The demand for internet-connected “smart” home and small business devices is growing rapidly, but so too are concerns regarding the potential compromise of these devices. The term IoT is often applied to the aggregate of single-purpose, internet-connected devices, such as thermostats, security monitors, and lighting control systems. Gartner predicts there will be 20.4 billion internet-connected IoT devices by 2020, and that the total will reach 25 billion by 2021.
Many classes of IoT products are constrained devices designed to perform a single function, and they often lack the state-of-the-art security software built into computers and mobile phones. This helps keep costs down, but there are consequences. In typical networking environments, malicious actors can detect and attack an IoT device within minutes of it being connected. If it has a known vulnerability, this weakness can be exploited at scale, enabling an adversary to commandeer groups of compromised devices, called botnets, to launch large-scale distributed denial-of-service (DDoS) and other network-based attacks.
The NCCoE and its collaborators have produced this practice guide to demonstrate the practicality and effectiveness of using the Internet Engineering Task Force’s manufacturer usage description (MUD) specification, RFC 8520, to protect IoT devices on home and small-business networks, and to prevent them from being either victims or perpetrators of network-based attacks. MUD works by enabling networks to automatically permit each IoT device to send and receive only the traffic it requires to perform as intended, while blocking all other communication to and from the device.
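To make the mechanism concrete, here is an added Python sketch (not code from the NCCoE guide or from any of the builds) that parses a constructed MUD file in the RFC 8520 shape and applies it as a default-deny allow list, which is the enforcement a MUD-capable router or switch performs on the device's behalf. The device name, host names and URL are placeholders.

```python
import json

# Constructed MUD file in RFC 8520 shape (not from a real manufacturer).
# Policy: the device may only initiate TCP/443 to update.example.com, and
# only controller.example.com may initiate TCP/8443 to the device.
MUD_FILE = json.dumps({
    "ietf-mud:mud": {
        "mud-version": 1,
        "mud-url": "https://example.com/iot-cam.json",  # placeholder
        "last-update": "2020-01-01T00:00:00+00:00",
        "cache-validity": 48,
        "is-supported": True,
        "systeminfo": "constructed sample camera",
        "from-device-policy": {"access-lists": {"access-list": [{"name": "from-dev"}]}},
        "to-device-policy": {"access-lists": {"access-list": [{"name": "to-dev"}]}},
    },
    "ietf-access-control-list:acls": {"acl": [
        {"name": "from-dev", "type": "ipv4-acl-type", "aces": {"ace": [{
            "name": "upd",
            "matches": {"ipv4": {"ietf-acldns:dst-dnsname": "update.example.com", "protocol": 6},
                        "tcp": {"ietf-mud:direction-initiated": "from-device",
                                "destination-port": {"operator": "eq", "port": 443}}},
            "actions": {"forwarding": "accept"}}]}},
        {"name": "to-dev", "type": "ipv4-acl-type", "aces": {"ace": [{
            "name": "mgmt",
            "matches": {"ipv4": {"ietf-acldns:src-dnsname": "controller.example.com", "protocol": 6},
                        "tcp": {"ietf-mud:direction-initiated": "to-device",
                                "destination-port": {"operator": "eq", "port": 8443}}},
            "actions": {"forwarding": "accept"}}]}},
    ]},
})

def load_rules(mud_json):
    """Flatten a MUD file into (direction, peer_name, ip_proto, dst_port, action) tuples."""
    doc = json.loads(mud_json)
    mud = doc["ietf-mud:mud"]
    acls = {a["name"]: a for a in doc["ietf-access-control-list:acls"]["acl"]}
    rules = []
    for direction, key in (("from-device", "from-device-policy"), ("to-device", "to-device-policy")):
        for ref in mud[key]["access-lists"]["access-list"]:      # ACLs referenced by the policy
            for ace in acls[ref["name"]]["aces"]["ace"]:        # access-control entries
                m, ip = ace["matches"], ace["matches"].get("ipv4", {})
                peer = ip.get("ietf-acldns:dst-dnsname") or ip.get("ietf-acldns:src-dnsname")
                port = m.get("tcp", {}).get("destination-port", {}).get("port")
                rules.append((direction, peer, ip.get("protocol"), port, ace["actions"]["forwarding"]))
    return rules

def is_permitted(rules, direction, peer, proto, dport):
    """Default-deny: a flow passes only if an ACE for that direction explicitly accepts it."""
    for d, p, pr, po, act in rules:
        if (d, p, pr, po) == (direction, peer, proto, dport):
            return act == "accept"
    return False
```

Anything the manufacturer did not describe, such as the device opening port 80 to an unrelated host, is dropped, which is how MUD keeps a compromised device from joining a DDoS botnet.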
Users can implement MUD via several different approaches. This practice guide describes four MUD implementations—three of which are complete:
- Build 1 (completed) used products from Cisco Systems, DigiCert, Forescout, and Molex.
- Build 2 (completed) used products from MasterPeace Solutions Ltd., Global Cyber Alliance (GCA), ThreatSTOP, and DigiCert.
- Build 3 (in process) is using equipment supplied by CableLabs and is leveraging the Wi-Fi Alliance “Easy Connect” specification to securely onboard devices to the network.
- Build 4 (completed) used software developed at the NIST Information Technology Laboratory Advanced Networking Technologies Division and technology from DigiCert.
This project can help different stakeholder groups, including:
- organizations that rely on the internet can understand how MUD can be used to protect internet availability and performance against network-based attacks.
- IoT device manufacturers can learn how MUD can protect against reputational damage that may result from their devices being exploited to support DDoS or other network-based attacks.
- service providers can benefit from a reduction of the number of IoT devices that can be easily used by malicious actors to participate in DDoS attacks against their networks and degrade service for their customers.
- users of IoT devices can gain insight into how MUD-capable products can protect their internal networks from being subverted by malicious actors.
MUD-Related Resources
A collection of MUD-related resources, including standards, tools, implementations, research papers, articles, and conferences, is available from the project site.