
‘Digital exhaust’ may be the solution for tracking consumer IoT devices on networks


The rapid growth of IoT over the past decade has sent billions of poorly-secured widgets and gadgets into the homes of consumers. Many of these devices connect to the internet, bringing a host of security weaknesses and vulnerabilities that could impact home and even corporate networks.

Research by Asia Mason, who is currently pursuing a doctorate degree in engineering and electrical engineering at Morgan State University in Baltimore, Maryland, suggests that a technique known as radio frequency (RF) fingerprinting can be leveraged to identify and classify different kinds of connected devices.

While presenting her findings this week at the HotSOS security conference hosted by the National Security Agency, Mason said finding a way to extract signals from and uniquely tag these devices could serve a number of cybersecurity purposes, such as guarding against impersonation attacks. Other IoT asset tracking schemes are also used by some security vendors to do asset inventory and keep track of specific products that may have been impacted by software or hardware security vulnerabilities.

“You’re familiar with human fingerprints, which have distinct features that belong to us on it and are difficult to replicate,” said Mason. “Similarly, our [radio frequency] fingerprints are comprised of features extracted from signals that are distinct to a device due to variations in the manufacturing process.”

Many cheap, commercial IoT devices tend to leak out radio frequency data as they beacon back to previously connected networks. After extracting this radio frequency data from four different devices, Mason fed it into a machine learning algorithm to develop nine features or characteristics that allow researchers to classify the unique emissions of different kinds of devices, as well as 25 classification models. While other methods have been explored for identifying or classifying these internet-connected widgets, a lightweight solution like RF fingerprinting wouldn’t require modification of particular devices or the underlying protocols they rely on, cutting down on the chances of introducing new vulnerabilities in the process.
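To make the idea concrete, the sketch below is an added example, not Mason's method or code from her research: it enrolls simulated devices by two fingerprint features and then rejects an unenrolled radio that claims an enrolled device's identity. The two features (carrier frequency offset and I/Q gain imbalance), the impairment values, the device names and the distance threshold are all assumptions; the article does not name the nine features or the models used.

```python
import cmath, math, random

def transmit(cfo, iq_gain, rng, n=400, noise=0.02):
    """Simulated preamble burst: a tone distorted by the transmitter's carrier
    frequency offset (rad/sample) and I/Q gain imbalance, plus receiver noise."""
    return [complex(iq_gain * math.cos(cfo * k) + rng.gauss(0, noise),
                    math.sin(cfo * k) + rng.gauss(0, noise)) for k in range(n)]

def features(burst):
    """Fingerprint = (estimated CFO, I/Q RMS ratio), scaled to similar ranges."""
    acc = sum(b * a.conjugate() for a, b in zip(burst, burst[1:]))
    i_rms = math.sqrt(sum(x.real ** 2 for x in burst))
    q_rms = math.sqrt(sum(x.imag ** 2 for x in burst))
    return (1000 * cmath.phase(acc), 100 * i_rms / q_rms)

def enroll(bursts):
    """Average the features of several known-good bursts into a centroid."""
    feats = [features(b) for b in bursts]
    return tuple(sum(col) / len(col) for col in zip(*feats))

def distance(burst, centroid):
    return math.dist(features(burst), centroid)

def identify(burst, db, threshold=3.0):
    """Nearest enrolled device, or None when nothing is close enough."""
    name = min(db, key=lambda d: distance(burst, db[d]))
    return name if distance(burst, db[name]) <= threshold else None

def verify(claimed, burst, db, threshold=3.0):
    """Accept a claimed identity only if the emission matches its fingerprint."""
    return claimed in db and distance(burst, db[claimed]) <= threshold

# Constructed impairments for four enrolled devices and one unenrolled radio.
HARDWARE = {"bulb": (0.100, 1.00), "lock": (0.110, 1.08),
            "sensor": (0.120, 0.93), "plug": (0.130, 1.04)}
ROGUE = (0.118, 1.02)

def demo(seed=7):
    rng = random.Random(seed)
    db = {d: enroll([transmit(*hw, rng) for _ in range(5)])
          for d, hw in HARDWARE.items()}
    genuine = transmit(*HARDWARE["lock"], rng)
    spoofed = transmit(*ROGUE, rng)  # claims to be "lock" at the protocol layer
    return (identify(genuine, db), verify("lock", genuine, db),
            identify(spoofed, db), verify("lock", spoofed, db))

if __name__ == "__main__":
    print(demo())
```

The receiver never modifies the device or its protocol; it only measures what the transmitter's hardware imprints on the signal, which is the property the article attributes to RF fingerprinting.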

Devices within a network follow different sets of standards that govern how they communicate with each other. Mason used ZigBee in her research, a standard used by many battery-powered devices. These emissions can be collected, processed and analyzed to identify the specific device, its location and other features, but if different devices are using different standards on the same network, they could interfere or collide in a way that could potentially complicate the identification process.

“Right now, if I only am using devices with that [ZigBee] protocol I won’t run into the issue of there being multiple devices. When I have the transmission, I can know that it’s only coming from one device,” said Mason. “I would run into an issue if I have multiple protocols. As of right now I don’t have that part figured out yet.”

Chris Rouland is the founder and CEO of cybersecurity startup Phosphorus, which sells software that helps businesses find and remediate vulnerable enterprise IoT devices. He told SC Media that a concept like RF fingerprinting would likely be most relevant in helping to identify rogue, agentless commercial devices lurking within the home networks of consumers. Some manufacturers build multiple standards into their devices but leave them all on by default, leading to millions of connected devices leaking out what is often referred to as "digital exhaust."

“That leaves a tremendous digital vapor trail [and] all those network interfaces can be co-opted for an attack and a pivot someplace else,” said Rouland.

Massive companies like Google, Apple, Amazon and a few others have the resources to design and build security into their suite of connected devices. Some manufacturers who lack the same scale, resources or priorities may not, in some cases opting to use unpatched source code from similar devices.

“Everybody else are really kind of B players, or there are even some players where it comes out of the factory malicious…with malware pre-installed,” said Rouland.

For years, the cybersecurity community and policymakers have sounded the alarm that standards and processes need to be put in place to better secure the tens of billions of smart watches, refrigerators, dishwashers and other products that now come with built-in connectivity. Those often connect to home networks, and can present risk to corporate networks when remote employees intermingle devices and networks while working from home.

Security worries about IoT have typically gone beyond identifying and classifying such devices, but it is an issue that becomes more urgent every year as IoT proliferates. A working group formed by the Cloud Security Alliance concluded that “the security industry is seeing a paradigm shift whereby [identity and access management] is no longer solely concerned with managing people but also managing the hundreds of thousands of ‘things’ that may be connected to a network.” Meanwhile, a European Commission report on IoT identity challenges specifically highlighted the need to build a collective mechanism for businesses and individuals to keep track of their internet-connected assets.

“The issues of providing non-colliding unique addresses in a global scheme requires an infrastructure in place that supports highly dynamic devices that appear and disappear from the network at any time, move between different local and/or private networks and have the flexibility to either identify their user uniquely or hide his/her identity, thus preserving privacy as needed,” the commission wrote.

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.
