The Secret Life of Machines: An exploration of Device Identity and Behavior (transplant)
(NOTE: The Secret Life of Machines series was originally written for a different site in the 1st half of 2021. These are virtually unchanged)
· Our systems know next to nothing about the physical devices we depend upon. · This missing information is both valuable and knowable.
I’ve spent the last seven months digging into the unfiltered and unedited properties of machines. More specifically, I’ve been focused on the multitude of devices that we have all so completely and without reservation embraced in every aspect of our professional and personal lives – and I have to say that I was totally caught off guard by how little we as users and, more critically, our systems, know about the physical devices we depend upon. This is especially galling given how valuable this missing device information would be in improving overall security, safety, and productivity in IoT, online banking, smart cars, industrial automation, and the list goes on and on.
This post is the first in a series that will outline the problem, the opportunity, and a means to capitalize on “the secret life of machines.”
Living “under the radar” and “off the grid”- literally
Every object – animate and inanimate – emits electromagnetic radiation. Devices are special in that, in addition to whatever intrinsic EM profile they may have, they are designed to intentionally emit EM waves as part of their larger networking and data transmission function.
On the receiving end, devices filter and scrub incoming signals that initially present as a cacophony of continuously flowing EM energy to isolate the targeted frequency bands and eliminate everything but the “high” and “low” marks in that incoming stream. This kind of signal processing is a embedded into every receiver of the aforementioned “intentionally transmitted” data.
· We have thrown out the proverbial “baby with the bath water. · “Noise” encodes a naturally occurring device identifiers that cannot be spoofed or anonymized.
Put into historical context, in the 134 years since Heinrich Hertz first demonstrated the existence of EM waves, we have not merely ignored naturally occurring EM energy, engineers have worked tirelessly to find out and suppress environmental EM energy – what we call “noise.” And, in so doing, we have thrown out the proverbial “baby with the bathwater.” True, idiosyncratic anomalies impede traditional signal processing, but it is also true that this “noise” encodes naturally occurring identifiers that cannot be spoofed or anonymized.
Conversely, there can be no functional equivalent in today’s digital stacks because the unique identifying marks have been scrubbed before the first 1 or 0 bit has been set.
Today’s device identity is inherently weak
The worst kept secret is that systems can never be more secure than the devices they rely upon – and all of our mechanisms for device identification are digital, e.g., based upon those scrubbed 1’s and 0’s generated intentionally by a user somewhere down the line. The inescapable fact is that “Intentions” can always be misdirected, misinformed or even malicious.
This is not news. In their Security Framework (IIC:PUB:G4:V1.0:PB:20160926), The Industrial Internet Consortium writes in part “The level of trust attributed to a credential depends on its uniqueness and strength. An IP address, a MAC address and a QR code are all credentials, and they are unique, but they are not strong, as they can be falsified to impersonate another endpoint. A cryptographic certificate is both unique (with appropriate randomness) and strong (depending on key type and length). However, if the private key associated with the certificate is not stored and processed in protected storage and memory, the certificate can still be compromised.“
If we got ourselves into this bind because all our controls are digital, then there would seem to be only one obvious way out of this mess.
Let’s get physical
The illustration to the right illustrates the glaring omission inside today’s commercial systems; identity, access, and communication controls all operate in the digital layers (OSI layers 2 – 7).
There are no controls that operate at the lowest layer in our systems, the physical layer.
A control that operated off the raw, continuous analog EM signals could do for devices what advanced biometrics do for humans; provide unfiltered, authentic, and trusted identification and classification.
Further, an immutable source of device identity would elevate the device as a first-class peer to the user and, in so doing, strengthen user identity and access management as well.
Given the billions of machine-to-machine connections that we depend upon daily, this work is overdue.
If there is no solution, then there’s no problem
“All information looks like noise until you break the code.” - Neal Stephenson
The old saying goes something like “If there is no solution, then there’s no problem – it’s just life – so deal with it.” There are a number of contributing factors that have brought us to this state of affairs, but first among them is probably the fact that there are no commercially available options to rapidly and reliably identify, categorize, and monitor devices using only their ambient electromagnetic energy.
NEXT UP: What would the ideal device identity, classification, access, and monitoring technology look like? What features and properties would be required to best improve security, resilience, and trust in both our devices and users?