Wi-Fi Fingerprints -- the End of MAC Spoofing?
judgecorp writes, "Wireless devices can be identified by variations in their radio signaling, known as their 'transceiverprint,' according to research reported in Techworld. The Canadian researcher, Jeyanthi Hall, related the prints to MAC addresses and got a positive ID for devices connecting to a Wi-Fi network, claiming 95% success with no false positives. Once they work out how to do this without a dedicated signal analyzer and neural network processing, it's the end of MAC spoofing on wireless networks."
Cool hack, but who cares. With proper authentication (e.g., WPA), you don't need to worry about MAC spoofing as the packets won't authenticate right to the access point.
Test your net with Netalyzr
Anyone seriously into wireless security / hacking probably has 20+ wireless cards. It is common knowledge that a wireless card can be identified by its traffic, so why not just buy one of each vendor's cards and use the relevant one during each hack?
:)
I expect to see a high-end wireless card come out soon that will 'emulate' the hardware differences quite nicely
Cybie! aka Ralph Bonnell
Once they work out how to do this without a dedicated signal analyzer and neural network processing, it's the end of MAC spoofing on wireless networks.
...and once the paquet warr10rz figure out how to arbitrarily generate and utilise "transceiver prints" it's the end of this method of IDS.
(any wagers on how many other "first comments" will say the same thing?)
Slashdot? Oh, I just read it for the articles.
This has been in the HAM community for years.
http://www.motron.com/TransmitterID.html
Reduce, reuse, cycle
When they develop the hardware that has all of that enabled, it does not cost an insane amount over the cost of something without signal analysis; when they could just use other security measures, or multiple security measures, which are cheaper.
Albeit the military and security conscious would still buy it.
Using this fingerprinting to track users would certainly work theoretically (wirelessly only of course).
However, I think it would be possible to create a fingerprint scrambling device.
My Computer Music Tutorial Videos
They were doing this during World War II, using the unique characteristics and variations of transmitters to "fingerprint" them. Similar things were done with the way radio operators send morse code to help detect spies that had been compromised.
Mea navis aericumbens anguillis abundat
One of the 'Artemis Fowl' stories predicted this quite nicely. The LEP (recon) have had this technology for quite some time. They also have the ability to see a fingerprint on wired access and fingerprints from each router and each section of copper.
Wouldn't certain hacker-written firmware replacements make it act like something else? I know of a Linksys one that lets you boost the signal 4x the normal max with the old firmware, so how hard could it possibly be to get it to do other things that would mask it? Even if the way the antennas were built caused an unmistakable fingerprint, if you got the device's hardware to change its power levels on certain parts or tweak the frequency outside the 12 channel range for example, that would make it look like something else, right?
now stop reading and go play Dance Dance Revolution!
95 percent is still far too low for a viable consumer product. Can you imagine if 5 percent of the folks buying something based on this technology found that it didn't work? The public outcry would be enormous.
On behalf of the DoD, I would like to welcome IT geeks to antiquated military technology!
"It takes considerable knowledge just to realize the extent of your own ignorance." - Thomas Sowell
I think the whole point of this article is that will no longer be a valid method of protecting your identity since you might be identified by your "radio fingerprint" or "footprint" or wtfever.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
If you RTFA, you would have seen that manufacturing variations yield differences even among the exact make and model -- e.g. that minor circuitry, amplifier and antenna variations yield a unique signature.
I think the whole point of this article is that will no longer be a valid method of protecting your identity since you might be identified by your "radio fingerprint" or "footprint" or wtfever.
What I gathered from the article is that (when this tech gets integrated into IDS) you can't pretend to be someone else on a network with only specific authorized MACs.
You could still hide your identity pretty well with a spoofed MAC on an open network. Do you think the manufacturers keep a database of RF signatures for all their products, cross referenced with the MAC? I don't think so either.
This is interesting but the sample size is too small to let us know how accurate this technique really is.
http://www.mathworks.com/company/user_stories/user_story10433.html?by=company
Wi-Fi fingerprinting is nothing new and we have tried the various techniques at our university but it simply does not work because the number of false positives is way too high for it to be practical and to be deployed in an environment with many users. We had support from one of the developers of the technology and after looking at the data and the floods of user complaints he even admitted that Wi-Fi fingerprinting is not practical and we had to give up on it.
In even MORE other news (see, the capitalized letters mean even more emPHAsis on the wrong sylLABle), folks are posting mildly humorous statements to slashdot in order to garner more Karma.
It was pretty funny, though.
Once they work out how to do this without a dedicated signal analyzer and neural network processing, it's the end of MAC spoofing on wireless networks.
... and the beginning of transceiverprint spoofing on wireless networks. Right?
Accomplishing what's stated doesn't sound all that trivial. Or cheap. Which might make manufacturers unenthusiastic.
But if it is (trivial and cheap), then won't everyone eventually obtain and use such technology, including the black hats?
Why would hackers not simply spoof the RF fingerprint? Some ideas come to mind: 1) dynamically adjust the outgoing signal digitally to imitate the fingerprint; 2) add interference around the transmitter so the signal looks the same; 3) use specialized analog electronics to imitate the fingerprint.
There are variations in radios even among the same model. You can uniquely identify 2 separate radios of the same model pretty easily. This is something we have done to combat the squirrels (slang for the idiots who think it's fun to screw a ham repeater up) on our ham repeaters in our area....that and triangulation of the perp's signal. Nothing new and about time.
Gorkman
So... what was the 5% if they weren't false positives?
Given:
1) MAC addresses are easily cloned; it's child's play
2) Spoofing above the MAC layer is difficult
3) This methodology produces no false positives
4) The hacker community will find what the characterizations are then
5) Find nice and easy ways of memorizing the characterizations so that
6) They can continue to spoof whatever they want, whenever they want.
So, yes, there are additional authentications that make things easier to secure-- but changing the character of a card isn't difficult to do as today, there are less than a dozen chipsets doing 98% of all WiFi, from 802.11abgn and 'turbo'/speed-enhanced non-standard variations.
So, Fi. Gimme 30 seconds with the analyzer to characterize what they're looking for, and I'll be pleased to embarrass your WEP-loving CTO.
---- Teach Peace. It's Cheaper Than War.
the End of MAC Spoofing?
Nah, we'll only see the end of Mac spoofing when they stop making commercials with that goofball that looks like Bill Gates.
The theory of relativity doesn't work right in Arkansas.
Not yet, but when/if this technology becomes widespread, do you really think that some law won't be passed requiring just that?
The question isn't whether you're Paranoid, [Lenny], the question is whether you're paranoid enough. --strange days
for no benefit. I have a 100% solution with no false positives. it's called 'VPN'.
This is really nothing new. A friend did something similar in the early 90's to catch a guy that was spoofing false calls on the police band.
He had a very (VERY) expensive receiver that had a built in spectrum analyzer, and they logged all calls with a timestamp and the frequency drift (stored as a 512 bit word) of the transmitter currently using the channel. Each time the operator suspected that he/she had a spoofed call they pushed a button that activated 4 direction finders that logged the timestamp and the directions. After enough data was gathered it was compiled and a geographical pattern appeared. Most of the spots from where the spoofed calls had originated were at an apartment block. They dispatched a civilian cruiser to monitor the apartment block. They picked up the guy 2 days later outside his home when he was sitting in his car spoofing a call.
--- Reality doesn't care about your opinions, it happens anyway and if you are in the way you'll get squished.
Sounds like the same process that ham radio people have been using for at least 10 years now. Maybe they should check with the ham radio people before inventing a horse that has been in use for a while now.
Funny mods don't give you karma.
Hell, they could just download this program.
http://xmit.penguinman.com/xmit_id.html
This is old tech that Amateur radio users have had for 10 years now.
I work for Big Cellphone Company. We tried the same scheme in the mid '90s when analog phone cloning was all the rage (remember when it used to cost $1.50/minute? Ahhhhh, the good old days). It works, kind of.
The problem is you're not trying to decide whether or not to retry a packet, or what the transmit power should be. You're trying to decide whether or not to provide service, so you really can't afford to be wrong. We were never really able to get an acceptable reliability in the wild.
Believe me, we had a huge incentive to roll this out to our network. The marginal bandwidth costs from fraud didn't hurt much, but when someone made a call to, say, Saudi Arabia on a cloned phone we got stuck with all the fees on the other end. A single cloning ring could cost millions, so Big Cellphone Company was willing to break the bank to get this to work.
Eventually we rolled out digital service, so the project got shut down. Cloning fraud was one of the reasons we were willing to give you a free phone if you switched over to digital. Well, that and the long-term contract.
Everyone needs to think about this tactic! pr0n at work!
This technology has been used successfully on AMPS (analog cellular network) to get rid of ESN/MIN spoofing and it for the most part works. The result is that when spoofing calls with acoustic fingerprinting enabled, the call will get torn down if a fingerprint for that cell phone exists in HLR (Home Location Register -- the central database that authenticates the subscriber).
The thing is, in practice, wireless networks are still *wide* open. There are tons and tons of free, public wireless networks going up (like the one in my town), with nobody thinking about the implications. Even with being able to determine that these two packets came from the same card, that still doesn't tell anybody anything about WHO that is. With public wireless networks, anybody can still do whatever they need to do (legal or illegal), and be completely anonymous.
The only thing that Big Brother would know is that somebody with model XXX of wireless card posted kiddie porn from this WAP.
Is this type of thing similar to Van Ecks effect?
Avoid Missing Ball for High Score
95%, no false positives -- == 5% false negatives. It also doesn't clearly define positive and negative in this context. Does this mean that 1 time in 20 when a valid card attempts a connection, it is refused? or that 1 time in 20, a spoofer gets in?
Ian Ameline
Apple will be glad to hear that. I think they're getting tired of people making fun of their ads.
Here's what you can make in terms of a signature:
1. Amplitude
2. Phase shift
3. Signal cadencing... e.g. micro-sliced events
4. Parasitics
5. Encoding profiling.
And the success is 95%. That's wonderful. Bring it on.
In terms of your supposition that it would have to be "100 percent atom for atom identical" is pure hubris. You obviously have little engineering training. Try again.
So, will this mean that if I buy a new antenna or break off my old antenna that my network will no longer recognize me?
How much variation will it handle? When my antenna heats up will it still have the same signature?
---k--
</stupid>
Not really - the fingerprinting is an artifact of the fabrication process. Manufacturing irregularities cause small and unique modulation errors on each pulse. It is these errors that allow the "fingerprinting". You can't correct for this in software - and good luck hacking your wireless board at the nano-component level.
"... it's the end of MAC spoofing on wireless networks ..."
If implemented, of COURSE it is the end of MAC spoofing. But it is only the BEGINNING of WiFi fingerprint spoofing ...
Laws affecting technology will always be bad until enough techies become lawyers.
And each transmitter was hand-built, using rather rough tools.
All these things ensured that each signal had its own quirks, in time, frequency, and temperature. Radio ops could often identify transmitters by the particular yawps, swooshes, and zaps of the signal. Not to mention identifying the morse code operator by his particular "fist", i.e. spacing and other personal quirks.
Then during WW2 our side started using spectrum analyzers to categorize each model of German and Japanese radar. Here again each transmitter tended to have its own set of quirks.
Now, surprise, the same thing gets rediscovered. On some low level each wireless card has some (shuddrr) analog controlled oscillators, frequency dividers, duplexers, antennas, and amplifiers, each with its own slight amplitude, frequency, and phase characteristics.
So nothing new here. Not by like, almost 100 years.
If this is an analog fingerprint, there's a chance it'll change over time, under different conditions of heat, etc. Doesn't sound trustworthy.
cuz neural network processing sounds really cool... like those evil computers in terminator.
sarcasm:
-noun
1. harsh or bitter derision or irony.
Why would you rely on such a silly system?
This also means possibly expensive retraining each time a new card is added to the set. The "false positive" problem could possibly be avoided to some degree by applying some more traditional signal processing on the result, with just the binary question "is this signal similar to the training signal that the neural model chose".
Just a thought: Could this be used on wired applications, i.e. ethernet or generic wired TCP/IP networks, to identify packets coming from an individual machine? Surely, in principle, a network card would have the same variations in fingerprint as a wi-fi transmitter.
Any ideas?
Nothing sucks like a Vax, nothing blows like a PowerMac G4
Soon to come on Slashdot, "The Return of MAC Spoofing!" In fact, despite the fact that the end of MAC spoofing is already a long ways off, someone out there is probably proactively working on getting around this already.
I'm not saying it can't be done, but relying on this as security is false security since the number of "dimensions" to create the fingerprint is probably pretty small given all the uncertainty it has to deal with anyhow to demodulate. I'm hypothesizing, the number of dimensions of the fingerprint is probably not much better than that dip-switch they had on the early garage door openers. I'd much rather also have a 40-bit number than just rely on a dip-switch setting. I don't think anyone is even thinking that this type of technique would in any way replace mac filtering, it would just make mac filtering less susceptible to snooping. As a bad analogy, imagine replacing your credit card number with your fingerprint. Then later finding out they are only checking 6 dimensions of your fingerprint. You would probably assume that your fingerprint was one in a million, which it was, but your 16-digit credit card number is much more unique than what they are probably measuring in your fingerprint. For example, in the original paper, they claim a 95% accuracy rate and an attack false alarm rate of 2.13%.
In security, you always need to be wary of new things that people don't fully understand yet. People use fancy words like "fingerprint", and "neural networks", and "wavelets". However, if you read the original paper, they are taking transients, and classification, not oversampling. They are also using 802.11b which is QPSK based, not the newer OFDM schemes which don't have the same transients. I'm not sure their technique is applicable to anything but the pilot wave in OFDM.
The way I see it, if you have anything on your network people are going to bother finding a MAC which is on your list to get to, then you should be implementing authentication security and not just relying on what is essentially a card going "Hi, I really am this device."
:D
Using WPA with Radius isn't that difficult
How many people can read hex if only you and dead people can read hex?
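As an added illustration of the point made in the last two comments (this is editor-supplied example configuration, not something from the article or any of the posters): the weak setup is an open network gated only by a MAC allow-list, which is exactly what MAC spoofing defeats; the corrected setup makes each client prove an identity over 802.1X/EAP to a RADIUS server, so a cloned MAC buys the attacker nothing. The access-point daemon assumed here is hostapd; the interface name, SSID, RADIUS address and shared secret are placeholders.

```ini
# /etc/hostapd/hostapd.conf -- WEAK: open network, MAC allow-list only.
# Anyone who sniffs an accepted MAC and clones it is "authorised".
interface=wlan0
driver=nl80211
ssid=example-net
hw_mode=g
channel=6
macaddr_acl=1                               # 1 = accept only listed MACs
accept_mac_file=/etc/hostapd/hostapd.accept  # one MAC per line

# /etc/hostapd/hostapd.conf -- CORRECTED: WPA2-Enterprise (802.1X/EAP + RADIUS).
# The MAC is no longer the credential; the EAP identity (e.g. a client
# certificate with EAP-TLS, checked by the RADIUS server) is, and every
# session gets its own pairwise key, so a cloned MAC cannot decrypt or inject.
interface=wlan0
driver=nl80211
ssid=example-net
hw_mode=g
channel=6
ieee8021x=1
wpa=2                                        # RSN/WPA2 only, no WPA1 fallback
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP
rsn_pairwise=CCMP
auth_server_addr=192.0.2.10                  # placeholder RADIUS server
auth_server_port=1812
auth_server_shared_secret=CHANGE-ME          # placeholder, use a long random secret
own_ip_addr=192.0.2.20                       # placeholder NAS address
```

The MAC allow-list can still be kept on the corrected setup as a nuisance filter, but it should never be the only control: with 802.1X in place the access point refuses to pass traffic until the EAP exchange succeeds, regardless of what MAC the client presents.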
Considering you can change the signature by something as simple as using a different antenna, having such a database won't do much good.
ian
Yup. Hams have been doing it for decades. (Well, most of us have just been talking about it - since actually doing it requires rather expensive gear and jammers troublesome enough to be worth the effort.) I can only imagine governments have been doing it for a lot longer than that.
But jumping from its use as forensic tool to something which could be used for authentication / spoofing detection on cheap networking gear is far from trivial. It's hard to imagine most wifi users paying to add the necessary gear to their access points. No matter how wonderful your pattern matching algorithm maybe, you still need a sensitive front end and a very fast sample rate to get the data in the first place. It's hard to imagine a scenario where the hardware needed to identify tiny perturbations on a signal wouldn't be a lot more expensive than the hardware needed to detect the signal itself.
Even as a forensic tool, the low cost of computer networking gear leaves an obvious out for savvy hackers: just load up on $5 wireless cards whenever you see them on sale, and throw each away after every successful use. It's a whole lot easier for most people to swap out networking hardware than to replace amateur radio transmitters. You could still use it to distinguish in real time between a particular legitimate user and an outsider, but that doesn't buy you very much unless it's cheap and robust enough to leave running at all times on every access point.
I am very happy with these efforts. MAC filtering is one of the best ways to keep your bandwidth for yourself.
If you can make sure MAC A is actually A, include-only filtering rules will guarantee even the "advanced" kiddies (those who know what wireless MAC spoofing is )will have trouble downloading pr0n from your handsomely-paid-for broadband.
But how on earth are you going to eliminate signal analysis and a database of signatures (assuming every single card is different, even from chipsets in its own batch)?
Nah, we'll all go on just pretending the ham heads don't exist like we were doing before.
The first rule about ham radio is you don't talk about ham radio. (Especially ON a ham radio)
"But this one goes to 11!"
That would be nice. Wake me when it happens.
Of course, there goes your defense when the RIAA sues you for filesharing, and your defense is, "It musta been someone hacking into my wireless network."
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
These are cookie cutter devices. Their deltas are uber-thin. You'd need to resolve various characteristics to the femto-side of things. I'm sure that there's a lot of demand for high-resolution characterization gear out there that will slice things into ultra-tiny pieces, then have the ability to keep them in a useful db, then use that db to effectively serve as the gate of admittance control.
I don't think so.
Instead, a few little twigs will be used, and those twigs will define what's going on. Call it engineer SLOTH. Tolerances will be widened so that customer support problems don't occur. Once the routines are discovered (and it won't take long), then they'll be abused.... oops I mean cracked. The software that initially characterizes will need to be plenty smart to be able to prevent the same aforementioned customer service problems, and so it'll have slop, too. Add the slops together, and there's a hole. The 95% citation seems more like a salesperson's view of things. I'm far more skeptical. Look at how APs have evolved, as well as the chipsets for WiFoo (and read the book by the same name).
Go to Taiwan Inc and take a spectrum analyzer with you. I have. Throw a high-rate sampling scope and look at the waveforms. Now add in some heat. User positioning. Skew it with some general and contentious noise to slop it up. Tell me you can get that kind of accuracy then tell me that I can't take a similar chipset card and foo it up to make it fool some bozo pseudo-NSA sampler. Bah.
Would it not be easier to instead create other random irregularities, thereby mixing the normal ones with some fake ones? That seems to be the way to go, rather than attempting to fix the irregularities on the wireless board.
Ah, give me a chance! You don't even know about my l337 nano-component-hacking skillz ;)
I agree with you that one could never use software to conceal the transceiverprint - but I think you could employ a physical method. Perhaps a transceiver circuit designed specifically to chaotically alter its detectable fingerprint.
It just seems to me that you should somehow be able to modulate a signal in such a way that a fingerprint would not be possible to extract.
Please note that I do not claim that I think it possible to mimic another transceiverprint - only that I believe you can use the nature of radio communication to "wear gloves" and thus conceal your device's unique fingerprint.
In other words, it seems possible that you could scramble your voice - but not possible to change your voice to sound like the police chief.
Well, those who don't learn from history are doomed to repeat it. A horse with no name, stop you'll go blind........er..
Here is the motron system:
http://www.motron.com/TransmitterID.html
In principle, yes this is possible, but not in practice. The error modulations color the smallest unit of modulation - the pulse. To "hide" the fingerprint, we would need to have a modulation capability at least one (and probably more) order of magnitude faster than what is being used to generate the pulse. While there likely are DSP chips fast enough to do this - the one on your wireless card can't. In practical terms, why would your card be engineered to have greater modulation capability than the technology requires for communication? That wouldn't be very efficient. And oh-by-the-way, any faster modulation capability used to inject "noise" while approximating the pulse would also be composed of pulses (albeit smaller ones). These pulses would themselves be subject to exactly the same type of fingerprinting due to the same random fabrication errors.
>will no longer be a valid method of protecting your identity
So swap in a different wireless card when you're emailing out dissident literature. You could use a new card every couple of weeks for less than your lunch budget.
You can beat this in software if you have a software radio. GNU Radio now has rudimentary wi-fi capabilities. You could certainly introduce randomized irregularities. Better yet, you can perform this analysis on your neighbor's wireless card and then train yours to impersonate it.
Some years back when mayhem was happening to a local 2m NBFM repeater, I got into the habit of leaving an allmode radio monitoring the input, in USB mode. That lets you hear exactly what the FM carrier is doing.
All FM radios have a different keyup chirp. That is, when you key up they start on some frequency and drift off to their final frequency over a short period of time. Some do it quickly, some slowly, but all start on and end on a different pair of frequencies. Some would also have a tendency to AM on top of their FM, and others would have other artifacts.
After listening for a few weeks I could recognize all the regulars as soon as they'd key up.
You cannot beat this in software. Finally, a subject on slashdot I can speak about that I truly have first-hand knowledge of. The fingerprinting is based on the characteristics of the RF transmitter. Regardless of the software portion of the device you cannot hide the characteristics of your own physical transmitter. Let's look at it as a human fingerprint as an example. You could theoretically analyze another fingerprint and add its properties to yours via some physical method, but without completely covering your own finger you cannot hide the unique characteristics of your own fingerprint. Hiding the characteristics of a radio transmitter may not be impossible, but it certainly is not feasible. Given the fact that the issue at hand is spoofing of another user's equipment rather than hiding your identity it would not be feasible to spoof another device's fingerprint. You could avoid being tracked by fingerprint by randomly altering characteristics of your radio's transmitter via software modulation techniques, but you cannot completely spoof another radio's fingerprint due to your own fingerprint being a part of the overall characteristics. Therefore, access to a MAC controlled network would still be denied. On the other hand, use WPA for crying out loud.
Lots of other people have pointed out that as soon as they 'work it out' people will start spoofing it, but I'd question whether it's realistic to detect such a thing outside a lab environment in the first place. The paper says they are detecting differences in transient characteristics accurately enough to distinguish between the same model device from the same manufacturer. But, there are other factors that will affect the apparent transient signal far more than the manufacturing differences.
The temperature of the device is a major one. The current power setting on a laptop will affect the signal. The relative antennae orientation. Any other environmental signal degradation, like a microwave getting turned on nearby.
Some of those won't affect the 'actual' transient the device transmits, but they will affect the 'apparent' transient as it's received by your router.
They briefly touch on this, saying that to avoid losing accuracy in the fingerprint they recommend constantly updating it (which they call a 'dynamic profile') to account for "factors, such as transceiver aging". But there are so many factors that could change the apparent transient signal, I strongly suspect the only way to avoid kicking off legitimate devices constantly as the signal degrades will be to include so much 'slack' in your dynamic profile, that another device of the same model (or possibly just the same chipset) will be able to take over seamlessly.
They might be on to something, but I'm not going to hold my breath.
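The thread keeps circling the same mechanism: a turn-on transient (the ham's "keyup chirp" above, the paper's transient classification) is reduced to a few features, compared against a stored profile, and then either drifts with temperature (the preceding comment's worry, and the paper's "dynamic profile" answer) or is deliberately randomised by the transmitter (the "wear gloves" and GNU Radio suggestions). The following editor-written simulation shows all of that in one place. It is not code from the paper, from Techworld or from any poster, and its radio model is invented: each radio keys up f0 Hz off its final frequency and settles exponentially with time constant tau, the sample rate, the three radios' parameters, the noise level and the drift figures are all constructed for illustration.

```python
import math
import random

# Constructed model of an FM key-up chirp: the carrier starts f0 Hz off its
# final frequency and settles exponentially with time constant tau. Every
# number here is invented for illustration, not measured from a real radio.
DT = 1e-4          # seconds between frequency samples (assumed)
N_SAMPLES = 60     # a 6 ms observation window
FLOOR_HZ = 100.0   # ignore samples once the offset is down near the noise

RADIOS = {         # name: (f0 Hz, tau s), the per-unit "fingerprint"
    "rig-A": (1500.0, 2.0e-3),
    "rig-B": (1600.0, 2.1e-3),   # same model as rig-A, slightly different parts
    "rig-C": (1800.0, 1.5e-3),
}

def keyup_transient(f0, tau, noise_hz=3.0, drift_hz=0.0):
    """Instantaneous frequency offset vs time for one key-up.
    drift_hz stands in for a slow environmental shift such as crystal warm-up."""
    return [(f0 + drift_hz) * math.exp(-k * DT / tau) + random.gauss(0.0, noise_hz)
            for k in range(N_SAMPLES)]

def extract_features(trace):
    """Least-squares fit of ln f(t) = ln f0 - t/tau. Returns (f0_est, tau_est)."""
    pts = [(k * DT, math.log(v)) for k, v in enumerate(trace) if v > FLOOR_HZ]
    n = len(pts)
    mx = sum(t for t, _ in pts) / n
    my = sum(y for _, y in pts) / n
    sxx = sum((t - mx) ** 2 for t, _ in pts)
    sxy = sum((t - mx) * (y - my) for t, y in pts)
    slope = sxy / sxx
    return math.exp(my - slope * mx), -1.0 / slope

def scaled(features):
    """Comparable units: 100 Hz of start offset and 0.2 ms of tau each count as one."""
    f0, tau = features
    return (f0 / 100.0, tau / 2.0e-4)

def train_profiles(n_per_radio=20):
    """Static profile: mean scaled features of n clean key-ups per radio."""
    profiles = {}
    for name, (f0, tau) in RADIOS.items():
        feats = [scaled(extract_features(keyup_transient(f0, tau)))
                 for _ in range(n_per_radio)]
        profiles[name] = tuple(sum(f[i] for f in feats) / n_per_radio for i in range(2))
    return profiles

def classify(profiles, trace):
    """Nearest-centroid match. Returns (best name, its distance, runner-up distance)."""
    x = scaled(extract_features(trace))
    ranked = sorted((math.dist(x, c), name) for name, c in profiles.items())
    return ranked[0][1], ranked[0][0], ranked[1][0]

def track_with_dynamic_profile(profiles, name, drift_steps, alpha=0.3):
    """The 'dynamic profile' idea: after each accepted key-up, move the radio's
    centroid toward the fresh measurement (exponential moving average).
    Returns the verdict on the last key-up in the sequence."""
    profiles = dict(profiles)
    f0, tau = RADIOS[name]
    verdict = None
    for drift in drift_steps:
        trace = keyup_transient(f0, tau, drift_hz=drift)
        verdict = classify(profiles, trace)[0]
        if verdict == name:
            x = scaled(extract_features(trace))
            c = profiles[name]
            profiles[name] = tuple((1 - alpha) * c[i] + alpha * x[i] for i in range(2))
    return verdict

def match_rate(profiles, name, trials=30, f0_jitter=0.0, tau_jitter=0.0):
    """Fraction of key-ups matched to the true radio when the transmitter
    deliberately randomises its own start offset and settling time per key-up
    (the 'wear gloves' idea; a software radio could do this, a stock card cannot)."""
    f0, tau = RADIOS[name]
    hits = 0
    for _ in range(trials):
        trace = keyup_transient(f0 + random.uniform(-f0_jitter, f0_jitter),
                                tau + random.uniform(-tau_jitter, tau_jitter))
        hits += classify(profiles, trace)[0] == name
    return hits / trials

if __name__ == "__main__":
    random.seed(7)
    profiles = train_profiles()
    clean = keyup_transient(*RADIOS["rig-A"])
    print("clean rig-A key-up, static profile ->", classify(profiles, clean)[0])
    warm = keyup_transient(*RADIOS["rig-A"], drift_hz=90.0)
    print("rig-A after +90 Hz warm-up drift, static profile ->", classify(profiles, warm)[0])
    ramp = [3.0 * k for k in range(31)]           # 0 .. 90 Hz over 31 key-ups
    print("same drift, dynamic profile ->", track_with_dynamic_profile(profiles, "rig-A", ramp))
    print("match rate, stock rig-A ->", match_rate(profiles, "rig-A"))
    print("match rate, jittered rig-A ->",
          match_rate(profiles, "rig-A", f0_jitter=300.0, tau_jitter=0.8e-3))
```

Two things fall out of running it. A warm-up drift of 90 Hz, well under the 100 Hz that separates rig-A from rig-B in this model, is enough for a static profile to hand rig-A's key-ups to rig-B; a profile that re-trains on every accepted key-up follows the drift, which is exactly the slack the preceding comment warns about, since a rig-B-like intruder that ramps in slowly can ride the same update rule. And the per-key-up jitter only lowers the match rate; it never makes rig-A look like a specific other radio, which is the distinction between hiding a print and forging one drawn a few comments above.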
Removable wireless networking devices are under $20 and are small enough to be easily hidden, destroyed, or lost forever. You can have a naughty one and a nice one.
"Once they work out how to do this without a dedicated signal analyzer and neural network processing, it's the end of MAC spoofing on wireless networks." I'm glad the terminator is helping us on this one. Fuck the dedicated signal analyzer, all we need is the learning computer.
It's actually not that expensive. It's built in to our repeater. While repeaters are not as cheap as your regular ham rig, they are not that expensive.
For information, the margin of error @ 95% confidence for only 15 samples is about
0.98/SQRT(15) = 25%
ie, the detection rate lies somewhere between 70 and 100% :-)
source: wikipedia, http://en.wikipedia.org/wiki/Margin_of_Error
Now, this is still quite interesting IMHO
Herve S.
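The two statistical questions raised in this thread, what "95% with no false positives" means in practice and how much a figure measured on a handful of devices is actually worth, are the checks a practitioner would run before trusting the claim. The block below is an editor-added example, not code from the paper or any poster. It computes a Wilson score interval (which, unlike the 0.98/sqrt(n) shortcut used in the post above, behaves sensibly when the observed count is 0 or n), applies it to a "zero false positives" observation, and converts the paper's quoted 95% detection / 2.13% attack false alarm rates into expected daily outcomes; the trial counts and the per-day traffic figures are constructed for illustration.

```python
import math

def wilson_interval(successes, n, z=1.96):
    """Wilson score interval for a binomial proportion (z=1.96 gives 95%).
    Unlike the naive p +/- z*sqrt(p(1-p)/n), it stays inside [0, 1] and
    gives a usable answer when successes is 0 or n."""
    p = successes / n
    z2 = z * z
    denom = 1.0 + z2 / n
    centre = (p + z2 / (2.0 * n)) / denom
    half = z * math.sqrt(p * (1.0 - p) / n + z2 / (4.0 * n * n)) / denom
    return centre - half, centre + half

def rule_of_thumb_margin(n, z=1.96):
    """The 0.98/sqrt(n) shortcut: worst case p = 0.5, so z*sqrt(0.25/n)."""
    return z * 0.5 / math.sqrt(n)

def expected_daily_outcomes(legit_per_day, spoof_per_day, tpr, fpr):
    """What the two error rates cost in practice. tpr: share of legitimate
    cards matched to their own profile; fpr: share of spoofed cards accepted
    as the profile they impersonate. Returns (legit refused, spoofers admitted)."""
    return legit_per_day * (1.0 - tpr), spoof_per_day * fpr

if __name__ == "__main__":
    # Constructed trial counts: a "95% success" claim backed by 20 trials vs 200
    for k, n in ((19, 20), (190, 200)):
        lo, hi = wilson_interval(k, n)
        print(f"{k}/{n} matched: 95% CI {lo:.3f}..{hi:.3f}")
    # "No false positives" in 15 samples bounds the rate, it does not zero it
    print("0/15 false positives -> true rate could still be up to %.3f"
          % wilson_interval(0, 15)[1])
    print("rule of thumb 0.98/sqrt(15) = %.3f" % rule_of_thumb_margin(15))
    # Paper's 95% detection and 2.13% attack false alarm on a constructed AP load:
    # 2,000 legitimate associations and 10 spoof attempts per day
    refused, admitted = expected_daily_outcomes(2000, 10, tpr=0.95, fpr=0.0213)
    print(f"~{refused:.0f} legitimate associations refused/day, "
          f"~{admitted:.2f} spoofers admitted/day")
```

The numbers make the thread's two complaints concrete: 19/20 gives an interval from roughly 76% to 99%, so "95%" on a small sample says little; zero false positives in 15 trials is consistent with a true false-positive rate around 20% (the familiar 3/n rule of three); and a 5% false-reject rate on a busy access point is a help-desk problem every single day, which is the same reason the cellular poster above says the carrier could never afford to be wrong.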
MAC spoofing will continue to work, because this will be a) too expensive b) 95% is not enough by far and c) nobody cares.
The title is BS and very low-quality journalism
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Would someone also care to explain to me how my comment above is "redundant"?
To "hide" the fingerprint, we would need to have a modulation capability at least one (and probably more) order of magnitude faster than what is being used to generate the pulse.
You could hide it a different way...say, by using variable active components to distort the signal. However, the components' effects must be very small, and their use very precise; You want to emulate different flaw characteristics, not be recognizable for that emulation.
From practical terms, why would your card be engineered to have greater modulation capability than the technology requires for communication? That wouldn't be very efficient.
No, it wouldn't. But it might be more secure, which makes me think this technique would be useful in military settings. Heck...the military has been using software-modulated voice radio. The balance of over-engineering vs security there is rather obvious.
These pulses would themselves be subject to exactly the same type of fingerprinting due to the same random fabrication errors.
Still, they'd require equipment of higher precision to identify them.