Meeting Report
An Overview
A number of different aspects relating to IoT were discussed over the course of the day. Issues at the level of manufacturers, vendors and customers were generally thought to be the result of several factors – a race to be first to market coupled with low margins, as well as a lack of understanding or experience dealing with security and privacy considerations. There is also a tragedy of the commons issue – with negative externalities affecting a wider group than simply the manufacturers or users of compromised IoT devices.
A key discussion point was whether providers have an ethical obligation to protect users. A presentation by Enno Rey from ERNW introduced the idea of using CPE (customer premises equipment) as a shield to protect customers' devices at home. He noted that, by default, many ports are open that people will never need or use – so providers should consider closing some of these (e.g. Telnet). This approach would have prevented the Mirai attack. It was noted, however, that providers should be wary of creating an “assisted Internet experience” that disempowers users in the name of protecting them. It was added that manufacturers bear a responsibility for their devices that cannot be discharged simply by blocking ports at the CPE.
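To make the CPE-as-shield idea concrete, here is an added example of the kind of default ruleset a provider could ship on a Linux-based CPE; it is not code from the roundtable, from ERNW or from the RIPE NCC. It assumes nftables, an upstream interface named eth0, a home-network bridge named br-lan, and the documentation address 192.0.2.10 for the commented-out opt-in rule; IPv4 NAT is left out so the filtering logic stays visible. Inbound traffic is closed by default, outbound from the home network is allowed, and Telnet probes are counted so they remain visible in the statistics.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the roundtable or ERNW): a minimal CPE ruleset that
# closes unneeded inbound ports by default. Interface names are assumptions.
define WAN = "eth0"     # provider-facing interface (assumed name)
define LAN = "br-lan"   # home network bridge (assumed name)

flush ruleset

table inet cpe {
    # Traffic addressed to the CPE itself (its management plane)
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # Telnet (23) and its common alternate port (2323): count and drop
        # explicitly so probes are visible in the counters, even though the
        # default policy would drop them anyway.
        iifname $WAN tcp dport { 23, 2323 } counter drop comment "telnet probes"

        # Keep IPv4 and IPv6 control traffic working (NDP, PMTU discovery)
        meta l4proto { icmp, icmpv6 } accept

        # DHCPv6 client replies from the provider on the WAN side
        iifname $WAN udp dport 546 accept

        # Management services reachable only from the LAN: DNS, DHCP, web UI
        iifname $LAN udp dport { 53, 67 } accept
        iifname $LAN tcp dport { 53, 80, 443 } accept
    }

    # Traffic between the home network and the Internet
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Outbound connections from the home network are allowed
        iifname $LAN oifname $WAN accept

        # Inbound to devices behind the CPE is closed by default. A household
        # that really needs an inbound service adds its own rule here (or a
        # port forward in a NAT table), keeping the choice with the user
        # rather than imposing an "assisted Internet experience".
        # iifname $WAN oifname $LAN ip daddr 192.0.2.10 tcp dport 443 accept
    }
}
```

The ruleset is loaded with `nft -f` and the Telnet counter can be read back with `nft list ruleset`, which gives the provider (and an interested user) a cheap measure of how much scanning reaches the household. Because the default policy is drop, the explicit Telnet rule changes nothing about what gets through; its value is the counter and the comment, which document why the port is closed.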
With many IoT problems seemingly the result of distorted market incentives, the question of regulation was discussed at several points throughout the day. On this, attendees were somewhat divided. In some respects it was seen as inevitable, ultimately a public safety issue akin to fire-safety standards (particularly with connected cars or health devices). However, regulation would be of varying effectiveness and would take time to be developed – the question was what the RIPE community could do in the meantime. Additionally, there were negative aspects to regulation – increased compliance costs would disproportionately affect small players or low-margin products, and would restrict permissionless innovation. Similarly, the group discussed the idea of a “trusted IoT label” – this was generally seen as a good idea, but involved many of the same concerns.
It was noted that there was a distinction between responsible manufacturers and retailers who would pay attention to standards and invest in security, and others who simply wanted to move product and wouldn't engage with these efforts. Another concern was the fact that people weren't aware of what traffic was leaving their network. One attendee discussed being surprised by how much outbound traffic his connected TV was generating. As people's connections grow faster over time, this raises concerns about greater DDoS attack volumes and attacks against the DNS.
While there was plenty of discussion of the problems posed by the IoT, there were also some positive discussions. Robert Kisteleki from the RIPE NCC presented on their work with RIPE Atlas, which in this context they consider to be an IoT network. He explained the security principles they used when designing the network – with the understanding that security incidents were inevitable, and it was about limiting their impact as much as possible rather than preventing them altogether. Constanze Dietrich from Technical University Berlin presented on her experience studying security misconfigurations, recommending regular "fire drills" and promoting a culture of blameless postmortems following security incidents.
Talking about an IoT WG and Next Steps
Everyone at the meeting supported the establishment of a working group on IoT. Producing BCPs, advisory documents or documenting risk factors was seen as well within the scope of the RIPE community. However, the question was asked who would pay attention to these kinds of outputs – as the disconnect between responsible and less-responsible actors comes into play. It was noted that there were plenty of 200-page documents already in circulation that dealt with various aspects of the IoT, and the RIPE community should think carefully before it adds to this noise. It was also recommended that they not apply too much structure at this point, and focus on discussing the issue with more informal events such as this roundtable meeting.
It was noted that the RIPE NCC is regularly asked to participate in other fora as a neutral and trusted source of technical information. An IoT WG would provide a focal point where the RIPE NCC could request community input and report back on the content of external discussions. It could also function as a clearinghouse where other relevant information can be published and announced to the RIPE community.
There are already a number of disparate initiatives dealing with IoT. It was proposed that RIPE could have value as an information-sharing platform and the WG could provide a vehicle for the community to invite others in for dialogue. As RIPE is not alone in this space, it was noted that care should be given not to encroach on the territory of other groups. It is about scaling up and supporting existing efforts rather than creating new ones. However, other entities seem more focused on posing questions than providing solutions. RIPE has twenty years of producing running code. The operator community has already encountered many of the same issues that are currently affecting the IoT (e.g. default passwords on devices) and could demonstrate some authority from having been there and done that.
The need to draw in vendors and people from the security community was discussed. These people do not typically attend RIPE Meetings, so an IoT WG could help to attract participation by signaling that the community was looking at IoT issues. Vendors will likely engage if they see the community meeting to determine requirements in technical equipment, as they did in the past with IPv6.
The group reviewed an updated version of the draft IoT WG charter that was presented at RIPE 74. There was support for it in its current form, with some minor tweaks. The next step will be to further discuss the draft charter at RIPE 75 and consider future work.
You can find the day's agenda and presentation slides here.