Re: [perpass] privacy implications of UUIDs for IoT devices

Dave Thaler <dthaler@microsoft.com> Thu, 06 October 2016 00:09 UTC

Return-Path: <dthaler@microsoft.com>
X-Original-To: perpass@ietfa.amsl.com
Delivered-To: perpass@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 15BA11294CC for <perpass@ietfa.amsl.com>; Wed, 5 Oct 2016 17:09:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.022
X-Spam-Level:
X-Spam-Status: No, score=-102.022 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WtTDIMbZhxZN for <perpass@ietfa.amsl.com>; Wed, 5 Oct 2016 17:09:12 -0700 (PDT)
Received: from NAM03-CO1-obe.outbound.protection.outlook.com (mail-co1nam03on0118.outbound.protection.outlook.com [104.47.40.118]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B749E129442 for <perpass@ietf.org>; Wed, 5 Oct 2016 17:09:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=O4jT3CLrWWtgg9Y6g0yuJtS3jctSNPaSQYqUWncev8s=; b=VfDkkbujbmJU3AofCj3Praf6YdRsFSQ8uL5hS9VQHkoiMxMu3pSCz4qhhVajbwC2vbc1sxcXvSlT+qOnqjIbheqGgNIUQ0rXBlq1KH7orLkJJqxAEK08JLFEu1D1yFZmu3/v/6ST8NI20lGQyp6cT3exf1kS2arz2JDOtgOkVGo=
Received: from CY1PR03MB2265.namprd03.prod.outlook.com (10.166.207.17) by CY1PR03MB2267.namprd03.prod.outlook.com (10.166.207.19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.649.16; Thu, 6 Oct 2016 00:09:11 +0000
Received: from CY1PR03MB2265.namprd03.prod.outlook.com ([10.166.207.17]) by CY1PR03MB2265.namprd03.prod.outlook.com ([10.166.207.17]) with mapi id 15.01.0649.022; Thu, 6 Oct 2016 00:09:11 +0000
From: Dave Thaler <dthaler@microsoft.com>
To: George Michaelson <ggm@algebras.org>, Peter Saint-Andre - Filament <peter@filament.com>
Thread-Topic: [perpass] privacy implications of UUIDs for IoT devices
Thread-Index: AQHSH2PcWiO88js37E+X2UQbY2LNp6CairuAgAABetA=
Date: Thu, 6 Oct 2016 00:09:11 +0000
Message-ID: <CY1PR03MB2265659F67817DF02F3FCF29A3C70@CY1PR03MB2265.namprd03.prod.outlook.com>
References: <5c32e81f-7e43-2bde-b8f4-46f08fecdefb@cs.tcd.ie> <db516334-43ab-e967-cfd5-87d920b65015@filament.com> <CAKr6gn2EjAwqvTXgNyO0Jc3yt9qFRfixXMURHg3wQLe4FcwWWQ@mail.gmail.com>
In-Reply-To: <CAKr6gn2EjAwqvTXgNyO0Jc3yt9qFRfixXMURHg3wQLe4FcwWWQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=dthaler@microsoft.com;
x-originating-ip: [2001:4898:80e8:8::348]
x-ms-office365-filtering-correlation-id: 5e787838-2f49-419f-140a-08d3ed7cffe0
x-microsoft-exchange-diagnostics: 1; CY1PR03MB2267; 7:P7VTHMrJs52jY3Sxn4DrQ8tIwxjBzPlggCtaGQi8XSHD2u9aiANHr41HQK8cj4ZDg1F+FpdfFvB6d6Mw0MOCDYRWLTIgf+eStlW6RkCEtg8TIC0yVxPyG6XKBjfNc7xg6ghqHUoTrmOEEmUSj4Rw3VUentjJLjTfeu7Op/dBQ4wd6gcwvqBNYD+fuz5gHDRXk69dM3sYU7d3yi/xSYRDzglxSMhlc0HOCOveJe8duJkqnZLwkSi0nFfo1RCcPlhXJhe8LI6a9JAfOdBXiIkQIJWcha2bcYXkNCmct6lIasQPm+2Lb1aY+T2nZ38vkasC8MnFhx0IOSKko22C+mHWGQ==
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:CY1PR03MB2267;
x-microsoft-antispam-prvs: <CY1PR03MB2267AC57AEB451BF38A89E93A3C70@CY1PR03MB2267.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040176)(601004)(2401047)(8121501046)(5005006)(10201501046)(3002001)(6055026)(61426038)(61427038); SRVR:CY1PR03MB2267; BCL:0; PCL:0; RULEID:; SRVR:CY1PR03MB2267;
x-forefront-prvs: 00872B689F
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(7916002)(377454003)(13464003)(199003)(24454002)(189002)(5001770100001)(7846002)(3660700001)(551544002)(11100500001)(87936001)(586003)(7736002)(86612001)(122556002)(9686002)(19580395003)(102836003)(4326007)(74316002)(305945005)(6116002)(8936002)(76576001)(106116001)(81166006)(81156014)(10290500002)(33656002)(54356999)(92566002)(68736007)(5005710100001)(10400500002)(101416001)(19580405001)(97736004)(2906002)(3280700002)(76176999)(106356001)(50986999)(99286002)(15975445007)(8990500004)(2950100002)(2900100001)(77096005)(5660300001)(5002640100001)(10090500001)(7696004)(189998001)(86362001)(8676002)(105586002)(3826002); DIR:OUT; SFP:1102; SCL:1; SRVR:CY1PR03MB2267; H:CY1PR03MB2265.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 06 Oct 2016 00:09:11.1462 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY1PR03MB2267
Archived-At: <https://mailarchive.ietf.org/arch/msg/perpass/bGmYMiPH8fT4dbUjlknkRrqzY60>
Cc: "perpass@ietf.org" <perpass@ietf.org>
Subject: Re: [perpass] privacy implications of UUIDs for IoT devices
X-BeenThere: perpass@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "The perpass list is for IETF discussion of pervasive monitoring. " <perpass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perpass>, <mailto:perpass-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/perpass/>
List-Post: <mailto:perpass@ietf.org>
List-Help: <mailto:perpass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perpass>, <mailto:perpass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Oct 2016 00:09:15 -0000

