Slashdot Mirror
Wi-Fi Fingerprints -- the End of MAC Spoofing?
judgecorp writes, "Wireless devices can be identified by variations in their radio signaling, known as their 'transceiverprint,' according to research reported in Techworld. The Canadian researcher, Jeyanthi Hall, related the prints to MAC addresses and got a positive ID for devices connecting to a Wi-Fi network, claiming 95% success with no false positives. Once they work out how to do this without a dedicated signal analyzer and neural network processing, it's the end of MAC spoofing on wireless networks."
Cool hack, but who cares. With proper authentication (eg, WPA), you don't need to worry about MAC spoofing as the packets won't authenticate right to the access point.
Test your net with Netalyzr
Once they work out how to do this without a dedicated signal analyzer and neural network processing, it's the end of MAC spoofing on wireless networks.
...and once the paquet warr10rz figure out how to arbitrarily generate and utilise "transceiver prints" it's the end of this method of IDS.
(any wagers on how many other "first comments" will say the same thing?)
Slashdot? Oh, I just read it for the articles.
This has been in the HAM community for years.
http://www.motron.com/TransmitterID.html
Reduce, reuse, cycle
They were doing this during World War II, using the unique characteristics and variations of transmitters to "fingerprint" them. Similar things were done with the way radio operators send morse code to help detect spies that had been compromised.
Mea navis aericumbens anguillis abundat
On behalf of the DoD, I would like to welcome IT geeks to antiquated military technology!
"It takes considerable knowledge just to realize the extent of your own ignorance." - Thomas Sowell
I think the whole point of this article is that will no longer be a valid method of protecting your identity since you might be identified by your "radio fingerprint" or "footprint" or wtfever.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
If you RTFA, you would have seen that manufacturing variations yield differences even among the exact make and model -- e.g. that minor circuitry, amplifiers and antenna variations differences yield a unique signature.
This is interesting but the sample size is too small to let us know how accurate this technique really is.r story10433.html?by=company
http://www.mathworks.com/company/user_stories/use
Wi-Fi fingerprinting is nothing new and we have tried the various techniques at our university but it simply does not work because the number of false positives is way too high for it to be practical and to be deployed in an environment with many users. We had support from one of the developers of the technology and after looking at the data and the floods of user complaints he even admitted that Wi-Fi fingerprinting is not practical and we had to give up on it.
Why would hackers not simply spoof the RF fingerprint. Some ideas come to mind. 1) dynamic adjust the outgoing signal digitally to imitate the fingerprint 2) add interference around the transmitter so the signal looks the same 3) use specialized analog electronics to imitate the fingerprint
There are variations in radios even among the same model. You can uniquely identify 2 separate radios of the same model pretty easily. This is something we have done to combat the squirrels (slang for the idiots who think it's fun to screw a ham repeater up) on our ham repeaters in our area....that and triangulation of the perp's signal. Nothing new and about time.
Gorkman
the End of MAC Spoofing?
Nah, we'll only see the end of Mac spoofing when they stop making commercials with that goofball that looks like Bill Gates.
The theory of relativity doesn't work right in Arkansas.
for no benifit. I have a 100% solution with no false positives. it's called 'VPN'.
This is really nothing new. A friend did something similair in the early 90's to catch a guy that was spoofing false calls on the police band.
He had a very (VERY) expensive reciever that had a built in spectrum analyzer, and they logged all calls with a timestamp and the frequency drift (stored as a 512 bit word) of the transmitter currently using the channel. Each time the operator suspected that he/she had a spoofed call they pushed a button that activated 4 direction finders that logged the timestamp and the directions. After enough data was gathered it was compiled and a geographical pattern appeared. Most of the spots from where the spoofed calls had originated was at a apartment block. They dispatched a civilian cruiser to monitor the apartment block. They picked up the guy 2 days later outside his home when he was sitting in his car spoofing a call.
--- Reality doesn't care about your opinions, it happens anyway and if you are in the way you'll get squished.
I work for Big Cellphone Company. We tried the same scheme in the mid '90s when analog phone cloning was all the rage (remember when it used to cost $1.50/minute? Ahhhhh, the good old days). It works, kind of.
The problem is you're not trying to decide whether or not to retry a packet, or what the transmit power should be. You're trying to decide whether or not to provide service, so you really can't afford to be wrong. We were never really able to get an acceptable reliablility in the wild.
Believe me, we had a huge incentive to roll this out to our network. The marginal bandwidth costs from fraud didn't hurt much, but when someone made a call to, say, Saudi Arabia on a cloned phone we got stuck with all the fees on the other end. A single cloning ring could cost millions, so Big Cellphone Company was willing to break the bank to get this to work.
Eventually we rolled out digital service, so the project got shut down. Cloning fraud was one of the reasons we were willing to give you a free phone if you switched over to digital. Well, that and the long-term contract.
Here's what you can make in terms of a signature:
1. Amplitude
2. Phase shift
3. Signal cadencing... e.g. micro-sliced events
4. Parasitics
5. Encoding profiling.
And the success is 95%. That's wonderful. Bring it on.
In terms of your supposition that it would have to be "100 percent atom for atom identical" is pure hubris. You obviously have little engineering training. Try again.
---- Teach Peace. It's Cheaper Than War.
So, will this mean that if I buy a new antenna or break off my old antenna that my network will no longer recognize me?
