Fingbox Network Security System

Dec 04 2017

 

If you use an ISP-provided, low-end, or older Wi-Fi router, the options for network management are often quite limited. There is simply no way to find out who is connected to your network or control which devices have access when. Devices which add this capability have recently started popping up on the market, each with a different set of capabilities and a different approach to getting more control over the network. From this mix, the $129/£125 Fingbox focuses primarily on device awareness and network control, with little-to-no functionality around specific types of content, which places it in a slightly different market than other consumer network monitoring devices.

Device

Where most networking kit is decidedly boring (on the outside anyway), the Fingbox is very unconventional with its round glow-ring in a blue plastic Fingshell (I made up this name for whatever the blue thing is supposed to be). I am not completely sold on the industrial design. It is neat, and on one hand I am happy to see Fing unafraid to be interesting, but on the other maybe something a bit more stackable would be a better long-term choice for most people. That said, I spend significant effort on hiding my network devices away – so it does not matter much either way. In this case I opted to wall mount the Fingbox in our hall closet next to the home automation (HA) controller.

The Fingbox does not support power over Ethernet (PoE), or wall mounting, which is annoyingly common – so perhaps excusable. Neither is an insurmountable barrier, but you will need to ditch the Fingshell (what is this for?) if opting to use 3M Command strips (they will not stay stuck), and pick up a 5V micro-USB Gigabit PoE adapter, like the WT-AF-USB I went with. Lazy installers can naturally just stick with the power supply Fing includes in the box, which conveniently includes plug adapters for a global audience.

The Fingbox includes an unspecified ARMv7 SoC, 1GB RAM, and Gigabit Ethernet while running Ubuntu. This configuration pulls ~2.9W and has no troubles with heat, or stability in its passively cooled container. The bottom side does get a bit warm to the touch (43C average), and would likely get a bit warmer if housed within the completely optional Fingshell.

Use

After plugging in the Fingbox via Ethernet and power the first time, and waiting for the light to glow green, running through the setup experience is quite straightforward, although I am not quite sure why it needs to know our address. Once the initial setup is complete the first-run wizard encourages the creation of users, the fundamental paradigm of management with Fingbox.

Managing the network as a collection of users with devices, compared to a heap of devices, is the major difference between Fingbox and networking products with management features. When a device is detected it appears as an event; action can then be taken to assign the device to a user or dismiss it. With the user/device mapping complete it then becomes possible to control Internet access for a person holistically, without having to manage each device they could use individually. As part of this, we also get the ability to track users as they come and go from the network, optionally surfacing events (email/device notifications) signaling this. Unfortunately, for now these events and the user tracking that is made possible by them are siloed in the Fing app, which, while neat, really limits the usefulness in a broader context. When asked about an API, Fing did mention that they are exploring adding some sort of capability in this area (e.g. IFTTT), so it is on the radar. This is great, and hopefully it provides a real and rich mechanism for interacting with the data when/if it becomes available, but I was too impatient and I think that they missed an opportunity here, especially in the business market.

Blocking a user’s access to the Internet is one of the key features of the Fingbox. When I first started playing with the Fingbox it was only possible to manage manually in timed increments or indefinitely. Recently the ability to create schedules around when it would allow (or really not allow) Internet access for specific users was added. So I was really pleased to see the addition of scheduled “pauses”. This is a great feature for anyone (cough, with kids) whose router does not provide the functionality. Longer term, I would also like to see the ability to grant access for an arbitrary amount of time as a way to allow guests (e.g. my children’s friends) access to the Internet while I expect them to be here.

Our Internet is generally pretty good, but every so often things slow down to a crawl. This is another area where the Fingbox is very useful. Not only can you manually create a historical record of your speed, if it is slow you can also see if it is caused by devices on your network or the ISP. Device bandwidth monitoring is not costless though, so you will see a slight slowdown in total reported capacity while the Fingbox is monitoring. It is quite easy to reproduce this by running back-to-back speed tests with bandwidth analysis on/off. Whether this is due to a hardware limitation of the Fingbox, or the increased Address Resolution Protocol (ARP) traffic it is hard for me to say.

The other main feature of interest is called “Digital Fence”. At the moment it provides an interesting look at 2.4GHz Wi-Fi devices and networks in the surrounding area. The usefulness of this feature is currently limited by the implementation (i.e. you must create a user and map nearby devices to it before receiving events) and the lack of 5GHz hardware. Obviously it is not possible to change the hardware, but longer term it would be great to receive alerts when a new Wi-Fi device shows up around your network even without connecting to it. For example this could provide some advance notice of someone (like a postal worker) approaching your house. This is an area of expected advancement with this enhancement likely in “Digital Fence 2.0”; so something to look forward to.

Within the app there are many other features that I would have liked to cover in more detail, like port scanning, Wi-Fi testing, and uptime monitoring. Most of the app screens have been provided above; if you have questions please let me know and we can cover them in the comments.

We have covered a lot of what the Fingbox does; now let’s discuss how it actually works. As mentioned before, the Fingbox attaches via an Ethernet cable to your network as a peer – it does not act as a physical gateway to the Internet. To make it act as a logical gateway for the features that require this (e.g. Internet blocking & bandwidth analysis), some deception is required, with ARP spoofing providing the necessary sleight of hand. Without getting too far into the technical weeds, this allows the Fingbox to trick devices into believing it is the gateway (e.g. note the change in MAC for 192.168.1.1 above) instead of the actual gateway (router), which makes them send Internet-bound traffic to the Fingbox, allowing it to measure, monitor, and block packets as requested. This is similar in concept to a man-in-the-middle (MITM) attack.
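What that redirection looks like from a client's neighbour cache, as an added example that is not part of the original review or Fing's software: it compares two `ip neigh` snapshots and reports when the gateway address moves to a different MAC. The addresses, MACs and sample lines are constructed, and the function names are hypothetical.

```python
import re

# Constructed `ip neigh` output (not captured from a real network).
BASELINE = """\
192.168.1.1 dev eth0 lladdr aa:bb:cc:00:00:01 REACHABLE
192.168.1.50 dev eth0 lladdr aa:bb:cc:00:00:50 STALE
192.168.1.77 dev eth0 lladdr aa:bb:cc:00:00:77 REACHABLE
"""
# Same host after the peer at .50 starts answering ARP for the gateway address.
CURRENT = """\
192.168.1.1 dev eth0 lladdr aa:bb:cc:00:00:50 REACHABLE
192.168.1.50 dev eth0 lladdr aa:bb:cc:00:00:50 REACHABLE
192.168.1.77 dev eth0 lladdr aa:bb:cc:00:00:77 STALE
192.168.1.90 dev eth0  FAILED
"""

NEIGH = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\s+dev\s+\S+\s+lladdr\s+([0-9a-f:]{17})\b", re.I)

def parse_neigh(text):
    """Return {ip: mac} for entries that carry a link-layer address."""
    table = {}
    for line in text.splitlines():
        m = NEIGH.match(line.strip())
        if m:  # FAILED/INCOMPLETE entries have no lladdr and are skipped
            table[m.group(1)] = m.group(2).lower()
    return table

def check_gateway(baseline, current, gateway_ip):
    """Compare two snapshots and describe any redirection of the gateway IP."""
    findings = []
    old, new = baseline.get(gateway_ip), current.get(gateway_ip)
    if new is None:
        return findings  # gateway not in the cache; nothing to compare
    if old and new != old:
        findings.append(f"gateway {gateway_ip} moved {old} -> {new}")
    # The same MAC on the gateway IP and on another host IP points at the
    # peer that is answering on the gateway's behalf.
    shared = sorted(ip for ip, mac in current.items()
                    if mac == new and ip != gateway_ip)
    if shared:
        findings.append(f"{new} also answers for {', '.join(shared)}")
    return findings

if __name__ == "__main__":
    tables = parse_neigh(BASELINE), parse_neigh(CURRENT)
    for finding in check_gateway(*tables, "192.168.1.1"):
        print("ALERT:", finding)
```

Per the review's conclusion, only blocked or monitored devices are ARP spoofed, so the change would only show up in the cache of one of those devices.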

One of the things that concerns me about the Fingbox is that, admittedly like many other modern devices, it is wholly dependent on connectivity to “The Cloud” (aka the Internet). This is an obvious problem while your Internet is down, but also means that the long-term viability of your Fingbox is linked to the health/whims of Fing as a company. As we have recently seen with the Harmony Link debacle, this is a real problem and something that needs to be factored into the purchase decision.

While exploring the potential for using the Fingbox in a more “Cloudless” way I noticed that it does listen on the default SSH port, and will provide a login prompt when a connection is attempted. I asked Fing about this, and they replied:

“SSH is disabled on Fingbox. Even if the SSH service port looks active, the session and authentication systems are disabled. No credential can be used to access Fingbox from SSH.”

Frankly, I am not quite sure how to interpret this. Either they have left a potential attack surface exposed (not awesome on a device targeted at this market) or the response is not completely transparent (i.e. SSH serves some undisclosed purpose). Either way, disabling SSH in a future update is on their roadmap, so I guess it will be a non-issue soon enough.

For completeness, it is worth mentioning that the mobile App is not the only point of interaction for the Fingbox. It is also possible to view devices and perform some limited actions via the app.fing.io website. Also, I am very curious, can the Fingbox block itself?

Conclusion

The rapid pace of feature advancement was one of the major challenges when reviewing the Fingbox. I completely expect that this review will be out of date soon after publishing. While this was a little frustrating for me as I try to crank this out, it is awesome for anyone with a Fingbox. The device I bought has become so much more functional in the short time I have owned it, providing new, valuable features that make it an excellent supplement to almost any home network and allowing owners to work around the limitations inherent in most ISP-provided/consumer-oriented routers. At $129/£125 the price is reasonable, but somewhat hard to cross shop against Circle’s $99 SRP and significantly greater content monitoring capability (also ARP spoofing based) if usage monitoring and enforcing screen time limits is a critical goal. In many ways, though, these devices are not directly comparable if your goals are different, with the Fingbox more targeted at providing information about devices and network management than at content. For me personally, my goals are somewhere in between the two, with the decision heavily impacted by the very tangible possibility that Circle would unacceptably degrade network performance (i.e. for it to work every packet, all the time, has to go through it) in comparison to Fingbox’s lighter touch (i.e. only blocked/monitored devices are ARP spoofed) approach.

Fing was really helpful during the course of the review process, answering several questions about the device, and has provided a $10 off coupon code (MISSINGREMOTE10) for anyone interested in purchasing one from their store.

Pro:

  • Enables easy network management
  • User (instead of device) management paradigm
  • Rapid feature advancement

Con:

  • Needs API to be useful in a wider home automation context
  • Fingbox requires Fing to exist (Cloud dependency)
  • No 5GHz 802.11 monitoring (radio is 2.4GHz only)
  • No Power over Ethernet (PoE) support