# The device-identity crisis, cured: the address is the device

> Every unit you've ever shipped authenticates with something that can be
> copied, and one of them is on a workbench right now. Whisper makes it an
> identity problem: the address is the device, derived from the key sealed in
> its secure element, so a copied credential with no chip behind it
> authenticates to nothing. Additive to your stack.

The fielded base runs on the credentials manufacturing could afford: a default
password, an API key in a config partition, one certificate for a whole product
line, at best a per-device cert whose issuing CA lives in a vendor console.
Every one of those is a *string*, and flash memory is not a vault. Dump one
unit and you hold a genuine credential for the class; present it from a
rotating cloud egress and the backend's last-IP log means nothing; and when the
console anchoring the fleet's trust retires, the fleet's identity retires with
it, in the field, mid-lifetime.

`whisper verify --trustless` · anchored at the IANA DNS root. Our own API is not in the trust path.

- **1 dump**: a secret in firmware is a secret in every unit of the line
- **600k** devices Mirai ran at its 2016 peak, on default credentials alone
- **Apr 2024**: the UK PSTI Act made universal default passwords illegal to ship
- **Aug 2023**: Google Cloud IoT Core retired; console-anchored fleets had to re-home their identity
- **10-20y**: a fielded device's lifetime; most clouds don't promise half of that
- **3 1 1**: the DANE-EE pin that makes a device's key checkable by anyone

---

## The problem, in their words

> "We can't rotate a secret that's soldered into a hundred thousand living
> rooms. We can't verify a device the way we verify a server, because the CA is
> the cloud vendor's and the CRL never reaches anyone. And when the impostor
> shows up with our own credential, our backend greets it like family."
> (A device-platform security lead, describing the problem shared across the industry.)

1. **SHIPPED SECRETS**: whatever manufacturing flashed, a password, a key, a fleet cert, exists in every unit sold, resold, and parted out. The attacker's supply chain is your sales channel.
2. **PASS AUTH**: the extracted credential is *real*, so it passes. One BOLA/IDOR flaw upgrades one device's session into any device's data. Behaviorally it's a device; cryptographically nobody ever asked.
3. **ORPHANED TRUST**: per-device X.509 into a vendor cloud is better, and still tenant-locked: only that cloud can verify it, revocation rides a CRL nobody fetches, and the whole scheme lives exactly as long as the console does. Google Cloud IoT Core's retirement in August 2023 made that failure mode a matter of record.

**Three generations of device credential, one shared flaw.** Generation zero is
the default password: banned outright now by ETSI EN 303 645 and the UK PSTI
Act, a decade after Mirai demonstrated at 600k-device scale why. Generation one
is the shared secret in firmware: an API key or a line-wide certificate, where
one flash dump forges the fleet. Generation two is per-device X.509 enrolled
into a cloud DPS: a real improvement, and still a credential only *one tenant*
can verify, revoked through *CRL/OCSP machinery that soft-fails*, anchored to
*a console with a lifecycle shorter than the hardware's*. All three share the
flaw: the verifier trusts an artifact, never the silicon. The root cause has a
name, OWASP broken authentication / BOLA: the credential authenticates a
*claim*, never the *device* on the other end.

---

## The reframe: stop detecting the impostor. Prove the device.

Detection will always be a step behind a credential that is genuinely valid.
The only strictly-stronger move is to change what the backend trusts.

**Today: the backend trusts an artifact.** A password, a key, a cert chain:
whoever holds it can present it.

**Tomorrow: the backend authorizes a device that proves itself.** Bind
authority to a key the device *holds in silicon* and can demonstrate by
signing, not an artifact anyone can copy. Now a request either proves it is the
device it claims to be, or it has no authority at all, before a single
detection rule runs.

---

## How it works: the device key becomes the device's name

Whisper has one primitive: **the address is the identity.** A routable IPv6
**/128** out of `2a04:2a01::/32` (announced by **AS219419**), deterministically
derived from a key, DNSSEC-anchored, **DANE-EE** pinned, RDAP/WHOIS-registered.

**Point it at the device.** The anchor is already on the board: an **IEEE
802.1AR IDevID key** in a Microchip ATECC608, an NXP EdgeLock SE050, an
Infineon OPTIGA Trust M, or on-chip OTP/PUF key storage. Whisper derives the
device's /128 from that key's public half, with the **device serial or EUI-64
as the domain separator**. The private key never leaves the chip; the device
proves control by *signing*, the one operation a flash dump can never
counterfeit.

```
secure element        ──pubkey + serial──▶  /128  ──DNSSEC+DANE-EE──▶  a name anyone can verify
(the 802.1AR IDevID key,                   2a04:2a01:…::e51d           whisper verify --trustless
 never leaves the chip)                    routable identity           op:revoke → owner-thrown, public
```

- **"One dump → a whole fleet" becomes physically impossible.** Every forgery is a DNSSEC/DANE inconsistency any verifier catches, keylessly.
- **IP rotation becomes irrelevant.** The "last IP" was never the credential.
- **Extracted firmware fails.** The image never contained the key.
- **Verifiable outside anyone's tenant.** A partner, an auditor, a researcher: anyone confirms the identity with `dig` and RDAP.

