Re: [perpass] privacy implications of UUIDs for IoT devices

George Michaelson <ggm@algebras.org> Thu, 06 October 2016 00:25 UTC

To: Dave Thaler <dthaler@microsoft.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/perpass/3QESnDthEcKJ8Ur5KJ1zFAamwU4>
Cc: "perpass@ietf.org" <perpass@ietf.org>, Peter Saint-Andre - Filament <peter@filament.com>

....And UUID generation on many devices includes a function over the
MAC address, as a cheap entry to guaranteed unique bits. Such that the
MAC may be randomized on the wire, but the UUID function exposed to
the device may well be repurposing the baked-in ID in ways which
expose.
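
Added example, not part of the original message: the version 1 UUID of RFC 4122 is one well-known instance of a UUID built over the MAC address, and this Python audit sketch shows what such an identifier reveals and how two of them link to one device regardless of the MAC seen on the wire. The sample UUIDs are constructed, and `DEVICE_MAC` is an assumed address taken from the RFC 7042 documentation range.

```python
import uuid
from collections import defaultdict
from datetime import datetime, timedelta, timezone

GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)  # RFC 4122 time base

def inspect_uuid(text):
    """Return what a single UUID string reveals about the device that minted it."""
    u = uuid.UUID(text)
    info = {"uuid": str(u), "version": u.version, "mac": None, "minted": None}
    if u.variant != uuid.RFC_4122 or u.version != 1:
        return info  # only version 1 carries a node field and a timestamp
    # RFC 4122 section 4.5: a node that is not a real IEEE 802 address must set
    # the multicast bit (lowest bit of the first octet); a clear bit means a MAC.
    first_octet = (u.node >> 40) & 0xFF
    if first_octet & 0x01 == 0:
        info["mac"] = ":".join(f"{(u.node >> s) & 0xFF:02x}" for s in range(40, -8, -8))
    # u.time is a 60-bit count of 100 ns intervals since 1582-10-15
    info["minted"] = GREGORIAN_EPOCH + timedelta(microseconds=u.time // 10)
    return info

def link_by_mac(texts):
    """Group UUIDs that embed the same hardware MAC, i.e. came from one device."""
    groups = defaultdict(list)
    for t in texts:
        info = inspect_uuid(t)
        if info["mac"]:
            groups[info["mac"]].append(info["uuid"])
    return dict(groups)

# Constructed samples (assumption, not from the thread).
DEVICE_MAC = 0x00005E0053A7  # RFC 7042 documentation range
SAMPLES = [
    str(uuid.uuid1(node=DEVICE_MAC, clock_seq=1)),
    str(uuid.uuid1(node=DEVICE_MAC, clock_seq=2)),
    str(uuid.uuid1(node=DEVICE_MAC | (1 << 40), clock_seq=3)),  # random-style node
    str(uuid.uuid4()),  # version 4: no node field at all
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(inspect_uuid(s))
    print(link_by_mac(SAMPLES))
```

Running the same check over identifiers a device emits in discovery or registration traffic shows whether its UUID source still exposes the hardware address.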