Amanda Gowland has produced an excellent set of draft minutes from the WG session at the last RIPE meeting. Many thanks to her. Please speak up on the list if there are any errors or omissions.

IoT WG
RIPE 77
Thursday, 18 October 2018, 16:00 - 17:30
Scribe: Mirjam Kühne

Agenda:

1. Administrivia

Jim Reid opened the second official meeting of this group as a RIPE Working Group.

2. RIPE NCC Update (Marco Hogewoning)

The presentation is available at:
https://ripe77.ripe.net/archives/video/2307

Jim Reid asked how the community could help to fill the empty spaces currently in the directive. Marco said he didn't know at that point. He recommended working with the local regulators.

Pete Koch, DENIC, mentioned that there were large concerns about open source products. He wondered if there was awareness about that or special ideas for treating open source products. Marco responded that the document seemed to be fine with open source software, but manufacturers needed to stay within their limits. However, there were exemptions for amateur radio operators.

Brian Nisbet, HEAnet, said that some of those pieces that were currently missing were things that should be there right now, for instance network abuse. He wondered why they were waiting for later. Marco explained that the directive was indeed very generic. It suggested sticking within the particular regulatory framework, but it left details open to the regulator.

Christian Bretterhofer, Andritz, suggested having a discussion about why and what devices actually needed to be connected to the Internet. Marco explained that there was indeed an ongoing discussion about possibly slowing down innovation and making more conscious decisions about connecting or not connecting devices.

Florian Streibelt, Max Planck, clarified that the exemptions were only for ham radio operations.

3. The Internet of Threats: Fighting FUD with MUD (Michael Richardson, Sandelman Software Works)

The presentation is available at:
https://ripe77.ripe.net/archives/video/2309

Artem Gavrichenkov asked who was going to implement this. Michael explained that they believed it should be in the interest of the ccTLDs. It was necessary to make that investment. They would also present this at the ICANN meeting to encourage ccTLDs to implement this.

Artem noticed that the presentation only covered smart homes, noting that that’s only a small fraction. He wondered why, for instance, industrial devices were not included. Michael explained that the protocols they were proposing to apply in the home were variations of some of the IETF protocols that were being developed specifically for securing industrial devices.

Artem said he was afraid that smart home vendors weren't going to implement this because they would lose money. Michael explained that this was one of the reasons they were building a firewall around them.

Jelte Jansen, SIDN, made the audience aware of the SPIN project at SIDN and that there were quite a number of similarities to the presented solution. He suggested possibly standardising the way MUD files were spread. Michael responded that the initial thought was to add a trust anchor and that they were going to get a curated database with changes that came from the community. Jelte suggested thinking about a more general solution.

Robert Kisteleki, RIPE NCC, applauded Michael and others for this exciting work. He asked what role machine learning could play, adding that this was the best remote presentation he'd seen.

4. Police Perspective on IoT, Challenges and Strategy (Jaap van Oss, Manon den Dunnen, Politie Nederland)

The presentation is available at:
https://ripe77.ripe.net/archives/video/2311

Jim said he hoped this was a start of an ongoing dialogue.

Artem asked what data source the speakers were using for making the statement that the majority of DDoS attacks come from IoT devices. Jaap van Oss responded that this was based on his general knowledge in investigating these kinds of crimes.

5. Security Problems in IoT (Thomas Stols, Computest)

The presentation is available at:
https://ripe77.ripe.net/archives/video/2313

Jan Zorz, ISOC, asked if an IoT device had the 'smart' at the core, was connected to the Internet and could be controlled from the cloud. He wondered whether it was a security risk. Thomas responded that this was not necessarily the case if the cloud was properly secured. But yes, it could definitely be a risk.

Brian Nisbet was shocked to hear that a hackers' organisation was shorting the stock of a company just because they have no bounty programme. Thomas said he agreed, but from a legal perspective this was a grey area.

Manon asked if Thomas thought that sharing biometrical identity was the way to go. Thomas said it could possibly be used as an additional security mechanism. Manon said she was concerned about this, because it’s giving away the closest thing to our identity and sharing them on the Internet. Thomas responded that it was definitely improving security compared to passwords.

Peter Steinhäuser, enbeDD, clarified that the facial recognition of Apple was actually not going to the cloud, but it stayed on the device.

Neofytos Kountardas, Greek Cybercrime Unit, added that the European Commission was looking at the option to add cybersecurity certificates for devices. Thomas welcomed this initiative by governmental institutions.

6. The Internet-of-Insecure-Things: Causes, Trends and Responses (Arman Noroozian, TU Delft)

The presentation is available at:
https://ripe77.ripe.net/archives/video/2317

Jim thanked the speaker for this fantastic work and said he would like to see more of this kind of work.

Jelte said he was surprised to see that doing nothing is better than informing your customers by email. Arman clarified that people just tended to ignore these kinds of informational emails. Purely sending abuse emails didn't seem to work.

7. AOB

Jim said he would like to close the discussion on the WG chair selection process on the mailing list shortly after this meeting. He hoped to have a co-chair for RIPE 78.