Remote Physical Device Fingerprinting
Published 03 Mar 2017
Fingerprinting of devices derives its name from the technique of fingerprinting human beings to determine their identity. Just as every human being has a unique set of fingerprints that can be used to identify him or her, electronic devices such as computers have unique digital fingerprints that can be used to identify them. Device fingerprinting can be defined as the process by which a device, or the software running on it, is identified from characteristics that are observable externally. In this essay, I will discuss a paper presented at the IEEE Symposium on Security and Privacy in 2005 on remote physical device fingerprinting.
Currently, several effective techniques exist for identifying a computer connected to the Internet by fingerprinting its operating system. In this paper, however, the authors present a new technique for remotely fingerprinting a physical device, or a class of devices, by means of its clock skews. The technique relies on the minute deviations that exist in every device’s system or virtual clock, known as clock skews. It requires neither modifications to the fingerprinted device nor any cooperation from the fingerprintee. Using it, a fingerprinter, also referred to as the adversary, can measure a device’s clock skews when the device is thousands of miles, several hops, and many milliseconds away, and also when the device connects to the Internet from different locations and over different access technologies. A remote device can be fingerprinted even when it is behind a firewall or Network Address Translation (NAT) (p. 1).
Remote physical device fingerprinting can be of three types: active, passive, or semi-passive. In active fingerprinting, the fingerprinter must be able to communicate with the fingerprintee; in passive fingerprinting, the fingerprinter need only be able to observe the fingerprintee; and in semi-passive fingerprinting, the fingerprinter is able to communicate with the fingerprintee once the fingerprintee has initiated communication (p. 1).
In the past, many researchers have worked on reducing or eliminating clock skews in devices. The experiment described in this paper, by contrast, exploits the clock skews present in a device to determine its identity. Earlier techniques for fingerprinting devices relied on a network card’s Media Access Control (MAC) address or on cookies. The advantage of the technique presented in this paper is that it can fingerprint devices thousands of miles away. Cookie data has the drawback that it is not easily available to the fingerprinter (p. 3).
For remote fingerprinting, two types of clocks can be used: the system clock and the clock in the device’s Transmission Control Protocol (TCP) network stack, which the paper calls the TSopt clock. Fingerprinters can determine system clock skew if they learn the clock’s value at several points in time. To measure system clock skew, the paper uses Internet Control Message Protocol (ICMP) Timestamp Requests. The fingerprinter could be any website the fingerprintee visits, or any device on the Internet that can issue ICMP Timestamp Requests to the fingerprintee. The fingerprinter must also be able to record the ICMP Timestamp Reply messages, from which the clock skew of the device is then computed (p. 6).
Using the TSopt clock, the clock skew is determined in the following way. A TCP flow can use the TCP timestamps option, which is supported by almost all modern operating systems. With this option, the header of each TCP packet in the flow carries a 32-bit timestamp. These timestamps are taken from a virtual clock that is independent of the system clock. If the fingerprinter can learn the values of a device’s TSopt clock at various points in time, it can determine the device’s TSopt clock skew. This TCP-timestamp-based technique is the one used in most of the experiments described in the paper (p. 4).
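As an added example (not code from the paper or from this essay), the following Python estimates a TSopt clock skew from a trace of (arrival time, TCP timestamp) samples: it infers the clock’s tick rate, computes the offsets between device time and observer time, and fits the line that upper-bounds all offsets, the fit the paper solves with linear programming. The candidate tick rates, the 0-10 ms queuing-delay model and the sample trace are assumptions constructed for the example.

```python
"""Estimate a remote device's TSopt clock skew from observed TCP timestamps (added example,
not the paper's code).  A sample is (receive_time, tsopt): observer arrival time in seconds
and the 32-bit TCP timestamp carried in that packet."""
import random

CANDIDATE_HZ = (1, 2, 10, 100, 250, 1000)  # assumed set of common TSopt tick rates

def estimate_hz(samples):
    """Nominal TSopt frequency closest to the observed tick rate."""
    (t0, v0), (tn, vn) = samples[0], samples[-1]
    rate = ((vn - v0) % 2**32) / (tn - t0)
    return min(CANDIDATE_HZ, key=lambda hz: abs(hz - rate))

def observed_offsets(samples, hz):
    """(x_i, o_i) with o_i = (v_i - v_0)/Hz - (t_i - t_0): device elapsed minus observer elapsed."""
    t0, v0 = samples[0]
    return [(t - t0, ((v - v0) % 2**32) / hz - (t - t0)) for t, v in samples]

def _cross(o, a, b):
    return (a[0] - o[0]) * (b[1] - o[1]) - (a[1] - o[1]) * (b[0] - o[0])

def skew_ppm(points):
    """Slope (ppm, relative to the observer's clock) of the line on or above every offset
    point that minimises the summed vertical gap: the paper's linear-programming fit, since
    queuing delay only pushes offsets down.  The optimum is an edge of the upper convex hull."""
    pts, hull = sorted(points), []
    for p in pts:  # monotone chain; popping on cross >= 0 leaves the upper hull
        while len(hull) >= 2 and _cross(hull[-2], hull[-1], p) >= 0:
            hull.pop()
        hull.append(p)
    best = None
    for (x1, y1), (x2, y2) in zip(hull, hull[1:]):
        a = (y2 - y1) / (x2 - x1)
        cost = sum(a * (x - x1) + y1 - y for x, y in pts)
        if best is None or cost < best[0]:
            best = (cost, a)
    if best is None:
        raise ValueError("need at least two samples with distinct receive times")
    return best[1] * 1e6

def constructed_trace(true_ppm=50.0, hz=1000, n=121, step=60.0, seed=7):
    """Constructed data: a device ticking at `hz` with `true_ppm` skew, sampled every `step`
    seconds through a path that adds 0-10 ms of queuing delay to each packet."""
    rng = random.Random(seed)
    base = 0x1A2B3C4D  # arbitrary initial TSopt value; cancels in the differences
    trace = []
    for i in range(n):
        t = i * step
        tsopt = (base + int(hz * (1 + true_ppm / 1e6) * t)) & 0xFFFFFFFF
        trace.append((t + rng.uniform(0, 0.010), tsopt))
    return trace
```

Running `skew_ppm(observed_offsets(trace, estimate_hz(trace)))` on `constructed_trace()` recovers a skew close to the constructed 50 ppm despite the per-packet delay noise; the estimate is always relative to the observer’s own clock, so two fingerprinters with different clocks obtain different absolute values for the same device.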
The paper also describes how a fingerprinter may obtain the values of the TSopt clock at different points in time and how this information can be used to fingerprint a device. The fingerprinter can be any party able to observe the TCP packets sent by the fingerprintee: the fingerprintee’s Internet Service Provider, anyone who can tap a network over which the device’s packets travel, or any website the fingerprintee accesses, such as Google or a news site (p. 5).
The authors also conducted experiments in a variety of settings to demonstrate that clock skews remain stable under different conditions and can therefore serve as a trustworthy means of fingerprinting a device remotely. Their findings show that clock skews remain stable whether the measurement is active, passive, or semi-passive. Some might object that, because the experiments were conducted on a large variety of machines running a wide variety of operating systems, the clock skews were bound to differ. To counter this objection, the authors also ran experiments on a large set of apparently homogeneous machines, which likewise showed measurably different clock skews. The experiments further showed that clock skews are independent of the fingerprintee’s access technology (wired or wireless, residential or commercial cable networks, dial-up connections), of the network topology, of the machine used by the fingerprinter, and of the distance between the two. Skews measured under all these different conditions were within a fraction of a ppm of one another, and they were also independent of Network Time Protocol (NTP) usage (pp. 7, 8, 9, 10, 11).
The remote physical device fingerprinting technique can serve a variety of purposes. It can be used to count the number of devices behind a NAT. It can also be used to remotely probe a block of addresses to determine whether they correspond to virtual hosts, such as a virtual honeynet. It is also very useful in forensics and criminal investigations, and it can be used to track individual devices. Skew estimates, combined with operating system fingerprinting, can help track a computer or device used for criminal purposes, such as sending a threatening email. Using remote fingerprinting, anonymized IP addresses can be de-anonymized (pp. 12, 13).
The paper also states that future security systems may try to resist this fingerprinting technique by masking TSopt clock values. It suggests that other aspects of a device, such as processor speed or memory, might also be fingerprintable (p. 14).
The study also highlights the difficulty of achieving complete data security today, since techniques such as these can be used to identify any computer remotely (p. 15).
Kohno, T., Broido, A., & Claffy, K. C. (2005). Remote physical device fingerprinting. IEEE Computer Society. Retrieved June 3, 2008, from http://www.caida.org/publications/papers/2005/fingerprinting/