Call For Papers: Internet of Things Software Update Workshop (IoTSU)

[IAB Executive Administrative Manager <execd@iab.org>]

Internet of Things Software Update Workshop (IoTSU)
13-14 June 2016, Trinity College Dublin, Ireland
Website: https://www.iab.org/activities/workshops/iotsu/

Background

In his essay ‘The Internet of Things Is Wildly Insecure And Often 
Unpatchable’ [1] Schneier expressed concerns about the status of 
software/firmware updates for Internet of Things (IoT) devices. IoT 
devices, which have a reputation for being insecure at the time when 
they are manufactured, are often expected to stay active in the field 
for 10+ years and operate unattended with Internet connectivity.

Incorporating a software update mechanism to fix vulnerabilities, to 
update configuration settings as well as adding new functionality is 
recommended by security experts but there are challenges when using 
software updates, as the FTC staff report on Internet of Things – 
Privacy & Security in a Connected World [2] and the Article 29 Working 
Party Opinion 8/2014 on the on Recent Developments on the Internet of 
Things [3] express. Even providing such software update may provide 
challenges for constrained devices, as a buffer overflow vulnerability 
in the implementation of a software update protocol (TR69) [4] and an 
expired certificate in a hub device [5] demonstrated. On top of 
challenges there are various problems with privacy, lack of incentives 
to distribute software updates along the value chains, and questions 
about who should be able to update devices, and when, e.g. at or after 
the end-of-life of a product or component.

There are various (proprietary) software update mechanisms in use today 
and the details vary significantly, particularly depending on the 
envisioned use with IoT devices. More powerful IoT devices, such as 
those running general purpose operating systems (like embedded Linux), 
make use of sophisticated software update mechanisms known from the 
desktop and the mobile world. The focus of this workshop is, however, on 
more constrained embedded devices that run embedded OSs or potentially 
no operating system at all. These devices are typically not equipped 
with a memory management unit or similar concepts. Many of these devices 
also do not allow software packages to be downloaded to be run in a 
sandbox (such as a virtual machine) either.

We solicit contributions in the following areas:

- Protocol mechanisms for distributing software updates.
- Securing software updates.
- Meta-data about software / firmware packages.
- Implications of operating system and hardware design on the software 
  update mechanisms.
- Installation of software updates (in context of software and hardware 
  security of IoT devices).
- Privacy implications of software update mechanisms.
- Seeking input on experience and state-of-the-art.
- Implications of device ownership and control for software update.

Participation at the workshop is free of charge.

Sponsors

The IoTSU workshop is co-sponsored by the Internet Architecture Board 
and the Science Foundation Ireland funded CONNECT Centre for future 
networks and communications. The program committee would welcome 
additional sponsorship for a social event.

Important Dates

Position papers must be submitted by 20th May 2016 at the latest.

The program committee will review submitted position papers and send an 
invitation to the workshop to one of the paper authors. Invitations will 
be distributed by May 23rd, 2016 at the latest.

This workshop will be a day and a half, and take place on the 13th and 
14th of June, 2016.

Position Paper Requirements

Interested parties must submit a brief document. We welcome papers that 
describe existing work, raise new requirements, highlight challenges, 
write-ups of implementation and deployment experience, lessons-learned 
from successful or failed attempts, and ideally a vision on how to 
improve interoperability of software update mechanisms. Contributions 
are not required to be original in content.

We solicit brief write-ups of one to three pages, formatted as HTML, 
PDF, or plain text (for example as a submitted Internet Draft).

We will publish accepted position papers (as well as meeting minutes, 
slides, and a workshop report). Please submit your position papers via 
EasyChair <https://easychair.org/conferences/?conf=iotsu2016>.

Venue

The planned location for the workshop is at Trinity College Dublin, 
Ireland. We will provide the full details of the meeting venue to the 
invited workshop participants. Smaller workshops tend to encourage 
focused conversation and deep dives on specific topics, so the number of 
participants will be limited to ~40 persons. For local information 
please contact Stephen Farrell <stephen.farrell@cs.tcd.ie>.

IPR Policy

The workshop will have no expectation of IPR disclosure or licensing 
related to its submissions.

Privacy Notice

You provide your name and your email address for the registration to 
this workshop. We use this information for planning purposes (such as 
finding rooms and ordering refreshments). We will also use this 
information to contact you about the location of the meeting venue, or 
other urgent and relevant notifications. Before the meeting minutes are 
publicly distributed, you will also receive a copy for review. We will 
share your contact details with the other workshop participants, if 
necessary, for example for post-workshop discussions. Your name and 
affiliation will be listed on the participant list contained in the 
workshop report.

Program Committee

This workshop is organized by:

- Stephen Farrell, IETF Security Area Director, Trinity College Dublin
- Arnar Birgisson, Google
- Ned Smith, IPSO Identity and Security Committee Chair, Intel
- Jari Arkko, IETF Chair, Ericsson
- Carsten Bormann, IETF CORE WG Chair, IRTF T2TRG Chair, TZI University 
  Bremen
- Hannes Tschofenig, IETF ACE/OAuth Chair, ARM Ltd.
- Robert Sparks, IAB member/IETF STIR Chair, Oracle
- Russ Housley, IAB member/IETF STIR WG chair, Vigilsec.

References

[1] Bruce Schneier,  “The Internet of Things Is Wildly Insecure And 
Often Unpatchable”, January 2014.

[2] FTC, “FTC Report on Internet of Things Urges Companies to Adopt Best 
Practices to Address Consumer Privacy and Security Risks”, January 2015.

[3] Article 29 Data Protection Working Party, “Opinion 8/2014 on the on 
Recent Developments on the Internet of Things”, September 2014.

[4] Lior Oppenheim and Shahar Tal, “Too Many Cooks – Exploiting the 
Internet-of-TR-069-Things”, December 2014.

[5] Brian Barrett, “Winks Outage Shows Us How Frustrating Smart Homes 
Could Be”, April 2014.