Fingbox Review: Simply not worth it.

I'd like to open an honest public discourse on the Fingbox. First off I'd like to say that this isn't meant to be an attack on the product or the company. I actually really like the Fingbox but the marketing advertises a Corvette when the product is more of a Honda.



I've been doing Network security and Forensics for a little over 7 years so the idea of a device like the Fingbox excited me; however, after having a Fingbox for a little while I'm ultimately disappointed.



The bottom line up front: spend your $150 on an Asus RT-86U instead. You'll get 99% of the features and a powerful router with a Network intrusion prevention system built in.


Devices Tab




I'm going to go in order of the app when discussion its features. So up first is the network scan. I actually really like this scan and subsequent list in the app. It's clean, it's easy to read and search. Clicking on devices allows you to see some basic information about them, assign them to a user, "block" them completely, or just "pause" them. You can also perform some basic networking components on them such as traceroute, nmap scan, and ping. Pinging and Traceroute are going to be pretty much useless in most consumer networks because the topology is going to be mostly flat. I'll cover "pausing" a device later but we'll talk about blocking quickly.




Blocking



Blocking a device kicks it off the network until you decide to reallow it. Since this is a Man-on-the-Side injection, not a Man-in-the-Middle it's likely just speaking deauth packets to the router and the device to keep them from authenticating. I haven't tested this, but I'd take a bet. This is good in theory but I want to point something out with all of this.  Anything and everything takes processing power. The more stuff you are trying to do the more the device will struggle.



For quick reference, the specs of the device are:

  • Linux operating system
  • ARM 7 processor
  • 1 GB/s Ethernet port
  • 4GB home board storage
  • 512 MB RAM



The 512MB of RAM is what really drags the device down. It’s hard to really run much without at least a 1GB of RAM. 

Recommendation 


The Fingbox could benefit and provide better security use by automatically conducting a basic nmap scan of all devices every day and storing that information in a searchable table on the device. 

A second recommendation I have is to 


Network Tab





Unfortunately, the rest of this review is pretty downhill. You can see the framework of good ideas but there's simply not enough here to actually make this a decent security device.

Vulnerability Test


This is basically a nmap scan of your public IP address which depending on where you live and who your ISP is can be questionable. The big problem with this is that it's wrong...Pretty much all the time. 


 As you can see my vulnerability test shows TCP port 10 open. There are several things wrong with this. 
  1. I don't have port 10 open. I have tried fuzzing my network as much as I can but I can't ever get my network to reply to anything on port 10. 
  2.  A regular nmap scan does not show port 10 as open. 
  3. This vulnerability test does not show the actual ports I have open (4 of them). 
  4. This isn't a vulnerability test.  This is a port scan. Ports are not vulnerabilities. 
According to CISSP, a vulnerability is:  
Vulnerability—A flaw, loophole, oversight, or error that can be exploited to violate system security policy. 
While yes an open port can be seen as an "oversight" it's not necessarily a vulnerability. 


Recommendation 

The vulnerability test should be a true vulnerability test.  Use an OpenVAS scan and tell me what CVEs are publicly exposed.  Now I get that the Fingbox doesn't have enough power to really run an OpenVAS scan but I guarantee you could have it pull results from Shodan. I do appreciate that the Fingbox will attempt to close the ports automatically if something like UPnP is enabled. 

It would also be nice if I could disable an alert. I know the Fingbox thinks that Port 10 is open. Let me acknowledge that and clear it so I can get an accurate number. 


Wi-Fi intrusion prevention

This is probably my biggest irritation with the Fingbox.  Why can I not see the packets? Why can I not see even basic Netflow? 

The idea here is that the Fingbox will detect Access Point Spoofing, or Rouge Access Points, and collect packets to detect malicious redirection. 

Now, this is a good idea, but it's kind of pointless. The average user is going to be a home user. How often is a home user going to have someone try and spoof their AP? Probably not often, and definitely not often enough to dedicate valuable system resources to this. 

This is a theme we'll see a few times with the Fingbox. It's marketed as a home device but some of its features are aimed at businesses. 

I'm sorry, but honestly, this feature is worthless. 


Recommendation

Ideally, I would like to see a full IDS built into this part. Maybe the Fingbox 2 can up the RAM a bit and include a Bro or Snort sensor. I'd also like to have a way to actually review the PCAP of the alerts but that takes a lot of storage and/or remote storage. At the very least some form of NetFlow information. It's not an unreasonable request and I would definitely but a version that supported this. 


Internet Speeds

I like the idea, but with most things,  it feels wrong. 
I have Gigabit speeds with AT&T. The Fingbox does an automated speed check six times a day for me, which is fantastic.  I honestly love this feature, but I know that data isn't accurate.  I can pull a full Gb download on Steam and Humblebundle but the Fingbox shows my network speeds never really peak above 500Mb/s. 

