

Tracking a Specific Machine Anywhere On The Net

An anonymous reader writes "An article on ZDNet Australia tells of a new technique developed at CAIDA that involves using the individual machine's clock skew to fingerprint it anywhere on the net." Possible uses of the technique include "tracking, with some probability, a physical device as it connects to the Internet from different access points, counting the number of devices behind a NAT even when the devices use constant or random IP identifications, remotely probing a block of addresses to determine if the addresses correspond to virtual hosts (for example, as part of a virtual honeynet), and unanonymising anonymised network traces."

16 of 470 comments

  1. Fingerprinting by BWJones · Score: 5, Insightful

    Ph.D. student Tadayoshi Kohno said: "There are now a number of powerful techniques for remote operating system fingerprinting, that is, remotely determining the operating systems of devices on the Internet. We push this idea further and introduce the notion of remote physical device fingerprinting ... without the fingerprinted device's known cooperation."

    This dissertation will get this dude himself a position with the NSA. Although he quoted an FBI project, Carnivore, as one potential branch of this work, my guess is that he is already being heavily recruited by the NSA and CIA. They have more resources than the FBI to grab somebody like this, and would be smart to try and recruit him. Hey Tadayoshi.....you want a job?

    Seriously. While lots of folks have been looking at ways to hard code the IP address within the hardware, this is a more impressive (and unique) way of looking at the problem. Everything has a signature of sorts that can be tracked (skin plumes, small molecular phenotypes, genetics, acoustic signatures, thermal signatures, etc....etc....etc...), and Tadayoshi simply decided to examine those small variations built into electronic devices to fingerprint hardware. Very clever, but of course nanomanufacturing is the counter to this technology. I say of course, but the "arms race" to do that is not an insignificant achievement. Tadayoshi's technology will absolutely have some significant staying power.

    --
    Visit Jonesblog and say hello.
    1. Re:Fingerprinting by lgw · Score: 5, Insightful

      Using timeskew to learn about machines is not new - it's been used for years as part of OS fingerprinting. This application is pretty insightful, however.

      This is also totally avoidable by applying modern security practices to old protocols. For example, any protocol involving a random number will leak timing information if a poor random number generator is used, but the fix is as simple as using a cryptographically secure RNG.

      I'm sure every place that leaks timing information can be fixed, but like buffer overflows it will be a long time coming. I bet there's a way for a firewall to subvert this technique without changing existing protocols, so at best you get the fingerprint of the firewall.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    2. Re:Fingerprinting by harrkev · Score: 5, Informative

      The application might be insightful, but to me it seems almost useless. From my reading of the article, it seems that they get ONE number -- a skew value. ONE NUMBER - that's it! This might be useful in proving that a particular machine is NOT the one that you are looking for, but it will likely suffer from a high false-positive rate.

      Let me put it this way. It is like measuring just height. If you are looking for a suspect who is 6'2", you can rule out the people who are 5'6". But if you find somebody who is 6'2", this does not make them automatically the perpetrator.

      You can combine this with other techniques (like nmap). But this would be like saying "the criminal has blond hair and blue eyes, and is 6'2"." This would rule out 95% or more of the population, but the false positive rate would still be high.

      And now that people know about this, I bet that it would be easy to put in some type of change in the Linux kernel to randomize the timing values just a little. Then, you could swamp the signal with noise. Then, you are back to where you were having just nmap.

      --
      "-1 Troll" is apparently the same as "-1 I disagree with you."
    3. Re:Fingerprinting by B'Trey · Score: 5, Insightful

      Is this the same timeskew that the Kerberos protocol measures, which is simply a measurement of the difference in the setting of the client clock as compared to the server clock? If so, isn't this defeated by simply changing the system time? A cron job to run an NTP update once an hour and voilà, this technique is useless. Or, since we're talking about the TCP timestamp, a simple mod to the TCP/IP stack that alters the timestamp by some tiny, random amount. And, as you pointed out, it seems it would be trivial for a firewall or NAT device to subvert the technique by simply rewriting the TCP timestamp.

      --

      "The legitimate powers of government extend only to such acts as are injurious to others." Thomas Jefferson.

    4. Re:Fingerprinting by Fjornir · Score: 5, Interesting

      How about rigging my TCP stack to add/subtract a random number to the timestamp in my headers?

      --
      I want a new world. I think this one is broken.
  2. Paper and technical details are here: by JohnGrahamCumming · Score: 5, Informative

    http://www.cse.ucsd.edu/users/tkohno/papers/PDF/

    John.

  3. This can be good... by TedTschopp · Score: 5, Interesting

    I have a co-worker who just got her laptop stolen. Now if the computer could be tracked when the jerk logs it into the Internet, that would be helpful in tracking the guy down.

    Ted Tschopp

    --
    Fantasy remains a human right; we make in our measure and in our derivative mode... -- JRR Tolkien
  4. Dangers with licence activation by Harodotus · Score: 5, Interesting

    Several points here. If true, it could be used to devastating effect in licensing / activation programs. Many publishers view downloading software onto multiple machines as proof of violating single machine license agreements, while at the same time allowing multiple downloads of that software to ease the customer service burden from "It didn't work when I first tried to download it" calls. If somebody were to buy such a package and then download it to his desktop and then later to his laptop, this kind of fingerprinting would allow the publisher to catch him.

    From TFA, it says that:
    The technique works by "exploiting small, microscopic deviations in device hardware: clock skews." In practice, Kohno's paper says, his techniques "exploit the fact that most modern TCP stacks implement the TCP timestamps option from RFC 1323 whereby, for performance purposes, each party in a TCP flow includes information about its perception of time in each outgoing packet. A fingerprinter can use the information contained within the TCP headers to estimate a device's clock skew and thereby fingerprint a physical device."

    This sounds to me like firewalls would have to be modified to intentionally hide this data and remove this difference in timestamp calculations (the firewall generates both and back translates when doing NAT). So it's just a call for yet another firewall patch. Can the firewall vendors patch and globally implement faster than this privacy exploit can be exploited? I would hope so at least.

    --
    It's not users who are broken, it's systems not taking account of their likely behaviour and fixing it technically.
  5. Obligatory bash quote by natrius · Score: 5, Funny
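    As an added example (not code from the article or from Kohno's paper), the following Python models the estimation the quoted passage describes: for each packet the difference between the sender's TCP timestamp clock and the observer's clock is recorded, and the slope of that offset set is the skew. It also measures how much random timestamp dither, which several comments propose as a countermeasure, scatters the fit. The 1 kHz tick rate, the least-squares fit (the paper uses linear programming) and the traces are constructed assumptions.

```python
"""Clock-skew fingerprint from TCP timestamps (added example, constructed data)."""
import random

TICK_HZ = 1000  # assumed timestamp clock rate: one tick per millisecond


def offset_set(samples, tick_hz=TICK_HZ):
    """Turn (arrival_time_s, tcp_timestamp) pairs into (x, y) points:
    x = seconds since the first packet by the observer's clock,
    y = how far the sender's timestamp clock has drifted from ours since then.
    A constant-skew device yields a straight line; its slope is the fingerprint."""
    t0, ts0 = samples[0]
    return [(t - t0, (ts - ts0) / tick_hz - (t - t0)) for t, ts in samples]


def estimate_skew_ppm(samples, tick_hz=TICK_HZ):
    """Least-squares slope of the offset set, in parts per million.
    (The paper fits a bound by linear programming; OLS is a simpler stand-in.)"""
    pts = offset_set(samples, tick_hz)
    n = len(pts)
    mx = sum(x for x, _ in pts) / n
    my = sum(y for _, y in pts) / n
    sxx = sum((x - mx) ** 2 for x, _ in pts)
    sxy = sum((x - mx) * (y - my) for x, y in pts)
    return 1e6 * sxy / sxx


def residual_rms(samples, tick_hz=TICK_HZ):
    """RMS scatter of the points around the fitted line, in seconds: near zero
    for an unmodified stack, large when the sender dithers its timestamps."""
    pts = offset_set(samples, tick_hz)
    slope = estimate_skew_ppm(samples, tick_hz) * 1e-6
    n = len(pts)
    b = sum(y - slope * x for x, y in pts) / n
    return (sum((y - slope * x - b) ** 2 for x, y in pts) / n) ** 0.5


def make_trace(true_skew_ppm, n=600, interval_s=1.0, jitter_ticks=0, seed=7):
    """Constructed trace: one packet per interval_s from a host whose timestamp
    clock runs true_skew_ppm fast, with optional uniform random dither."""
    rng = random.Random(seed)
    trace = []
    for i in range(n):
        t = i * interval_s
        ts = round(t * (1 + true_skew_ppm * 1e-6) * TICK_HZ)
        if jitter_ticks:
            ts += rng.randint(-jitter_ticks, jitter_ticks)
        trace.append((t, ts))
    return trace


if __name__ == "__main__":
    for label, trace in (("clean", make_trace(50.0)), ("dithered", make_trace(50.0, jitter_ticks=100))):
        print(f"{label}: {estimate_skew_ppm(trace):.2f} ppm, residual {residual_rms(trace):.4f} s")
```

    With ten minutes of once-a-second packets the clean trace recovers the 50 ppm skew to a fraction of a ppm, while 100 ms of dither raises the residual scatter by two orders of magnitude and makes the slope estimate unreliable.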

    hm. I've lost a machine.. literally _lost_. it responds to ping, it works completely, I just can't figure out where in my apartment it is.

    1. Re:Obligatory bash quote by witte · Score: 5, Funny

      1. upload & install apache on lost machine
      2. host page with mac screenshots on it
      3. post page on slashdot
      4. follow smell of melting plastic
      5. machine found

  6. So... by gowen · Score: 5, Interesting

    Here's what I don't see. Let's say:
    i) most (say, 75%) of internet-connected computers have clocks correct to within a couple of minutes.
    ii) Few TCP timestamp clocks bother with a tick time shorter than 1ms.

    That means that 75% of the computers must be mapped to a space containing 4*60*1000 = 240,000 unique items.

    Now, surely there are more than a quarter of a million computers on the Net, so how will this enable us to track a device uniquely?

    --
    Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
    1. Re:So... by Laurentiu · Score: 5, Insightful

      If you search for computers on the whole net, that may well be the case. However, you will usually search for the computers in one or more address classes, which dramatically reduces your search space.

      Furthermore, if I understand the concept correctly, this technology is somewhat limited by the need for getting those packets in the first place. You must be somewhere on the line and actively listen. You could use this in a honeypot network to see if you were attacked by the same guy, but from different IP addresses. You could eliminate the quasi-privacy that a dynamic IP address is currently associated with. But you won't catch that pesky kiddie that rerouted his attack through 10k zombies. You won't catch the professional hacker that knows what an SSH gateway is. And you won't catch the "terrorist" that uses iCafe computers anyway.

      Identifying and tracking software downloaders (as I read in a previous comment) seems like a more likely application. But even that can be foiled by a determined user.

      --
      Just /. IT
  7. Easily avoidable? by DarkHand · Score: 5, Insightful

    Wouldn't very slight randomizing of packet timestamps completely nullify this method?

  8. Slashdot is Slipping by commodoresloat · Score: 5, Funny

    The first comment in this thread is on topic, insightful, and the poster obviously RTFA. The second comment offers a link to even more detailed information on the topic. Is this really slashdot or did I visit the wrong site?

  9. Can't you turn this off on Linux? by Anonymous Coward · Score: 5, Informative

    Can't you turn this off on Linux with
    echo 0 > /proc/sys/net/ipv4/tcp_timestamps

  10. Sceptical by bsd4me · Score: 5, Interesting

    I am a little sceptical as to how well this works. PC clocks are rather crappy and temperature sensitive. If you look at the ntp.drift file, you will see a diurnal pattern. Plus, I would suspect that if this technology became widespread, someone would add some dither to adjtime() to throw it off.

    --

    (S(SKK)(SKK))(S(SKK)(SKK))