Monster Rain
Premium
join:2002-08-03
USA
| Remote physical device fingerprinting
Yoshi Kohno (doctoral student in UCSD's CSE program) just released an eye-opening paper demonstrating methods for remotely fingerprinting a physical device without any modification to or known cooperation from the fingerprintee. At a high level, these techniques exploit microscopic deviations in device hardware: clock skews. Specifically, they exploit the fact that most modern TCP stacks implement the TCP Timestamps Option (RFC 1323). When this option is enabled, outgoing TCPs packets leak information about the sender's clock. Yoshi's results further confirm a fundamental reason why securing real-world systems is so difficult: it is possible to extract security-relevant signals from data canonically considered to be noise. The equally disturbing corrolary is that there remain fundamental properties of networks that we have yet to integrate into our security models.
paper and abstract available here:
==================================================
»www.cse.ucsd.edu/users/tkohno/papers/PDF/
[mirror site] »www.caida.org/outreach/papers/20···rinting/
If found this pretty interesting, and just thought I'd share.
Our abstract: We introduce the area of remote physical device fingerprinting, or fingerprinting a physical device, as opposed to an operating system or class of devices, remotely, and without the fingerprinted device's known cooperation. We accomplish this goal by exploiting small, microscopic deviations in device hardware: clock skews. Our techniques do not require any modification to the fingerprinted devices. Our techniques report consistent measurements when the measurer is thousands of miles, multiple hops, and tens of milliseconds away from the fingerprinted device, and when the fingerprinted device is connected to the Internet from different locations and via different access technologies. Further, one can apply our passive and semi-passive techniques when the fingerprinted device is behind a NAT or firewall, and also when the device's system time is maintained via NTP or SNTP. One can use our techniques to obtain information about whether two devices on the Internet, possibly shifted in time or IP addresses, are actually the same physical device. Example applications include: computer forensics; tracking, with some probability, a physical device as it connects to the Internet from different public access points; counting the number of devices behind a NAT even when the devices use constant or random IP IDs; remotely probing a block of addresses to determine if the addresses correspond to virtual hosts, e.g., as part of a virtual honeynet; and unanonymizing anonymized network traces. |
