[iot-wg] "The Internet of Threats: Fighting FUD with MUD"
- Previous message (by thread): [iot-wg] "The Internet of Threats: Fighting FUD with MUD"
- Next message (by thread): [iot-wg] "The Internet of Threats: Fighting FUD with MUD"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Jacques Latour
Jacques.Latour at cira.ca
Mon Oct 22 09:54:48 CEST 2018
Hi, I just joined this group. Today's and tomorrow's smart television are more a full blown computer with screen and keyboard, and it difficult to pin down exactly what the device should be doing in a MUD profile. It's not a real IoT device. A MUD profile for a thermostat or video camera or a real IoT device will be useful. The prototype has shown for far it's functionally possible to make MUD work. Jack >-----Original Message----- >From: iot-wg <iot-wg-bounces at ripe.net> On Behalf Of Jelte Jansen >Sent: October 22, 2018 12:29 AM >To: Jim Reid <jim at rfc1035.com>; Peter Steinhäuser <ps at embedd.com> >Cc: RIPE IoT WG List <iot-wg at ripe.net> >Subject: Re: [iot-wg] "The Internet of Threats: Fighting FUD with MUD" > > > >On 10/21/18 2:33 PM, Jim Reid wrote: >>> MUD files can help to identify what’s a devices purpose and >>> monitoring if the device is doing what it’s supposed to do. I agree >>> that we should not have much hope that the device makers will do their job. >> >> Indeed. However at least MUD files should (in principle anyway) give people an >idea of what their latest IoT toy will do once it’s plugged in. Though just saying it >phones home to google/Amazon/Facebook every so often isn’t much help if you >don’t know what it's sending and receiving. Or why it’s doing that. >> > >Or, as it was in the case of Samsung Television voice control data, whether the >data that is ostensibly sent for a reasonable purpose is passed on to third parties >by the service anyway. No amount of technical measures will protect against >that. But at least then it will be the services' responsibility. > >> MUD files are a small step in the right direction. Hopefully we’ll one day see >this information printed on the IoT device itself and the box it comes in. >> > >I have started to wonder whether this won't be the other way around. As in, >whether device manufacturers might be forced to disclose what their devices >will be doing on the internet (similar to how they should disclose what power >they safely operate at), and that MUD (or MUD-like) profiles will be derived from >that. > >> BTW, Jelte spoke about the SPIN project at the WG meeting in Marseille. It was >a revelation to see how much data was being sent outside his home network >from its IoT devices. [And on a related note, why does my DVD player call the >mothership and what data are being exchanged?] Michael’s idea of an IoT >firewall would mean we can see what’s going on. This sort of thing will be >essential if the concept of informed consent means anything. >> > >Peter and I have been in contact after that presentation :) > >Anyway, the move to everything being encrypted, while protecting against >eavesdroppers, will certainly not help protect against what our devices are >sending out. At most to whom initially (but now I am repeating myself). But that >is already very revealing; I have done a few presentations about SPIN where we >connected an audience member's phone to the system, and every single time >something interesting has popped up so far. > >The biggest 'whoa what the' moment you can get, by the way, if you can show >an Amazon Echo owner that Amazon stores -and you can play back- all the audio >commands they have ever given those things. > >Jelte > >_______________________________________________ >iot-wg mailing list >iot-wg at ripe.net >https://lists.ripe.net/mailman/listinfo/iot-wg
- Previous message (by thread): [iot-wg] "The Internet of Threats: Fighting FUD with MUD"
- Next message (by thread): [iot-wg] "The Internet of Threats: Fighting FUD with MUD"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
[ iot-wg Archives ]