Can Evil IoT Twins Be Identified? Now Yes, a Hardware Behavioral Fingerprinting Methodology

The connectivity and resource-constrained nature of single-board devices opens up to cybersecurity concerns affecting Internet of Things (IoT) scenarios. One of the most important is the presence of evil IoT twins. Evil IoT twins are malicious devices, with identical hardware and software configurations to authorized ones, that can provoke sensitive information leakages, data poisoning, or privilege escalation in IoT scenarios. Combining behavioral fingerprinting and Machine/Deep Learning (ML/DL) techniques is a promising solution to identify evil IoT twins by detecting minor performance differences generated by imperfections in manufacturing. However, existing solutions are not suitable for single-board devices because they do not consider their hardware and software limitations, underestimate critical aspects such as fingerprint stability, and do not explore the potential of ML/DL techniques. To improve it, this work proposes an ML/DL-oriented methodology that uses behavioral fingerprinting to identify identical single-board devices. The methodology leverages the different built-in components of the system, comparing their internal behavior with each other to detect variations that occurred in manufacturing processes. The validation has been performed in a real environment composed of identical Raspberry Pi 4 Model B and Raspberry Pi 3 Model B+ devices, obtaining a 92.6\% average accuracy with a Random Forest model and achieving the identification for all devices by setting a 50\% threshold in the evaluation process. Finally, a discussion compares the proposed solution with related work and provides important lessons learned and limitations.