Wi-Fi Fingerprints -- the End of MAC Spoofing?
judgecorp writes, "Wireless devices can be identified by variations in their radio signaling, known as their 'transceiverprint,' according to research reported in Techworld. The Canadian researcher, Jeyanthi Hall, related the prints to MAC addresses and got a positive ID for devices connecting to a Wi-Fi network, claiming 95% success with no false positives. Once they work out how to do this without a dedicated signal analyzer and neural network processing, it's the end of MAC spoofing on wireless networks."
In related news, the RIAA has been looking into installing transmitters on people's computers that would leave a "fingerprint" on the server during a download. Senior technologist Albert Gore said in an interview that one of the things he's supported about the Internet since he created it was the ability to track its users. He wants to tax the fingerprints to help pay for free Internet service in schools, and is willing to work with the RIAA in implementing the technology.
The Bush administration also seems to be jumping on the bandwagon, and is calling upon Congress to pass a law mandating fingerprint collection, to be stored in a secret database so no one can have access to it. Critics say this will cost too much to implement, and is a breach of privacy, but a presidential order has barred them from publicizing their remarks.
Hizbullah spokesman Imawiddlekooky Intheheady has shown images of the destruction these fingerprints have done. Three hospitals, twelve ambulances, and twenty-five pillars of smoke have all been destroyed due to them, and together with the Iranian President he has called for the evil west to give up.
The House is up in arms over children having fingerprints, but is divided over whether to take them away, or hang any adult that uses them.
The Apple corporation has released a statement saying that MAC-spoofing is a real problem, and has asked for an injunction against Microsoft Windows.
More news at 11, if we can get it past the constitutional filter.
In other news, replies are being made to Slashdot that have nothing to do with the stories themselves.
In even more other news, replies are being made to Slashdot claiming that they have nothing to do with the stories themselves, but in reality send subliminal messages.
20 GOTO 10
Have you read my journal today?
Cool hack, but who cares. With proper authentication (eg, WPA), you don't need to worry about MAC spoofing as the packets won't authenticate right to the access point.
Test your net with Netalyzr
Is this the same principle as identifying a radio based on the signal it produces when it keys up?
Anyone seriously into wireless security / hacking probably has 20+ wireless cards. It is common knowledge that a wireless card can be identified by its traffic, so why not just buy one of each vendor's cards and use the relevant one during each hack?
:)
I expect to see a high-end wireless card come out soon that will 'emulate' the hardware differences quite nicely
Cybie! aka Ralph Bonnell
Why would it be necessary to figure out a way to do this without using neural network processing?
Once they work out how to do this without a dedicated signal analyzer and neural network processing, it's the end of MAC spoofing on wireless networks.
...and once the paquet warr10rz figure out how to arbitrarily generate and utilise "transceiver prints" it's the end of this method of IDS.
(any wagers on how many other "first comments" will say the same thing?)
Slashdot? Oh, I just read it for the articles.
This has been in the HAM community for years.
http://www.motron.com/TransmitterID.html
Reduce, reuse, cycle
When they develop the hardware that has all of that enabled, it does not cost an insane amount over the cost of something without signal analysis; when they could just use other security measures, or multiple security measures which are cheaper.
Albeit the military and security conscious would still buy it.
WiFi MAC spoofing will also remain useful on open unencrypted networks where it's not locked down by MAC, but you just don't want to be traceable.
They were doing this during World War II, using the unique characteristics and variations of transmitters to "fingerprint" them. Similar things were done with the way radio operators send morse code to help detect spies that had been compromised.
Mea navis aericumbens anguillis abundat
One of the 'Artemis Fowl' stories predicted this quite nicely. The LEP (rechans) have had this technology for quite some time. They also have the ability to see a fingerprint on wired access and fingerprints from each router and each section of copper.
Wouldn't certain hacker-written firmware replacements make it act like something else? I know of a Linksys one that lets you boost the signal 4x the normal max with the old firmware, so how hard could it possibly be to get it to do other things that would mask it? Even if the way the antennas were built caused an unmistakable fingerprint, if you got the device's hardware to change its power levels on certain parts or tweak the frequency outside the 12 channel range for example, that would make it look like something else, right?
now stop reading and go play Dance Dance Revolution!
95 percent is still far too low for a viable consumer product. Can you imagine if 5 percent of the folks buying something based on this technology found that it didn't work? The public outcry would be enormous.
On behalf of the DoD, I would like to welcome IT geeks to antiquated military technology!
"It takes considerable knowledge just to realize the extent of your own ignorance." - Thomas Sowell
it's the end of MAC spoofing on wireless networks
and the beginning of transceiverprint spoofing.
I think the whole point of this article is that will no longer be a valid method of protecting your identity since you might be identified by your "radio fingerprint" or "footprint" or wtfever.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
If you RTFA, you would have seen that manufacturing variations yield differences even among the exact make and model -- e.g. that minor circuitry, amplifier and antenna variations yield a unique signature.
I think the whole point of this article is that will no longer be a valid method of protecting your identity since you might be identified by your "radio fingerprint" or "footprint" or wtfever.
What I gathered from the article is that (when this tech gets integrated into IDS) you can't pretend to be someone else on a network with only specific authorized MACs.
You could still hide your identity pretty well with a spoofed MAC on an open network. Do you think the manufacturers keep a database of RF signatures for all their products, cross referenced with the MAC? I don't think so either.
This is interesting but the sample size is too small to let us know how accurate this technique really is.
http://www.mathworks.com/company/user_stories/user_story10433.html?by=company
Wi-Fi fingerprinting is nothing new and we have tried the various techniques at our university but it simply does not work because the number of false positives is way too high for it to be practical and to be deployed in an environment with many users. We had support from one of the developers of the technology and after looking at the data and the floods of user complaints he even admitted that Wi-Fi fingerprinting is not practical and we had to give up on it.
Once they work out how to do this without a dedicated signal analyzer and neural network processing, it's the end of MAC spoofing on wireless networks.
... and the beginning of transceiverprint spoofing on wireless networks. Right?
Accomplishing what's stated doesn't sound all that trivial. Or cheap. Which might make manufacturers unenthusiastic.
But if it is (trivial and cheap), then won't everyone eventually obtain and use such technology, including the black hats?
Why would hackers not simply spoof the RF fingerprint? Some ideas come to mind: 1) dynamically adjust the outgoing signal digitally to imitate the fingerprint, 2) add interference around the transmitter so the signal looks the same, 3) use specialized analog electronics to imitate the fingerprint.
There are variations in radios even among the same model. You can uniquely identify 2 separate radios of the same model pretty easily. This is something we have done to combat the squirrels (slang for the idiots who think it's fun to screw a ham repeater up) on our ham repeaters in our area... that and triangulation of the perp's signal. Nothing new and about time.
Gorkman
So... what was the 5% if they weren't false positives?
Given:
1) MAC addresses are easily cloned; it's child's play
2) Spoofing above the MAC layer is difficult
3) This methodology produces no false positives
4) The hacker community will find what the characterizations are then
5) Find nice and easy ways of memorizing the characterizations so that
6) They can continue to spoof whatever they want, whenever they want.
So, yes, there are additional authentications that make things easier to secure -- but changing the character of a card isn't difficult to do, as today there are less than a dozen chipsets doing 98% of all WiFi, from 802.11abgn and 'turbo'/speed-enhanced non-standard variations.
So, Fi. Gimme 30 seconds with the analyzer to characterize what they're looking for, and I'll be pleased to embarrass your WEP-loving CTO.
---- Teach Peace. It's Cheaper Than War.
the End of MAC Spoofing?
Nah, we'll only see the end of Mac spoofing when they stop making commercials with that goofball that looks like Bill Gates.
The theory of relativity doesn't work right in Arkansas.
Not yet, but when/if this technology becomes widespread, do you really think that some law won't be passed requiring just that?
The question isn't whether you're Paranoid, [Lenny], the question is whether you're paranoid enough. --strange days
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
for no benefit. I have a 100% solution with no false positives. It's called 'VPN'.
This is really nothing new. A friend did something similar in the early 90's to catch a guy that was spoofing false calls on the police band.
He had a very (VERY) expensive receiver that had a built-in spectrum analyzer, and they logged all calls with a timestamp and the frequency drift (stored as a 512 bit word) of the transmitter currently using the channel. Each time the operator suspected that he/she had a spoofed call they pushed a button that activated 4 direction finders that logged the timestamp and the directions. After enough data was gathered it was compiled and a geographical pattern appeared. Most of the spots from where the spoofed calls had originated were at an apartment block. They dispatched a civilian cruiser to monitor the apartment block. They picked up the guy 2 days later outside his home when he was sitting in his car spoofing a call.
--- Reality doesn't care about your opinions, it happens anyway and if you are in the way you'll get squished.
Hell, they could just download this program.
http://xmit.penguinman.com/xmit_id.html
This is old tech that Amateur radio users have had for 10 years now.
I work for Big Cellphone Company. We tried the same scheme in the mid '90s when analog phone cloning was all the rage (remember when it used to cost $1.50/minute? Ahhhhh, the good old days). It works, kind of.
The problem is you're not trying to decide whether or not to retry a packet, or what the transmit power should be. You're trying to decide whether or not to provide service, so you really can't afford to be wrong. We were never really able to get an acceptable reliability in the wild.
Believe me, we had a huge incentive to roll this out to our network. The marginal bandwidth costs from fraud didn't hurt much, but when someone made a call to, say, Saudi Arabia on a cloned phone we got stuck with all the fees on the other end. A single cloning ring could cost millions, so Big Cellphone Company was willing to break the bank to get this to work.
Eventually we rolled out digital service, so the project got shut down. Cloning fraud was one of the reasons we were willing to give you a free phone if you switched over to digital. Well, that and the long-term contract.
Everyone needs to think about this tactic! pr0n at work!
This technology has been used successfully on AMPS (analog cellular network) to get rid of ESN/MIN spoofing and it for the most part works. The result is that when spoofing calls with acoustic fingerprinting enabled, the call will get torn down if a fingerprint for that cell phone exists in HLR (Home Location Register -- the central database that authenticates the subscriber).
The thing is, in practice, wireless networks are still *wide* open. There are tons and tons of free, public wireless networks going up (like the one in my town), with nobody thinking about the implications. Even with being able to determine that these two packets came from the same card, that still doesn't tell anybody anything about WHO that is. With public wireless networks, anybody can still do whatever they need to do (legal or illegal), and be completely anonymous.
The only thing that Big Brother would know is that somebody with model XXX of wireless card posted kiddie porn from this WAP.
Authentication should always be a part of your security process.
Is this type of thing similar to the Van Eck effect?
Avoid Missing Ball for High Score
95%, no false positives -- == 5% false negatives. It also doesn't clearly define positive and negative in this context. Does this mean that 1 time in 20 when a valid card attempts a connection, it is refused? or that 1 time in 20, a spoofer gets in?
Ian Ameline
Apple will be glad to hear that. I think they're getting tired of people making fun of their ads.
Here's what you can make in terms of a signature:
1. Amplitude
2. Phase shift
3. Signal cadencing... e.g. micro-sliced events
4. Parasitics
5. Encoding profiling.
And the success is 95%. That's wonderful. Bring it on.
Your supposition that it would have to be "100 percent atom for atom identical" is pure hubris. You obviously have little engineering training. Try again.
---- Teach Peace. It's Cheaper Than War.
So, will this mean that if I buy a new antenna or break off my old antenna that my network will no longer recognize me?
How much variation will it handle? When my antenna heats up will it still have the same signature?
---k--
</stupid>
"... it's the end of MAC spoofing on wireless networks ..."
If implemented, of COURSE it is the end of MAC spoofing. But it is only the BEGINNING of WiFi fingerprint spoofing ...
Laws affecting technology will always be bad until enough techies become lawyers.
And each transmitter was hand-built, using rather rough tools.
All these things ensured that each signal had its own quirks, in time, frequency, and temperature. Radio ops could often identify transmitters by the particular yawps, swooshes, and zaps of the signal. Not to mention identifying the morse code operator by his particular "fist", i.e. spacing and other personal quirks.
Then during WW2 our side started using spectrum analyzers to categorize each model of German and Japanese radar. Here again each transmitter tended to have its own set of quirks.
Now, surprise, the same thing gets rediscovered. On some low level each wireless card has some (shuddrr) analog controlled oscillators, frequency dividers, duplexers, antennas, and amplifiers, each with its own slight amplitude, frequency, and phase characteristics.
So nothing new here. Not by like, almost 100 years.
If this is an analog fingerprint, there's a chance it'll change over time, under different conditions of heat, etc. Doesn't sound trustworthy.
Why would you rely on such a silly system?
Just a thought: Could this be used on wired applications, i.e. ethernet or generic wired TCP/IP networks, to identify packets coming from an individual machine? Surely, in principle, a network card would have the same variations in fingerprint as a wi-fi transmitter.
Any ideas?
Nothing sucks like a Vax, nothing blows like a PowerMac G4
Soon to come on Slashdot, "The Return of MAC Spoofing!" In fact, despite the fact that the end of MAC spoofing is already a long ways off, someone out there is probably proactively working on getting around this already.
I'm not saying it can't be done, but relying on this as security is false security since the number of "dimensions" to create the fingerprint is probably pretty small given all the uncertainty it has to deal with anyhow to demodulate. I'm hypothesizing, the number of dimensions of the fingerprint is probably not much better than that dip-switch they had on the early garage door openers. I'd much rather also have a 40-bit number than just rely on a dip-switch setting. I don't think anyone is even thinking that this type of technique would in any way replace mac filtering, it would just make mac filtering less susceptible to snooping. As a bad analogy, imagine replacing your credit card number with your fingerprint. Then later finding out they are only checking 6 dimensions of your fingerprint. You would probably assume that your fingerprint was one in a million, which it was, but your 16-digit credit card number is much more unique than what they are probably measuring in your fingerprint. For example, in the original paper, they claim a 95% accuracy rate and an attack false alarm rate of 2.13%.
In security, you always need to be wary of new things that people don't fully understand yet. People use fancy words like "fingerprint", and "neural networks", and "wavelets". However, if you read the original paper, they are taking transients, and classification, not oversampling. They are also using 802.11b which is QPSK based, not the newer OFDM schemes which don't have the same transients. I'm not sure their technique is applicable to anything but the pilot wave in OFDM.
The way I see it, if you have anything on your network people are going to bother finding a MAC which is on your list to get to, then you should be implementing authentication security and not just relying on what is essentially a card going "Hi, I really am this device."
:D
Using WPA with Radius isn't that difficult
How many people can read hex if only you and dead people can read hex?
Considering you can change the signature by something as simple as using a different antenna, having such a database won't do much good.
ian
Yup. Hams have been doing it for decades. (Well, most of us have just been talking about it - since actually doing it requires rather expensive gear and jammers troublesome enough to be worth the effort.) I can only imagine governments have been doing it for a lot longer than that.
But jumping from its use as a forensic tool to something which could be used for authentication / spoofing detection on cheap networking gear is far from trivial. It's hard to imagine most wifi users paying to add the necessary gear to their access points. No matter how wonderful your pattern matching algorithm may be, you still need a sensitive front end and a very fast sample rate to get the data in the first place. It's hard to imagine a scenario where the hardware needed to identify tiny perturbations on a signal wouldn't be a lot more expensive than the hardware needed to detect the signal itself.
Even as a forensic tool, the low cost of computer networking gear leaves an obvious out for savvy hackers: just load up on $5 wireless cards whenever you see them on sale, and throw each away after every successful use. It's a whole lot easier for most people to swap out networking hardware than to replace amateur radio transmitters. You could still use it to distinguish in real time between a particular legitimate user and an outsider, but that doesn't buy you very much unless it's cheap and robust enough to leave running at all times on every access point.
I am very happy with these efforts. MAC filtering is one of the best ways to keep your bandwidth for yourself.
If you can make sure MAC A is actually A, include-only filtering rules will guarantee even the "advanced" kiddies (those who know what wireless MAC spoofing is) will have trouble downloading pr0n from your handsomely-paid-for broadband.
But how on earth are you going to eliminate signal analysis and a database of signatures (assuming every single card is different, even from chipsets in its own batch)?
That would be nice. Wake me when it happens.
Of course, there goes your defense when the RIAA sues you for filesharing, and your defense is, "It musta been someone hacking into my wireless network."
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
These are cookie cutter devices. Their deltas are uber-thin. You'd need to resolve various characteristics to the femto-side of things. I'm sure that there's a lot of demand for high-resolution characterization gear out there that will slice things into ultra-tiny pieces, then have the ability to keep them in a useful db, then use that db to effectively serve as the gate of admittance control.
I don't think so.
Instead, a few little twigs will be used, and those twigs will define what's going on. Call it engineer SLOTH. Tolerances will be widened so that customer support problems don't occur. Once the routines are discovered (and it won't take long), then they'll be abused.... oops I mean cracked. The software that initially characterizes will need to be plenty smart to be able to prevent the same aforementioned customer service problems, and so it'll have slop, too. Add the slops together, and there's a hole. The 95% citation seems more like a salesperson's view of things. I'm far more skeptical. Look at how APs have evolved, as well as the chipsets for WiFoo (and read the book by the same name).
Go to Taiwan Inc and take a spectrum analyzer with you. I have. Throw a high-rate sampling scope and look at the waveforms. Now add in some heat. User positioning. Skew it with some general and contentious noise to slop it up. Tell me you can get that kind of accuracy then tell me that I can't take a similar chipset card and foo it up to make it fool some bozo pseudo-NSA sampler. Bah.
---- Teach Peace. It's Cheaper Than War.
>will no longer be a valid method of protecting your identity
So swap in a different wireless card when you're emailing out dissident literature. You could use a new card every couple of weeks for less than your lunch budget.
Some years back when mayhem was happening to a local 2m NBFM repeater, I got into the habit of leaving an allmode radio monitoring the input, in USB mode. That lets you hear exactly what the FM carrier is doing.
All FM radios have a different keyup chirp. That is, when you key up they start on some frequency and drift off to their final frequency over a short period of time. Some do it quickly, some slowly, but all start off on and end on a different pair of frequencies. Some would also have a tendency to AM on top of their FM, and others would have other artifacts.
After listening for a few weeks I could recognize all the regulars as soon as they'd key up.
Lots of other people have pointed out that as soon as they 'work it out' people will start spoofing it, but I'd question whether it's realistic to detect such a thing outside a lab environment in the first place. The paper says they are detecting differences in transient characteristics accurately enough to distinguish between the same model device from the same manufacturer. But, there are other factors that will affect the apparent transient signal far more than the manufacturing differences.
The temperature of the device is a major one. The current power setting on a laptop will affect the signal. The relative antennae orientation. Any other environmental signal degradation, like a microwave getting turned on nearby.
Some of those won't affect the 'actual' transient the device transmits, but they will affect the 'apparent' transient as it's received by your router.
They briefly touch on this, saying that to avoid losing accuracy in the fingerprint they recommend constantly updating it (which they call a 'dynamic profile') to account for "factors, such as transceiver aging". But there are so many factors that could change the apparent transient signal, I strongly suspect the only way to avoid kicking off legitimate devices constantly as the signal degrades will be to include so much 'slack' in your dynamic profile, that another device of the same model (or possibly just the same chipset) will be able to take over seamlessly.
They might be on to something, but I'm not going to hold my breath.
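The trade-off this post describes (a 'dynamic profile' loose enough to survive heat, power-setting and antenna drift is also loose enough to admit a same-model card) can be shown with a small toy matcher. This is an added illustration, my own code and not the paper's or any poster's: the four feature names, the per-feature spread used to normalise distances, the drifted readings of the enrolled card and the readings of the other two cards are all constructed numbers chosen to make the effect visible, not measurements of any real hardware.

```python
import math
from typing import Dict, List, Tuple

# A transient "fingerprint" as a tuple of constructed features:
# (rise time us, overshoot ratio, start-frequency offset kHz, amplitude dBm).
Fingerprint = Tuple[float, float, float, float]

# Constructed per-feature measurement spread used to normalise distances, so a
# 0.5 kHz wobble in frequency counts the same as a 0.05 us wobble in rise time.
SPREAD: Fingerprint = (0.05, 0.02, 0.5, 0.5)

# Enrolled profile centre for the legitimate card (constructed).
ENROLLED: Fingerprint = (2.00, 1.10, 12.0, -20.0)

# Later readings of the same legitimate card as received by the AP under the
# conditions the post lists (all values constructed).
LEGIT_OBSERVATIONS: Dict[str, Fingerprint] = {
    "cold start":         (2.00, 1.10, 12.0, -20.0),
    "warm":               (2.05, 1.12, 12.8, -20.2),
    "hot":                (2.12, 1.15, 13.9, -20.6),
    "battery, low power": (2.04, 1.11, 12.3, -23.0),
}

# Other cards (constructed): one of the same model, one of a different model.
OTHER_CARDS: Dict[str, Fingerprint] = {
    "same model, different unit": (2.08, 1.13, 13.2, -20.4),
    "different model":            (3.50, 1.40, 25.0, -18.0),
}


def normalised_distance(centre: Fingerprint, obs: Fingerprint,
                        spread: Fingerprint = SPREAD) -> float:
    """Euclidean distance after dividing each feature by its expected spread."""
    return math.sqrt(sum(((o - c) / s) ** 2 for o, c, s in zip(obs, centre, spread)))


def matches(centre: Fingerprint, obs: Fingerprint, tolerance: float) -> bool:
    """Accept the reading if it lies within `tolerance` of the profile centre."""
    return normalised_distance(centre, obs) <= tolerance


def evaluate(tolerance: float, centre: Fingerprint = ENROLLED) -> Tuple[int, int]:
    """Return (legit readings rejected, other cards accepted) for one tolerance."""
    false_rejects = sum(not matches(centre, o, tolerance)
                        for o in LEGIT_OBSERVATIONS.values())
    impostor_accepts = sum(matches(centre, o, tolerance)
                           for o in OTHER_CARDS.values())
    return false_rejects, impostor_accepts


def tolerance_for_zero_false_rejects(centre: Fingerprint = ENROLLED) -> float:
    """Smallest tolerance that keeps every drifted legitimate reading inside the profile."""
    return max(normalised_distance(centre, o) for o in LEGIT_OBSERVATIONS.values())


def updated_centre(centre: Fingerprint, accepted: List[Fingerprint]) -> Fingerprint:
    """'Dynamic profile': move the centre to the mean of the readings accepted so far."""
    pts = [centre, *accepted]
    return tuple(sum(p[i] for p in pts) / len(pts) for i in range(4))  # type: ignore[return-value]


if __name__ == "__main__":
    for tol in (3.0, tolerance_for_zero_false_rejects()):
        fr, ia = evaluate(tol)
        print(f"tolerance {tol:.2f}: {fr} legit readings rejected, {ia} other cards accepted")
    for name, o in OTHER_CARDS.items():
        print(f"{name}: distance {normalised_distance(ENROLLED, o):.2f} from enrolled profile")
```

With the tight tolerance the hot and low-power readings of the enrolled card are refused; widening the tolerance just far enough to keep all four of its readings also lets the same-model unit through, while the different-model card stays out at either setting. Updating the centre as readings are accepted narrows the gap for the current conditions but does not change the underlying overlap between units of one model.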
Removable wireless networking devices are under $20 and are small enough to be easily hidden, destroyed, or lost forever. You can have a naughty one and a nice one.
"Once they work out how to do this without a dedicated signal analyzer and neural network processing, it's the end of MAC spoofing on wireless networks." I'm glad the terminator is helping us on this one. Fuck the dedicated signal analyzer, all we need is the learning computer.
It's actually not that expensive. It's built in to our repeater. While repeaters are not as cheap as your regular ham rig, they are not that expensive.
Gorkman
For information, the margin of error @ 95% confidence for only 15 samples is about
:-)
0.98/SQRT(15) = 25%
i.e., the detection rate lies somewhere between 70 and 100%
source: wikipedia, http://en.wikipedia.org/wiki/Margin_of_Error
Now, this is still quite interesting IMHO
Herve S.
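Two things in this thread are worth working through with numbers: the earlier question of what "95%, no false positives" actually means (is the 5% a valid card refused, or a spoofer let in?), and the margin-of-error figure just above. The block below is an added example, my own code and not from the paper or any poster: the trial log is constructed (20 attempts by the enrolled card, 10 by other cards presenting its MAC), it reports the two error rates separately, and alongside the poster's worst-case 0.98/SQRT(n) figure it adds a Wilson score interval, which is my choice for small samples near 100% and not something the thread uses.

```python
import math
from collections import Counter
from typing import Dict, List, Tuple

# Constructed evaluation log (not data from the paper): each entry is
# (ground truth, classifier decision).
TRIALS: List[Tuple[str, str]] = (
    [("legit", "accept")] * 19 + [("legit", "reject")]
    + [("spoof", "reject")] * 9 + [("spoof", "accept")]
)


def rates(trials: List[Tuple[str, str]]) -> Dict[str, float]:
    """Split one headline accuracy number into the two error rates that matter."""
    c = Counter(trials)
    n_legit = c[("legit", "accept")] + c[("legit", "reject")]
    n_spoof = c[("spoof", "accept")] + c[("spoof", "reject")]
    return {
        # a valid card refused: the "1 time in 20" the legitimate user sees
        "false_reject_rate": c[("legit", "reject")] / n_legit,
        # a spoofer let in: the "1 time in 20" the defender cares about
        "false_accept_rate": c[("spoof", "accept")] / n_spoof,
        # share of spoof attempts correctly rejected
        "detection_rate": c[("spoof", "reject")] / n_spoof,
        "n_legit": n_legit,
        "n_spoof": n_spoof,
    }


def max_margin_of_error(n: int, z: float = 1.96) -> float:
    """Worst-case 95% half-width for a proportion estimated from n trials.

    z * sqrt(0.25 / n) == 0.98 / sqrt(n), the normal-approximation figure
    quoted above; it assumes p = 0.5, the proportion with the largest variance.
    """
    return z * math.sqrt(0.25 / n)


def wilson_interval(p_hat: float, n: int, z: float = 1.96) -> Tuple[float, float]:
    """Wilson score interval for an observed proportion p_hat over n trials.

    Better behaved than the normal approximation when p_hat is near 0 or 1
    (as 0.95 is) and n is small, and never leaves [0, 1].
    """
    denom = 1 + z * z / n
    centre = (p_hat + z * z / (2 * n)) / denom
    half = z * math.sqrt(p_hat * (1 - p_hat) / n + z * z / (4 * n * n)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))


if __name__ == "__main__":
    for k, v in rates(TRIALS).items():
        print(f"{k}: {v}")
    print(f"worst-case 95% margin at n=15: +/-{max_margin_of_error(15):.1%}")
    lo, hi = wilson_interval(0.95, 15)
    print(f"Wilson 95% interval for 95% observed on 15 samples: {lo:.1%} .. {hi:.1%}")
```

On the constructed log the false reject rate (5%) and the false accept rate (10%) are different numbers, which is exactly why a single "95%" tells a defender little. For 95% observed on 15 samples the Wilson interval runs from roughly 72% to 99%, so the poster's "somewhere between 70 and 100%" is about right, and the figure only tightens with many more trials.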
So under ideal lab conditions 95% of the time it worked. And 5% of the time legitimate users wouldn't have been able to connect.
So what are they meant to do? Or the system admins running the network? Nip off and buy another wifi-card hoping the new one works, while junking a perfectly decent one? Or maybe just turn off the IDS?
MAC spoofing will continue to work, because this will be a) too expensive b) 95% is not enough by far and c) nobody cares.
The title is BS and very low-quality journalism
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.