This section is intended to introduce the reader to various aspects of art, which may be related to various aspects of the present invention that are described and/or claimed below. This discussion is believed to be helpful in providing the reader with background information to facilitate a better understanding of the various aspects of the present invention. Accordingly, it should be understood that these statements are to be read in this light, and not as admissions of prior art.
For the purposes of the present invention, device fingerprinting means gathering information about a device in order to characterize it. This process yields a signature, also called a fingerprint, which describes one or more of the device's observed features in a compact form. If the generated signature is distinctive enough, it may be used to identify the device.
The description will be focused on fingerprinting devices that implement the standard for wireless communication called IEEE Standard for Information technology—Telecommunications and information exchange between systems—Local and metropolitan area networks—Specific requirements Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications; for short called IEEE 802.11 and defined in IEEE Std 802.11-1999 (hereinafter 802.11). This standard is for example used by WiFi. It will however be appreciated that the invention may also be used to fingerprint devices that implement other suitable wireless communication techniques, such as for example ALOHA or Zigbee, or indeed wired communication techniques, such as for example Ethernet based protocols.
As already mentioned, device fingerprinting enables identification of devices, an identification that is independent of the purported identity of the device. A primary application of 802.11 device fingerprinting is the detection of Media Access Control (MAC) address spoofing. This refers to the action of usurping the MAC address of another device in order to benefit from its authorization.
In several scenarios, the detection of MAC address spoofing is of importance. Open wireless networks such as hot-spots often implement MAC address based access control in order to guarantee that only legitimate client stations (e.g. the devices that have purchased Internet access) connect to the access points. More controlled wireless networks such as site enterprise networks also often implement forms of MAC address based access control, as a supplement to cryptographic access control for instance. Attackers may then want to steal a legitimate device's session by spoofing the latter's MAC address. Conversely, the access points (APs) may be subject to attacks: tools like AirSnarf and RawFakeAP enable an attacker to set up a rogue access point, which could make client stations connect to the fake AP instead of the genuine one. A good fingerprinting method should be able to detect the above attacks so that countermeasures may be taken.
The prior art comprises a number of solutions for fingerprinting wireless devices by analyzing implementation specificities of the network card and/or driver. See for example WO 2012/069544; J. Cache, “Fingerprinting 802.11 Implementations via Statistical Analysis of the Duration Field”, 2006; S. Jana and S. K. Kasera, “On Fast and Accurate Detection of Unauthorized Wireless Access Points Using Clock Skews”, in Proceedings of ACM MobiCom 08, September 2008; and C. Arackaparambil, S. Bratus, A. Shubina, and D. Kotz, “On the Reliability of Wireless Fingerprinting Using Clock Skews”, in Proceedings of ACM WiSec 10, March 2010. It should be noted that the methods of Jana et al. and Arackaparambil et al. are only applicable to access points, as they require the timestamps included in the 802.11 beacon frames, which are only sent by access points and not by client stations.
However, it is also possible for an attacker to try to forge the fingerprint of a further device (called ‘victim’). Forging a signature generally requires two steps: 1) analysis of the network traffic characteristics of the victim, and 2) reproduction of network traffic with similar characteristics in order to fool the verifier. In a network with a broadcast channel, the attacker can easily access the network traffic of the victim, which simplifies the first step of the attack, while the generalization of software network interfaces or software radios simplifies the second step of the attack.
It will therefore be appreciated that there is a need for a solution that can prevent an attacker from forging the fingerprint of a victim. The present invention provides such a solution.