Network and Distributed Systems Security (NDSS) Symposium is in full swing for its 25th anniversary year. As usual the NDSS program includes a really impressive array of great content on a wide range of topics. Prior to the main event there were four one-day workshops on themes related to the topic of NDSS: Binary Analysis Research, DNS Privacy, Usable Security, and the workshop I’d like to delve into here, Distributed IoT Security and Standards (DISS).
The DISS workshop received 29 submissions and accepted 12 papers. In an interesting twist on the usual scientific workshop format, the presented papers were all still in draft form and will now be revised based on the Q&A and offline discussions that took place as a result of the workshop. Revised papers will be published by the Internet Society in due course.
Introducing the proceedings, co-chair Dirk Kutscher explained that it has become evident that the success of the Internet of Things (IoT) depends on sound and usable security and privacy. Device constraints, intermittent network connectivity, the scale of deployments, and economic issues all combine to create an interesting and challenging environment for the research community to address.
A decentralised approach to IoT security is being pursued by multiple projects and several were presented during the workshop. Simultaneously, many IoT standards are under development in IETF, W3C, and elsewhere. It is therefore very timely to bring researchers together on the topic of DISS. The scope for the workshop was threefold:
- Enabling secure interoperability across IoT ecosystems;
- Security and privacy in ongoing IoT standardisation work; and
- Other topics related to decentralised security and standardisation in IoT.
Ian Molloy gave a very interesting presentation on his work (with co-authors David Barrera and Heqing Huang) to monitor the connectivity profiles of different IoT devices and enforce network security policy to minimise the risks posed by insecure IoT devices to both the device owners and the wider Internet. The approach was described as ‘parental controls’ for IoT and brought to mind the work underway in the IETF on Manufacturer Usage Descriptions (MUD). An interesting difference between the two approaches is that Molloy’s approach explicitly does not require the user to trust the manufacturer to define a policy and provide a product that understands or respects the concerns of the end-user. There may be a place for a more distributed and crowdsourced approach.
Two papers addressed security reviews of existing standards. Michael McCool presented work (with co-author Elena Reshetova) to evaluate the security of the W3C Web of Things standard. Carsten Bormann presented an analysis of various developing standards for authorization solutions for the IoT. Both talks made clear that while standardisation for various pieces of a secure IoT ecosystem is underway, there is more work to be done to minimise the potential for implementation mistakes and the unintended consequences of exposing IoT device metadata.
Tomer Golomb presented a very interesting approach to anomaly detection including a great video demonstration of a wall of Raspberry Pis sharing state regarding normal operating conditions and then alarming when simulated exploits were run against known vulnerabilities.
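To make the two ideas above concrete, the following is an added illustration, not code from any of the workshop papers or from the authors named here. It sketches how a learned connectivity profile (Molloy et al.) and shared knowledge of normal behaviour across devices of the same type (the Raspberry Pi demonstration) can be combined into a simple allow-list check. All device names, hostnames, ports and flow records are constructed for the example; the verdict labels and the idea of merging per-type profiles are assumptions of this illustration, not details taken from either talk.

```python
"""Learned connectivity profiles as an IoT network policy (added example).

Flows observed during a learning window form a per-device allow-list. Devices of
the same type also pool their profiles, so an endpoint that one camera has already
been seen using is tolerated for another camera, while anything unseen is denied
and raised as an alarm. All data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    device: str       # individual device identifier (e.g. from its MAC)
    device_type: str  # coarse class the profile is shared within
    dst_host: str
    dst_port: int
    proto: str


# Constructed flows seen while the devices were assumed to behave normally.
BASELINE = [
    Flow("cam-01", "camera", "fw.example-vendor.test", 443, "tcp"),
    Flow("cam-01", "camera", "ntp.example.test", 123, "udp"),
    Flow("cam-02", "camera", "fw.example-vendor.test", 443, "tcp"),
    Flow("cam-02", "camera", "cloud.example-vendor.test", 8883, "tcp"),
    Flow("bulb-01", "bulb", "hub.local", 5683, "udp"),
]

# Constructed flows observed after the learning window closed.
NEW_FLOWS = [
    Flow("cam-01", "camera", "fw.example-vendor.test", 443, "tcp"),
    Flow("cam-01", "camera", "cloud.example-vendor.test", 8883, "tcp"),
    Flow("cam-01", "camera", "203.0.113.7", 23, "tcp"),
    Flow("bulb-01", "bulb", "203.0.113.7", 23, "tcp"),
]


def _endpoint(flow):
    return (flow.dst_host, flow.dst_port, flow.proto)


def learn_profile(flows):
    """Per-device set of endpoints seen during the learning window."""
    profile = defaultdict(set)
    for f in flows:
        profile[f.device].add(_endpoint(f))
    return profile


def share_profiles(flows):
    """Per-device-type union of endpoints: the state peers share with each other."""
    shared = defaultdict(set)
    for f in flows:
        shared[f.device_type].add(_endpoint(f))
    return shared


def evaluate(flow, own, shared):
    """Policy verdict for one flow.

    'allow'      - this device used the endpoint during learning
    'allow-peer' - only a peer of the same type did; tolerated but worth noting
    'deny'       - no device of this type has ever used it; block and alarm
    """
    ep = _endpoint(flow)
    if ep in own.get(flow.device, set()):
        return "allow"
    if ep in shared.get(flow.device_type, set()):
        return "allow-peer"
    return "deny"


def check_new_flows(baseline=BASELINE, new_flows=NEW_FLOWS):
    """Return (device, host, port, verdict) for each new flow."""
    own = learn_profile(baseline)
    shared = share_profiles(baseline)
    return [(f.device, f.dst_host, f.dst_port, evaluate(f, own, shared))
            for f in new_flows]


def alarms(baseline=BASELINE, new_flows=NEW_FLOWS):
    """Only the denied flows, i.e. what an operator would be alerted about."""
    return [r for r in check_new_flows(baseline, new_flows) if r[3] == "deny"]


if __name__ == "__main__":
    for device, host, port, verdict in check_new_flows():
        print(f"{device:8s} -> {host}:{port}  {verdict}")
```

The interesting design question the talk raised is who gets to define the baseline: here it is learned from the device's own observed behaviour and from its peers, rather than declared by the manufacturer as in MUD, so a poorly behaved device cannot simply declare its misbehaviour to be policy.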
The workshop also received an explicitly non-technical paper that considered the economic aspects of standardising security for the IoT. The authors tried to understand why IoT device manufacturers continue to ignore the findings of security research. They observed that consumers can’t determine the level of security provided by IoT products and are unwilling to pay for something they cannot assess. They identified a number of recommendations for ‘market-driven’ standardisation organisations:
- Define a precise security model
- Stop consumer/business differentiation
- Add a membership level for academic institutes
- Conduct security testing without conflict of interest
- Define and enforce an update policy
Lively discussion following this talk emphasised the importance of academic involvement, an open standards process with a multistakeholder ethos, and incorporating the development of reference implementations as part of the standards development life cycle. The need for regulation to help overcome the information asymmetry problem between industry and the consumers of IoT devices was also a hot topic of discussion.
Other topics discussed during the workshop included securing payments for outsourced computations, building a secure and open federation layer for IoT silos, authentication and key exchange protocols for IoT, practical implementation aspects, and attestation.
To read more about NDSS, see our introductory blog post, our overview of the full NDSS 2018 program, and remember you can follow along via our social media channels – Twitter, Facebook, YouTube, and LinkedIn – or search/post using #NDSS18.