This section is intended to introduce the reader to various aspects of art, which may be related to various aspects of the present invention that are described and/or claimed below. This discussion is believed to be helpful in providing the reader with background information to facilitate a better understanding of the various aspects of the present invention. Accordingly, it should be understood that these statements are to be read in this light, and not as admissions of prior art.
For the purposes of the present invention device fingerprinting means gathering information about a device in order to characterize it. This process yields a signature, also called fingerprint, which describes the device's observed features in a compact form. If the generated signature is distinctive enough, it may be used to identify the device.
The description will be focused on fingerprinting devices that implement the standard for wireless communication called IEEE Standard for Information technology—Telecommunications and information exchange between systems—Local and metropolitan area networks—Specific requirements Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications; for short called IEEE 802.11 and defined in IEEE Std 802.11-1999 (hereinafter 802.11). This standard is for example used by WiFi. It will however be appreciated that the invention may also be used to fingerprint devices that implement other suitable communication techniques, such as for example ALOHA.
As already mentioned, device fingerprinting enables identification of devices, an identification that is independent of the purported identity of the device. A primary application of 802.11 device fingerprinting is the prevention of Media Access Control (MAC) address spoofing. This refers to the action of usurping the MAC address of another device in order to benefit from its authorization.
In several scenarios, the prevention of MAC address spoofing is of importance: Open wireless networks such as hot-spots often implement MAC address based access control in order to guarantee that only legitimate client stations (e.g. the devices that have purchased Internet access) connect to the access points. Attackers may then want to steal a legitimate device's session by spoofing the latter's MAC address. Conversely, the access points may be subject to attacks: tools like AirSnarf and RawFakeAP enable an attacker to set up a rogue access point, which could make client stations connect to the fake AP instead of the genuine one. A good fingerprinting method should be able to detect the above attacks so that countermeasures may be taken.
In fact, it can make sense to use fingerprint signature verification even in wireless networks protected by a key, e.g. Wi-Fi Protected Access (WPA). A passive fingerprinting method may be used prior to the key-based authentication mechanism as an additional layer of trust, which may detect unauthorized devices and thus render pointless the active, possibly more vulnerable and costly, key-based authentication mechanism. Fingerprinting may also be used after the wireless authentication mechanism in order to control that only authorized devices are in the network. Indeed, keys may leak, as there are several normal situations in which users voluntarily give out their Wi-Fi key, for instance when inviting a friend and allowing his laptop to access the home network. While this scenario is both common and simple, it also endangers the home network: the key may later leak from the invited laptop, or the friend may abusively reconnect. Finally, tools exist that allow hackers to crack the WEP protocol, which is known to be insecure, and there are currently existing services, e.g. WPA Cracker, that try to discover WPA keys.
The prior art comprises a number of solutions for fingerprinting wireless devices by analyzing implementation specificities of the network card and/or driver.
Franklin et al. characterize the drivers during the “active scanning period” where the card is searching for available wireless networks. This searching process is underspecified in the 802.11 standard regarding the frequency and order of sending probe requests. Each manufacturer therefore implements its own algorithm and timers during this period. See J. Franklin, D. McCoy, P. Tabriz, V. Neagoe, J. V. Randwyk, and D. Sicker; “Passive Data Link Layer 802.11 Wireless Device Driver Fingerprinting”; In Proceedings Usenix Security 06, August 2006. A major drawback of this passive fingerprinting technique is that it only works during a short and specific period at the start of the wireless protocol. A similar solution is found in D. C. C. Loh, C. Y. Cho, C. P. Tan and R. S. Lee, “Identifying Unique Devices through Wireless Fingerprinting”, In WiSec'08, April 2008.
Gopinath et al. show that 802.11 cards exhibit very heterogeneous behaviors that are due to implementation specificities. They tested a set of 802.11 features such as Random Back-off timers and Virtual Carrier Sensing (NAV mechanism). The authors indicate that the observed heterogeneity in behavior may be used to fingerprint a card's vendor and model. See K. Gopinath, P. Bhagwat, and K. Gopinath; “An Empirical Analysis of Heterogeneity in IEEE 802.11 MAC Protocol Implementations and Its Implications”; In Proceedings of ACM WiNTECH'06, September 2006. However, the paper does not further analyze this aspect and just presents bare experimental results.
Bratus et al. propose a method that uses the above work and performs actual fingerprinting of wireless client stations and access points. According to their method, malformed or non-standard stimulus frames are sent to the device to be fingerprinted and a decision tree is applied to the response or behavior of the device in order to fingerprint the vendor/manufacturer. See S. Bratus, C. Cornelius, D. Kotz, and D. Peebles; “Active Behavioral Fingerprinting of Wireless Devices”; In Proceedings of ACM WiSec'08, March 2008. A main drawback of this technique is that it is active, not passive.
Cache proposes two methods for fingerprinting a device's network card and driver; see J. Cache; “Fingerprinting 802.11 Devices”; Master Thesis, 2006. The first method is active and uses the 802.11 association redirection mechanism, which, even if well specified in the 802.11 standard, is very loosely implemented in the tested wireless cards. As a consequence, each wireless card behaves differently during this phase, which allows characterization. The second method is passive and based on analysis of duration field values in 802.11 data and management frames. Each wireless card computes the duration field slightly differently, yielding different duration values.
Common to all of the approaches hereinbefore is that they cannot differentiate between two devices using the same network card and driver. These approaches may thus, for example, not be used for detecting MAC address spoofing, and even less so for identifying individual devices.
In contrast to the papers hereinbefore, Pang et al. discuss privacy implications of 802.11. Their paper highlights that users are not anonymous when using 802.11, as the protocol uses globally unique identifiers (i.e. the MAC addresses) that allow user tracking. Even if this identifier is masked—e.g. by temporarily changing addresses—it is still possible to track users by observing a set of parameters (used as implicit identifiers) in the 802.11 protocol. The authors apply a naive Bayes classifier on four implicit identifiers, namely network destinations, network names advertised in 802.11 probes, 802.11 configuration options and broadcast frame sizes. Three out of the four parameters apply even when the traffic is encrypted. Using busy hot spot test traces, they could identify 64% of users with 90% accuracy.
Other prior art documents deal with the fingerprinting of wireless access points (APs). Jana et al. calculate the clock skews of access points in order to identify them. The clock skews are calculated using the Timestamps contained in Beacon/Probe response frames emitted by the AP. An attacker that replays the clock skew is subject to the 802.11 protocol timers such as the DIFS (Distributed coordination function Interframe Space) which changes the actual time the beacon is sent. As those timers are not accessible from the driver level (where the attack is implemented), the timestamps and receiving times do not correspond, which changes the measured clock skew. Their proposed method is able to measure those differences and therefore detect the attack. See S. Jana and S. K. Kasera; “On Fast and Accurate Detection of Unauthorized Wireless Access Points Using Clock Skews;” In Proceedings of ACM MobiCom 08, September 2008.
C. Arackaparambil et al. refine the work of Jana et al. and propose a new method yielding more precise clock measures. They also successfully spoof an AP, making it indistinguishable from a ‘real’ AP by the methods used by Jana et al. Their method uses the fact that wireless cards automatically synchronize with the attached AP (which gives the wireless card the same clock skew as the AP). This makes it easier to spoof an AP by associating with the AP prior to the attack. See C. Arackaparambil, S. Bratus, A. Shubina, and D. Kotz; “On the Reliability of Wireless Fingerprinting Using Clock Skews”; In Proceedings of ACM WiSec 10, March 2010.
The methods of Jana et al. and Arackaparambil et al. are however only applicable to access points as they require the timestamps included in the 802.11 beacon frames which are only sent by access points and not by client stations.
Finally, for completeness, two papers tackle the problem of MAC address spoofing, but do not engage in any fingerprinting. Both papers detect discontinuities in 802.11 frame sequence numbers in order to detect potential address spoofing. See J. Wright, “Detecting Wireless LAN MAC Address Spoofing”; Technical Report, 2003 and F. Guo and T. Chiueh, “Sequence Number-Based MAC Address Spoof Detection”; In Proceedings of RAID 2005, September 2005.
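As an added illustration of the sequence-number check described by Wright and by Guo and Chiueh (example code written for this section, not code from the patent or from either paper), the following Python detector tracks the 12-bit 802.11 sequence counter per source address and flags backward or oversized jumps. The frame records, the Frame tuple and the max_gap threshold are constructed assumptions.

```python
"""Sequence-number discontinuity detector for 802.11 frames (defender side).

Constructed example: each captured frame is reduced to a (source MAC,
12-bit sequence number, retry flag) record; the sample frames below are
made up for illustration and do not come from any real capture.
"""
from collections import namedtuple

SEQ_MODULO = 4096  # the 802.11 sequence-number field is 12 bits wide

Frame = namedtuple("Frame", "src seq retry")


def seq_gap(prev, cur):
    """Forward distance from prev to cur on the wrapping 12-bit counter."""
    return (cur - prev) % SEQ_MODULO


def detect_discontinuities(frames, max_gap=10):
    """Return (index, src, prev_seq, seq, gap) tuples for suspicious jumps.

    A genuine card increments its counter by one per new frame; retries
    repeat the previous value. A second device using the same MAC address
    interleaves its own, unrelated counter, so the observed sequence jumps
    far ahead or backwards (a backward jump is a large modular gap). Small
    forward gaps, e.g. frames the monitor missed, are tolerated up to
    max_gap, an assumed threshold that a deployment would tune.
    """
    last = {}  # last sequence number seen per source address
    alerts = []
    for i, f in enumerate(frames):
        if f.src in last:
            gap = seq_gap(last[f.src], f.seq)
            if gap == 0 and f.retry:
                pass  # retransmission: same number is expected
            elif gap == 0 or gap > max_gap:
                alerts.append((i, f.src, last[f.src], f.seq, gap))
        last[f.src] = f.seq
    return alerts


# Constructed sample: station 01 sends 100..103 with one retry; a frame with
# an unrelated counter value (2017) appears under the same address in
# between; station 02 legitimately wraps from 4095 to 0.
SAMPLE_FRAMES = [
    Frame("02:00:00:00:00:01", 100, False),
    Frame("02:00:00:00:00:01", 101, False),
    Frame("02:00:00:00:00:01", 102, False),
    Frame("02:00:00:00:00:01", 102, True),   # retry, not an alert
    Frame("02:00:00:00:00:01", 2017, False), # foreign counter value
    Frame("02:00:00:00:00:01", 103, False),  # genuine station resumes
    Frame("02:00:00:00:00:02", 4095, False),
    Frame("02:00:00:00:00:02", 0, False),    # counter wrap, not an alert
]
```

Running detect_discontinuities(SAMPLE_FRAMES) raises two alerts on station 01 (the jump to 2017 and the jump back to 103) and none for the retry or the wrap-around.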
It will therefore be appreciated that there is a need for a solution that can enable passive fingerprinting and individual identification of wireless devices. The present invention provides such a solution.