Dear Töma,

first of all, a great thanks for your talk at RIPE 77 - nice to see we
have the same favourite band ;)

Previously on topic: we've agreed (haven't we?) that MUD is not
currently targeting industrial IoT and connected health. So, smart
homes.

(By the way, it is more proper to directly specify the issue you're
handling before proposing a solution. As MUD doesn't solve the
security problem of IoT in general, let's then call it a solution for
smart homes, but not a solution for IoT.)

The issue with smart homes, wearables etc. is that a contemporary
commodity IoT device is not connected to the Internet in order to
really provide a service to the customer. Instead, it collects,
processes and sends data and telemetry which is precious for its
vendor, which said vendor would then be able to sell.

- https://www.theverge.com/2017/7/24/16021610/irobot-roomba-homa-map-data-sale
- https://www.warc.com/newsandopinion/news/general_motors_generates_new_radio_advertising_insights/41073
- et cetera.

Expecting a vendor to cut their own cables themselves is a strange
move, isn't it? Hence, "default policy is no access" stuff isn't just
going to fly.

The question here to me seems what we want to achieve. I'm totally on
your page in terms of data collection and privacy. But that's to a large part
the end user's choice - even if I have to admit most of them simply don't care,
just look at the amount of data people share via Facebook: Happy social
engineering!

My concern is more the integrity of the network infrastructure and how to
reduce the impact of hacked IoT devices used in DDoS attacks.

MUD files can help to identify what a device's purpose is and to monitor
whether the device is doing what it's supposed to do. I agree that we should not
have much hope that the device makers will do their job, but I'm sure a
community-fuelled MUD proxy could play a role here.

d) Also, if said data is worth selling, setting up a firewall won't
help because an IoT device will then use whatever radio technology is
built in to connect to the Internet without your nice firewall. The
only outcome would be an increased manufacturing cost because of an
additional radio module (and yes, it's the customer who's gonna pay
for this). Sorry guys. Nothing personal, it's just business.

e) You cannot possibly set a firewall between the Internet and
wearables, SmartTV, cars, etc.

That's totally true in terms of privacy and data mining, but here - as said -
it's the customer's choice (given all the cons we all know). In terms of
preventing IoT devices from being abused for DDoS, firewalling can help.

What's not been addressed so far is the fact that a hacked IoT device could
be used to hack other IoT devices in an end user's network. That cannot
be prevented by firewalling in most cases, but there are a few things that
can be done (separate network segments for different IoT device classes,
isolation for wirelessly connected devices, UPnP control etc.).

The SPIN project 

https://www.sidnlabs.nl/a/weblog/spin-a-user-centric-security-extension-for-in-home-networks

and the activities of the IETF home network working group presented in
Michael's talk on Thursday follow similar approaches, and I think we should
work in that direction.

Regards,
Peter
Peter Steinhäuser, CEO
embeDD GmbH · Alter Postplatz 2 · 6370 Stans · Switzerland
Phone: +41 (41) 784 95 85 · Fax: +41 (41) 784 95 64
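The monitoring role Peter sketches for a MUD proxy (check whether a device only talks to what its MUD file declares, and flag everything else) can be shown in a few dozen lines. The following is an added example and not code from this e-mail thread, from SPIN or from any MUD implementation. It embeds a MUD file laid out in the RFC 8520 structure, but the device, the hostname `cloud.example.invalid`, the addresses, the DNS answers and the flow records are all constructed sample data; `audit()` and the other function names are this example's own.

```python
"""Audit observed device flows against a MUD policy (RFC 8520 structure).

Added example; not the e-mail thread's, SPIN's or any MUD project's code.
Everything below (MUD file, DNS answers, flows) is constructed sample data.
"""
import json

# Constructed MUD file: the device may initiate TCP/443 to its vendor cloud
# and receive replies from it. MUD semantics: anything not listed is denied.
MUD_FILE = json.dumps({
    "ietf-mud:mud": {
        "mud-version": 1,
        "mud-url": "https://example.invalid/mud/thermostat.json",  # constructed
        "last-update": "2018-10-20T10:00:00+00:00",
        "cache-validity": 48,
        "is-supported": True,
        "systeminfo": "Example thermostat (constructed)",
        "from-device-policy": {"access-lists": {"access-list": [{"name": "mud-1-v4fr"}]}},
        "to-device-policy": {"access-lists": {"access-list": [{"name": "mud-1-v4to"}]}},
    },
    "ietf-access-control-list:acls": {"acl": [
        {"name": "mud-1-v4fr", "type": "ipv4-acl-type", "aces": {"ace": [
            {"name": "cloud-frdev",
             "matches": {"ipv4": {"ietf-acldns:dst-dnsname": "cloud.example.invalid",
                                  "protocol": 6},
                         "tcp": {"ietf-mud:direction-initiated": "from-device",
                                 "destination-port": {"operator": "eq", "port": 443}}},
             "actions": {"forwarding": "accept"}}]}},
        {"name": "mud-1-v4to", "type": "ipv4-acl-type", "aces": {"ace": [
            {"name": "cloud-todev",
             "matches": {"ipv4": {"ietf-acldns:src-dnsname": "cloud.example.invalid",
                                  "protocol": 6},
                         "tcp": {"ietf-mud:direction-initiated": "from-device",
                                 "source-port": {"operator": "eq", "port": 443}}},
             "actions": {"forwarding": "accept"}}]}},
    ]},
})

# Constructed DNS answers seen by the gateway. The enforcer resolves dnsname
# entries itself instead of trusting the device's own claims.
DNS = {"cloud.example.invalid": {"203.0.113.10"}}

# Constructed flow records: (direction, ip_protocol, peer_ip, peer_port)
FLOWS = [
    ("from-device", 6, "203.0.113.10", 443),    # vendor cloud: declared
    ("from-device", 6, "198.51.100.7", 80),     # unknown Internet host
    ("from-device", 17, "192.168.1.23", 1900),  # SSDP/UPnP to a LAN neighbour
    ("from-device", 6, "192.168.1.30", 22),     # SSH towards another LAN device
]


def load_from_device_rules(mud_json, dns):
    """Return the accept rules for device-initiated traffic as (proto, ips, port).

    ips is None when the ACE has no dnsname match (any destination); port is
    None when there is no 'eq' port match. An unresolvable name yields an
    empty set, so it permits nothing.
    """
    doc = json.loads(mud_json)
    mud = doc["ietf-mud:mud"]
    wanted = {a["name"] for a in mud["from-device-policy"]["access-lists"]["access-list"]}
    rules = []
    for acl in doc["ietf-access-control-list:acls"]["acl"]:
        if acl["name"] not in wanted:
            continue
        for ace in acl["aces"]["ace"]:
            if ace["actions"]["forwarding"] != "accept":
                continue
            m = ace["matches"]
            ip = m.get("ipv4", {})
            host = ip.get("ietf-acldns:dst-dnsname")
            ips = dns.get(host, set()) if host else None
            l4 = m.get("tcp") or m.get("udp") or {}
            dport = l4.get("destination-port", {})
            port = dport.get("port") if dport.get("operator") == "eq" else None
            rules.append((ip.get("protocol"), ips, port))
    return rules


def flow_permitted(flow, rules):
    """True if any accept rule covers the flow; otherwise it is outside the MUD."""
    _direction, proto, peer, port = flow
    for r_proto, r_ips, r_port in rules:
        if r_proto is not None and r_proto != proto:
            continue
        if r_ips is not None and peer not in r_ips:
            continue
        if r_port is not None and r_port != port:
            continue
        return True
    return False


def audit(flows, mud_json=MUD_FILE, dns=DNS):
    """Return the device-initiated flows that fall outside the declared behaviour."""
    rules = load_from_device_rules(mud_json, dns)
    return [f for f in flows if f[0] == "from-device" and not flow_permitted(f, rules)]


if __name__ == "__main__":
    for flow in audit(FLOWS):
        print("outside MUD policy:", flow)
```

The two LAN-local flows are flagged here only because the sample pretends the gateway saw them; on a flat, switched home LAN the gateway never sees device-to-device traffic, which is exactly why the segmentation and wireless client isolation mentioned above matter in addition to MUD-based filtering at the edge.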