Identification of Wireless Devices Using Timing Based Fingerprinting

Vachha, Bakhtyar Hoshedar (2016) Identification of Wireless Devices Using Timing Based Fingerprinting. MTech thesis.

PDF, 641Kb (full text is restricted up to 17.05.2020; restricted to repository staff only)

Abstract

In this thesis, we propose a set of techniques that allow us to create unique signatures for devices using the 802.11 standard. To do this, we exploit some fundamental physical properties, as well as some protocol-specific properties, of the devices to extract a set of features that can be converted into a usable fingerprint capable of identifying the device.

As wireless networks become more and more popular, there is an increased need to ensure that only authorised users using legitimate devices are allowed access to the network. Because wireless networks typically allow any user with a wireless NIC and a passphrase to gain access to the network’s resources, they are many magnitudes less secure than traditional wired networks. Moreover, this makes it easy for attackers to perform Man in the Middle attacks using rogue Access Points, or to gain entry into secured networks through non-authorised Access Points set up by unsuspecting users.

To create fingerprints, we use the variations in the frequency of vibration of the clock crystals in the devices. Due to certain physical traits of the crystal, no two crystals vibrate at exactly the same frequency, resulting in a distinctive variation in the number of oscillations in two devices over time. We use this characteristic to determine the rate at which the clock of the device to be fingerprinted diverges from our reference clock (its clock skew), and use this rate to create unique fingerprints for devices. To gather timing information from Access Points we use the beacon frames they transmit, and to determine the skew of end user devices we use TCP- and ICMP-based requisition protocols.

We found that our techniques for Access Point detection give us a detection rate of over 90% in a live deployment with over 10 devices. The detection rates for end user device systems were 70% and 90% respectively in their test, while the detection rates were in the neighbourhood of just 60-65% in the case of the device type detections. The capture sizes needed for such accuracy levels in our tests suggest that the required accuracy can be achieved by running the captures for 200-250 seconds for Access Points and ICMP-based techniques, and slightly over 500 seconds for TCP-based techniques.

When our system is deployed in live networks, we believe that we can accurately detect the presence of possible intruder devices in the network from their fingerprints, allowing us to possibly detect intruders employing measures such as MAC spoofing or rogue Access Point deployments. This improves the overall security of the network against such threats, expands the detection capabilities to cover hitherto undetectable or difficult-to-detect attacks, and allows preventative measures to be taken before any serious damage takes place.
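The beacon-based skew measurement and the fingerprint comparison described in the abstract can be sketched as follows; this is an added example, not code from the thesis. The least-squares estimator, the 1 ppm tolerance, the function names, the BSSID and the capture data are all assumptions constructed for illustration.

```python
import random

BEACON_INTERVAL_S = 0.1024  # 100 TU, the common default 802.11 beacon interval

def synth_capture(skew_ppm, duration_s=200.0, jitter_us=20.0, seed=1):
    """Constructed sample data: (receiver_time_s, beacon_timestamp_us) pairs for
    an AP whose clock runs skew_ppm fast relative to the receiver's clock."""
    rng = random.Random(seed)
    samples = []
    for i in range(int(duration_s / BEACON_INTERVAL_S)):
        sent = i * BEACON_INTERVAL_S                    # send time, receiver clock
        tsf_us = sent * (1 + skew_ppm * 1e-6) * 1e6      # value stamped by the AP
        rx = sent + rng.uniform(0, jitter_us) * 1e-6     # arrival with rx jitter
        samples.append((rx, tsf_us))
    return samples

def estimate_skew_ppm(samples):
    """Least-squares slope of clock offset against elapsed receiver time.
    Offset is in microseconds and time in seconds, so the slope is in ppm."""
    t0, tsf0 = samples[0]
    xs = [t - t0 for t, _ in samples]
    ys = [(tsf - tsf0) - (t - t0) * 1e6 for t, tsf in samples]
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    if sxx == 0:
        raise ValueError("samples must span a non-zero time interval")
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sxx

def check_device(bssid, samples, enrolled, tolerance_ppm=1.0):
    """Compare a measured skew with the enrolled fingerprint for this BSSID.
    Returns (verdict, measured_ppm); verdict is match, mismatch or unknown."""
    measured = estimate_skew_ppm(samples)
    if bssid not in enrolled:
        return "unknown", measured
    ok = abs(measured - enrolled[bssid]) <= tolerance_ppm
    return ("match" if ok else "mismatch"), measured

if __name__ == "__main__":
    enrolled = {"02:00:00:00:00:01": 12.5}  # constructed fingerprint store (ppm)
    genuine = synth_capture(12.5, seed=1)   # the enrolled AP
    impostor = synth_capture(-31.0, seed=2) # different hardware, same BSSID
    print(check_device("02:00:00:00:00:01", genuine, enrolled))
    print(check_device("02:00:00:00:00:01", impostor, enrolled))
```

A device that copies the BSSID still carries its own crystal, so the measured skew departs from the enrolled value even though the address matches.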

Item Type: Thesis (MTech)
Uncontrolled Keywords: 802.11; Wireless Fingerprinting; Access Points
Subjects: Engineering and Technology > Computer and Information Science > Networks
Engineering and Technology > Computer and Information Science > Information Security
Divisions: Engineering and Technology > Department of Computer Science
ID Code: 9355
Deposited By: Mr. Sanat Kumar Behera
Deposited On: 18 May 2018 15:43
Last Modified: 18 May 2018 15:43
Supervisor(s): Jena, Sanjay Kumar