Fing markets that you can use this "Hold your ISP accountable" 



So, don’t put up with that those terrible Internet speeds anymore. Get testing with your Fingbox and get on the phone to your ISP!
While Fing has several Twitter messages that list users getting support from their ISP because of the Fingbox logs I seriously doubt most ISPs will actually care.  What I've come to experience in over 7 years of IT is that ISPs only care about their speed test, and if you're not using their approved speedtest then they will claim it's an issue with the speed test service you're using.

That said, Fing acknowledges that the ISP might do nothing at all:
Well unfortunately we cannot make any promises on behalf of your ISP, but at the very least we would hope they would fix it!
And it wouldn't be reasonable to hold them accountable for the ISP's actions.  

I actually really like the feature even if I never plan to use it to argue with my ISP.  It's just good situational awareness and I like that.  

No recommendations. 


Wi-Fi Performance

This is another feature I actually like. I don't really have much to say here. It's pretty cut and dry. 


Bandwidth Analysis

This one is interesting. The basic premise here is that the Fingbox will ARP spoof whatever devices you identify and monitor how much bandwidth they are using. I like this idea but the Fingbox just simply does not have enough hardware to actually APR spoof an entire network. 


Recommendation

I've made this recommendation before but place the Fingbox inline and collect NetFlow. Then you can really do a true bandwidth analysis.

That rounds up the networking tab. 


People Tab

The people tab is where the Fingbox dabbles a bit into the parental management toolset. 




Let's dive right in. I love the digital presence feature, but I don't understand why I can't get a digital presence for kids.  I have two kids, both of whom are marked as kids in the app. The Fingbox will show me the presence for anyone I want who is not marked as a kid.

My kids are the ones I actually want to know about. I want to know that my kids made it home safe, and I want to know if they're sneaking out, but I can't. If I set them as just regular adults it'll show me their digital presence but not if they're marked as kids. 

I'll very briefly cover the scheduled pausing (I'm saving Digital Fence for last). It's a timer. When the timer hits it "pauses" the device. I've already talked about how ARP spoofing is not an effective way to block traffic so I won't belabor the point. I've had issues with it, so have a lot of people on Facebook.

One point I will make however is that since this is an additional device instead of an inline device simply unplugging it is all your kids need to do to get around the block.

Restricted Devices is just a tab to list all the paused or blocked devices.  It's convenient to have them all in one place. 


Digital Fence

Oh-boy.  This is quite possibly the most useless feature of this app. 
In a nutshell, what this does is keep a list of Wi-Fi capable devices that pass within range of the Fingbox. My only real response is "Who cares?".

Now Fing does list some situational dependant times when this "could" be useful. 

Digital Presence: want to keep an eye on what time your dog walker arrives and leaves? Worried your kids might be having a house party whilst you are away? With the DigitalFenceTM you can look at what is near your Fingbox is real-time, and at historical logs of each device that has been within range between set times. You can also select devices to watch and receive alerts when they move in and out of range.
The problem here is that everything has Wi-Fi now. Even Cars have Wi-Fi. Every device that sends a Wi-Fi probe message (hint: anything with Wi-Fi enabled) will be displayed here.

I don't know about you but I don't know what type of Cell phone my Dog walker (I don't actually have dog walker) has. How am I going to find it in all that noise of almost 600 devices? 

The maximum range of the Fingbox is 15M. While you can filter that down to be more restrictive it begs the question of why. I know the answer to that but I don't like it. This is again an issue where the Fingbox was designed for a business but sold to home users. 

A business would benefit from this by being able to see if users were sitting in the parking lot and trying to spy on users, or if someone was casing the place to rob, etc.  However, trying to find a single device like this in all the noise is going to be a monumental task. 


 Business Features

I've talked about how Fingbox is a business "tool". In the Fingbox support pages, you can see references to tools in the Business beta program. Two of those features are DNS filtering and Web Content Filtering. 
DNS is a serious concern. Cisco's Talso Security group estimates that over 50% of malware uses DNS as a covert C&C system.  Implementing even a basic DNS filtering tool would have been amazing. 
I'm disappointed this is locked behind a business beta, that has no public way to sign up.  Seriously, the only way that I've found to sign up for the (now closed) beta is through a comment on a user post in the closed Fingbox facebook group. 

The second tool that they list is the web content filter. 
 Companies pay big money for tools like Palo Alto to do WCF for them. 
I can't confirm this, but looking at the screenshots it seems like you can view the sites that the Fingbox analyses, so it appears that NetFlow was an idea at some point. 



Conclusion

The sad truth is that Fingbox is an infant in the Security Devices market. It combines a lot of ideas to give situational awareness and some management, but calling this a security device is folly. The good security things that Fingbox does can either be done with a commercial router or some Raspberry Pis.  For the price of one Fingbox, you can buy 5 Raspberry Pi 3 B+s and have all the capabilities and more. 


One last Recommendation

The Fingbox needs to really decide what it wants to be. Is it a network management tool? Is it a parental management tool? Or is it a Security appliance? It tries to do all three and unfortunately doesn't really do any of them well enough to justify its purchase price. Focus on one, perfect that, then consider adding more features.

Comments

Popular posts from this blog

Cypherpunk: A VPN review

Simple Security: The Basics