by Diana Proud-Madruga
This three-part series explores the challenges of securing the Internet of Things. Part 2 examines the architecture and inner workings of the Internet Engineering Task Force’s specification rfc8520.
In March 2019, the Internet Engineering Task Force (IETF) published a draft internet standard intended to increase the ability of networks to safely deploy Internet of Things (IoT) devices. The Manufacturer Usage Description (MUD) Specification delineates an architecture that allows IoT devices to communicate functionality and access control needs in order for the device to function as intended.
Building in Security
Until recently, the internet was largely constructed for general-purpose devices, such as computers, where device owners determined their use and devices were presumed capable of protecting themselves. With the advent of IoT devices, the landscape of the internet is changing. In addition to general-purpose devices, there’s an explosion of specific-purpose ones with limited computing power that lack the capacity to carry security software and perform security updates. MUD addresses threats in specific-purpose devices by building in security in a way that is simple and secure.
The “M” in MUD stands for “manufacturer,” however, it does not necessarily mean the entity that originally created the device. It is the organization in the device’s supply chain that is responsible for informing the network about how the device needs to function, including the amount and types of access the device requires.
The intent behind MUD is to:
The MUD architecture consists of
How Does It Work?
Here is a vastly simplified description of how MUD works:
But what about non-MUD-enabled devices? Here, the MUD manager may need to search for the MUD URL and/or file using other mechanisms, such as serial numbers or public keys. Everything else remains the same. Thus, MUD is flexible enough to address security concerns of devices implemented prior to the creation of the MUD specification.
What do the descriptions look like? Let’s use the example of a printer. The MUD description for a printer might specify:
In this way, anyone can print to the printer, but local access would be required for the management interface.
A Way Forward . . .
The final part of this series will explore applications of MUD as described in NIST Special Publication 1800-15, Securing Small-Business and Home Internet of Things (IoT) Devices.
Diana Proud-Madruga, CISSP, is a Senior Security Analyst with Electrosoft.