Overview Of the MUD IoT Standard
Since its inception, the internet has overwhelmingly been built to serve general computing devices. From the early days of ARPANET/MILNET through to the current generation of mobile devices like phones and tablets, nearly every connected system has had sufficient computing capacity to possess some level of self-protection, such as anti-virus, encryption, VPN, and so on. With the rise of the Internet of Things (IoT), many of these devices lack the built-in capability to defend themselves with such measures.
MUD, or the Manufacturer Usage Description (RFC 8520), is a standard, now ratified by the Internet Engineering Task Force (IETF), that enables IoT devices to signal to the network what access and protection they need. Its purpose, as the name suggests, is to give Internet of Things (IoT) manufacturers a standardised facility for declaring the functionality of their respective devices. This is a different approach from historical computer security: general computing devices like desktops and phones can be applied to an almost limitless number of functions and requirements, making it impossible to build such a profile. IoT devices, however, typically have a very limited and predictable pattern of data use, and their use case largely defines exactly what access they will need to computer networks. MUD is therefore, in effect, a framework for building device profiles that help shape and define access policies.
The Importance Of Standards
With the extraordinarily complex and interwoven nature of the modern technology space and the myriad disciplines that underpin it, standards are incredibly important. The interoperability of all the infrastructure elements is only possible through the diligent efforts of the bodies tasked with the development processes for standards creation and evolution.
The IETF, the body that formulated MUD, is, according to its own literature, “…a large open international community of network designers, operators, vendors, and researchers concerned with the evolution of the Internet architecture and the smooth operation of the Internet.” It, along with a host of other organisations such as the FCC (Federal Communications Commission), ICANN (Internet Corporation for Assigned Names and Numbers), and the ISO (International Organization for Standardization), provides the regulation, documentation, and standards that allow networks, including the internet, to function. Without standards clearly set out and readily actionable, MUD included, the devices and networks upon which we rely would be so problematic and error-prone that they would be unusable.
The Shifting Challenge of IoT Security
Contextually, the MUD standard is fundamentally required because, in the past year or so, the burgeoning number of IoT devices has surpassed the number of general computing devices for the first time, and a solution to their limited security capabilities is crucial. Compounding this necessity is the unadulterated rush to market from IoT device manufacturers as they attempt to grab market share, paying scarce attention to intentional security and often ignoring even basic secure connectivity concerns. Poorly implemented protocols lead to issues like flooding, wormhole attacks, man-in-the-middle attacks, Sybil attacks, and spoofing. This potentially undermines the advances we have seen in the recognition of and focus on security in the boardroom over the past decade, as IoT projects are embraced for the operational opportunity they provide, often without due consideration of the new attack vectors potentially being introduced.
The Benefits Of MUD for IoT Security
Within the MUD standard, manufacturers explicitly dictate the precise, and only, behaviours permissible for their devices, as determined by the data types and methods that are necessary for the IoT device to function as intended. The MUD profile for each device is, in effect, a set of rules and expected behaviours against which a corporate network can compare the current network traffic from that device. Using this delta, the network can prevent the IoT device from making any unauthorised connection should its traffic fall outside the parameters specified in the MUD profile.
The benefits to stakeholders within IoT deployments when MUD is implemented are far from zero-sum. Obviously, there is an uplift in security, and the operational load on administrators is mitigated because each additional device is governed by a single profile type, so changes to asset discovery, management, and policy enforcement are largely incidental. Risk assessment and incident response are likewise greatly simplified by the homogeneous nature of the networked devices in a potential IoT-centric attack. The clear benefits of MUD also extend to manufacturers in the form of improved commercial and operational outcomes. By meeting the MUD standard, it is a safe bet that they are passing a threshold for vendor analysis that will become ubiquitous for most enterprise organisations in short order. Moreover, the reputation of the manufacturer (and its devices) will be solidified, both by actively adopting the MUD standard in the first place and by avoiding the brand damage from any incident that may otherwise have taken place. This will likely lead to greater success in market share and a boost in reputational standing, even outside IoT products.
How MUD Works for IoT Devices
MUD works by augmenting the protocol in use, whether LLDP, 802.1X, or most commonly DHCP, with a Uniform Resource Identifier (URI). These URIs are specific strings of characters that identify a reference profile defined by the device manufacturer; the network device then downloads the reference profile from the manufacturer, and that profile defines the (potentially) allowed behaviours of the IoT device.
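To make the two halves of this mechanism concrete, the block below is an added example (not code from the original article, CyAmast, or the IETF) that shows what a downloaded MUD file looks like and how an enforcement point compares a device's observed flows against it. The MUD file is constructed to follow the structure of the RFC 8520 example in the RFC's own text (the "ietf-mud:mud" container with from-device and to-device policies referencing "ietf-access-control-list:acls"); the manufacturer, URL, hostname and addresses are placeholders, and the DNS table stands in for the resolver a real switch or firewall would consult. The RFC's requirements that the MUD URL be https and match the file's own "mud-url", and that anything not explicitly permitted is denied, are applied as written.

```python
"""Added example: load an RFC 8520 MUD file and evaluate observed device flows against it."""
import json
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Constructed MUD file modelled on the RFC 8520 section 17 example structure.
# Manufacturer, URL and hostname are placeholders, not a real product's profile.
SAMPLE_MUD = json.dumps({
    "ietf-mud:mud": {
        "mud-version": 1,
        "mud-url": "https://lighting.example.com/mud/lightbulb2000.json",
        "last-update": "2019-01-15T12:00:00+00:00",
        "cache-validity": 48,
        "is-supported": True,
        "systeminfo": "Example lightbulb that only talks to its cloud controller",
        "from-device-policy": {"access-lists": {"access-list": [{"name": "mud-76100-v4fr"}]}},
        "to-device-policy": {"access-lists": {"access-list": [{"name": "mud-76100-v4to"}]}},
    },
    "ietf-access-control-list:acls": {"acl": [
        {"name": "mud-76100-v4fr", "type": "ipv4-acl-type", "aces": {"ace": [{
            "name": "cl0-frdev",
            "matches": {
                "ipv4": {"ietf-acldns:dst-dnsname": "controller.example.com", "protocol": 6},
                "tcp": {"ietf-mud:direction-initiated": "from-device",
                        "destination-port": {"operator": "eq", "port": 443}}},
            "actions": {"forwarding": "accept"}}]}},
        {"name": "mud-76100-v4to", "type": "ipv4-acl-type", "aces": {"ace": [{
            "name": "cl0-todev",
            "matches": {
                "ipv4": {"ietf-acldns:src-dnsname": "controller.example.com", "protocol": 6},
                "tcp": {"ietf-mud:direction-initiated": "from-device",
                        "source-port": {"operator": "eq", "port": 443}}},
            "actions": {"forwarding": "accept"}}]}},
    ]},
})

# Constructed resolver table standing in for the DNS lookups an enforcement point performs.
DNS_TABLE = {"controller.example.com": {"192.0.2.10", "192.0.2.11"}}


@dataclass(frozen=True)
class Rule:
    direction: str            # "from-device" or "to-device"
    peer_name: str            # DNS name of the remote end of the flow
    protocol: int             # IP protocol number (6 = TCP, 17 = UDP)
    peer_port: Optional[int]  # remote port, or None when the ACE does not constrain it
    action: str               # "accept" or "drop"


def parse_mud(text: str) -> dict:
    """Decode the JSON MUD file fetched from the manufacturer's URL."""
    return json.loads(text)


def validate_mud_url(presented_url: str, mud_doc: dict) -> bool:
    """RFC 8520: the URL emitted by the device must be https and equal the file's own mud-url."""
    return urlparse(presented_url).scheme == "https" and presented_url == mud_doc["ietf-mud:mud"]["mud-url"]


def load_rules(mud_doc: dict) -> list:
    """Flatten the from-device and to-device ACLs into simple Rule objects."""
    mud = mud_doc["ietf-mud:mud"]
    acls = {a["name"]: a for a in mud_doc["ietf-access-control-list:acls"]["acl"]}
    rules = []
    for direction, policy_key, name_key, port_key in (
        ("from-device", "from-device-policy", "ietf-acldns:dst-dnsname", "destination-port"),
        ("to-device", "to-device-policy", "ietf-acldns:src-dnsname", "source-port"),
    ):
        for ref in mud[policy_key]["access-lists"]["access-list"]:
            for ace in acls[ref["name"]]["aces"]["ace"]:
                ip = ace["matches"].get("ipv4", {})
                l4 = ace["matches"].get("tcp") or ace["matches"].get("udp") or {}
                port = l4.get(port_key)
                peer_port = port["port"] if port and port.get("operator", "eq") == "eq" else None
                rules.append(Rule(direction, ip[name_key], ip["protocol"], peer_port,
                                  ace["actions"]["forwarding"]))
    return rules


def evaluate_flow(rules: list, direction: str, peer_ip: str, protocol: int,
                  peer_port: int, resolver: dict = DNS_TABLE) -> str:
    """First matching ACE decides; a flow matching no ACE is dropped (MUD is default-deny)."""
    for r in rules:
        if r.direction != direction or r.protocol != protocol:
            continue
        if peer_ip not in resolver.get(r.peer_name, set()):
            continue
        if r.peer_port is not None and r.peer_port != peer_port:
            continue
        return r.action
    return "drop"


if __name__ == "__main__":
    doc = parse_mud(SAMPLE_MUD)
    rules = load_rules(doc)
    print("url ok:", validate_mud_url("https://lighting.example.com/mud/lightbulb2000.json", doc))
    print("to controller :443 ->", evaluate_flow(rules, "from-device", "192.0.2.10", 6, 443))
    print("to other host :443 ->", evaluate_flow(rules, "from-device", "198.51.100.5", 6, 443))
    print("udp 53 out   ->", evaluate_flow(rules, "from-device", "192.0.2.10", 17, 53))
```

In a real deployment the MUD URL arrives in DHCP option 161, an LLDP TLV, or an X.509 certificate extension, the file is fetched over HTTPS and its signature checked, and the flattened rules are pushed to the switch or firewall as ACLs; the flow check above is the comparison step the article describes, with the DNS names resolved at enforcement time rather than baked in as addresses.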
Fundamentally, MUD works. The issue becomes a question of ‘for how long?’. As you can see from the diagram above, MUD generates additional network traffic, and there are real-world implications to this. While the amount of data transferred is relatively insignificant, the source of this traffic is problematic, as it requires modification of the DHCP or LLDP protocols, and there is little incentive to develop or implement this, presenting a significant barrier to adoption. While the MUD profile has now been ratified as a standard by the IETF, many manufacturers are finding it a challenge to build an accurate MUD profile, because IoT devices are typically comprised of components from a host of suppliers (and these can vary even within the same manufacturer), subtly distorting the behaviours of the IoT device.
Additionally, none of the above MUD implementations leverages an X.509 certificate to obfuscate the MUD URL. This means that the MUD URL issued can potentially be spoofed. Measures have been taken to adapt to this challenge, and cryptographic keys offered through a Trusted Platform Module (TPM) do remove the opportunity for spoofing. The issue again becomes the requirement for additional resources: TPMs require a prohibitive amount of resources to be a practical solution universally for IoT, so we are left hoping for a Swiss cheese protection model rather than the more likely scenario of proverbially building on sand.
MUD is asking a lot from manufacturers too. While the benefits are numerous, as recounted above, too many manufacturers have already shown that they are more than willing to develop and sell a product as a rush-to-market cash grab, despite (often known) security concerns.
A Better IoT Security Option
While MUD is a great step forward for IoT adoption and secure operation thereof, we have touched on some of its shortcomings. The main issue we have not yet highlighted is that a MUD profile is a measurement of a device at a single moment. It is tantamount to taking a patient's temperature once: the absence of a contraindication at that moment is enough to flag the device as ‘healthy’, irrespective of what that same measurement would be before or after that point in time.
CyAmast brings a fundamentally different approach to IoT security that we have developed through our research. We constantly measure the health of each and every device, both individually and collectively, by watching the patterns of device behaviour. While MUD adoption is advantageous for efficiency, we do not need a device to adopt the MUD standard to keep it secure. This means we can cater seamlessly to existing IoT-rich networks as well as to already MUD-compliant ones. We vigilantly watch for deviations from the expected behaviours that we observe and document, rather than taking that data from a static file, so that we can react to compromise or even suboptimal performance before what might otherwise be catastrophic failure. Our profiles of each device are calculated and evolved in (near) real time to provide the basis for policy enforcement. Safer IoT means a safer network.
In summation, MUD is a lightweight, useful and important benchmark for the evolution of IoT security: the first fin used on land for propulsion. It is, however, insufficient as the sole measure of protection for IoT-enabled networks, particularly when the risks are appreciable.