Fingerprinting WiFi Devices
New wireless security solution
by ytsejammer39 08:55AM Wednesday Sep 06 2006, tipped by Karl Bode
MAC address spoofing on Wi-Fi could be bested by a new security technique that fingerprints each device on a network, reports Ars Technica, which points to new research (pdf) by Carleton University researcher Dr. Jeyanthi Hall. Hall studied the radio frequency (RF) signal of 15 devices and found that each device, even devices from the same manufacturer, had its own unique fingerprint. Hall reported a 95% detection rate with zero false positives during testing. The technique could leave MAC-based security further in the dust as the technology to record and store "transceiverprints" becomes more practical and affordable.


milnoc

join:2001-03-05
H3B
kudos:2

How long before even this is defeated?

Who wants to bet someone will find a way to alter a WiFi device's fingerprint and actually have it mimic someone else's device?

nixen
Rockin' the Boxen
Premium
join:2002-10-04
Alexandria, VA

Re: How long before even this is defeated?

said by milnoc:

Who wants to bet someone will find a way to alter a WiFi device's fingerprint and actually have it mimic someone else's device?
While it's conceivable that you can defeat such a protection, the cost of doing so is considerably higher than other methods. This kind of defeats the purpose of freeloading (in most cases) in the first place.

-tom
--
"Experience should teach us to be most on our guard to protect liberty when the government's purposes are beneficial. The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well meaning but without understanding." -Louis D Brandeis
tkdslr

join:2004-04-24
Pompano Beach, FL

Re: How long before even this is defeated?

said by nixen:

While it's conceivable that you can defeat such a protection, the cost of doing so is considerably higher than other methods. This kind of defeats the purpose of freeloading (in most cases) in the first place.
It's operating in an unlicensed band, and any profiling is going to be fairly easy to defeat.

Just transmit a continuous low-level jamming signal from a distant location using a directional high-gain antenna. The interference will be enough to mask any profiles.

Or use some social engineering and the same transmitter to generate false hacking hits from profiled nodes (periods of high noise). Before the end of the day the operators will shut the system off. (Then it's party time for the hackers.)

nixen
Rockin' the Boxen
Premium
join:2002-10-04
Alexandria, VA

Re: How long before even this is defeated?

said by tkdslr:

said by nixen:

While it's conceivable that you can defeat such a protection, the cost of doing so is considerably higher than other methods. This kind of defeats the purpose of freeloading (in most cases) in the first place.
It's operating in an unlicensed band, and any profiling is going to be fairly easy to defeat.

Just transmit a continuous low-level jamming signal from a distant location using a directional high-gain antenna. The interference will be enough to mask any profiles.

Or use some social engineering and the same transmitter to generate false hacking hits from profiled nodes (periods of high noise). Before the end of the day the operators will shut the system off. (Then it's party time for the hackers.)
Just as easy as making two completely identical tuning crystals!

-tom
--
"Experience should teach us to be most on our guard to protect liberty when the government's purposes are beneficial. The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well meaning but without understanding." -Louis D Brandeis
Kearnstd
Elf Wizard
Premium
join:2002-01-22
Mullica Hill, NJ
kudos:1
I'm sure it will be defeated, but as I see it, every lock can only be so secure. However, the better the lock, the more crime it keeps out. You figure WEP can stop the drive-by freeloader, WPA steps it up a notch and stops more, WPA+MAC auth is really good, and RF fingerprints will stop all but the best. And the best probably aren't after what the typical home user has; if you're going to be cloning the exact RF variance of a device, you're not after some guy's SSN and bank account, you are after the bank itself.
--
[65 Arcanist]Filan(High Elf) Zone: Broadband Reports

Raptor
Not a Dumptruck

join:2001-10-21
London, ON

This could be all sorts of good...

...for the high-end user and the commercial/industrial sector. But the extra equipment for recalibration and scanning for the fingerprint in the first place doesn't really do so well for your average user at this point in time. Even if the technology did become cheap and accessible, people have a hard enough time putting WEP/WPA encryption on their box-store Wi-Fi, let alone capturing a frequency fingerprint and keeping on top of changing ambient conditions.

A good read and an interesting discovery nonetheless, there is potential. Unfortunately it looks fairly unreliable at the moment.

Not to mention that a 5% rate of non-detection times millions of computers is still a lot.
--
....where's my fiber?

God
THE Dslr Troll
Premium
join:2002-07-01
Colorado Springs, CO

Re: This could be all sorts of good...

just a matter of time .....
russotto

join:2000-10-05
West Orange, NJ

Cost'll kill it.

Pulling the data out of the signal is (relatively) easy; it's designed to be. Identifying quirks of the particular radio requires far more complex and expensive equipment and lots more processing power -- compare a WiFi chipset with an ARM processor to the spectrum analyzer plus MATLAB they used. I'm sure you could get cost and processing power requirements down, but not even to within a couple of orders of magnitude of the usual WiFi chipset. Particularly not when you've got to do it in real time.

Thrudd

join:2004-06-21
Mississauga, ON

Re: Cost'll kill it.

Not so.... Have you considered the first incarnations of WiFi when it was in the laboratory stage? Back then it was speculated to cost hundreds for a unit, with the scales of production and the technology available at the time. Compare that to the fistful of dollars that a chipset now costs.

As for what was used in the lab and what will be implemented in the field, again, worlds of difference. What would be deployed would be a chip or chip set dedicated for analysis and processing of the spectrum fingerprint. So look at what the bleeding edge has to offer at the moment and then scale the prices down to commodity levels for the mass implementation of such a technology.

Of course the big corporate users will be getting this long before anyone else at much higher costs but they know they need it and will pay for the added security.
ThereYouAre

join:2003-11-17

Old technology

I don't think the basic technology is new, but the application to WiFi might be.

If I remember right, ham radio operators had a similar device at least 10 years ago to identify FM transmissions regardless of the callsigns used. I.e., you could get a fingerprint of all the transmitters that typically used your repeater; then, if any of those radios were used to interfere, you'd be able to identify who used the radio last, whether it's the same transmitter doing all the nonsense, etc.

Fatal Vector

join:2005-11-26

Yes, it's old

And, no, it wasn't ham radio. It was the cell providers. Phone phreaks used to be able to pull your cellphone ID information off the air on the old analog networks with a service device they referred to as a test monitor.

They would sit at airports, etc. and sniff the traffic from the analog cellphones in the area. When intercepted, the phone's ID info, which let it access the network, was displayed on a small screen and retained in memory.

After that, it was just a matter of programming another phone with the ID. The telcos lost millions to this sort of thing.

The media made a big deal of it at the time, so some genius at some company came up with the idea that all radio transmitters had unique characteristics to their transmitted signals, and so were uniquely identifiable. They even called it fingerprinting back then.

It was never implemented because it cost too much. Both for the hardware to sniff the signal and the larger hurdle of the software needed to implement.

Never mind it was only a short time thereafter that digital networks were deployed that stopped the problem inherently, since a cellphone only transmits data packets now.
ThereYouAre

join:2003-11-17

Re: Yes, It's old

Not the same thing. This device sounds like it fingerprints the RF signature, rather than pulling data out of the actual transmission. I.e., when a transmitter turns on, it tends to wobble around a bit and produce other unique-looking patterns before the logic in the device begins to transmit data.

Hams would fingerprint someone, and when they IDed, they'd enter the data into the fingerprinting software. Each time that transmitter turned on, it would immediately be fingerprinted, regardless of the information being sent in the transmission (usually voice).

The cell phone guys would simply extract the coded data, but they didn't do anything with the RF signature as far as I know.

Digital Boy

@sbc.com

Re: Yes, It's old

ThereYouAre, FatalVector is correct. The system was called "Raven".

The ESN and MIN on AMPS and NAMPS mobiles (Analog Mobile Phone System/Narrowband AMPS, a precursor to GSM) were transmitted in the clear, so anyone with a sniffer could grab the MIN (telephone number) and ESN of a paying cellular customer and clone that person's phone.

Raven would compare the "fingerprint" of the paying customer's phone to a stored fingerprint profile in a datacenter, and if the RF signatures deviated too far outside of certain parameters (to account for component aging and multipath in urban environments) it would flag the phone as cloned and suspend that customer's service.

As was pointed out earlier, it is technically feasible to do, but at that time (early 1990s) it was *expensive* to implement, since all the cell towers would have had to be retrofitted with equipment to analyze the RF patterns of all incoming phone calls. Then there's the administrative overhead and customer service issues when the system returns a false positive and suspends a valid phone.

The advent of GSM, and CDMA a little later, rendered the point moot. CDMA and GSM are clonable, but the equipment necessary to decipher the MIN, ESN, Walsh key, etc. puts the capability in the hands of big corporations and three-letter agencies.
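The story's transceiverprint idea and the Raven-style "compare against a stored profile, flag if it drifts too far" logic described in the post above share one shape: enrol a radio's physical quirks, then check every later burst against them. The following is an added example written for this page, not code from the page, from Hall's paper, or from the Raven system, and it does not touch real 802.11 hardware. It is a constructed simulation: each radio is assumed to have two hardware quirks that a MAC change cannot alter (the power-amplifier turn-on time constant and the crystal's carrier frequency offset), bursts are synthetic baseband samples with noise, and the thresholds, sample rate, MAC strings and parameter values are all invented for illustration.

```python
"""
Toy RF "transceiverprint" check: a constructed simulation added for illustration.
Not Hall's method, not the Raven system, not real 802.11 capture code.

Each transmitter is modelled by two hardware quirks a MAC change cannot touch:
how fast its power amplifier ramps up at the start of a burst, and the carrier
frequency error of its crystal. Captures are synthetic baseband samples plus noise.
"""
import cmath
import math
import random
from dataclasses import dataclass

SAMPLE_RATE_HZ = 20e6       # assumed capture rate of the front end
TRANSIENT_SAMPLES = 400     # samples kept from the start of every burst
SIGMA_THRESHOLD = 4.0       # allowed drift per feature, in enrolment sigmas (assumed)
SIGMA_FLOOR = (0.5, 200.0)  # never trust an enrolment tighter than this (samples, Hz)


@dataclass(frozen=True)
class Radio:
    """Hidden physical parameters of one transmitter (assumed values)."""
    mac: str
    rise_tau_samples: float  # PA turn-on time constant
    freq_offset_hz: float    # crystal error (25 kHz at 2.4 GHz is roughly 10 ppm)


def capture_burst(radio, rng):
    """Synthesise the first TRANSIENT_SAMPLES complex baseband samples of a burst."""
    out = []
    for n in range(TRANSIENT_SAMPLES):
        env = 1.0 - math.exp(-n / radio.rise_tau_samples)          # amplifier ramp-up
        phase = 2 * math.pi * radio.freq_offset_hz * n / SAMPLE_RATE_HZ
        noise = complex(rng.gauss(0, 0.002), rng.gauss(0, 0.002))  # receiver noise
        out.append(env * cmath.exp(1j * phase) + noise)
    return out


def extract_features(samples):
    """Two hardware-dependent features: 90% rise time (samples) and frequency offset (Hz)."""
    mags = [abs(s) for s in samples]
    steady = sum(mags[-50:]) / 50
    rise = next(i for i, m in enumerate(mags) if m >= 0.9 * steady)
    # Mean phase advance per sample over the settled part of the burst gives the offset.
    settled = samples[200:]
    step = sum(cmath.phase(b * a.conjugate()) for a, b in zip(settled, settled[1:]))
    freq = step / (len(settled) - 1) * SAMPLE_RATE_HZ / (2 * math.pi)
    return (float(rise), freq)


@dataclass(frozen=True)
class Profile:
    mac: str
    mean: tuple
    sigma: tuple


def enrol(mac, bursts):
    """Build the stored profile (per-feature mean and sigma) from several genuine bursts."""
    feats = [extract_features(b) for b in bursts]
    n = len(feats)
    mean = tuple(sum(f[i] for f in feats) / n for i in range(2))
    sigma = tuple(
        max(math.sqrt(sum((f[i] - mean[i]) ** 2 for f in feats) / n), SIGMA_FLOOR[i])
        for i in range(2)
    )
    return Profile(mac, mean, sigma)


def verify(profiles, claimed_mac, samples, threshold=SIGMA_THRESHOLD):
    """Raven-style check: look up the profile for the MAC the frame claims, then
    reject if any RF feature drifts more than `threshold` sigmas from enrolment.
    The sigma floor is what tolerates normal drift (aging, multipath) without
    letting a suspiciously tight enrolment reject everything. Returns (accepted, z)."""
    profile = profiles.get(claimed_mac)
    if profile is None:
        return False, ()
    feats = extract_features(samples)
    z = tuple(abs(feats[i] - profile.mean[i]) / profile.sigma[i] for i in range(2))
    return all(v <= threshold for v in z), z


def demo(seed=1):
    """Enrol one radio, then test a genuine burst and a MAC-spoofing impostor."""
    rng = random.Random(seed)
    genuine = Radio("00:11:22:33:44:55", rise_tau_samples=20.0, freq_offset_hz=25_000.0)
    # Different silicon carrying the same MAC string (what a MAC spoof gives an attacker).
    impostor = Radio("00:11:22:33:44:55", rise_tau_samples=35.0, freq_offset_hz=-40_000.0)
    profiles = {genuine.mac: enrol(genuine.mac, [capture_burst(genuine, rng) for _ in range(20)])}
    ok_genuine, _ = verify(profiles, genuine.mac, capture_burst(genuine, rng))
    ok_impostor, z = verify(profiles, impostor.mac, capture_burst(impostor, rng))
    return ok_genuine, ok_impostor, z


if __name__ == "__main__":
    print(demo())
```

Running `demo()` enrols the genuine radio, accepts its next burst, and rejects the impostor even though it presents the same MAC, because its rise time and frequency offset sit tens of sigmas away from the stored profile. The thread's objections map onto the knobs here: a jammer raises the noise term until sigma balloons and the z-scores lose meaning, and a stale profile with no re-enrolment turns component aging into the false positives the Raven post warns about.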
Jusmrg

join:2004-06-04
Mcadenville, NC

heh

Like all these muni-wifi plans... again, I'll believe it when I see it.