The power of passive OS fingerprinting for accurate IoT device identification

The number of IoT devices in enterprise networks and across the internet is projected to reach 29 billion by the year 2030. This exponential growth has inadvertently increased the attack surface. Each interconnected device can potentially create new avenues for cyberattacks and security breaches. The Mirai botnet demonstrated just that, by using thousands of vulnerable IoT devices to launch massive DDoS attacks on critical internet infrastructure and popular websites.

To effectively safeguard against the risks of IoT sprawl, continuous monitoring and absolute control are crucial. However, that requires accurate identification of all IoT devices and operating systems (OSes) within the enterprise network. Without this knowledge, IT and security teams lack the necessary visibility and understanding to effectively implement targeted security controls, monitor network activity, identify anomalies, and mitigate potential threats.

Understanding IoT’s identity dilemma

Typically, admins can identify devices and OSes through unique Device IDs assigned by software agents that run on network endpoints and collect information for device identification. However, it may not be possible or feasible to install such agents on all operating systems, especially those used in embedded systems and IoT devices. That’s because IoT devices are designed to perform specific functions and often have limited resources — processing power, memory, and storage. They often lack the capability to support any additional software agents.

For those reasons, we need a passive approach to identification that does not involve software installations and works equally well with systems that are customized and stripped down to meet specific IoT device requirements. One such method is network-based fingerprinting and passive OS fingerprinting.

What is passive OS fingerprinting?

In practice, passive OS fingerprinting is like trying to profile people without any direct interactions, simply from their appearance and behaviors. Similarly, the way a device interacts with the network gives away a lot about its identity, capabilities, and potential risks. Instead of installing a software agent, passive OS fingerprinting involves analyzing network traffic patterns and behaviors generated by the devices to determine their operating system.

This method relies on established techniques and fingerprint databases which store traffic patterns and behaviors specific to various operating systems. For instance, the specific options set in TCP headers or Dynamic Host Configuration Protocol (DHCP) requests can vary between operating systems. OS fingerprinting is, essentially, matching a device’s network traffic patterns and attributes against known OS profiles and classifying the traffic accordingly.

Several network protocols can be used for OS fingerprinting:

• MAC addresses: A MAC (media access control) address is a unique identifier that the manufacturer assigns to a network device. Each MAC address typically includes an Organizationally Unique Identifier (OUI) unique to the manufacturer. For instance, by examining the MAC address “88:66:5a:12:08:8E”, administrators can determine that Apple manufactures the device, because the string “88:66:5a” is associated with Apple Inc. Similarly, IoT device traffic includes MAC addresses with OUIs specific to the device’s manufacturer.
• TCP/IP parameters: TCP and IP protocols have several fields within their respective packet header formats. Different operating systems implement TCP/IP attributes differently and may have unique values for TCP/IP fields, such as the initial time to live (TTL), Windows Size, TCP Flags, and more. Admins can analyze and compare these fields and identify the underlying operating system based on OS-specific TCP/IP implementations.
• HTTP User-Agent strings: When a network device (client) communicates with a server over a network using the HTTP protocol, the HTTP header includes an HTTP user-agent field. This field may provide information such as the name and version of the client software, the operating system, and other relevant information. Admins can inspect this field and others in the HTTP header for device detection.
• DHCP requests: DHCP is a network protocol used for automatic assignment of IP addresses. DHCP requests can include certain fields that provide additional information about the client, such as the host name, vendor class identifier, or operating system type. DHCP requests may not be definitive in determining the underlying operating system because of customizations and modifications, but they are still potentially helpful for more granular information regarding device identity.

Despite its limitations, analyzing behaviors and attributes for several protocols across the network layers can help in accurate device identification. Admins can use OS fingerprinting to make informed decisions regarding access control and security policies.

OS fingerprinting across enterprise networks

OS fingerprinting can be helpful for passive device identification, given the rapid expansion of IoT networks and the vulnerabilities they introduce. However, manual OS fingerprinting is a daunting task that requires extensive domain knowledge and expertise.

The main challenge is scalability. Manually mapping unique identifiers across thousands of traffic flows across enterprise networks is impossible. To overcome this challenge, organizations can tap into the resources and scale of a cloud-based, converged network and security stack. A cloud-native security stack, such as SASE (Secure Access Service Edge) or SSE (Secure Service Edge), can access the required resources and enable machine learning algorithms and statistical analysis to extract patterns and behaviors from large volumes of network traffic data.

Converging networking and security functions can allow automated collection and correlation of networking and security data from multiple sources, such as intrusion detection systems, firewall logs, and endpoint security solutions, to provide an overview of network activity and its relation to operating systems and IoT devices.

Convergence facilitates automated identification and classification of clients based on their unique characteristics. Finally, a centralized management console can help streamline the identification and analysis process and allow for immediate action regarding access control and security policies.