Wi-Fi Fingerprints -- the End of MAC Spoofing?

judgecorp writes, "Wireless devices can be identified by variations in their radio signaling, known as their 'transceiverprint,' according to research reported in Techworld. The Canadian researcher, Jeyanthi Hall, related the prints to MAC addresses and got a positive ID for devices connecting to a Wi-Fi network, claiming 95% success with no false positives. Once they work out how to do this without a dedicated signal analyzer and neural network processing, it's the end of MAC spoofing on wireless networks."
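The submission's core idea, binding each MAC address to the transceiverprint observed for it and flagging frames whose print no longer matches, as an added example that is not from the Techworld article or from Hall's research: it enrolls a per-MAC profile, scores new prints by a normalised distance, and computes the detection rate and false-positive rate the summary quotes. The feature names, the numeric values, the MAC address and the 3-sigma tolerance are all constructed assumptions; the real study used a signal analyser and a neural network rather than this distance rule.

```python
import math
from collections import defaultdict

# Constructed sample data: each "print" is a hypothetical feature vector
# (amplitude error, phase error, rise time); values are made up, not measured.
ENROLL_A = [(1.00, 0.10, 2.00), (1.02, 0.12, 2.01), (0.98, 0.09, 1.99),
            (1.01, 0.11, 2.02), (0.99, 0.08, 1.98)]
MAC_A = "00:11:22:33:44:aa"  # constructed address

class TransceiverprintDB:  # binds a MAC to the RF profile seen at enrollment
    def __init__(self, tolerance=3.0):
        self.tolerance = tolerance        # max distance, in standard-deviation units
        self.samples = defaultdict(list)  # MAC -> enrolled prints
    def enroll(self, mac, fp):
        self.samples[mac].append(fp)
    def profile(self, mac):
        pts = self.samples[mac]
        n, d = len(pts), len(pts[0])
        means = [sum(p[i] for p in pts) / n for i in range(d)]
        # floor the spread so a perfectly stable feature cannot divide by zero
        stds = [max(1e-6, math.sqrt(sum((p[i] - means[i]) ** 2 for p in pts) / n))
                for i in range(d)]
        return means, stds
    def distance(self, mac, fp):
        means, stds = self.profile(mac)
        return math.sqrt(sum(((x - m) / s) ** 2 for x, m, s in zip(fp, means, stds)))
    def verify(self, mac, fp):
        """True if fp matches the MAC's profile, False if not, None if MAC unknown."""
        if mac not in self.samples:
            return None
        return self.distance(mac, fp) <= self.tolerance

def evaluate(db, frames):
    """frames: (claimed MAC, print, is_spoofed). Returns (detection rate, false-positive rate)."""
    spoofed = [(m, p) for m, p, s in frames if s]
    genuine = [(m, p) for m, p, s in frames if not s]
    detected = sum(1 for m, p in spoofed if db.verify(m, p) is False)
    false_pos = sum(1 for m, p in genuine if db.verify(m, p) is False)
    return detected / len(spoofed), false_pos / len(genuine)

def demo():
    db = TransceiverprintDB()
    for fp in ENROLL_A:
        db.enroll(MAC_A, fp)
    frames = [(MAC_A, (1.01, 0.10, 2.01), False),  # genuine, inside tolerance
              (MAC_A, (0.99, 0.11, 1.99), False),  # genuine
              (MAC_A, (1.30, -0.05, 2.60), True),  # spoofed MAC, a different radio
              (MAC_A, (1.05, 0.10, 2.00), True),   # spoofed, amplitude off by 3.5 sigma
              (MAC_A, (1.02, 0.12, 2.02), True)]   # spoofed, close enough to slip through
    return evaluate(db, frames)
```

demo() returns a detection rate of 2/3 with zero false positives; the spoofed frame that slips through is a missed detection, which is the kind of case a 95% detection rate with no false positives leaves unaccounted for.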
  • Nice try, but... (Score:2, Insightful)

    by terrahertz ( 911030 ) on Tuesday September 05, 2006 @01:37PM (#16046062)
    Once they work out how to do this without a dedicated signal analyzer and neural network processing, it's the end of MAC spoofing on wireless networks.

    ...and once the paquet warr10rz figure out how to arbitrarily generate and utilise "transceiver prints" it's the end of this method of IDS.

    (any wagers on how many other "first comments" will say the same thing?)
  • by giafly ( 926567 ) on Tuesday September 05, 2006 @01:38PM (#16046070)
    As a doctoral student, Dr Hall analysed the RF signals of fifteen devices from six manufacturers, and found it was possible to distinguish clearly, even between devices from the same manufacturer. Using "transceiverprints," Dr Hall got a detection rate of 95 percent, and a false positive rate of zero, according to papers submitted to various conferences, including IEEE events on wireless and security.
    So I'm convinced.
  • by slew ( 2918 ) on Tuesday September 05, 2006 @01:50PM (#16046155)
    Okay, a show of hands, how many folks use Centrino wireless vs buying a wireless card for their old computer? Now how many will buy a computer in the next year which has integrated wireless? How many of those will buy Centrino wireless?

    Does anyone remember the good old days when your garage remote control that you just bought from Sears would open the door down the street? That's why they had to put in the codes. Just relying on a "fingerprint" when the majority of devices are from the same manufacturer is just a false sense of security.

    However, if you really want to be scared, just google "bump key"...
  • by crush ( 19364 ) on Tuesday September 05, 2006 @01:51PM (#16046167)
    This is interesting but the sample size is too small to let us know how accurate this technique really is.
    http://www.mathworks.com/company/user_stories/user story10433.html?by=company [mathworks.com]
  • by GlassWalkerTheurge ( 38260 ) <glasswalkertheurge@@@gmail...com> on Tuesday September 05, 2006 @01:57PM (#16046226) Homepage
    With proper authentication? I hope you mean WPA2, because even the FBI can crack WPA in 20 minutes or less (with 2 computers). WPA2 would just mean you need a more powerful computer to crack it. MAC spoofing combined with WPA crack means that your WAP is open to any hacker with a CD drive and the correct wireless card.
  • by Anonymous Coward on Tuesday September 05, 2006 @02:05PM (#16046288)
    [...]claiming 95% success with no false positives.

    So... what was the 5% if they weren't false positives?
  • wow, lots of work (Score:3, Insightful)

    by Geekboy(Wizard) ( 87906 ) <(spambox) (at) (theapt.org)> on Tuesday September 05, 2006 @02:23PM (#16046396) Homepage Journal
    for no benefit. I have a 100% solution with no false positives. It's called 'VPN'.
  • by tppublic ( 899574 ) on Tuesday September 05, 2006 @02:34PM (#16046472)
    Trying to spoof using a hardcoded solution out of a fab is borderline impossible - I agree. However, you seem to presume that the only method of spoofing is to have (hardcoded) hardware that is identical. Given some (albeit not complete) knowledge of how analog electronics work, I'm not sure that is the only method of achieving such a result.

    It seems to me one could build analog electronics that allow signal parameters (frequency, rise time, etc.) to be electronically tuned based on the detected signal... after all, if they can identify a signal with high accuracy, then the traits to be spoofed may be distinguishable enough to be accurately measured.

    Given a sufficiently powerful software defined radio, a tunable amplifier and a tunable antenna, I don't think this is impossible. It's a heck of a lot more expensive than a WLAN card, for sure. It's also a problem that a neural network is used for identification, since neural networks are a notoriously poor analysis tool from which to extract usable rules. However, given their sample size and lack of other info in the article (of other methods of forecast analysis), it is difficult to say whether the required system is so complicated that it is an intractable problem to reverse engineer the measured characteristics. I'm not convinced it is.

  • by PCM2 ( 4486 ) on Tuesday September 05, 2006 @03:10PM (#16046727) Homepage
    This is why you use WPA enterprise and not PSK.

    Yeah, but let's face it ... you probably don't and neither do I.

    Access control lists are a simple concept that administrators understand. It would be a good thing if they could be implemented reliably with ordinary Wi-Fi.

  • by postbigbang ( 761081 ) on Tuesday September 05, 2006 @03:11PM (#16046740)
    Here's what you can make in terms of a signature:

    1. Amplitude
    2. Phase shift
    3. Signal cadencing... e.g. micro-sliced events
    4. Parasitics
    5. Encoding profiling.

    And the success is 95%. That's wonderful. Bring it on.

    Your supposition that it would have to be "100 percent atom for atom identical" is pure hubris. You obviously have little engineering training. Try again.
  • Re:Moo (Score:5, Insightful)

    by Keebler71 ( 520908 ) on Tuesday September 05, 2006 @03:13PM (#16046750) Journal
    Not really - the fingerprinting is an artifact of the fabrication process. Manufacturing irregularities cause small and unique modulation errors on each pulse. It is these errors that allow the "fingerprinting". You can't correct for this in software - and good luck hacking your wireless board at the nano-component level.
  • by TomRC ( 231027 ) on Tuesday September 05, 2006 @03:16PM (#16046771)
    If this is an analog fingerprint, there's a chance it'll change over time, under different conditions of heat, etc. Doesn't sound trustworthy.
  • by flynns ( 639641 ) <sean@topdoggps. c o m> on Tuesday September 05, 2006 @03:55PM (#16047026) Homepage Journal
    Spoken like someone who's never touched a radio outside of the one GM sold him with his car.

    Each radio in existence has a unique signal generated, mostly due to component variation in each production run. Resistors and capacitors in circuits are designed to tolerate a certain amount of variation in resistance, capacitance, etc etc. It's difficult to replicate - and by 'difficult', I mean an electrical engineer with a laboratory full of equipment and a team working for him would find it difficult. A signal generator designed to replicate a specific signal fingerprint would be (a) prohibitively large and (b) prohibitively expensive. Hundreds of thousands, maybe millions of dollars. NSA stuff.

    This is a good idea, really, but I'm skeptical of the ability to pack that much sensing equipment into a consumer-portable wireless card.
  • by btk667 ( 722104 ) on Tuesday September 05, 2006 @04:36PM (#16047372)
    So what, this is still only brute force attacks.

    What about vulnerabilities, according to:
    http://www.informit.com/articles/article.asp?p=369 221&rl=1 [informit.com]

    - One flaw allowed an attacker to cause a denial-of-service attack, if the attacker could bypass several other layers of protection.

    - A second flaw exists in the method with which WPA initializes its encryption scheme. Consequently, it's actually easier to crack WPA than it is to crack WEP.

    Now, IS WPA more secure than WEP?
    Is it possible to have a secure Wi-Fi network without the big WPA2-Enterprise? (Certificates from Cisco and such?)
