Wi-Fi Fingerprints -- the End of MAC Spoofing?
judgecorp writes, "Wireless devices can be identified by variations in their radio signaling, known as their 'transceiverprint,' according to research reported in Techworld. The Canadian researcher, Jeyanthi Hall, related the prints to MAC addresses and got a positive ID for devices connecting to a Wi-Fi network, claiming 95% success with no false positives. Once they work out how to do this without a dedicated signal analyzer and neural network processing, it's the end of MAC spoofing on wireless networks."
Cool hack, but who cares. With proper authentication (eg, WPA), you don't need to worry about MAC spoofing as the packets won't authenticate right to the access point.
They were doing this during World War II, using the unique characteristics and variations of transmitters to "fingerprint" them. Similar things were done with the way radio operators send morse code to help detect spies that had been compromised.
Mea navis aericumbens anguillis abundat
On behalf of the DoD, I would like to welcome IT geeks to antiquated military technology!
"It takes considerable knowledge just to realize the extent of your own ignorance." - Thomas Sowell
I think the whole point of this article is that it will no longer be a valid method of protecting your identity since you might be identified by your "radio fingerprint" or "footprint" or wtfever.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
If you RTFA, you would have seen that manufacturing variations yield differences even among the exact make and model -- e.g. that minor circuitry, amplifier and antenna variations yield a unique signature.
Wi-Fi fingerprinting is nothing new and we have tried the various techniques at our university but it simply does not work because the number of false positives is way too high for it to be practical and to be deployed in an environment with many users. We had support from one of the developers of the technology and after looking at the data and the floods of user complaints he even admitted that Wi-Fi fingerprinting is not practical and we had to give up on it.
Cuz you likely can't. To do so would require a microscope on a lot of WiFi cards and even then you likely won't come close enough. The fingerprint is possible because of minor variations in the signal that are caused by variations in the caps and resistors used. You don't really think they can create a 0% tolerance cap do you?? The tolerances on caps and resistors can be 0.05%...that is still not 0%. A 0% tolerance cap or resistor is not possible. Spoofing a RF fingerprint is practically impossible with today's technology.
Gorkman
OK, but will the variation on the caps and resistors remain consistent over the life of the WiFi card? Will an allowance be made for ongoing variations in the signal? If so, will it be exploitable?
the End of MAC Spoofing?
Nah, we'll only see the end of Mac spoofing when they stop making commercials with that goofball that looks like Bill Gates.
The theory of relativity doesn't work right in Arkansas.
It seems to me one could build analog electronics that allows signal parameters (frequency, rise time, etc.) to be electronically tuned based on the detected signal... after all, if they can identify a signal with high accuracy, then the traits to be spoofed may be distinguishable enough to be accurately measured.
Given a sufficiently powerful software defined radio, a tunable amplifier and a tunable antenna, I don't think this is impossible. It's a heck of a lot more expensive than a WLAN card, for sure. It's also a problem that a neural network is used for identification, since neural networks are a notoriously poor analysis tool from which to extract usable rules. However, given their sample size and lack of other info in the article (of other methods of forecast analysis), it is difficult to say whether the required system is so complicated that it is an intractable problem to reverse engineer the measured characteristics. I'm not convinced it is.
I work for Big Cellphone Company. We tried the same scheme in the mid '90s when analog phone cloning was all the rage (remember when it used to cost $1.50/minute? Ahhhhh, the good old days). It works, kind of.
The problem is you're not trying to decide whether or not to retry a packet, or what the transmit power should be. You're trying to decide whether or not to provide service, so you really can't afford to be wrong. We were never really able to get an acceptable reliability in the wild.
Believe me, we had a huge incentive to roll this out to our network. The marginal bandwidth costs from fraud didn't hurt much, but when someone made a call to, say, Saudi Arabia on a cloned phone we got stuck with all the fees on the other end. A single cloning ring could cost millions, so Big Cellphone Company was willing to break the bank to get this to work.
Eventually we rolled out digital service, so the project got shut down. Cloning fraud was one of the reasons we were willing to give you a free phone if you switched over to digital. Well, that and the long-term contract.
Here's what you can make in terms of a signature:
1. Amplitude
2. Phase shift
3. Signal cadencing... e.g. micro-sliced events
4. Parasitics
5. Encoding profiling.
And the success is 95%. That's wonderful. Bring it on.
Your supposition that it would have to be "100 percent atom for atom identical" is pure hubris. You obviously have little engineering training. Try again.
---- Teach Peace. It's Cheaper Than War.
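The signature features listed above (amplitude and phase shift in particular) and the drift question raised earlier can be illustrated with a toy matcher. This is an added example, not the research code from the article; the MAC addresses, enrolled prints and noise figures are constructed, and the verification threshold is an assumption.

```python
"""Toy transceiver-print matcher (added illustration, not the research code).

Each simulated card has a fixed gain error and carrier-phase offset caused by
component tolerance; every packet captured from it adds measurement noise.
A print is the per-device mean of the two features; a claimed MAC is accepted
only if the live measurement lies within a tolerance radius of its print.
"""
import math
import random

# Constructed enrolment templates keyed by MAC address: (gain error in dB,
# phase offset in degrees). The values are made up for the example.
ENROLLED = {
    "00:11:22:33:44:55": (0.42, -3.1),
    "00:11:22:33:44:66": (-0.17, 2.4),
    "00:11:22:33:44:77": (0.05, 0.6),
}
NOISE_DB, NOISE_DEG = 0.05, 0.4   # assumed per-packet measurement noise

def enrol(samples):
    """Average many (gain, phase) measurements into one transceiver print."""
    n = len(samples)
    return (sum(g for g, _ in samples) / n, sum(p for _, p in samples) / n)

def distance(print_a, print_b):
    """Noise-normalised Euclidean distance between two feature vectors."""
    dg = (print_a[0] - print_b[0]) / NOISE_DB
    dp = (print_a[1] - print_b[1]) / NOISE_DEG
    return math.hypot(dg, dp)

def verify(claimed_mac, measured, threshold=3.0):
    """Accept a frame only if its measured print lies within `threshold`
    noise units of the print enrolled for the MAC it claims.
    Returns (accepted, distance)."""
    template = ENROLLED.get(claimed_mac)
    if template is None:
        return False, float("inf")
    d = distance(template, measured)
    return d <= threshold, d

def capture(true_mac, rng, packets=20, drift=(0.0, 0.0)):
    """Simulate averaging `packets` noisy measurements from the physical card
    behind `true_mac`, optionally shifted by component drift (ageing, heat).
    Drift models the consistency question: an aged card may no longer match."""
    g0, p0 = ENROLLED[true_mac]
    g0, p0 = g0 + drift[0], p0 + drift[1]
    return enrol([(rng.gauss(g0, NOISE_DB), rng.gauss(p0, NOISE_DEG))
                  for _ in range(packets)])
```

A card that merely copies another card's MAC still carries its own print and is rejected, while a genuine card whose components have drifted is also rejected, which is exactly the false-reject problem the cellphone poster describes.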
Not really - the fingerprinting is an artifact of the fabrication process. Manufacturing irregularities cause small and unique modulation errors on each pulse. It is these errors that allow the "fingerprinting". You can't correct for this in software - and good luck hacking your wireless board at the nano-component level.
"It takes considerable knowledge just to realize the extent of your own ignorance." - Thomas Sowell
And each transmitter was hand-built, using rather rough tools.
All these things ensured that each signal had its own quirks, in time, frequency, and temperature. Radio ops could often identify transmitters by the particular yawps, swooshes, and zaps of the signal. Not to mention, identifying the morse code operator by his particular "fist", i.e. spacing and other personal quirks.
Then during WW2 our side started using spectrum analyzers to categorize each model of German and Japanese radar. Here again each transmitter tended to have its own set of quirks.
Now, surprise, the same thing gets rediscovered. On some low level each wireless card has some (shuddrr) analog controlled oscillators, frequency dividers, duplexers, antennas, and amplifiers, each with its own slight amplitude, frequency, and phase characteristics.
So nothing new here. Not by like, almost 100 years.
Why would you rely on such a silly system?
ian
Yup. Hams have been doing it for decades. (Well, most of us have just been talking about it - since actually doing it requires rather expensive gear and jammers troublesome enough to be worth the effort.) I can only imagine governments have been doing it for a lot longer than that.
But jumping from its use as forensic tool to something which could be used for authentication / spoofing detection on cheap networking gear is far from trivial. It's hard to imagine most wifi users paying to add the necessary gear to their access points. No matter how wonderful your pattern matching algorithm may be, you still need a sensitive front end and a very fast sample rate to get the data in the first place. It's hard to imagine a scenario where the hardware needed to identify tiny perturbations on a signal wouldn't be a lot more expensive than the hardware needed to detect the signal itself.
Even as a forensic tool, the low cost of computer networking gear leaves an obvious out for savvy hackers: just load up on $5 wireless cards whenever you see them on sale, and throw each away after every successful use. It's a whole lot easier for most people to swap out networking hardware than to replace amateur radio transmitters. You could still use it to distinguish in real time between a particular legitimate user and an outsider, but that doesn't buy you very much unless it's cheap and robust enough to leave running at all times on every access point.