Wireless internet access has become one of the enabling technologies of the modern world. Indeed, many think of Wi-Fi is the oxygen of the computer generation.
While wireless access is hugely useful, it is also a security threat. Anybody can access a wireless network by masquerading as a computer that already has access. This technique is known as MAC spoofing: the action of taking the MAC address of another computer to benefit from its authorization.
One way to prevent this is to have some other way of identifying the computer trying to get access. The question is how.
Today, Christoph Neumann and pals at the Technicolor Security and Content Protection Labs in Rennes, France, say they’ve developed a way of uniquely identifying a computer by the way it accesses Wi-Fi resources.
They point out that characteristics such as transmission rates and frame inter-arrival time, depend on the Wi-Fi card a computer uses as well as the drivers and the applications involved. The large number of permutations of these ensures that most computers have a “Wi-Fi fingerprint” that uniquely identifies them. And that could help distinguish an authorized user from a malicious one.
Neumann and co begin their work by analyzing all the wireless traffic broadcast on a particular Wi-Fi channel in a number of different environments. For example, they use a seven-hour recording of Wi-Fi signals collected at the 2008 Sigcomm conference and another six-hour recording collected at their office in France.
They began by dividing each recording into training and validation data sets. They then analyzed the training data set looking for the characteristics of the devices involved.
For example, the 802.11 protocol allows a Wi-Fi card to choose one of a number of predefined transmission rates; a Wi-Fi card transmits data packets, or frames, of a size that depends on the version of the IP and the applications involved; and the time between the arrival of successive frames depends on various factors such as their size.
However, Neumann and co deliberately avoided analyzing data that can be easily forged by a malicious attacker, such as frame headers. They do all this using a standard wireless card rather than bespoke listening equipment that would not be viable for ordinary users.
They say that certain parameters are much better than others at uniquely identifying devices. “We find that the network parameters transmission time and frame inter-arrival time perform best in comparison to the other network parameters considered,” they say.
Finally, they use these parameters to see if they can uniquely identify machines in the validation datasets.
And the results are pretty good. They say that in ordinary conditions such as their office network, they uniquely identify machines with an accuracy of up to 95 percent.
The most challenging conditions, though, occur during a conference when many users can be attempting to connect to a network at the same time. “In the most difficult testing conditions, the wireless traffic of a conference, the inter-arrival time renders the best identification ratios,” they say.
That’s because the inter-arrival time depends not only on the wireless card being used but also on the drivers installed and the software generating the data being sent. The combination of these is usually enough to generate a unique signature.
In these challenging conditions, Neumann and co can accurately identify up to 56 percent of the devices with a false positive rate of only 10 percent. That’s not perfect but it’s not bad either as a secondary security mechanism.
And there are ways they can improve the technique in future. This work focuses only on the signature of individual parameters such as frame inter-arrival time. But a better approach might be to come up with a fingerprint that depends on several different parameters. Neumann and co plan to look at this in future.
Wireless fingerprinting could be applied in a wide variety of situations. It uses a standard wireless card to do its job, making it relatively cheap. It’s also a passive technique that is difficult for malicious users to detect.
That’s important. It’s easy to forget how insecure password-protected networks can become. Think of your own home network and the number of friends, colleagues and family who you have given the network key. An important question is how secure this information is once it has left your home.
Wireless fingerprinting has other applications too. Not only can this approach identify malicious computers attempting to access your network, it can spot fake wireless access points that are designed to collect MAC addresses to spoof other networks. However, this requires the gathering of ground truth data of the original access point in a secure environment in advance.
Wireless fingerprinting is unlikely ever to be entirely foolproof but it does have the potential to be a useful addition to the armory of tools available for online security.
Ref: arxiv.org/abs/1404.6457: An Empirical Study Of Passive 802.11 Device Fingerprinting