Standards and their use for IoT/Riding the crest of DDoS Event

From IIW
Standards for Internet of Things
Tuesday 5K

Convener: Dave Sanford

Notes-taker(s): Dave Sanford and Ryan Page

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Dave's Notes

Session was called to explore the implications and possible opportunities caused by the recent DDoS attack on Dyn (and thereby Dyn customers) caused by a botnet of IoT devices. The sense is that this was so public that the long standing IoT device security problem may receive enough public scrutiny that regulatory responses are likely. Is there any guidance that we as a community can provide that could either a) avoid bad regulation or b) help fix the IoT space which is recognized as broken in terms of security and in other ways.

One of the motivations for the session was a well attended session on the use of OAuth to help integrate security in the IoT space that George Fletcher had in 2014. Dave Sanford posited that - OAuth use in this way could help heal the home IoT space.

Conversation turned to the critical role of routers as firewalls in the home IoT space - as a potential focus given the multitude of low cost IoT devices some of which are made by foreign manufacturers for which little regulatory pressure might be possible. There was some discussion of Underwriters Labs (UL) based security standards that could be used to support regulatory and import requirements.

It was expressed that more critical abuse cases than use of IoT devices for DDoS attacks are likely to cause regulatory response - particularly as the IoT ecosystem includes medical devices, cars, etc. DDoS may not be the inevitable event that will cause regulatory response.

One of the reasons that the IoT space is broken and it would be hard for smarter devices (routers, messaging hubs) in the home IoT space to protect the cheaper, dumber devices is due to lack of interoperability. There is little impetus for the various players that want to become the dominant IoT hub in the home to work together to create standards (including security relevant standards) by which all devices can be protected by all IoT devices.

There was discussion about the fact that devices are manufacturer vs. user centric, expecting to communicate directly with manufacturers. Also conversations about the need for automatic provisioning. David Fotland (Amazon) talked a little about Amazon IoT specifications and that Amazon already uses OAuth for all devices. Overall no conclusions that would lead to future actions - but great discussion.

Ryan's Notes

We discussed methods of protecting against attacks using IOT devices. There were distinctions between super-dumb devices vs. devices that can be updated with software pushes, distinctions between devices behind consumer or industrial routers/firewalls, and devices in the wild or that have their own cellular connectivity.

Potential avenues of remediation:

- pushing software remediation to devices, either to limit points of communication or pushing use of a specification like OAuth 2.0

- updated firewalls or routers restricting protocols or frequency of traffic

- regulatory regime requiring minimum security controls and/or behaviors on regulated devices

- implementation of interoperable standards for device communication

- use of contact based authorization or de-provisioning for devices in the home (e.g., NFC)

- regulation or liability for carriers who fail to intervene in managing traffic (but see "there goes net neutrality")