This is the presentation of the paper: "A Gateway based MUD Architecture to Enhance Smart Home Security".
The paper was presented during the 8th International Conference on Smart and Sustainable Technologies (SpliTech 2023).
Specifically, the paper was presented at the Special Session on Cybersecurity and IoT within the International Symposium on the Internet of Things.
Abstract of the paper:
Smart home systems, including consumer-grade Internet of Things (IoT) devices, are in a dangerous situation. On the one hand, the number of smart homes is increasing. On the other hand, the devices in these dwellings are often affected by vulnerabilities that could be exploited to generate massive (distributed) attacks.
To mitigate the issue of having compromised devices involved in such attacks, the Internet Engineering Task Force (IETF) recently proposed a new standard: the Manufacturer Usage Description (MUD).
The main contribution of this paper is to propose a slightly extended version of the MUD architecture. This architecture is centered around a smart home gateway (SHG) that can be extended through the contributions of plug-in developers.
Indeed, our proposed approach allows developers to specify which endpoints their plug-ins need to reach. These requirements will then be processed to generate a consolidated gateway-level MUD file exposed by the SHG itself. Thus, thanks to
this solution and developers’ intervention, even devices that are not natively “MUD-enabled” would be protected by the MUD standard if integrated through a proper plug-in. Moreover, these requirements are transparent for the device itself.
To demonstrate the feasibility of this approach, we realized a proof-of-concept for a widespread open-source smart home gateway: Home Assistant.
A Gateway based MUD Architecture to Enhance Smart Home Security
1. A Gateway-based MUD
Architecture to Enhance
Smart Home Security
Fulvio Corno and Luca Mannella
e-Lite research group
Department of Control and Computer Engineering
Politecnico di Torino,Turin, Italy
8th International Conference On Smart and Sustainable Technologies
Bol, June 21, 2023
2. Outline
• Internet of Things and smart homes context
Introduction
• Manufacturer Usage Description (MUD)
Background
• Presenting the architecture and the PoC
Proposed Approach
• Sum up and future work
Conclusions
June 21, 2023
F. Corno and L. Mannella — A Gateway-based MUD Architecture to Enhance Smart Home Security 2
3. Introduction
• Smart Home (SH) systems are in a dangerous situation
• Very widespread (12.2 billion active endpoints)
• USENIX 2019: at least 40% houses have an IoT device (70% in the U.S.A.)
• A large percentage of these devices has a known vulnerability
• Compromised devices could create serious issues
• IoT devices are infected to carry on DDoS attacks (Mirai Botnet)
• Affecting other devices in the same network
• To manage them, Smart Home Gateways (SHG) are often involved
• Goal: take advantage of the SHG to enhance SH security thanks to
• the MUD standard
• plug-in developers' intervention
June 21, 2023
F. Corno and L. Mannella — A Gateway-based MUD Architecture to Enhance Smart Home Security 3
4. Manufacturer Usage Description (MUD)
Less (connection) is more (secure)
June 21, 2023
F. Corno and L. Mannella — A Gateway-based MUD Architecture to Enhance Smart Home Security 4
5. Manufacturer Usage Description (MUD)
• IETF Standard: RFC-8520 (originally proposed by CISCO)
• Main goal: reducing unexpected communications to/from an IoT device
• Defining a proper architecture and data model
• How? With a white-listing approach
• The manufacturer specifies the authorized connections (policy) in a dedicated
"MUD file"
• Other connections are forbidden
June 21, 2023
F. Corno and L. Mannella — A Gateway-based MUD Architecture to Enhance Smart Home Security 5
6. MUD files and
MUD Policy Enforcement
• Each class of device produced by a Manufacturer must have a dedicated
MUD file
• E.g., a MUD file for Amazon Echo Dot, a MUD file for the Philips Hue, etc.
• The MUD file is composed by a set of policy
• Expressed in JSON format
• Each policy defines the endpoints of the allowed communications
• These policies are enforced by the network where the device is deployed
• A "MUD Manager" must be in the local network
• The enforcement is partially left to the local network administration
June 21, 2023
F. Corno and L. Mannella — A Gateway-based MUD Architecture to Enhance Smart Home Security 6
7. How MUD Works
These two components
can be deployed
on the same device
Thing
Router
or Switch
1. Expose a MUD URL
DHCP, LLDP, 802.1AR
MUD Manager
2. Forward the
MUD URL
5. Enforce the
device’s policies
End system network
3. Get URL
HTTPS
4. MUD file
MUD File
Server
F. Corno and L. Mannella — A Gateway-based MUD Architecture to Enhance Smart Home Security June 21, 2023
7
8. Promising but not much deployed
• MUD is considered promising by ENISA and NIST
• Manufacturers are not creating (and deploying) MUD files
• A possible solution (already faced in literature):
• a third party could create the MUD file instead of the manufacturer
June 21, 2023
F. Corno and L. Mannella — A Gateway-based MUD Architecture to Enhance Smart Home Security 8
9. Proposed approach
A Gateway-based MUD Architecture to Enhance Smart Home Security
June 21, 2023
F. Corno and L. Mannella — A Gateway-based MUD Architecture to Enhance Smart Home Security 9
10. Extending MUD Architecture
• A suitable third-party could be a smart home gateway
• Device able to coordinate many IoT devices
• Often extensible through plug-ins
• Developers and tinkerers could help in creating these MUD files
• specifying plug-ins’ endpoints through some “MUD snippets”
• even if they have
• limited experience with the technology
• no dedicated servers
• To achieve this goal is necessary to extend the MUD architecture
June 21, 2023
F. Corno and L. Mannella — A Gateway-based MUD Architecture to Enhance Smart Home Security 10
