[iot-wg] "The Internet of Threats: Fighting FUD with MUD"

Hi, 

I just joined this group.  Today's and tomorrow's smart television are more a full blown computer with screen and keyboard, and it difficult to pin down exactly what the device should be doing in a MUD profile.  It's not a real IoT device.

A MUD profile for a thermostat or video camera or a real IoT device will be useful.

The prototype has shown for far it's functionally possible to make MUD work.

Jack 



>-----Original Message-----
>From: iot-wg <iot-wg-bounces at ripe.net> On Behalf Of Jelte Jansen
>Sent: October 22, 2018 12:29 AM
>To: Jim Reid <jim at rfc1035.com>; Peter Steinhäuser <ps at embedd.com>
>Cc: RIPE IoT WG List <iot-wg at ripe.net>
>Subject: Re: [iot-wg] "The Internet of Threats: Fighting FUD with MUD"
>
>
>
>On 10/21/18 2:33 PM, Jim Reid wrote:
>>> MUD files can help to identify what’s a devices purpose and
>>> monitoring if the device is doing what it’s supposed to do. I agree
>>> that we should not have much hope that the device makers will do their job.
>>
>> Indeed. However at least MUD files should (in principle anyway) give people an
>idea of what their latest IoT toy will do once it’s plugged in. Though just saying it
>phones home to google/Amazon/Facebook every so often isn’t much help if you
>don’t know what it's sending and receiving. Or why it’s doing that.
>>
>
>Or, as it was in the case of Samsung Television voice control data, whether the
>data that is ostensibly sent for a reasonable purpose is passed on to third parties
>by the service anyway. No amount of technical measures will protect against
>that. But at least then it will be the services' responsibility.
>
>> MUD files are a small step in the right direction. Hopefully we’ll one day see
>this information printed on the IoT device itself and the box it comes in.
>>
>
>I have started to wonder whether this won't be the other way around. As in,
>whether device manufacturers might be forced to disclose what their devices
>will be doing on the internet (similar to how they should disclose what power
>they safely operate at), and that MUD (or MUD-like) profiles will be derived from
>that.
>
>> BTW, Jelte spoke about the SPIN project at the WG meeting in Marseille. It was
>a revelation to see how much data was being sent outside his home network
>from its IoT devices. [And on a related note, why does my DVD player call the
>mothership and what data are being exchanged?] Michael’s idea of an IoT
>firewall would mean we can see what’s going on. This sort of thing will be
>essential if the concept of informed consent means anything.
>>
>
>Peter and I have been in contact after that presentation :)
>
>Anyway, the move to everything being encrypted, while protecting against
>eavesdroppers, will certainly not help protect against what our devices are
>sending out. At most to whom initially (but now I am repeating myself). But that
>is already very revealing; I have done a few presentations about SPIN where we
>connected an audience member's phone to the system, and every single time
>something interesting has popped up so far.
>
>The biggest 'whoa what the' moment you can get, by the way, if you can show
>an Amazon Echo owner that Amazon stores -and you can play back- all the audio
>commands they have ever given those things.
>
>Jelte
>
>_______________________________________________
>iot-wg mailing list
>iot-wg at ripe.net
>https://mailman.ripe.net/