The issue with IEEE MAC's is that it's sent to untrusted observers, not that it is a stable identifier per se.
It just so happens that you typically don't have a choice but to send it in packets such that it can be observed
by untrusted observers, hence the need to use randomized MACs.

-----Original Message-----
From: George Michaelson [mailto:ggm@algebras.org] 
Sent: Wednesday, October 5, 2016 5:01 PM
To: Peter Saint-Andre - Filament <peter@filament.com>;
Cc: perpass@ietf.org; Dave Thaler <dthaler@microsoft.com>;
Subject: Re: [perpass] privacy implications of UUIDs for IoT devices

As an example the IEEE MAC registry is really only to provide uniqueness, but its been demonstrated to act as a passive-capture mechanism to identify probable host architecture from on-the-wire sniffs. This then leads directly to: "If its a Dell, then I know the iDrac default password so I can attempt to see if this is a badly configured Dell which has iDrac IPMI on the host address" and like attacks.

Unique identifiers are being used by the cellular provider to offer price differentiated service to people on the same basic substrate.
Which is a poshed-up way of saying you can get a SIM which is dataplan for an iPad but if you put it in your phone you are in breach of contract over the use of that SIM. I am not personally a fan of this legalism, but it is legal, and it is an ism.

I think there is a fundamental tension between baked in uniqueness, probabalistic uniqueness (think ULA) and non-unique state in Layer-2 and Layer-3

-G

On Thu, Oct 6, 2016 at 9:54 AM, Peter Saint-Andre - Filament <peter@filament.com>; wrote:
> Over on the CORE WG list, we've had a little discussion about the 
> desirability (or not) of unique identifiers for devices in the 
> Internet of Things. The message below provides some context.
>
> I'd be curious to learn more about the attack surface lurking behind 
> Stephen Farrell's comment that having long-term stable identifiers for 
> IoT devices is a privacy-unfriendly practice because people will abuse such identifiers.
>
> To be clear, the scenarios I have in mind are not specific to CoAP and 
> don't always involve IP-based networking (the technology I'm working 
> on these days enables mesh networking over long-range radio), but they 
> do involve discovery and eventual communication that is both 
> end-to-end encrypted and as close to metadata-hiding as possible.
>
> Thanks!
>
> Peter
>
> -------- Forwarded Message --------
> Subject: Re: [core] Implications of IP address / port changes for CoAP 
> & Co
> Date: Thu, 6 Oct 2016 00:11:26 +0100
> From: Stephen Farrell
> To: core@ietf.org <core@ietf.org>;
>
>
> Hi Peter,
>
> On 06/10/16 00:03, Peter Saint-Andre - Filament wrote:
>>
>> On 10/5/16 4:28 PM, Stephen Farrell wrote:
>>
>>> On 05/10/16 23:22, Dave Thaler wrote:
>>>>
>>>> It is important that every device have a unique UUID that is 
>>>> endpoint-address-agnostic and protocol-agnostic.
>>>
>>>
>>> Considering the privacy implications I'm not at all sure I'd accept 
>>> that argument. In fact I'd argue we ought encourage that devices not 
>>> have globally unique long-term identifiers at all unless there is a 
>>> real need for those, and unless we understand how to control their 
>>> (ab)use.
>>
>>
>> By "identifier" do we necessarily mean "network identifier"? It seems 
>> to me that it is useful to have a unique long-term identifier for 
>> every device, based on its public key. Whether you can obtain a 
>> network connection to that device based on such information is another story.
>
>
> It is undoubtedly useful to have long term stable identifiers of 
> various kinds. I'd include key IDs and public keys as such.
>
> Turns out that it's also fairly universally privacy unfriendly as 
> people will abuse such identifiers for good and bad reasons.
>
> So I think we need to get much better at analysing when such things 
> are really needed and in what scope. My bet is that a lot of the time 
> a locally or probabilistically unique more transient identifier would 
> be just fine.
>
> But yeah, I can't prove that. OTOH there is a hint in the term "IMSI 
> catcher" isn't there?
>
> Cheers,
> S.
>
>>
>> Peter
>>
>
> _______________________________________________
> perpass mailing list
> perpass@ietf.org
> https://www.ietf.org/mailman/listinfo/perpass