Is device fingerprinting a fix for IoT security? Radware's Carl Herberger weighs in
(This article was originally published in Rethink IoT: https://rethink-iot.com/2016/09/08/device-fingerprinting-fix-iot-security-radware-weighs/)
Following on from a previous article in which we talked about IoT kill-switches, and asked Barracuda Networks and ForgeRock about the feasibility of such an approach, we spoke to Radware’s Carl Herberger about the potential for kill-switches and the possibilities of device fingerprinting.
Herberger, Radware’s VP Security Solutions, explained that there were lots of problems with the kill-switch idea, and that they depended on the use-case. Killing off a medical or even an HVAC device could have lethal consequences depending on how it is being used. Grandma won’t have an issue with her air conditioner taking part in a DDoS attack, but killing it in the middle of summer might just do the same to its user.
Radware signs mutual NDAs with its customers, so Herberger couldn’t disclose any names to us. He did note that the company has deployments in the IoT space with a number of large customers, a market in which devices need to be always on and always available, and which therefore need to be much more secure than a smartphone.
Its mostly-software approach tends to focus on securing the gateway that gives the end-nodes access to the internet. This is a model you can’t replicate in applications like cars, for example, as there is typically no such gateway device between the car and the outside world.
But Herberger noted that gateways are something of an intermediary step before technologies like 5G enable direct connections to every device. While that reality is several years away, it would require a shift in focus from those invested in device security, as it would remove the gateway as the fall-back point for blocking insecure or compromised devices from reaching the internet.
Herberger believes the next step is device fingerprinting, a method for uniquely identifying a device that would allow vendors to blacklist or whitelist devices for particular actions or network permissions. Describing it as a way to categorize legitimacy, the approach involves cataloging device characteristics and then using cryptographic keys to create a fingerprint for the device.
These characteristics could include the browser or OS version number, a piece of the physical hardware, or the device’s internal IP address. The security vendor hashes them together and encrypts the result, which makes the fingerprint very hard to fake.
Once you have these unique fingerprints in circulation, then (in theory) you would be able to securely ring-fence devices that look like they have been compromised. Similarly, it would allow you to grant access only to the devices you actually want on your network or services, while retaining a strong degree of confidence that the end-device is what it says it is.
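To make the mechanism concrete, here is an added example of the catalogue-then-key pattern described above. It is illustrative code written for this article, not Radware’s implementation: the device attributes are constructed, the keyed step is assumed to be HMAC-SHA256 (the article does not say which primitive Radware uses), and the allow/block registry is a hypothetical gateway-side store. It also exercises the cases a practitioner cares about: an attacker altering an attribute or computing an unkeyed hash, a cloned fingerprint being replayed, a legitimate firmware update changing the catalogue, and a device being quarantined after it joins a DDoS.

```python
import hashlib
import hmac
import json
import secrets


def canonicalize(characteristics: dict) -> bytes:
    """Serialize the attribute catalogue deterministically (sorted keys, no
    whitespace) so the same device always hashes to the same bytes."""
    return json.dumps(characteristics, sort_keys=True,
                      separators=(",", ":")).encode("utf-8")


def fingerprint(characteristics: dict, key: bytes) -> str:
    """Keyed hash of the catalogued characteristics (assumed HMAC-SHA256).
    A plain hash could be recomputed by anyone who knows the attributes;
    the secret key means only the key holder can produce a valid tag."""
    return hmac.new(key, canonicalize(characteristics), hashlib.sha256).hexdigest()


class Registry:
    """Hypothetical gateway-side store: the issuing key plus the
    allow-list and block-list, both keyed by fingerprint."""

    def __init__(self, key: bytes):
        self.key = key
        self.allowed: set[str] = set()
        self.blocked: set[str] = set()

    def enroll(self, characteristics: dict) -> str:
        fp = fingerprint(characteristics, self.key)
        self.allowed.add(fp)
        return fp

    def quarantine(self, fp: str) -> None:
        # Ring-fence a device that looks compromised: it stays identifiable
        # but loses network permissions.
        self.allowed.discard(fp)
        self.blocked.add(fp)

    def decide(self, characteristics: dict, presented_fp: str) -> str:
        # A device presents its current catalogue plus the tag it was issued.
        # Recompute the tag from the catalogue; any attribute change, or a tag
        # made without the key, fails here. compare_digest avoids timing leaks.
        if not hmac.compare_digest(fingerprint(characteristics, self.key), presented_fp):
            return "mismatch"
        if presented_fp in self.blocked:
            return "block"
        if presented_fp in self.allowed:
            return "allow"
        return "unknown"


def demo() -> dict:
    """Walk through the scenarios and return each decision for inspection."""
    key = secrets.token_bytes(32)          # kept on the gateway, never on the device
    reg = Registry(key)

    # Constructed sample catalogue for one end-node (hypothetical values).
    thermostat = {
        "hardware_id": "SN-0042-ABCD",
        "os": "linux-4.4.0",
        "agent": "gw-agent/1.2",
        "internal_ip": "10.0.0.17",
    }
    fp = reg.enroll(thermostat)
    results = {"legit": reg.decide(thermostat, fp)}

    # Attacker claims a different hardware id but reuses the observed tag.
    spoofed = dict(thermostat, hardware_id="SN-9999-ZZZZ")
    results["spoofed"] = reg.decide(spoofed, fp)

    # Attacker without the key tries a plain SHA-256 of the same catalogue.
    unkeyed = hashlib.sha256(canonicalize(spoofed)).hexdigest()
    results["unkeyed"] = reg.decide(spoofed, unkeyed)

    # Caveat: a cloned (catalogue, tag) pair from a legitimate device still passes.
    results["replayed"] = reg.decide(dict(thermostat), fp)

    # Caveat: a legitimate OS update changes the catalogue, so the old tag
    # no longer verifies and the device must be re-enrolled.
    updated = dict(thermostat, os="linux-4.9.0")
    results["after_update"] = reg.decide(updated, fp)
    results["reenrolled"] = reg.decide(updated, reg.enroll(updated))

    # The original device joins a DDoS; the gateway ring-fences it.
    reg.quarantine(fp)
    results["quarantined"] = reg.decide(thermostat, fp)
    return results


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{scenario:>12}: {decision}")
```

Two of the outcomes are the practical limits of the approach. The keyed tag proves that the catalogue has not changed since enrollment, not that it came from that physical device, so a copied pair replays cleanly unless the fingerprint is bound to something the attacker cannot copy (a hardware-held key, a channel binding). And volatile attributes such as the internal IP or OS version produce a "mismatch" on every legitimate change, which looks identical to tampering, so the attribute set has to be chosen for stability as much as for uniqueness.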
Of course, the fingerprint itself is going to be a huge target for cyber-criminals and nation states, both of which will be looking for ways to exploit the identity-management systems that rely on it. Herberger agreed with our rebuttal that everything can be cracked eventually. Ransomware is another major risk for critical devices, with the nightmare scenario of a defibrillator being offline in its time of need.
As for rolling out device fingerprinting, Radware launched its own fingerprinting approach in its Attack Mitigation System, unveiled back in January. The system has been used to help counter bots that were scraping an airline’s website and locking up tickets in the sales process, which led to planes taking off only partially full. Radware notes that “we’ve reached a point of ‘my good bot against your bad bot’ state in security.”
But in order to reach the necessary scale, the approach would need to be adopted, or at least advocated for, by some form of standards body. As it stands, there isn’t an obvious standard trying to achieve internet-native device fingerprinting, and legislation is reactive and slow to catch up rather than proactive.
Radware, and many others in the security industry, would like some form of mandatory security penetration testing as a regulatory requirement, but waiting for individual states is likely to be a slower process than working this into a standard adopted by the technology providers themselves.