[iot-wg] "The Internet of Threats: Fighting FUD with MUD"
Töma Gavrichenkov
ximaera at gmail.com
Thu Oct 18 19:00:53 CEST 2018
...and now bringing my question/suggestion to the mailing list.

Previously on topic: we've agreed (haven't we?) that MUD is not currently targeting industrial IoT and connected health. So, smart homes.

(By the way, it is more proper to directly specify the issue you're handling before proposing a solution. As MUD doesn't solve the security problem of IoT in general, let's then call it a solution for smart homes, but not a solution for IoT.)

The issue with smart homes, wearables etc. is that a contemporary commodity IoT device is not connected to the Internet in order to really provide a service to the customer. Instead, it collects, processes and sends data and telemetry which is precious for its vendor, which said vendor would then be able to sell.

- https://www.theverge.com/2017/7/24/16021610/irobot-roomba-homa-map-data-sale
- https://www.warc.com/newsandopinion/news/general_motors_generates_new_radio_advertising_insights/41073
- et cetera.

Expecting a vendor to cut their own cables themselves is a strange move, isn't it. Hence, "default policy is no access" stuff isn't just going to fly.

And, setting a firewall will only slightly help because of countless reasons.

a) We have agreed today (haven't we?) that an IoT device needs to be updated frequently, and probably via the Internet. Let's now phrase it in a different way: we have agreed that an IoT device has a right to connect to a server of its vendor and exchange encrypted data with that server. Good luck telling updates from telemetry streaming then.

b) Given a), a vendor will have a 100% legitimate excuse for denying you a service (i.e. remotely switching off a device, or more precisely, *not switching it on*) if the device doesn't have Internet connectivity.

c) Moreover, if data collected by roombas would be actually worth selling, we can prophesize that ToSes for devices would start to *include* that connectivity requirement. I.e. if you don't want to share data with a vendor, then you must not buy this $9 vacuum cleaner but should rather go for that $199 vacuum cleaner, because it costs $150 to produce the device and for the former, the remaining $141 are covered by selling the data you don't want to share now. I'd be thrilled to see if anyone would be really going to spend an additional $190 for privacy and security.

d) Also, if said data is worth selling, setting up a firewall won't help because an IoT device will then use whatever radio technology is built in to connect to the Internet without your nice firewall. The only outcome would be an increased manufacturing cost because of the additional radio module (and yes, it's the customer who's gonna pay for this). Sorry guys. Nothing personal, it's just business.

e) You cannot possibly set a firewall between the Internet and wearables, SmartTV, cars, etc.

...

I'm curious how MUD addresses those concerns.

| Töma Gavrichenkov
| gpg: 2deb 97b1 0a3c 151d b67f 1ee5 00e7 94bc 4d08 9191
| mailto: ximaera at gmail.com
| fb: ximaera
| telegram: xima_era
| skype: xima_era
| tel. no: +7 916 515 49 58