What is IoT Profiling?

What is the biggest challenge in IoT security?

IoT (Internet of Things) devices are growing wildly in popularity; some estimates say as many as 25.4 billion devices will connect to the internet by 2030. As entertaining, useful, and often game-changing as these devices are, they come with some serious inherent security challenges.

The biggest one most corporate network administrators face is simply finding them on the network. In one study by Infoblox, 80% of IT leaders found IoT devices on their network they did not know were there, a phenomenon known as Shadow IoT. These devices are designed with ease of use in mind (just connect them to the network and go), which makes it easy for a user to add one without making IT aware. They also do not typically respond to traditional monitoring protocols like SNMP and WMI, nor do they allow the installation of extra software such as a monitoring agent.

The first rule of securing your network is knowing what is on it, which is why you need to look at software that does IoT profiling.

What is IoT profiling?

IoT profiling is the process of identifying IoT devices on a network by their observable characteristics, such as MAC address, DHCP behavior, and open ports. With the exploding popularity of IoT devices showing no signs of slowing down, IT administrators are struggling with a new problem: Shadow IoT, that is, devices being added to their networks without their knowledge. The first principle of securing your network is knowing what is on it, so IoT profiling has become a critical element of security for corporate networks.

What does device profiling do?

Profiling typically gathers information about a specific device such as MAC address, operating system, firmware version, and manufacturer.  

How it accomplishes this varies - there are several possible methods. Here are a few of the most common ones: 

  • MAC address lookup: Every network interface (in theory) has a unique MAC address. The first three bytes (six hex digits) are the OUI, which the IEEE assigns to a specific manufacturer. For example, if a MAC address starts with 48:D7:05 it is an Apple device. Although reasonably accurate, this method provides very limited information. If the device is made by, say, Axis, it is probably a camera; but if it is Sony, is it a television, a laptop, or did someone sneak their PS5 into the office? It also tells you nothing about firmware, operating system, and so on. Two further caveats: modern phones and laptops randomize their Wi-Fi MAC address (randomized addresses set the "locally administered" bit in the first octet, so no OUI lookup applies), and a MAC address is trivial to spoof.
  • DHCP gleaning (fingerprinting): If your network uses a DHCP server to hand out IP addresses (and there is a 99% chance it does), a new device sends a DHCP Discover/Request to that server when it joins the network. Which options the client includes in that request, in particular the parameter request list (option 55), the vendor class identifier (option 60) and the hostname (option 12), and the order it asks for them in, vary by operating system and DHCP client implementation, so you can often gather a surprising amount of information about the device from that one packet, entirely passively.
  • Nmap/port scanning: Often you can tell a lot about a device by which ports it has open, and Nmap's OS and service detection (-O and -sV) send crafted TCP/UDP probes and match the responses against a fingerprint database to pinpoint the device type and the software it runs. Unfortunately, port scans are also a reconnaissance tool for attackers and are thus often blocked or alerted on at the network level. They also do not scale very well: TCP alone has 65,535 possible port numbers (and UDP another 65,535), a full scan of every host takes a long time, and some fragile embedded devices misbehave when probed.

There are other methods available, but most IoT profiling solutions use some combination of the above.  
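As an added worked example (not code from the original article or from any profiling product), the following Python script combines the first two methods above: it checks the OUI and the locally administered bit of a MAC address, then parses a raw DHCP Discover and matches its parameter request list against a fingerprint table. The OUI entries, the fingerprint lists, and the sample packet are constructed for illustration; real profiling software uses the IEEE OUI registry and a maintained DHCP fingerprint database.

```python
"""Passive IoT profiling from a MAC address and a DHCP Discover.

Added example for this article; it is not the article's own code or any
vendor's product. The OUI table and DHCP fingerprints are constructed for
illustration: real deployments use the IEEE MA-L registry and a maintained
DHCP fingerprint database.
"""
import struct

# Constructed OUI table (first three bytes of the MAC -> manufacturer).
OUI_TABLE = {
    "48:D7:05": "Apple",                # prefix quoted in the article
    "00:40:8C": "Axis Communications",  # assumed for this example
}

# Constructed DHCP fingerprints: option 55 parameter request list -> guess.
# These lists are hypothetical, not entries from a real fingerprint database.
DHCP_FINGERPRINTS = {
    (1, 3, 6, 12, 15, 28, 42): "embedded Linux (udhcpc-style IoT client)",
    (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252): "Windows workstation",
}

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of DHCP options (RFC 2132)


def profile_mac(mac):
    """Vendor from the OUI, plus the address bits that make OUI lookup unreliable."""
    octets = [int(x, 16) for x in mac.split(":")]
    if len(octets) != 6:
        raise ValueError("expected a 6-octet MAC address")
    oui = ":".join(f"{o:02X}" for o in octets[:3])
    # Bit 1 of the first octet: locally administered. Randomized Wi-Fi MACs
    # set it, so no OUI lookup applies; a MAC copied from a real device does not.
    locally_administered = bool(octets[0] & 0x02)
    multicast = bool(octets[0] & 0x01)
    vendor = None if locally_administered else OUI_TABLE.get(oui)
    return {"oui": oui, "vendor": vendor,
            "locally_administered": locally_administered, "multicast": multicast}


def parse_dhcp(packet):
    """Pull the fingerprinting fields (options 12, 53, 55, 60) out of a raw DHCP message."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    hlen = packet[2]                  # hardware address length (6 for Ethernet)
    chaddr = packet[28:28 + hlen]     # client hardware address field
    info = {"mac": ":".join(f"{b:02X}" for b in chaddr), "message_type": None,
            "hostname": None, "vendor_class": None, "param_request_list": ()}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == 255:               # end option
            break
        if code == 0:                 # pad option has no length byte
            i += 1
            continue
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        i += 2 + length
        if code == 53:
            info["message_type"] = value[0]
        elif code == 12:
            info["hostname"] = value.decode("ascii", errors="replace")
        elif code == 55:
            info["param_request_list"] = tuple(value)
        elif code == 60:
            info["vendor_class"] = value.decode("ascii", errors="replace")
    return info


def profile_device(packet):
    """Combine MAC (OUI) and DHCP gleaning into one profile for a joining device."""
    dhcp = parse_dhcp(packet)
    mac = profile_mac(dhcp["mac"])
    guess = DHCP_FINGERPRINTS.get(dhcp["param_request_list"], "unknown")
    return {**dhcp, **mac, "dhcp_guess": guess}


def build_dhcp_discover(mac, hostname, vendor_class, param_request_list):
    """Construct a minimal DHCP Discover as sample input (constructed, not captured)."""
    chaddr = bytes(int(x, 16) for x in mac.split(":"))
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, len(chaddr), 0,       # op=BOOTREQUEST, htype=Ethernet
                         0x3903F326, 0, 0x8000,      # xid, secs, flags (broadcast)
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = bytes([53, 1, 1])                                        # Discover
    options += bytes([12, len(hostname)]) + hostname.encode()          # hostname
    options += bytes([60, len(vendor_class)]) + vendor_class.encode()  # vendor class
    options += bytes([55, len(param_request_list)]) + bytes(param_request_list)
    return header + MAGIC_COOKIE + options + b"\xff"


if __name__ == "__main__":
    sample = build_dhcp_discover("00:40:8C:12:34:56", "axis-cam-01",
                                 "udhcp 1.30.1", (1, 3, 6, 12, 15, 28, 42))
    for key, val in profile_device(sample).items():
        print(f"{key:>22}: {val}")
```

Feed `profile_device` the payload of any DHCP Discover captured on the LAN (for example from a DHCP relay or a span port) and the vendor, hostname, vendor class and fingerprint guess come back in one dictionary; a `locally_administered` result of `True` is the signal that the OUI is meaningless and the DHCP fields are all you have.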

How can IoT profiling be used to improve IoT security?

As mentioned above, the first key to securing your network is knowing what is on it, so software that does IoT profiling lets you find those Shadow IoT devices. The next step is to make sure these devices cannot move laterally through your network; the last thing you want is for your fish tank to be an entry point to your customer data, as happened to a casino in 2017. A good practice is to contain all IoT devices on a dedicated VLAN that has no access to anything except the internet (and whatever internal server, such as a video recorder, the device genuinely needs), with that restriction enforced by an ACL or firewall rule between the IoT VLAN and the rest of the network.

Another important aspect of IoT security is making sure someone cannot spoof an IoT device to hide in plain sight. Advanced IoT profiling techniques therefore incorporate some form of device behavior analysis: if something identifies itself as a security camera but sends and receives traffic like a laptop, it is tagged as suspicious and quarantined. This is key to preventing someone from spoofing a MAC address to join your network and then using lateral movement to reach your confidential or critical IT assets.
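As an added example (not the article's or any vendor's code), here is the kind of rule a behavior check applies once a device has been profiled: it compares the connections a device actually initiates with what its claimed class should do, and flags a "camera" that starts knocking on SMB, RDP and SSH ports across the network. The device-class policy, the internal address range and the flow records are constructed assumptions; in production the flows would come from a NetFlow/sFlow collector or a span port, and the class from the profiling step.

```python
"""Behavior check for a profiled IoT device.

Added example for this article, not a vendor's or the author's code. The
device-class policy and the flow records are constructed for illustration.
"""
from collections import namedtuple
import ipaddress

# One flow record as a collector might export it (constructed fields).
Flow = namedtuple("Flow", "src_mac dst_ip dst_port proto")

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed corporate range

# Ports a camera (or any sensor) has no business initiating connections to.
ADMIN_PORTS = {22, 135, 445, 3389, 5985}

# Constructed per-class policy: what each class is expected to talk to.
POLICY = {
    "camera":  {"allowed_ports": {53, 123, 443, 554}, "max_internal_peers": 2},
    "printer": {"allowed_ports": {53, 123, 443, 631, 9100}, "max_internal_peers": 1},
}


def check_behavior(device_class, flows):
    """Compare observed flows with the class's expected behavior; return verdict and findings."""
    policy = POLICY[device_class]
    internal_peers, unexpected_ports, admin_targets = set(), set(), set()
    for f in flows:
        if ipaddress.ip_address(f.dst_ip) in INTERNAL:
            internal_peers.add(f.dst_ip)
        if f.dst_port not in policy["allowed_ports"]:
            unexpected_ports.add(f.dst_port)
        if f.dst_port in ADMIN_PORTS:
            admin_targets.add(f.dst_ip)

    findings = []
    too_many_peers = len(internal_peers) > policy["max_internal_peers"]
    if admin_targets:
        findings.append(f"connects to admin ports on {len(admin_targets)} host(s)")
    if too_many_peers:
        findings.append(f"{len(internal_peers)} internal peers "
                        f"(limit {policy['max_internal_peers']})")
    if unexpected_ports:
        findings.append(f"unexpected ports {sorted(unexpected_ports)}")

    # Admin-port probing or spreading across internal hosts is unlike any
    # camera: quarantine. Merely odd ports are worth a human look.
    if admin_targets or too_many_peers:
        verdict = "quarantine"
    elif unexpected_ports:
        verdict = "review"
    else:
        verdict = "ok"
    return {"verdict": verdict, "findings": findings}


# Constructed samples: a real camera streaming to its recorder, and a device
# that borrowed the camera's MAC but behaves like a laptop sweeping servers.
GOOD_CAMERA = [
    Flow("00:40:8C:12:34:56", "10.0.1.5", 554, "tcp"),
    Flow("00:40:8C:12:34:56", "10.0.1.5", 554, "tcp"),
    Flow("00:40:8C:12:34:56", "10.0.0.2", 53, "udp"),
]
IMPOSTOR = [
    Flow("00:40:8C:12:34:56", "10.0.1.5", 554, "tcp"),
    Flow("00:40:8C:12:34:56", "10.0.2.10", 445, "tcp"),
    Flow("00:40:8C:12:34:56", "10.0.2.11", 445, "tcp"),
    Flow("00:40:8C:12:34:56", "10.0.2.12", 3389, "tcp"),
    Flow("00:40:8C:12:34:56", "10.0.2.13", 22, "tcp"),
]

if __name__ == "__main__":
    print("good camera:", check_behavior("camera", GOOD_CAMERA))
    print("impostor   :", check_behavior("camera", IMPOSTOR))
```

The point of the check is that it keys on the device's claimed class, not its MAC: an attacker who clones a camera's MAC address inherits the camera's narrow policy, and the first lateral-movement probe violates it.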