Of all my prized technical books, one of my favorites in the networking space has to be LAN Switch Security : What Hackers Know about your Switches | A Practical Guide to Layer 2 Devices and Stopping Campus Network Attacks by Eric Vyncke.
Though written way back in 2008 -back when we had IoT but called it IP on Everything- Vyncke's book is more than just relevant in 2016, it's a must-have.
Why? Because Vyncke's book is one of only a handful of practitioner resources that explores in-depth a problem we've had in technology for over thirty years: the Address Resolution Protocol. ARP is a fun little plumbing protocol that exists way down at the bottom of the technology stack. I like to think of ARP as a map of both Layer 2 (MAC) & Layer 3 (IP) of the OSI model, but the technical definition is outlined in RFC 826, written way back in 1982.
So what's the problem with ARP you might ask? By its very nature, ARP is a veritable goldmine of useful and interesting information about a network, or more specifically, a broadcast domain. So at work, querying the ARP table on a switch is usually the first thing I do when I'm troubleshooting a LAN issue. And at home, where you also have an ARP table whether you realize it or not, devices and computers query the same table too to learn about each other.
This is the great benefit of ARP; it just runs on your switch automatically, doing its job in the background with zero drama, just the way a plumbing protocol should. But, therein lies the rub friends: because it provides such useful information automatically to devices that need it without any authentication mechanism, ARP is in reality an un-securable information leaker about your network and you, especially at home.
Vyncke, take it away:
All ARP requests are sent as Ethernet multicast and every Layer 2 adjacent host can build a traffic matrix (for example, which IP address talks to which IP address). There is no known way to mitigate [this] information leak vulnerability [in the Address Resolution Protocol]. Although the security impact of this vulnerability is small, paranoid network architects must make a design where the amount of hosts per Ethernet segment is small (even to the point of having a single host plus its default gateway per segment). Hence, an attacker will only be able to learn that some hosts communicate with a router but will not discover the remote hosts’ IP addresses.
I wonder if Vyncke would choose to use the same word "paranoid" if he were writing his book in 2016. Because from my seat, it's no longer considered paranoid to worry about the information my ARP table leaks out. Indeed, I'd argue that you're being negligent if you're not worried about it, especially as we adopt more IoT style technologies in our homes and workplaces.
Remember, this is a goldmine of real, substantive data on your network, its devices, and, well, you. In the enterprise space, we've got tools to deal with this, so typically we just segment our networks into ever smaller broadcast domains, usually via VLAN tagging or, ideally, Private VLANs.
In the home though, router and Wireless AP manufacturers offer little more than a Guest VLAN, if that. Your average home internet network, as a result, will leak out juicy details from your ARP table to whomever -or whatever- connects to it.
Hackers are one thing, but imagine what a Marketer could glean from querying, then storing and uploading data from the ARP table on your home network:
- When the devices you own come and go on the network
- Which devices are used the most
- The type, name, and manufacturer of the devices on your network
Consider that just by querying the ARP table over time, you could construct a detailed picture of a family's life at home: Dad's iPhone connects to the network a little after 6pm and leaves the network routinely at 7am. He must be employed. Junior's iPad is on and connected for about 7 hours a day, but the Wifi interface on the TV is off until late in the evening. Mom must not spend a lot of time with Junior. Meanwhile, the wifi thermostat, the wifi lights, and the daughter's MacBook are alive on this typical /24 network all day long. What's that tell us about this family and how can we tailor our direct-mail & web-based ads to them?
Frighteningly, since ARP and MAC addresses are easy to spoof -especially on a home network-, it's not inconceivable that an automated process inside an IoT device one day starts masquerading as your home's router, which would give you even more great details about this family. Even if your search queries are encrypted, there's still gobs of metadata to be had from such an approach.
All of this is not only possible, it's probable given the fierce competition in IoT, the lack of regulations governing technology use in general, and the fact that, to a marketer, such behavior has a very low risk of being detected due to the nature of a 30 year old plumbing protocol known as ARP.
I don't know of any device doing this of course, but I'm not the only one thinking about it. Steve Gibson dedicated a recent Security Now! show to the problem of ARP at home. His solution? He called it "Three Dumb Routers," a fix that more or less mirrors how enterprises use VLANs to segment broadcast domains.