How does Fing detect the model and MacOS version of a device
I was running Fing on my iPhone. My Macbook Pro is on the same wireless network and I noticed that Fing not only detected my laptop's name (this is understandable, it is broadcasted, I can see it on the router too), but it also detected the model generation (say Macbook Pro 13 in, 2017-2018) and the MacOS version (MacOS 10.15 Catalina). How is it able to determine the exact model and the exact OS version and is it possible to prevent broadcasting this info?
The two things you can control are the hardware MAC ethernet address and the macOS Catalina firewall.
To prevent detection, try these one by one. Power down your router and Mac so that these things cause a new IP address to be issued between scans.
- Turn on the firewall - https://support.apple.com/guide/mac-help/change-firewall-preferences-on-mac-mh11783/mac
- Enable stealth mode if Fing still knows who you are. https://support.apple.com/guide/mac-help/use-stealth-mode-to-keep-your-mac-more-secure-mh17133/10.15/mac/10.15
- Change your ethernet fingerprint (you have to change all the network adapters / ethernet wired and wireless) - How do I properly change the MAC address of my MacBook Pro?
When this is done, perhaps go back and look at stealth or carving holes in the firewall to allow incoming connections to system / known / signed apps, but if you want the maximum security - changing the factory delivered MAC address and enabling stealth firewall should help secure the hardware details from most scanners.
How does fing or nmap fingerprint a machine?
Usually a database of known claimed hardware manufacturers, looking at open ports and even issuing handshakes to the machine in question to pick apart minute differences in timing and implementation of TCP/IP transactions. It's a lot of reverse engineering and collaboration that lets these tools "identify" gear, as the manufacturers generally don't want to advertise "I'm a Mac" now that security and cracking are legitimate threats on home networks, since routers and software have so many holes in them and it's hard for people to choose strong unique passwords and secure their "smart" devices. Once one is compromised, your whole network is open to "fing scans".
It's called Network Discovery.
Basically, Fing can get this information because your computer (not limited to Macs) is both broadcasting who/what its resources are and responding to requests about what resources are available.
There are lots of tools (mostly professional) that will do a "network inventory" of not only what's connected to your network (type of device), but name, OS, installed software, etc. Network Inventory Advisor is an example of such software (this one is Windows based, but its product info pages give good examples of what info can be obtained).
So, how can it get it?
- DNS Client (how your computer gets an IP address)
- SSDP Discovery - Simple Service Discovery Protocol
- UPnP - Universal Plug & Play
- Zero Config (Bonjour)
- OUI (Organizational Unique Identifier)
Using Wireshark (FOSS Network Sniffer) and just evaluating what ports respond, you can start building a network map and determine what computers are on your network.
The OUI alone can give you a clue as to a computer's identity - there are many free tools on the internet like Wireshark's OUI Lookup Tool. Try it for yourself: paste your MAC address (obtained from ifconfig) and see what vendor is identified. You can obtain all of the MAC addresses on your network segment by pinging your broadcast address.
These are just some of the services on your client machines that advertise what resources are available. All Fing is doing is utilizing one or more of these (which one they use specifically, I don't know) to do an inventory of the network.
Preventing Discovery
Can you prevent this? To a point. No matter what, even your MAC address (unless you spoof it) is going to give up some of the goods on you. Your browser's User Agent String tells whatever server you connect to what you're running, including the host operating system. Give it a try with the site WhatIsMyBrowser.com. What does this mean? Even your applications are giving up the goods on you.
When you attempt to prevent this, you are going to find it difficult to strike a balance between user convenience and perceived security. These identifiers are shared so that the end user doesn't have to go back to the 1970s and 80s and manually configure services (i.e. printing or network file sharing). For example, turn off a zero-conf service and you have to manually configure your printer on your client. You also have to manually configure your printer to not use DHCP because if that IP changes for whatever reason, you have to reconfigure that service again.
Remember, these services are added for user convenience. Can you turn them off and firewall your computer so it doesn't respond? Sure. Have you secured anything? Not really.
In the book The Art of Deception, the author, Kevin Mitnick (convicted hacker), describes many ways systems are compromised. There are many tools and steps you can take technologically and yes, you should implement them. But knowing what OS you're using is irrelevant when the weakest link can be found between the keyboard and the chair. You can turn all of this off tomorrow and, with very little effort, someone can get all this information via social engineering; in other words, just talking to the user.
TL;DR
Basically, you can spend a ton of time trying to make your system invisible with firewalls and disabling services and in the process "break" the conveniences that were built into the system that make your computing experience a good one. Instead, focus on security practices that harden your system. Knowing that you use macOS Catalina on a MacBook Pro or Windows 10 on a Dell XPS is meaningless if you use the same password on a majority of your systems/services, for example. You would be better served by focusing on not letting unauthorized people onto your network in the first place and if you do have to allow guests, segment them to their own VLAN with access to nothing but the Internet, put time/bandwidth limits in place and lock down the protocols they can use (i.e. http/https only).
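Both answers describe the passive inputs a scanner uses (the OUI vendor prefix of the MAC address in the first answer and the Zero Config/Bonjour advertisements and OUI list in the second) without showing what those inputs look like on the wire. The script below is an added illustration, not code from Fing or from either answer, and it makes two assumptions beyond the page: that macOS publishes a Bonjour `_device-info._tcp` service whose TXT record carries `model=` and `osxvers=` keys, and that the `osxvers` value is the Darwin kernel major (19 for 10.15 Catalina). The three OUI entries and the sample TXT record are constructed sample data; a real lookup should use the IEEE registry that Wireshark's OUI tool queries. It also checks the locally-administered bit, which is what a scanner sees once you follow the first answer's advice and replace the factory MAC.

```python
"""Added example: decode the two fingerprinting inputs discussed on the page,
the OUI of a MAC address and a Bonjour/mDNS TXT record. Sample data is
constructed for illustration, not captured from a real network."""

import re

# Constructed sample OUI table (vendor prefix -> vendor). Stand-in for the
# IEEE OUI registry; verify any real prefix against that registry.
OUI_TABLE = {
    "3C:22:FB": "Apple, Inc.",
    "B8:27:EB": "Raspberry Pi Foundation",
    "F4:F5:D8": "Google, Inc.",
}

# Assumed mapping of the osxvers= TXT key (Darwin kernel major) to a release name.
OSXVERS_NAMES = {
    "17": "macOS 10.13 High Sierra",
    "18": "macOS 10.14 Mojave",
    "19": "macOS 10.15 Catalina",
}


def normalize_mac(mac: str) -> str:
    """Accept 3c:22:fb:aa:bb:cc, 3c-22-fb-aa-bb-cc or 3c22.fbaa.bbcc and
    return the upper-case colon-separated form; raise ValueError otherwise."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_info(mac: str) -> dict:
    """What an OUI lookup reveals: the vendor (if the prefix is in the table)
    and the locally-administered bit (bit 1 of the first octet), which is set
    on a MAC that was changed from its factory value."""
    norm = normalize_mac(mac)
    first_octet = int(norm[:2], 16)
    oui = norm[:8]
    return {
        "mac": norm,
        "oui": oui,
        "vendor": OUI_TABLE.get(oui),
        "locally_administered": bool(first_octet & 0x02),
        "multicast": bool(first_octet & 0x01),
    }


def parse_txt_rdata(rdata: bytes) -> dict:
    """Parse DNS TXT RDATA as used by DNS-SD (RFC 6763): a sequence of
    <length byte><bytes> items, each 'key=value' or a bare 'key'."""
    attrs = {}
    pos = 0
    while pos < len(rdata):
        length = rdata[pos]
        pos += 1
        item = rdata[pos:pos + length]
        if len(item) != length:
            raise ValueError("truncated TXT item")
        pos += length
        key, sep, value = item.decode("ascii", "replace").partition("=")
        attrs[key] = value if sep else None  # bare key -> None
    return attrs


def build_txt_rdata(items) -> bytes:
    """Encode strings as TXT RDATA; used here only to build the sample record."""
    out = b""
    for s in items:
        data = s.encode("ascii")
        if len(data) > 255:
            raise ValueError("TXT item longer than 255 bytes")
        out += bytes([len(data)]) + data
    return out


def describe_device_info(rdata: bytes) -> dict:
    """Turn an assumed _device-info._tcp TXT record into the model / OS line a
    scanner would display. Unknown keys are passed through under 'other'."""
    attrs = parse_txt_rdata(rdata)
    darwin_major = attrs.get("osxvers")
    fallback = f"Darwin {darwin_major}" if darwin_major else None
    return {
        "model": attrs.get("model"),
        "os": OSXVERS_NAMES.get(darwin_major, fallback),
        "other": {k: v for k, v in attrs.items() if k not in ("model", "osxvers")},
    }


# Constructed sample: what a Catalina MacBook Pro is assumed to advertise.
SAMPLE_TXT = build_txt_rdata(["model=MacBookPro15,2", "osxvers=19"])

if __name__ == "__main__":
    print(mac_info("3c:22:fb:aa:bb:cc"))   # factory prefix -> vendor known
    print(mac_info("02:22:fb:aa:bb:cc"))   # locally administered -> likely changed
    print(describe_device_info(SAMPLE_TXT))
```

The defender's takeaway is visible in the output: a factory MAC resolves to a vendor, a changed MAC shows the locally-administered bit and no vendor, and the Bonjour TXT record hands over model and OS version in plain text to anyone on the segment who asks, which is why the stealth-mode and service-disabling steps above trade convenience for a smaller footprint.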