Modern Strategies for IoT Device Fingerprinting

in 2016, the creators of the Mirai botnet clearly demonstrated the risks posed by devices connected to the internet by exploiting the vulnerabilities of thousands of IoT devices. It is becoming increasingly clear that effective protection against IoT risks cannot be achieved without accurate identification of every device on the internet or corporate network.

According to forecasts from Statista, by 2033, the number of smart devices used in corporate networks and on the internet will exceed 39 billion. Continuous monitoring and control of network activity are essential to provide effective protection against risks associated with the internet of things.

However, this requires identifying all devices on the network. This can be achieved by capturing the digital fingerprint of the device’s operating system, as discussed in this article.

How IoT Works and its Perils

As we all know, the IoT concept has brought together various technical devices used in everyday life: smart TVs, routers, IP cameras, smart speakers and other gadgets and household appliances with internet access.

The issue with IoT is that all these devices are connected to the internet and can automatically perform certain tasks. This connectivity has allowed cybercriminals to repeatedly exploit vulnerabilities in the internet of things and the inherent unreliability of many gadgets connected to the network. The widespread adoption of IoT devices has created new cybersecurity challenges, including those related to external attack surface management.

In the case mentioned above, the Mirai botnet scanned the internet in search of IoT devices based on ARC processors and then took control of them, adding them to its zombie network. After finding a suitable device, it began using the simplest brute-force attack until it gained access.

In most cases, finding a login-password combination was not difficult. Many IoT devices come with simple default credentials that are pre-installed at the factory. Manufacturers have been releasing equipment with the same default settings for years because it makes testing and servicing easier for them.

Experts recommend changing the default settings immediately before starting to use an IoT device. However, most users tend to overlook these details, opting instead to rely on the official application provided by the supplier. As a result, it is not surprising that the Mirai botnet managed to compromise around 145,000 IoT devices. This allowed the creators of Mirai to organize massive DDoS attacks on the network resources of several hosting providers and popular internet sites.

This case is far from the only one, although it is considered one of the largest attacks involving smart devices. One of the well-known successors of Mirai is the NoaBot botnet, which not only used gadgets for DDoS attacks but also for more complex tasks, such as crypto mining.

Most cyberattacks on smart home devices are based on modifications of the Mirai malware. At the same time, more and more industries are incorporating IoT devices, including healthcare, the financial sector and the hospitality industry. With the widespread use of smart devices in manufacturing, medical institutions and other enterprises, there is an increasing need to create a secure industrial internet of things (IIoT).

Identifying IoT Devices Through Digital Footprints

The increase in the number of smart devices has raised a critical question for information security specialists: How to manage IoT traffic and ensure the protection of other network nodes? After all, using this attack vector, cybercriminals can compromise the confidentiality of sensitive information or seize control of vital resources, such as power supply systems.

IT administrators can identify the type of device and its operating system by using unique identifiers transmitted by pre-installed client software. However, installing such applications may not be possible on some operating systems. This is particularly true for the operating systems used in internet of things devices and integrated systems.

IoT devices are designed to perform specific tasks and typically operate with minimal computational power, memory and internal storage. As a result, IoT devices may not be able to support the installation of additional applications.

For these reasons, we are interested in a passive identification method that does not require the installation of any software. It should be as effective as a monitoring system specifically optimized for IoT devices. Such methods include analyzing the digital footprint.

Classifying IoT Devices by Network Behavior Without Direct OS Interaction

Passive OS fingerprinting works by examining specific characteristics of network traffic that indirectly reveal the operating system of the client device. It also takes into account the communication channel used for the Internet connection.

This approach relies on established methods and standard fingerprint databases, which summarize traffic patterns and behaviors typical of different operating systems, such as parameters broadcast in TCP/IP headers and DHCP requests.

In essence, passive fingerprinting – taking digital fingerprints – compares the network traffic generated by a device and its parameters with known OS profiles, allowing the classification of specific network activity. It is akin to the unobtrusive work of a security service that seeks to identify potential intruders among the general population based on their appearance and behavior without directly interacting with them. Similarly, a device’s interaction with the network can reveal much about its ownership, functionality and potential hidden threats. Passive reading does not require installing a client application.

