Dear all, Here's the agenda for the IoT working group session at RIPE 79 in Rotterdam. For the last two talks, there is no description, since they are self-explanatory. We're meeting on Thursday 17th October from 11:00 to 12:30. ==== 1. Administrivia 5 minutes 2. The security lifecycle of an IoT device by Michael Richardson (Sandelman Software Works) and Eliot Lear (CISCO) 50 minutes Description : The RFC8520 Manufacturer Usage Description (MUD) is a tool to describe the limited access that a single function device such as an Internet of Things device might need. The automatic enforcement of access control lists is a serious boon to security of residents and enterprises alike. While enterprises that set up firewalls typically have an idea of how they would respond to an incident,the same is not true for residential situations. The impact of a "Boy who Cries Situation" where an IoT firewall sends inappropriate warnings, the end result is that the firewall is turned off, is a situation worth avoiding through further automation of the security warning process. This talk proposes to standardize a series of processes and protocols for the quarantine and re-storartion of a device. 3. Databox as a Platform for Monitoring IoT Devices at the Edge by Anna Maria Mandalari (Imperial College) 15 minutes Description : The Internet of Things (IoT) is now a reality and many challenging issues still need to be addressed. One of this is to guarantee trust, privacy, and security. Privacy has become particularly pertinent after the initiative of the European Commission (EC) about the General Data Protection Regulation (GDPR). Since it has been demonstrated that ensuring privacy relying on the cloud creates risks of privacy violation, we propose to work at the edge. We first build an open access and flexible hardware platform for measurements and custom experimentation on IoT environment. The platform is composed by 87 IoT devices distributed in different locations and backend servers for collecting data. The platform allows to monitor and control the measurement process, and most important ensuring repeatability on the measurements and controlling context information. Through a total of 34,586 rigorous automated and manual controlled experiments, we characterize information exposure in terms of destinations of Internet traffic, whether the contents of communication are protected by encryption, what are the IoT-device interactions that can be inferred from such content, and whether there are unexpected exposures of private and/or sensitive information (e.g., video surreptitiously transmitted by a recording device). We highlight regional differences between these results, potentially due to different privacy regulations in the US and UK. Finally, we develop a Databox app for privacy analysis, a user-side application running locally allowing to monitor the IoT devices, interact with them, understand their operation and look for anomalies. Results will help companies to not accumulate personal data except what they actually require, in order to comply with the GDPR and give control back to the user. 4. Update on the IoT Hackathon Rotterdam 2019 by Constanze Dietrich (Lexta Consultants Group) 15 minutes 5. Best Current Operational Practice (BCOP) document in RIPE scope for proactively mitigating IoT attacks by Jim Reid (RIPE IoT WG Co-chair) If time permits X. AOB ==== -- The RIPE IoT Working Group Chairs Jim and Sandoche