Manufacturer Usage Description (MUD)

Defending the IoT devices in home environment

IoT devices are highly susceptible to cyber attacks and compare to software, they are usually an easier target for vulnerability hunting and eventually pwning. A proper defense against this, is to setup a fine grained firewall where it only allows each IoT device, to communicate with some predefined destinations. For instance, a smart bulb would not need to communicate with a smart toaster, or a smart crock-pot should not communicate with a www.i-am-safe.com.

Creating the rules for such firewall, is beyond the knowledge of a end user or even a super user. Even an experienced sysadmin will get frustrated for maintaining such firewall since the communication destination of each of the IoT devices might change throughout its lifetime. Introducing MUD: a self-install and self-maintain fine grained firewall, providing "a means for end devices to signal to the network what sort of access and network functionality they require to properly function" [1].

MUD works based on a usage description that is defined by the manufacturer, hence the name Manufacturer Usage Description. The manufacturer of a device, knows better than anyone where their device is supposed to initiate a communication to, or to which domain or service it should respond. Using this description, a smart bulb manufacturer that is aware its products will not communicate with any domain other than the company's domain, can enforce this rule to the future network where the IoT device is going to be deployed.

References

[1]https://tools.ietf.org/html/draft-ietf-opsawg-mud-25


Publications
Conference publications (5)
  1. Vafa Andalibi, Jayati Dev, DongInn Kim, Eliot Lear, and Jean Camp. Making Access Control Easy in IoT. In IFIP International Symposium on Human Aspects of Information Security & Assurance, June 2021.
    Keywords: IoT, MUD, MUD-Visualizer. [bibtex-entry]

  2. Vafa Andalibi, Eliot Lear, DongInn Kim, and Jean Camp. On the Analysis of MUD-Files' Interactions, Conflicts, and Configuration Requirements Before Deployment. In 5th EAI International Conference on Safety and Security in Internet of Things, SaSeIoT, May 2021. Springer.
    Keywords: IoT, MUD, MUD-Visualizer. [bibtex-entry]

  3. Vafa Andalibi, DongInn Kim, and L. Jean Camp. Throwing MUD into the FOG: Defending IoT and Fog by expanding MUD to Fog network. In 2nd USENIX Workshop on Hot Topics in Edge Computing (HotEdge 19), Renton, WA, July 2019. USENIX Association.
    Keywords: MUD, IoT. [bibtex-entry]