The power of passive OS fingerprinting for accurate IoT device identification
The number of IoT devices in enterprise networks and across the internet is projected to reach 29 billion by the year 2030. This exponential growth has inadvertently increased the attack surface. Each interconnected device can potentially create new avenues for cyberattacks and security breaches. The Mirai botnet demonstrated just that, by using thousands of vulnerable IoT devices to launch massive DDoS attacks on critical internet infrastructure and popular websites.
To effectively safeguard against the risks of IoT sprawl, continuous monitoring and absolute control are crucial. However, that requires accurate identification of all IoT devices and operating systems (OSes) within the enterprise network. Without this knowledge, IT and security teams lack the necessary visibility and understanding to effectively implement targeted security controls, monitor network activity, identify anomalies, and mitigate potential threats.
Typically, admins can identify devices and OSes through unique Device IDs assigned by software agents that run on network endpoints and collect information for device identification. However, it may not be possible or feasible to install such agents on all operating systems, especially those used in embedded systems and IoT devices. That’s because IoT devices are designed to perform specific functions and often have limited resources — processing power, memory, and storage. They often lack the capability to support any additional software agents.
For those reasons, we need a passive approach to identification that does not involve software installations and works equally well with systems that are customized and stripped down to meet specific IoT device requirements. One such method is network-based, passive OS fingerprinting.
In practice, passive OS fingerprinting is like trying to profile people without any direct interactions, simply from their appearance and behaviors. Similarly, the way a device interacts with the network gives away a lot about its identity, capabilities, and potential risks. Instead of installing a software agent, passive OS fingerprinting involves analyzing network traffic patterns and behaviors generated by the devices to determine their operating system.
This method relies on established techniques and fingerprint databases which store traffic patterns and behaviors specific to various operating systems. For instance, the specific options set in TCP headers or Dynamic Host Configuration Protocol (DHCP) requests can vary between operating systems. OS fingerprinting is, essentially, matching a device’s network traffic patterns and attributes against known OS profiles and classifying the traffic accordingly.
Several network protocols and attributes can be used for OS fingerprinting:
- MAC addresses
- TCP/IP parameters
- HTTP User-Agent strings
- DHCP requests
Despite its limitations, analyzing behaviors and attributes for several protocols across the network layers can help in accurate device identification. Admins can use OS fingerprinting to make informed decisions regarding access control and security policies.
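As an added example (not code from the original article), this is the matching step for the TCP/IP case: parse a raw IPv4/TCP SYN, extract the inferred initial TTL, window size, option order and MSS, and look the tuple up in a signature table. The signature table, the profile labels and the packets are constructed for illustration and are not a validated fingerprint database.

```python
import struct
# Illustrative signatures (constructed, not real DB): (initial TTL, window, option kinds, MSS)
SIGNATURES = {
    (64, 29200, (2, 4, 8, 1, 3), 1460): "profile-A (Linux-like stack)",
    (128, 8192, (2, 1, 3, 1, 1, 4), 1460): "profile-B (Windows-like stack)",
}

def initial_ttl(observed):
    """Round the observed TTL up to the nearest common initial value."""
    return next(t for t in (32, 64, 128, 255) if observed <= t)

def parse_tcp_options(raw):
    """Return (option kind order, MSS) from a raw TCP options field."""
    kinds, mss, i = [], None, 0
    while i < len(raw):
        kind = raw[i]
        kinds.append(kind)
        if kind == 0:                      # End-of-option-list
            break
        if kind == 1:                      # NOP is a single byte
            i += 1
            continue
        length = raw[i + 1] if i + 1 < len(raw) else 0
        if length < 2:                     # malformed option: stop, don't loop
            break
        if kind == 2 and length == 4:      # Maximum Segment Size
            mss = struct.unpack("!H", raw[i + 2:i + 4])[0]
        i += length
    return tuple(kinds), mss

def fingerprint_syn(pkt):
    """Classify an IPv4/TCP SYN against SIGNATURES; None if not a plain SYN."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:                        # not TCP
        return None
    tcp = pkt[ihl:]
    if tcp[13] & 0x12 != 0x02:             # need SYN set and ACK clear
        return None
    doff = (tcp[12] >> 4) * 4
    window = struct.unpack("!H", tcp[14:16])[0]
    kinds, mss = parse_tcp_options(tcp[20:doff])
    return SIGNATURES.get((initial_ttl(pkt[8]), window, kinds, mss), "unknown")

def build_syn(ttl, window, options, flags=0x02):
    """Constructed IPv4 + TCP segment carrying the given raw options (padded to 4n)."""
    options += b"\x00" * (-len(options) % 4)
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, (5 + len(options) // 4) << 4,
                      flags, window, 0, 0) + options
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, ttl, 6, 0,
                       b"\x0a\x00\x00\x05", b"\x0a\x00\x00\x01") + tcp
```

The initial TTL is inferred by rounding the observed value up, so a middlebox that rewrites TTLs, or a host that uses a non-default initial TTL, will shift a device into the wrong bucket; that is one reason to correlate several attributes rather than rely on the TCP tuple alone.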
OS fingerprinting can be helpful for passive device identification, given the rapid expansion of IoT networks and the vulnerabilities they introduce. However, manual OS fingerprinting is a daunting task that requires extensive domain knowledge and expertise.
The main challenge is scalability. Manually mapping unique identifiers across the thousands of traffic flows in an enterprise network is impossible. To overcome this challenge, organizations can tap into the resources and scale of a cloud-based, converged network and security stack. A cloud-native security stack, such as SASE (Secure Access Service Edge) or SSE (Secure Service Edge), can access the required resources and enable machine learning algorithms and statistical analysis to extract patterns and behaviors from large volumes of network traffic data.
Converging networking and security functions can allow automated collection and correlation of networking and security data from multiple sources, such as intrusion detection systems, firewall logs, and endpoint security solutions, to provide an overview of network activity and its relation to operating systems and IoT devices.
Convergence facilitates automated identification and classification of clients based on their unique characteristics. Finally, a centralized management console can help streamline the identification and analysis process and allow for immediate action regarding access control and security policies.