Slashdot Mirror


Tracking a Specific Machine Anywhere On The Net

An anonymous reader writes "An article on ZDNet Australia tells of a new technique developed at CAIDA that involves using the individual machine's clock skew to fingerprint it anywhere on the net." Possible uses of the technique include "tracking, with some probability, a physical device as it connects to the Internet from different access points, counting the number of devices behind a NAT even when the devices use constant or random IP identifications, remotely probing a block of addresses to determine if the addresses correspond to virtual hosts (for example, as part of a virtual honeynet), and unanonymising anonymised network traces."

22 of 470 comments

  1. Fingerprinting by BWJones · · Score: 5, Insightful

    Ph.D. student Tadayoshi Kohno said: "There are now a number of powerful techniques for remote operating system fingerprinting, that is, remotely determining the operating systems of devices on the Internet. We push this idea further and introduce the notion of remote physical device fingerprinting ... without the fingerprinted device's known cooperation."

    This dissertation will get this dude himself a position with the NSA. Although he quoted an FBI project, Carnivore, as one potential branch of this work, my guess is that he is already being heavily recruited by the NSA and CIA. They have more resources than the FBI to grab somebody like this, and would be smart to try and recruit him. Hey Tadayoshi.....you want a job?

    Seriously. While lots of folks have been looking at ways to hard code the IP address within the hardware, this is a more impressive (and unique) way of looking at the problem. Everything has a signature of sorts that can be tracked (skin plumes, small molecular phenotypes, genetics, acoustic signatures, thermal signatures, etc....etc....etc...), and Tadayoshi simply decided to examine those small variations built into electronic devices to fingerprint hardware. Very clever, but of course nanomanufacturing is the counter to this technology. I say of course, but the "arms race" to do that is not an insignificant achievement. Tadayoshi's technology will absolutely have some significant staying power.

    --
    Visit Jonesblog and say hello.
    1. Re:Fingerprinting by lgw · · Score: 5, Insightful

      Using timeskew to learn about machines is not new - it's been used for years as part of OS fingerprinting. This application is pretty insightful, however.

      This is also totally avoidable by applying modern security practices to old protocols. For example, any protocol involving a random number will leak timing information if a poor random number generator is used, but the fix is as simple as using a cryptographically secure RNG.

      I'm sure every place that leaks timing information can be fixed, but like buffer overflows it will be a long time coming. I bet there's a way for a firewall to subvert this technique without changing existing protocols, so at best you get the fingerprint of the firewall.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    2. Re:Fingerprinting by B'Trey · · Score: 5, Insightful

      Is this the same timeskew that the Kerberos protocol measures, which is simply a measurement of the difference in the setting of the client clock as compared to the server clock? If so, isn't this defeated by simply changing the system time? A cron job to run an NTP update once an hour and voilà, this technique is useless. Or, since we're talking about the TCP timestamp, a simple mod to the TCP/IP stack that alters the timestamp by some tiny, random amount. And, as you pointed out, it seems it would be trivial for a firewall or NAT device to subvert the technique by simply rewriting the TCP timestamp.

      --

      "The legitimate powers of government extend only to such acts as are injurious to others." Thomas Jefferson.

    3. Re:Fingerprinting by Zapman · · Score: 4, Insightful

      Until this technique is put into the field, we won't know how good this 'one number' is. You could encode the gene sequence of a human into one (rather large) number, and it'd be pretty good as an identifier. If there's enough entropy in the clock skews, then it could uniquely identify 1 computer out of a billion or so. But that's an 'if'.

      My question is whether this clock skew can be consistently measured across multiple OSes installed on the same laptop (dual boot anyone?).

      --
      Zapman
    4. Re:Fingerprinting by Tassach · · Score: 4, Insightful

      > A cron job to run an NTP update once an hour and voilà, this technique is useless.

      That does nothing to correct the drift RATE. You may be setting your time correctly every hour, but it INSTANTLY starts deviating again. It's this RATE of deviation which is being measured. Running NTPD would help, because it constantly adjusts for the hardware skew rate.

      --
      Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
    5. Re:Fingerprinting by Lagged2Death · · Score: 2, Insightful

      > This might be useful in proving that a particular machine is NOT the one that you are looking for, but it will likely suffer from a high false-positive rate... this would be like saying "the criminal has blond hair and blue eyes, and is 6'2". This would rule out 95% or more of the population, but the false positive rate would still be high.

      Yes, but from a law-enforcement point of view, it is very helpful to be able to eliminate members of a suspect list.

      It seems to me that the main trouble is that it's going to be so easy to defeat, at least for the really dangerous technically savvy criminals. This could get 14-year-old Johnny in trouble for sharing those albums he downloaded, but Mr. I-Stole-500,000-Credit-Card Numbers will shrug this right off.

    6. Re:Fingerprinting by XSpud · · Score: 3, Insightful

      I took a bit of time to read the paper and there's some interesting stuff there.

      The clock skew for a particular device seemed to be reasonably constant over time and location (+/- 0.5 microsecond/sec) and nearly all devices had skews within the range -100 microseconds/sec to +100 microseconds/sec. This suggests the technique would only be useful for identification purposes when there are fewer than 100 or so candidate devices. Of course, this figure would go up substantially if the technique can be combined with other measurements (e.g. absolute clock time).

      When considering applications of the technique, the author states "For forensics, we anticipate that our techniques will be most useful when arguing that a given device was not involved in a recorded event."

      A number of posters have mentioned that the technique can be fooled by adding a random number to each timestamp. This won't work due to the way the author estimates clock skews (the slope of actual time plotted against reported system time) - what is needed is an adjustment to each timestamp that is proportional to the system uptime.

      And OS did make a difference - RH9 and Win XP on a particular laptop led to clock skews of -58 and -85 respectively.
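
To make the two points in this sub-thread concrete (Tassach's: stepping the clock resets the offset but not the drift rate; XSpud's: random per-timestamp jitter does not move the fitted slope, while an adjustment proportional to uptime does), here is an added Python simulation. It is not code from the paper or from any poster. The device model, the 10 ms (100 Hz timestamp tick) jitter size, the one-sample-per-second schedule and the hourly step interval are all constructed assumptions; only the -58 ppm skew figure comes from the thread.

```python
"""Constructed simulation of clock-skew estimation from timestamp offsets.
Added example; not code from the paper or from any poster in this thread."""
import random
from typing import Dict, List, Optional, Tuple

# One observation: (true time in seconds, offset = reported clock - true time).
Sample = Tuple[float, float]


def simulate_offsets(skew_ppm: float, duration_s: int, interval_s: float = 1.0,
                     jitter_s: float = 0.0, correction_ppm: float = 0.0,
                     step_every_s: Optional[int] = None, seed: int = 1) -> List[Sample]:
    """Assumed device model: the clock advances (1 + skew) seconds per true
    second, so its offset grows linearly with time since the clock was last set.

    jitter_s        uniform +/- error added to each reported timestamp (the
                    "randomise the timestamp" countermeasure).
    correction_ppm  deliberate rate change proportional to uptime (the
                    countermeasure XSpud describes).
    step_every_s    if set, the clock is stepped back to true time every N
                    seconds, a crude model of an hourly cron'd ntpdate.
    """
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    rate = (skew_ppm + correction_ppm) * 1e-6
    samples: List[Sample] = []
    for i in range(int(duration_s / interval_s)):
        t = i * interval_s
        since_set = t if step_every_s is None else t % step_every_s
        offset = since_set * rate
        if jitter_s:
            offset += rng.uniform(-jitter_s, jitter_s)
        samples.append((t, offset))
    return samples


def estimate_skew_ppm(samples: List[Sample]) -> float:
    """Least-squares slope of offset versus true time, in ppm.

    This is the "slope of the offset line" estimator the thread discusses
    (the paper also uses a linear-programming fit, not reproduced here).
    """
    n = len(samples)
    t_mean = sum(t for t, _ in samples) / n
    y_mean = sum(y for _, y in samples) / n
    sxy = sum((t - t_mean) * (y - y_mean) for t, y in samples)
    sxx = sum((t - t_mean) ** 2 for t, _ in samples)
    return sxy / sxx * 1e6


def estimate_per_segment(samples: List[Sample], step_every_s: int) -> List[float]:
    """Fit each interval between clock steps separately: stepping the clock
    resets the offset but not the drift rate, which is Tassach's point."""
    segments: Dict[int, List[Sample]] = {}
    for t, y in samples:
        segments.setdefault(int(t // step_every_s), []).append((t, y))
    return [estimate_skew_ppm(seg) for _, seg in sorted(segments.items())]


def run_scenarios(skew_ppm: float = -58.0) -> Dict[str, object]:
    """Four countermeasure scenarios for one device (-58 ppm is the RH9 figure
    quoted in the thread; everything else here is a constructed assumption)."""
    hour = 3600
    plain = simulate_offsets(skew_ppm, hour)
    # +/- 10 ms jitter, i.e. one tick of an assumed 100 Hz TCP timestamp clock.
    jittered = simulate_offsets(skew_ppm, hour, jitter_s=0.010)
    corrected = simulate_offsets(skew_ppm, hour, correction_ppm=-skew_ppm)
    stepped = simulate_offsets(skew_ppm, 6 * hour, step_every_s=hour)
    return {
        "no countermeasure": estimate_skew_ppm(plain),
        "random +/-10 ms jitter": estimate_skew_ppm(jittered),
        "rate correction (proportional to uptime)": estimate_skew_ppm(corrected),
        "hourly clock step, single fit over 6 h": estimate_skew_ppm(stepped),
        "hourly clock step, fit per hour": estimate_per_segment(stepped, hour),
    }


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        if isinstance(value, list):
            value = [round(v, 2) for v in value]
        else:
            value = round(value, 2)
        print(f"{name:42s} -> {value} ppm")
```

The jittered run still fits to within a fraction of a ppm of -58, because zero-mean noise on each sample does not change the slope; the rate-corrected run fits to 0. A single regression across hourly steps is badly diluted (the sawtooth averages out), but fitting each hour separately recovers -58 every time, so an hourly reset only shortens the window an observer needs rather than removing the signal. The same regression can be run over real captured timestamps to check whether a given countermeasure actually changes the fitted slope.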

  2. Easily avoidable? by DarkHand · · Score: 5, Insightful

    Wouldn't very slight randomizing of packet timestamps completely nullify this method?

    1. Re:Easily avoidable? by demi · · Score: 2, Insightful

      My guess is OpenBSD will have this or a similar countermeasure pretty soon.

      --
      demi
  3. TCP/IP stack by Laurentiu · · Score: 2, Insightful

    You own a Linux box. You know about this technique. You:

    1) Erase all your BitTorrent-related tools and get all your stuff from less knowledgeable friends via a DVD burner.

    2) Get your hands on that TCP/IP stack implementation and modify it (like the geek you are) to add or subtract one unit at random from the least significant digit of the timestamp. (Is that technically feasible, /.ers? I believe it is, but I'm no expert.)

    Either way, bye-bye Carnivore!

    --
    Just /. IT
  4. Re:How about this though? by BWJones · · Score: 4, Insightful

    > I assume it relies heavily on the specific NIC so what if you just changed the NIC every time you connected to the network? Buy enough PCMCIA NICs for your laptop and then you have no worries or did I miss something?

    You assume incorrectly and are missing the point of this technology. Buy all the PCMCIA cards you want and you will still be able to be tracked with this technology. Essentially, it relies on "clock skewing" which means that when a CPU cycles, there are minor nano differences in the architecture of it that induce slight variations in the timing of the clock at various points throughout the CPU. When expanded out to the entire system, CPU, motherboard, peripherals, the differences become more complicated, but unique and thus easier to establish a unique signature.

    --
    Visit Jonesblog and say hello.
  5. Re:Dangers with licence activation by msaulters · · Score: 4, Insightful

    I'd like to know what the chances are of two, three, or more machines having the same clock skew? The article says that in their test, the clock skew was discernible for otherwise identical systems, but he has a minuscule data sample compared to the hundreds of millions of devices now out there. This would cause MAJOR headaches when activation fails because some other system has the same clock skew as yours.

    --
    These people looked deep into my soul and assigned me a number based on the order in which I joined.
  6. yet another smackdown for freedom by pintpusher · · Score: 3, Insightful

    > remote physical device fingerprinting ... without the fingerprinted device's known cooperation.

    > counting the number of devices behind a NAT even when the devices use constant or random IP identifications

    I, for one, welcome our new time-skew fingerprinting overlords.

    Seriously though. This is yet another pile of steaming scary crap. Where are the days when I could telephone someone and NOT have to be identified (caller ID)? Now I can't be an anonymous coward because slashdot can sniff my time-skew and put my name up anyway. Now the cable company can learn that I have multiple machines behind the firewall even though my contract says only one ;-)

    Is this really necessary? Nothing is sacred anymore. I want to be able to live my life behind my walls without people constantly peeking through the curtains, and that's what this is. At some point we have to stand up and say "you stop here" to these damn peeping toms.

    --
    man, I feel like mold.
  7. Re:This can be good... by evilviper · · Score: 3, Insightful

    This is the kind of thing that is only useful in the short-term, as criminals will quickly learn to easily and cheaply swap-out the time-keeping devices (quartz crystal) on notebooks. Or just by changing the date/time, or running NTPD on the machine...

    In addition, it's really of no use to mere mortals... No way is the FBI/NSA going to spend a second looking through their logs to help you catch a small-time criminal. It's only of help for those who have great political importance, and for companies who want to track you...

    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  8. Re:So... by Laurentiu · · Score: 5, Insightful

    If you search for computers on the whole net, that may well be the case. However, you will usually search for the computers in one or more address classes, which dramatically reduces your search space.

    Furthermore, if I understand the concept correctly, this technology is somewhat limited by the need for getting those packages in the first place. You must be somewhere on the line and actively listen. You could use this in a honeypot network to see if you were attacked by the same guy, but from different IP addresses. You could eliminate the quasi-privacy that a dynamic IP address is currently associated with. But you won't catch that pesky kiddie that rerouted his attack through 10k zombies. You won't catch the professional hacker that knows what an SSH gateway is. And you won't catch the "terrorist" that uses iCafe computers anyway.

    Identifying and tracking software downloaders (as I read in a previous comment) seems like a more likely application. But even that can be foiled by a determined user.

    --
    Just /. IT
  9. Re:Wouldn't it be easier by beerman2k · · Score: 2, Insightful

    That's a good point. There's no reason a computer can't be on the internet and have no concept of a MAC...

  10. Re:Paper and technical details are here: by ka9dgx · · Score: 2, Insightful

    Having read the actual article (Thanks John), it's very interesting to see the strengths and weaknesses of their approach. It seems that power management as a side effect changes the clock drift (skew), and laptops are especially drifty due to changing power states.

    While I don't think this would hold up as evidence in a court of law, it certainly might have some use as a covert authentication protocol, along with the other signatures noted.

    With respect to privacy issues, resetting your system time via NTP will break a measurement sample. If you use NTP, and have it update every hour, your clock skew is going to change often enough to make an accurate (long term) measurement very difficult.

    --Mike--

  11. Re:Dangers with licence activation by Anonymous Coward · · Score: 2, Insightful

    Two computers with the same skew would not cause activation to fail.. it is two computers with a DIFFERENT skew that matter. So as long as your computer's skew is consistent, then it will always fingerprint as your computer. This works because it seems that the probability of any two given computers having the same skew is unlikely (note what is meant by given computers.. this doesn't mean that any two computers with the same fingerprint cannot be found, it just means that if you randomly pick two computers they will likely have different time skews).

    So you can't use the fingerprint for security (this computer is the right one) but you can use it for exclusion (this computer is definitely NOT the right one).

  12. Re:This can be good... by Wyatt+Earp · · Score: 3, Insightful

    "This is the kind of thing that is only useful in the short-term, as criminals will quickly learn to easily and cheaply swap-out the time-keeping devices (quartz crystal) on notebooks. Or just by changing the date/time, or running NTPD on the machine..."

    Yep because criminals and pawnshop owners are smart enough to do those things. In a world where people still use crystal meth, I think it's safe to assume jackasses that steal the random laptop or car aren't going to swap hardware on a motherboard or run utilities on a machine.

  13. Re:This can be good... by khrtt · · Score: 2, Insightful

    Ever try to swap a quartz in a notebook? You'd have to take the whole damn thing apart, take out the motherboard, find the RTC crystal on it, obtain a replacement crystal (same model/frequency), and solder it in. If you have enough skills to do that, you probably don't need to bother stealing laptops in the first place.

    Most people who steal laptops don't even reinstall the OS, and I know people who recovered their laptops using the noip client that they had on the machine (http://www.noip.com).

    The thing is, to measure clock skew on a suspect machine you need to be able to connect to it, and if you can connect to it, there is no need to additionally confirm that it's your machine.

  14. Re:entropy by Random832 · · Score: 2, Insightful

    don't you mean 1 computer in 64?

    --
    We've secretly replaced Slashdot with new Folgers Crystals - let's see if it notices.
  15. Re:Skeptical by greg1104 · · Score: 2, Insightful

    > PC clocks are rather crappy and temperature sensitive

    Line voltage sensitive, too. With the way newer processors throttle their speeds around based on temperature and loading, and the way fans change their parameters based on temperature, I have little hope for this technique nailing any new system.

    Let's see, what were the authors using in the lab where they tested machine to machine variations?

    "All the machines were Micron PCs with 448MHz Pentium II Processors". Right. From this, we get the grand statement shortly afterward "The current results strongly support our claim that modern processors have relatively stable clock skews". Uh, sorry guys, you didn't use a single modern processor for this section; just some obsolete ones that run so cool they don't have any CPU clock or temperature variation. There's not a machine to be found in their entire test that features the kind of design we see in actual modern processors.