How much variation will it handle? When my antenna heats up will it still have the same signature?
---k--
</stupid>
Not really - the fingerprinting is an artifact of the fabrication process. Manufacturing irregularities cause small and unique modulation errors on each pulse. It is these errors that allow the "fingerprinting". You can't correct for this in software - and good luck hacking your wireless board at the nano-component level.
"It takes considerable knowledge just to realize the extent of your own ignorance." - Thomas Sowell
And each transmitter was hand-built, using rather rough tools.
All these things ensured that each signal had it's own quirks, in time, frequency, and temperature. Radio ops could often identify transmitters by thepaerticular yawps, swooshes, and zaps of the signal. ot to mention, identifing the morse code operator by his particular "fist", i.e. spacing and other personal quirks.
Then during WW2 our side started using spectrumanalyzers to categorize each model of German and Japanese radar. Here again each transmitter tended to have its own set of quirks.
Now, surprise, the same thing gets rediscovered. On some low level each wireless card has some (shuddrr) analog controlled oscillators, frequency dividers, duplexers, antennas, and amplifiers, each with it's own slight amplitude, frequency, and phase characteristics.
So nothing new here. Not by like, almost 100 years.
If this is an analog fingerprint, there's a chance it'll change over time, under different conditions of heat, etc. Doesn't sound trustworthy.
Why would you rely on such a silly system?
Spoken like someone who's never touched a radio outside of the one GM sold him with his car.
Each radio in existence has a unique signal generated, mostly due to component variation in each production run. Resistors and capacitors in circuits are designed to tolerate a certain amount of variation in resistance, capacitance, etc etc. It's difficult to replicate - and by 'difficult', I mean an electrical engineer with a laboratory full of equipment and a team working for him would find it difficult. A signal generator designed to replicate a specific signal fingerprint would be (a) prohibitively large and (b) prohibitively expensive. Hundreds of thousands, maybe millions of dollars. NSA stuff.
This is a good idea, really, but I'm skeptical of the ability to pack that much sensing equipment into a consumer-portable wireless card.
'If you're flammable and have legs, you are never blocking a fire exit.'
ian
Yup. Hams have been doing it for decades. (Well, most of us have just been talking about it - since actually doing it requires rather expensive gear and jammers troublesome enough to be worth the effort.) I can only imagine governments have been doing it for a lot longer than that.
But jumping from its use as forensic tool to something which could be used for authentication / spoofing detection on cheap networking gear is far from trivial. It's hard to imagine most wifi users paying to add the necessary gear to their access points. No matter how wonderful your pattern matching algorithm maybe, you still need a sensitive front end and a very fast sample rate to get the data in the first place. It's hard to imagine a scenario where the hardware needed to identify tiny perturbations on a signal wouldn't be a lot more expensive than the hardware needed to detect the signal itself.
Even as a forensic tool, the low cost of computer networking gear leaves an obvious out for savvy hackers: just load up on $5 wireless cards whenever you see them on sale, and throw each away after every successful use. It's a whole lot easier for most people to swap out networking hardware than to replace amateur radio transmitters. You could still use it to distinguish in real time between a particular legitimate user and an outsider, but that doesn't buy you very much unless it's cheap and robust enough to leave running at all times on every access point.
These are cookie cutter devices. Their deltas are uber-thin. You'd need to resolve various characteristics to the femto-side of things. I'm sure that there's a lot of demand for high-resolution characterization gear out there that will slice things into ultra-tiny pieces, then have the ability to keep them in a useful db, then use that db to effectively serve as the gate of admittance control.
I don't think so.
Instead, a few little twigs will be used, and those twigs will define what's going on. Call it engineer SLOTH. Tolerances will be widened so that customer support problems don't occur. Once the routines are discovered (and it won't take long), then they'll be abused.... oops I mean cracked. The software that initially characterizes will need to be plenty smart to be able to prevent the same aforementioned customer service problems, and so it'll have slop, too. Add the slops together, and there's a hole. The 95% citation seems more like a salesperson's view of things. I'm far more skeptical. Look at how APs have evolved, as well as the chipsets for WiFoo (and read the book by the same name).
Go to Taiwan Inc and take a spectrum analyzer with you. I have. Throw a high-rate sampling scope and look at the waveforms. Now add in some heat. User positioning. Skew it with some general and contentious noise to slop it up. Tell me you can get that kind of accuracy then tell me that I can't take a similar chipset card and foo it up to make it fool some bozo pseudo-NSA sampler. Bah.
---- Teach Peace. It's Cheaper Than War.
In principle, yes this is possible, but not in practice. The error modulations color the smallest unit of modulation - the pulse. To "hide" the fingerprint, we would need to have a modulation capability at least one (and probably more) order of magnitude faster than what is being used to generate the pulse. While there likely are are DSP chips fast enough to do this - the one on your wireless card can't. From practical terms, why would your card be engineered to have greater modulation capability than the technology requires for communication? That wouldn't be very efficient. And oh-by-the-way, and faster modulation capability used to inject "noise" while approximating the pulse would also be composed of pulses (albeit smaller ones). These pulses would themselves be subject to exactly the same type of fingerprinting due to the same random fabrication errors.
"It takes considerable knowledge just to realize the extent of your own ignorance." - Thomas Sowell