> **"An extracted credential is byte-identical to the real device's; how do you tell them apart after auth?"**
> You bind authority to the silicon, not the string. The address derives from a
> key that never leaves the secure element, and the device proves control by
> signing against its DANE-EE pin. A session that presents copied bytes but
> can't sign never had authority in the first place.

**This is the DANCE model, deployed.** The IETF's DANCE work
(draft-ietf-dance-client-auth) defines exactly this: a device's DNS name and
its DANE-TLSA record become the device's TLS *client* credential, aimed
squarely at MQTT, CoAP and the IoT surfaces embedded fleets actually run.
Whisper's identity plane is that architecture live on real address space.
[The passwordless-device story →](/docs/device-secret-cure)

**The lineage is twenty years deep, and honest.** CGA (RFC 3972, 2005) proved
an IPv6 address can be a one-way function of a public key, no CA anywhere. What
CGA never had was global routability, a registry, or revocation. Whisper
supplies precisely those: real announced space (AS219419), an RDAP object per
/128, DNSSEC to the IANA root, and a `revoke` that lands at TTL speed.

**Honest about the smallest clients.** Any client with a TLS stack can call the
keyless verify endpoint today; the DoH client itself is tiny. The cost that
matters is TLS: roughly 20-60KB flash, 25-63KB peak handshake RAM. ESP32-class
and Cortex-M4/M33-class parts carry that comfortably; embedded Linux doesn't
notice it; an 8-bit AVR cannot, so an ATmega-class node works through its
gateway. The [capability map](/platform) says which path is yours.

Maps to the **EU Cyber Resilience Act**, **ETSI EN 303 645** / the UK **PSTI
Act**, **IEC 62443** identification controls, and **IEEE 802.1AR**.

---

## The graph: name whoever is already wearing your devices' faces

Identity stops the next impostor; the graph back-traces the operator behind the
credentials you already accepted. A live internet-infrastructure graph,
**7.44B** nodes and **39.3B** relationships,
answering in under 300 ms, fingerprints the *operator*, not the IP: cloud
rotation collapses into one infrastructure genealogy; a residential-proxy swarm
collapses on a `JA4/JA3` client fingerprint. Express fleet impersonation
directly, "one source presenting N distinct device-identities in a window," as
read-only Cypher, with a reproducible, replayable evidence chain on every answer.

```sh
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: whisper_live_xxx" \
    -H 'content-type: application/json' -d '{"query":"CALL whisper.identify(\"34.90.x.x\")"}'
  operator:  <fingerprinted> · seen across AWS / GCP / Azure
  residential swarm collapsed by JA4: same tooling, 41 exit IPs → 1 operator
```

---

## Prove it in 60 seconds · no account

Two tiers, by design. **No key:** verify and resolve any device identity,
trustless. **Your key:** provision, govern, revoke.

```sh
# keyless: re-derive and verify any device's identity, trustless
$ whisper verify --trustless 2a04:2a01:1c0::e51d
  ✓ DNSSEC chain valid to the IANA root
  ✓ DANE-EE (TLSA) leaf matches the identity's key
  ✓ RDAP: registered under AS219419 · 2a04:2a01::/32
  identity: VERIFIED, and our own API was never trusted

# the address is the device: reverse DNS names it
$ dig -x 2a04:2a01:1c0::e51d +short
  sn-04d0c85f3a1b.fleet.example-maker.whisper.online.
```

```sh
# give a device a name it can prove, and govern its egress
$ export WHISPER_API_KEY=whisper_live_xxx
# --serial/--from-secure-element are on the roadmap; today provisioning is the live control-plane call (see docs)
$ whisper register --serial 04D0C85F3A1B --from-secure-element
  → identity 2a04:2a01:1c0::e51d   DNSSEC + DANE live
$ whisper policy set --default deny --allow ota.example-maker.com,telemetry.example-maker.com
$ whisper revoke 2a04:2a01:1c0::e51d   # owner-thrown, publicly verifiable, at DNS-TTL
```

Bring your devices home → <https://console.whisper.security/sign-up> · [For device makers →](/for-device-makers) · [Docs](/docs)

---

*Whisper for Embedded · Identity on the wire for every device · AS219419 · 2a04:2a01::/32*
*© viaGraph B.V. (dba Whisper Security)*