Key Parameters Captured in Digital Fingerprinting

The following characteristics can be used to obtain OS digital fingerprints:

• MAC Address – a unique identifier assigned to each network device. MAC address identification is widely used to control access to network resources. Each MAC address typically contains an organizationally unique identifier (OUI) assigned by the manufacturer to a specific piece of equipment. For example, if an information security administrator detects the MAC address “88:66:5A: 12:34:56,” they can identify that Apple manufactured this device, as the prefix “88:66:5A” is associated with Apple Inc. Similarly, the traffic flow of IoT devices contains MAC addresses with OUIs that are unique to specific manufacturers. However, the possibility of MAC address cloning or spoofing should not be overlooked.

• TCP/IP parameters. TCP and IP packet headers contain a specific set of fields that follow the corresponding protocol format. Different operating systems handle TCP/IP attributes in varying ways, leading to recognizable field values, such as the packet’s Time to Live, window size, TCP header flags, etc. Information security administrators can compare and analyze these fields to determine the underlying operating system based on its typical TCP/IP stack implementation. However, the TCP/IP fingerprint can be obfuscated or masked at the proxy server level, making it harder to identify the OS.

• HTTP Protocol. When a client device exchanges data with a server via HTTP, it includes a special User-Agent header in its request. This header includes details about the client’s software name and version, the device’s OS, and other pertinent data. For example, a User-Agent header value in the Chrome browser on Linux might look like this: “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/ 127.0.6533.100 Safari/537.36”. Information security administrators can view this header, along with other lines in the HTTP request, to identify the device.

• DHCP Requests. Dynamic Host Configuration Protocol is used to automatically assign IP addresses to devices on a network. DHCP requests include specific fields that provide information about the client, such as the vendor class identifier, hostname, and OS type. However, due to the presence of additional settings and various modifications, DHCP requests are not considered a completely reliable source for determining the underlying operating system. Nonetheless, they are still useful for detailed device identification when the task requires it.

Despite some limitations, a comprehensive assessment of behavior and parameters at the TCP/IP protocol level often allows for reliable identification of devices. Information security administrators can use OS fingerprinting to guide access control decisions and ensure compliance with network security policies.

OS Fingerprinting Challenges and Peculiarities in IoT

Given the rapid growth of the internet of things and its associated vulnerabilities, OS fingerprints are crucial for the passive identification of devices in corporate networks. For example, cameras, routers, and printers are well-known as popular targets for hackers. However, manually removing digital fingerprints is a complex task that requires practical knowledge in this area and is time-consuming.

The problem lies in the scale. Manually analyzing traffic flow in corporate networks is nearly impossible because it requires comparing thousands of unique identifiers. To address this issue, enterprises can leverage the capabilities of converged network infrastructure and cloud security stacks. Solutions like secure access service edge (SASE) can provide access to necessary resources. Additionally, machine learning algorithms can be employed to analyze large volumes of network traffic, helping to identify signs of suspicious behavior by creating patterns based on data processing statistics.

A converged network infrastructure can enable automated collection and analysis of network data. The gathered information can then be compared with security data from various sources, such as cyberattack detection systems, firewall logs, and router configurations. This approach provides a comprehensive view of network activity and helps identify connections with specific operating systems and IoT devices.

Conclusion

Monitoring network security, detecting suspicious activity and preventing potential threats are all inseparable from the mandatory identification of IoT devices. Without a firm understanding of these principles, IT specialists and information security teams will be unable to implement effective data protection measures.

Convergence significantly simplifies the automatic identification and classification of client devices based on their unique characteristics. Additionally, organizing a centralized management console streamlines the process of identifying and analyzing OS digital fingerprints within the enterprise. These measures help ensure a prompt response to issues related to granting smart devices access to the internal network and maintaining compliance with security policies.