11. Extended MUD Architecture
Smart Home
Gateway
Router
or Switch
2. Expose MUD URL
DHCP, LLDP, 802.1AR
MUD Manager
6. Enforce
the SHG
policies
End system
network
Func 1
Thing 1
Plug-in N
3. Forward
the MUD URL
MUD
Generator
MUD Policies
MUD Policies
MUD Policies
MUD
File
F. Corno and L. Mannella — A Gateway-based MUD Architecture to Enhance Smart Home Security
1. Generate and
sign the MUD File
0. Plug-in’s developer writes MUD-compliant policies
June 21, 2023
11
7. Reiterate
the flow
12. Main Contributions of the Paper
1. Extend the MUD concept in a transparent way
• A SHG can manage many devices in its smart home
• The devices and the MUD manager are not aware of this change
2. Protect devices not natively MUD-enabled
• Thanks to developers’ contributions
3. Protect SHGs and their plug-ins with the MUD standard
• Protecting every kind of plug-in
• Regardless of the offered functionality
• I.e., not only devices
June 21, 2023
F. Corno and L. Mannella — A Gateway-based MUD Architecture to Enhance Smart Home Security 12
13. Use Case: MUD Manager
OpenWrt — https://openwrt.org/
• Open Wireless Router
• a Linux operating system targeting embedded devices
• Initial release in January 2004
osMUD — https://osmud.org
• The open source MUD manager
• A C-based MUD manager
• Designed to run on OpenWrt version 17
• Version 0.2 (released in March 2019)
• improved for this project — https://github.com/Sarcares/osmud/tree/mud-refreshing
• osMUD is now able to manage updated versions of the devices’ MUD files
June 21, 2023
F. Corno and L. Mannella — A Gateway-based MUD Architecture to Enhance Smart Home Security 13
14. Use Case: Smart Home Gateway
Home Assistant (HAss) — https://www.home-assistant.io/
• A Python-based open-source smart home gateway software
• Developed since 2013 and released in 2016
• More than 240,000 active installations
• Four different types of release
• Each of them with additional features with respect to core version
• Extensible through two different kind of plug-ins: integrations and add-ons
• Focus on Integrations — https://www.home-assistant.io/integrations
• Available in all Home Assistant releases
• Closer to “traditional” plug-in concept
• Deeply integrated in Hass
• Developed integration: MUD Generator
June 21, 2023
F. Corno and L. Mannella — A Gateway-based MUD Architecture to Enhance Smart Home Security 14
15. The Prototype
• Two Raspberry Pi 3 Model B
• One Raspberry equipped with:
• OpenWrt OS: version 17.01.6
• Slightly improved version of osMUD 0.2
• adding processing of MUD files from already
known devices
• Another Raspberry equipped with:
• Home-Assistant OS: version 9.2
(currently updated to 10.2)
• default and custom integrations
• the MUD generator integration
F. Corno and L. Mannella — A Gateway-based MUD Architecture to Enhance Smart Home Security June 21, 2023
15
16. Testing the Prototype
• Testing the solution with 3 integrations
• 2 custom: an emulated temperature sensor and a switch
• 1 standard: a meteo adapter
• We wrote the related “MUD snippets”
• With the necessary endpoints
• MUD generator merges them in a gateway-level MUD file
• The MUD file is correctly signed, exposed, verified, and enforced
• After the enforcement, we observed as the SHG can reach only
the specified endpoints
June 21, 2023
F. Corno and L. Mannella — A Gateway-based MUD Architecture to Enhance Smart Home Security 16
17. Conclusions
June 21, 2023
F. Corno and L. Mannella — A Gateway-based MUD Architecture to Enhance Smart Home Security 17
18. Conclusions
• Purposes of this proposed approach
• Protect devices not natively MUD-enabled
• Extend the MUD concept even to software functionalities
• Achieved through an extended MUD architecture
• Transparent for
• The MUD manager
• The integrated devices
June 21, 2023
F. Corno and L. Mannella — A Gateway-based MUD Architecture to Enhance Smart Home Security 18
19. Current and Next Steps
• Expanding this proposed approach even to add-ons
• MUD snippets’ authentication
• only trusted developers must be able to add their MUD snippets
• MUD snippets must be associated to the proper plug-in
• MUD policies issue
• Policy Errors: detecting if a policy is wrong-written
• Policy Conflicts: detecting if two policies contradict each other
• Policy Sub-Optimizations: detecting if policies are overlapping
June 21, 2023
F. Corno and L. Mannella — A Gateway-based MUD Architecture to Enhance Smart Home Security 19
20. Thanks for your
kind attention!
Any questions?
F. Corno and L. Mannella — A Gateway-based MUD Architecture to
Enhance Smart Home Security
e-Lite research group
Department of Control and Computer Engineering
Politecnico di Torino, Turin, Italy
June 21, 2023
Publications
Stay Connected
Fulvio Corno
fulvio.corno@polito.it
Full Professor
Luca Mannella
luca.mannella@polito.it
Ph.D. student
20
21. License
• These slides are distributed under a Creative Commons license:
“Attribution-NonCommercial-ShareAlike 4.0 International (CC BY-NC-SA 4.0)”
• You are free to:
• Share — copy and redistribute the material in any medium or format
• Adapt — remix, transform, and build upon the material
• The licensor cannot revoke these freedoms as long as you follow the license terms.
• Under the following terms:
• Attribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made.
You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use.
• NonCommercial — You may not use the material for commercial purposes.
• ShareAlike — If you remix, transform, or build upon the material, you must distribute your contributions under the same
license as the original.
• No additional restrictions — You may not apply legal terms or technological measures that legally restrict others from doing
anything the license permits.
• https://creativecommons.org/licenses/by-nc-sa/4.0/
June 21, 2023
F. Corno and L. Mannella — A Gateway-based MUD Architecture to Enhance Smart Home Security 21