition of Apple was actually not going to the cloud, but it stayed on the device.

Neofytos Kountardas, Greek Cybercrime Unit, added that the European Commission was looking at the option to add cybersecurity certificates for devices.

Thomas welcomed this initiative by governmental institutions.

6. The Internet-of-Insecure-Things: Causes, Trends and Responses

Arman Noroozian, TU Delft

The presentation is available at:
https://ripe77.ripe.net/archives/video/2317
 
Jim thanked the speaker for this fantastic work and said he would like to see more of this kind of work.

Jelte said he was surprised to see that doing nothing is better than informing your customers by email.

Arman clarified that people just tended to ignore these kinds of informational emails. Purely sending abuse emails didn't seem to work.

7. AOB

Jim said he would like to close the discussion on the WG chair selection process on the mailing list shortly after this meeting. He hoped to have a co-chair for RIPE 78.

 

While much of the work of this working group takes place on a dedicated mailing list, the RIPE IoT Working Group gathers at RIPE Meetings.

The RIPE NCC, as secretariat for the RIPE community, minutes these meetings, which are usually made available shortly after a meeting ends.

If you have comments on the content of the minutes, please contact the working group chairs.