Remote Physical Device Fingerprinting


For those of you that are technologically challenged, I suggest you only read the conclusion of this post. Those of you that know and understand a bit more, or are willing to wrap their heads around new tricks, read on.

Based on the output one machine sends to another - whether connected through the internet or locally - it has been quite easy to tell one machine from the next. Apart from reading what was sent by sniffing TCP/IP traffic, it was also possible to tell how many machines were hiding behind a NAT device such as a router. Various tools, both Open Source and commercial, have existed to help accomplish these tasks, often with surprisingly good results. Of course, using these tools requires quite some technical knowledge, not only to set them up properly and capture what is needed, but also to analyze the output.

A paper was just published that pushes everything even further: it seems to be possible to identify a machine with considerable certainty, without the owner or user knowing about it. It's not based on a MAC address - because that would be too easy to spoof or replace - and it works no matter where the machine is. The trick seems to be to measure clock cycles, and more specifically the skew in them. Every computer has an internal clock (and I don't mean the one you see on your screen) and each one drifts in its own way. Now Ph.D. student Tadayoshi Kohno has found several ways to track this, and thus to identify which machine is responsible for a certain skew pattern.

Sure enough, it is the same as with human fingerprints: if anyone has your fingerprints, they may be able to match other prints to yours, placing you in certain locations, but they still may not have your identity. The same goes for clock skew. By monitoring TCP/IP streams they do remote fingerprinting, which makes certain patterns visible. Once a clock skew pattern has been recorded, it can be checked against other streams, resulting in a match whenever the same machine transmits again.
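As an added illustration (not from the post or from Kohno's paper), here is a Python sketch of that matching idea: TCP timestamp values from a stream are compared with the observer's own receive times, the slope of the drift estimates the sender's clock skew, and two streams whose skews agree are attributed to the same machine. The senders' timestamps, their 100 Hz tick rate, the path delay and the 2 ppm tolerance are all constructed assumptions; the paper's own estimator is more robust than this plain least-squares fit.

```python
import random
from typing import List, Tuple

Sample = Tuple[float, int]  # (observer receive time in seconds, TCP timestamp value in ticks)

def simulate_samples(skew_ppm: float, hz: int, n: int, spacing_s: float, seed: int) -> List[Sample]:
    """Constructed observations of one sender whose clock runs skew_ppm
    parts-per-million fast (negative: slow) relative to the observer's clock.
    Timestamps are integer ticks of the sender's clock, as in the TCP option."""
    rng = random.Random(seed)
    samples = []
    for i in range(n):
        sent = i * spacing_s                              # true send time on the observer's clock
        recv = sent + 0.050 + rng.uniform(0.0, 0.020)     # constructed path delay plus jitter
        ticks = int(sent * (1.0 + skew_ppm * 1e-6) * hz)  # sender's own clock, truncated to ticks
        samples.append((recv, ticks))
    return samples

def estimate_skew_ppm(samples: List[Sample], hz: int) -> float:
    """Least-squares slope of the observed clock offset against observer time.
    Offset y_i = (ts_i - ts_0)/hz - (recv_i - recv_0); its slope is the skew."""
    recv0, ts0 = samples[0]
    xs = [recv - recv0 for recv, _ in samples]
    ys = [(ts - ts0) / hz - x for (_, ts), x in zip(samples, xs)]
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / sxx * 1e6

def same_device(skew_a_ppm: float, skew_b_ppm: float, tolerance_ppm: float = 2.0) -> bool:
    """Two streams are attributed to the same clock when their skews agree within tolerance."""
    return abs(skew_a_ppm - skew_b_ppm) <= tolerance_ppm

if __name__ == "__main__":
    HZ = 100  # assumed tick rate of the senders' timestamp clocks (constructed value)
    laptop_home = simulate_samples(45.0, HZ, 720, 10.0, seed=1)   # two hours of traffic at home
    laptop_hotel = simulate_samples(45.0, HZ, 720, 10.0, seed=7)  # same laptop, another network
    other_host = simulate_samples(-20.0, HZ, 720, 10.0, seed=3)   # a different machine
    s1, s2, s3 = (estimate_skew_ppm(s, HZ) for s in (laptop_home, laptop_hotel, other_host))
    print(f"home {s1:.2f} ppm, hotel {s2:.2f} ppm, other {s3:.2f} ppm")
    print("home/hotel same device:", same_device(s1, s2))
    print("home/other same device:", same_device(s1, s3))
```

A relay that rewrites the timestamp option with its own clock, as the conclusion suggests, would make every stream behind it show the relay's skew instead.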

Let's take it a step further. You've got a laptop you use and travel around with. The data stream that leaves your laptop is analyzed and a clock skew pattern recorded. You travel around the world, and in various locations you connect to the internet, check mail and browse sites. If the data streams were analyzed again, they would match the pattern recorded earlier, thus placing you in different locations at the times of those transmissions. Without you knowing it, that is.

At least one possible use for it would be to track corporate laptops. In addition to the GPS transmitters that are often embedded in high-end machines holding very valuable corporate information, the clock skew pattern could be analyzed and recorded before the laptop is handed over to its designated user. Should the laptop disappear one day, it is theoretically possible to find it again by analyzing data streams on the internet. Sure enough, that would mean all streams are analyzed all the time, which at this point seems quite improbable as well as impossible, but it may not stay that way.

Conclusion: new and ever changing and improving techniques are now able to track any machine as it connects and transmits information, no matter where or when this happens. This reduces anonymity to practically none, unless we find a way to deal with it. It means that we should either drop TCP/IP or enforce a new version of the protocol that doesn't reflect clock skew in its timestamps, or securely connect to an uncompromised machine that handles all traffic to the external network, relaying the TCP/IP requests with its own timestamps. That would still leave one pattern being recorded, but it makes tracking specific machines more difficult. An interesting development in fingerprinting and tracking for sure.

Links: Machine fingerprinting using Nmap - TCP Fingerprinting - Remote Physical Device Fingerprinting Paper (PDF, 10MB)

1 Comment

Damn... difficult post...
Does this mean that ... nope? Yes?
Damn, I don't even understand the conclusion...


About this Entry

This page contains a single entry by ServMe published on March 4, 2005 6:17 PM.
