How to discover IoT devices when network traffic is encrypted
Managing Internet of Things (IoT) devices should be easy. Yet the increasing use of encrypted network traffic by IoT devices is complicating their management, for example during device audits or security scans. While desirable from a network security point of view, encryption leaves the IT environments that manage IoT devices with less visibility into what those devices are doing. In this paper, we focus on the problem of identifying IoT device types by analyzing their encrypted traffic. We examine the TLS traffic of IoT devices and derive fingerprints from their session initialization message exchanges (i.e., ClientHello and ServerHello messages). We identify key features of the TLS handshake protocol that can serve as strong indicators for identifying IoT devices. We then build term frequency-inverse document frequency (TF-IDF) based models for identifying IoT devices from their TLS fingerprints. In our experimental setup, we train on 71 IoT devices in 15 distinct categories over a period of three months and derive TF-IDF classifiers for testing using two different feature sets. One feature set, representing a greedy strategy, contains ten prominent features extracted from the TLS handshake protocol. The other contains the four features with the most unique values in the training dataset. Experimental results show that the 4-feature set classifiers have classification performance similar to the 10-feature set, with accuracy, precision and F1-score of over 90%.
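The pipeline the abstract describes, as an added worked example that is not the paper's code: a ClientHello parser that pulls out handshake fields (protocol version, offered cipher suites, extension types, supported groups, ALPN protocols), a tokenizer that turns them into the "terms" of a device's fingerprint document, and a TF-IDF classifier that treats every device type as one document and assigns an unseen fingerprint to the most cosine-similar one. Everything here is an assumption for illustration: the three device types and their ClientHellos are constructed in-script with a small builder, the token scheme and the similarity measure are my own choices, and the feature list is not the paper's 10- or 4-feature set. ServerHello features would be parsed the same way.

```python
import math
import struct
from collections import Counter


def _vec(payload, width):
    """Length-prefixed TLS vector: width-byte big-endian length + payload."""
    return len(payload).to_bytes(width, "big") + payload


def build_client_hello(version, ciphers, exts):
    """Assemble a TLS record carrying a ClientHello (only used to construct test captures)."""
    body = struct.pack("!H", version) + bytes(32) + _vec(b"", 1)  # version, random, empty session id
    body += _vec(b"".join(struct.pack("!H", c) for c in ciphers), 2)
    body += _vec(b"\x00", 1)  # compression methods: null only
    body += _vec(b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts), 2)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record type 22 = handshake


def ext_groups(groups):  # supported_groups extension (type 10)
    return 10, _vec(b"".join(struct.pack("!H", g) for g in groups), 2)


def ext_alpn(protos):  # ALPN extension (type 16)
    return 16, _vec(b"".join(bytes([len(p)]) + p for p in protos), 2)


def parse_client_hello(rec):
    """Pull the handshake fields used as fingerprint features out of a raw TLS record."""
    if len(rec) < 9 or rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    p = 9  # record header (5 bytes) + handshake header (4 bytes)
    feats = {"version": struct.unpack_from("!H", rec, p)[0], "ext": [], "groups": [], "alpn": []}
    p += 2 + 32  # client_version, client random
    p += 1 + rec[p]  # session id
    n = struct.unpack_from("!H", rec, p)[0]; p += 2
    feats["ciphers"] = [struct.unpack_from("!H", rec, p + i)[0] for i in range(0, n, 2)]; p += n
    p += 1 + rec[p]  # compression methods
    if p + 2 <= len(rec):  # the extensions block is optional
        end = p + 2 + struct.unpack_from("!H", rec, p)[0]; p += 2
        while p + 4 <= end:
            t, l = struct.unpack_from("!HH", rec, p); p += 4
            d = rec[p:p + l]; p += l
            feats["ext"].append(t)
            if t == 10:  # supported_groups: 2-byte list length, then 2-byte group ids
                feats["groups"] = [struct.unpack_from("!H", d, i)[0] for i in range(2, len(d), 2)]
            elif t == 16:  # ALPN: 2-byte list length, then (1-byte length, name) entries
                q = 2
                while q < len(d):
                    feats["alpn"].append(d[q + 1:q + 1 + d[q]].decode()); q += 1 + d[q]
    return feats


def fingerprint(feats):
    """Turn parsed handshake fields into the terms of a TLS fingerprint 'document'."""
    return ([f"ver:{feats['version']:04x}"]
            + [f"cs:{c:04x}" for c in feats["ciphers"]]
            + [f"ext:{e}" for e in feats["ext"]]
            + [f"grp:{g:04x}" for g in feats["groups"]]
            + [f"alpn:{a}" for a in feats["alpn"]])


def _cosine(a, b):
    dot = sum(w * b.get(t, 0.0) for t, w in a.items())
    na, nb = math.sqrt(sum(w * w for w in a.values())), math.sqrt(sum(w * w for w in b.values()))
    return dot / (na * nb) if na and nb else 0.0


class TfidfDeviceClassifier:
    """Each device type is one document made of all its training fingerprints."""

    def fit(self, samples):  # samples: iterable of (device_type, token_list)
        docs = {}
        for label, toks in samples:
            docs.setdefault(label, Counter()).update(toks)
        df = Counter(t for c in docs.values() for t in c)  # document frequency per term
        self.idf = {t: math.log(len(docs) / d) + 1.0 for t, d in df.items()}  # +1 keeps shared terms non-zero
        self.vecs = {label: self._tfidf(c) for label, c in docs.items()}
        return self

    def _tfidf(self, counts):
        total = sum(counts.values())
        return {t: (c / total) * self.idf.get(t, 0.0) for t, c in counts.items()}  # unseen terms get weight 0

    def predict(self, toks):
        """Return (device_type, cosine similarity) of the closest training document."""
        v = self._tfidf(Counter(toks))
        return max(((label, _cosine(v, d)) for label, d in self.vecs.items()), key=lambda x: x[1])


# Constructed training captures: three made-up device types, two ClientHellos each.
TRAINING = [
    ("ip_camera", build_client_hello(0x0303, [0xC02B, 0xC02F, 0x009C], [ext_groups([0x0017, 0x0018])])),
    ("ip_camera", build_client_hello(0x0303, [0xC02B, 0xC02F, 0x009C], [ext_groups([0x0017, 0x0018]), (11, b"\x01\x00")])),
    ("smart_plug", build_client_hello(0x0303, [0x002F, 0x0035], [])),
    ("smart_plug", build_client_hello(0x0303, [0x002F, 0x0035, 0x000A], [])),
    ("hub", build_client_hello(0x0303, [0x1301, 0x1302, 0xC02B], [ext_groups([0x001D, 0x0017]), ext_alpn([b"h2", b"http/1.1"]), (43, b"\x02\x03\x04")])),
    ("hub", build_client_hello(0x0303, [0x1301, 0x1302, 0xC02B], [ext_groups([0x001D]), ext_alpn([b"h2"]), (43, b"\x02\x03\x04")])),
]

CLF = TfidfDeviceClassifier().fit((label, fingerprint(parse_client_hello(r))) for label, r in TRAINING)


def classify_record(rec, clf=CLF):
    """Parse one captured ClientHello record and return (device_type, similarity)."""
    return clf.predict(fingerprint(parse_client_hello(rec)))


if __name__ == "__main__":
    # An unseen camera-like ClientHello: one extra cipher and an SNI extension (type 0) not seen in training.
    unseen = build_client_hello(0x0303, [0xC02B, 0xC02F, 0x009C, 0x0035],
                                [(0, b"\x00\x00"), ext_groups([0x0017, 0x0018]), (11, b"\x01\x00")])
    print(classify_record(unseen))
```

The design choice worth noting: a term never seen in training gets IDF 0 and drops out of the similarity, so a device that adds an extension after a firmware update still lands near its old document rather than becoming unclassifiable; a production pipeline would instead refit on the new captures, since the paper's point is that the feature values themselves are stable per device type.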