On 10/21/18 2:33 PM, Jim Reid wrote:
>> MUD files can help to identify what a device's purpose is and monitor whether the device is doing what it's supposed to do. I agree that we should not have much hope that the device makers will do their job.
> Indeed. However, at least MUD files should (in principle anyway) give people an idea of what their latest IoT toy will do once it's plugged in. Though just saying it phones home to Google/Amazon/Facebook every so often isn't much help if you don't know what it's sending and receiving. Or why it's doing that.
Or, as it was in the case of Samsung television voice control data, whether the data that is ostensibly sent for a reasonable purpose is passed on to third parties by the service anyway. No amount of technical measures will protect against that. But at least then it will be the service's responsibility.
> MUD files are a small step in the right direction. Hopefully we'll one day see this information printed on the IoT device itself and the box it comes in.
I have started to wonder whether this won't be the other way around. As in, whether device manufacturers might be forced to disclose what their devices will be doing on the internet (similar to how they should disclose what power they safely operate at), and that MUD (or MUD-like) profiles will be derived from that.
> BTW, Jelte spoke about the SPIN project at the WG meeting in Marseille. It was a revelation to see how much data was being sent outside his home network from its IoT devices. [And on a related note, why does my DVD player call the mothership and what data are being exchanged?] Michael's idea of an IoT firewall would mean we can see what's going on. This sort of thing will be essential if the concept of informed consent means anything.
Peter and I have been in contact after that presentation :) Anyway, the move to everything being encrypted, while protecting against eavesdroppers, will certainly not help protect against what our devices are sending out. At most to whom, initially (but now I am repeating myself). But that is already very revealing; I have done a few presentations about SPIN where we connected an audience member's phone to the system, and every single time something interesting has popped up so far. The biggest 'whoa, what the' moment you can get, by the way, is if you can show an Amazon Echo owner that Amazon stores (and you can play back) all the audio commands they have ever given those things.

Jelte