Wi-Fi Fingerprints -- the End of MAC Spoofing?

judgecorp writes, "Wireless devices can be identified by variations in their radio signaling, known as their 'transceiverprint,' according to research reported in Techworld. The Canadian researcher, Jeyanthi Hall, related the prints to MAC addresses and got a positive ID for devices connecting to a Wi-Fi network, claiming 95% success with no false positives. Once they work out how to do this without a dedicated signal analyzer and neural network processing, it's the end of MAC spoofing on wireless networks."
This discussion has been archived. No new comments can be posted.

  • by nweaver ( 113078 ) on Tuesday September 05, 2006 @01:34PM (#16046033) Homepage
    Cool hack, but who cares. With proper authentication (eg, WPA), you don't need to worry about MAC spoofing as the packets won't authenticate right to the access point.
    • by Bender0x7D1 ( 536254 ) on Tuesday September 05, 2006 @01:55PM (#16046199)
      You are forgetting the insider threat. I might have the WPA key because I am an employee with my own laptop. However, if I spoof your MAC, then it looks like you are the one surfing /. (or porn sites) all day and not me.

      Encryption is good, but it doesn't solve every security problem.
      • Re: (Score:3, Informative)

        Comment removed based on user account deletion
        • Re: (Score:3, Insightful)

          by PCM2 ( 4486 )
          This is why you use WPA enterprise and not PSK.

          Yeah, but let's face it ... you probably don't and neither do I.

          Access control lists are a simple concept that administrators understand. It would be a good thing if they could be implemented reliably with ordinary Wi-Fi.

    • Re: (Score:2, Insightful)

      With proper authentication? I hope you mean WPA2, because even the FBI can crack WPA in 20 minutes or less (with 2 computers). WPA2 would just mean you need a more powerful computer to crack it. MAC spoofing combined with WPA crack means that your WAP is open to any hacker with a CD drive and the correct wireless card.
      • by Sethb ( 9355 ) *
        I think you mean WEP, I haven't seen an FBI demo of someone breaking WPA-PSK in 20 minutes, assuming a decent passkey was used...
        • Re: (Score:3, Informative)

          by Poltras ( 680608 )
          WPA-PSK can be cracked in small time too. If you use a RADIUS it's a lot harder (which may be what you're thinking), but with PSK you are just a step harder to crack than WEP, not more secure.
    • by Znork ( 31774 )
      I don't get the desire to treat wireless networks like an extension of the local wired ones. Treat the wireless like you treat any other insecure transport network; ie, firewalled away and with inwards access granted only via VPN tunnels, and you don't have to care about which wireless encryption gets broken by whom and who tries to spoof what.
    • Beyond that, what difference does it make if the computer is a real Apple computer or not?

  • Anyone seriously into wireless security / hacking probably has 20+ wireless cards. It is common knowledge that a wireless card can be identified by its traffic, so why not just buy one of each vendor's cards and use the relevant one during each hack?

    I expect to see a high-end wireless card come out soon that will 'emulate' the hardware differences quite nicely :)
    • by ergo98 ( 9391 ) on Tuesday September 05, 2006 @01:48PM (#16046138) Homepage Journal
      Anyone seriously into wireless security / hacking probably has 20+ wireless cards. It is common knowledge that a wireless card can be identified by its traffic, so why not just buy one of each vendor's cards and use the relevant one during each hack?

      If you RTFA, you would have seen that manufacturing variations yield differences even among the exact make and model -- e.g. that minor circuitry, amplifier and antenna variations yield a unique signature.
      • Re: (Score:2, Interesting)

        If you RTFA, you would have seen that manufacturing variations yield differences even among the exact make and model -- e.g. that minor circuitry, amplifier and antenna variations yield a unique signature.

        So, will this mean that if I buy a new antenna or break off my old antenna that my network will no longer recognize me?
        How much variation will it handle? When my antenna heats up will it still have the same signature?
    • Re: (Score:3, Informative)

      by Chanc_Gorkon ( 94133 )
      There are variations in radios even among the same model. You can uniquely identify 2 separate radios of the same model pretty easily. This is something we have done to combat the squirrels (slang for the idiots who think it's fun to screw a ham repeater up) on our ham repeaters in our area....that and triangulation of the perp's signal. Nothing new and about time.

      • by munpfazy ( 694689 ) on Tuesday September 05, 2006 @04:19PM (#16047214)
        Yup. Hams have been doing it for decades. (Well, most of us have just been talking about it - since actually doing it requires rather expensive gear and jammers troublesome enough to be worth the effort.) I can only imagine governments have been doing it for a lot longer than that.

        But jumping from its use as forensic tool to something which could be used for authentication / spoofing detection on cheap networking gear is far from trivial. It's hard to imagine most wifi users paying to add the necessary gear to their access points. No matter how wonderful your pattern matching algorithm may be, you still need a sensitive front end and a very fast sample rate to get the data in the first place. It's hard to imagine a scenario where the hardware needed to identify tiny perturbations on a signal wouldn't be a lot more expensive than the hardware needed to detect the signal itself.

        Even as a forensic tool, the low cost of computer networking gear leaves an obvious out for savvy hackers: just load up on $5 wireless cards whenever you see them on sale, and throw each away after every successful use. It's a whole lot easier for most people to swap out networking hardware than to replace amateur radio transmitters. You could still use it to distinguish in real time between a particular legitimate user and an outsider, but that doesn't buy you very much unless it's cheap and robust enough to leave running at all times on every access point.
  • Nice try, but... (Score:2, Insightful)

    by terrahertz ( 911030 )
    Once they work out how to do this without a dedicated signal analyzer and neural network processing, it's the end of MAC spoofing on wireless networks.
     
    ...and once the paquet warr10rz figure out how to arbitrarily generate and utilise "transceiver prints" it's the end of this method of IDS.

    (any wagers on how many other "first comments" will say the same thing?)
    • Based on the description of the method, it is the physical characteristic of the hardware itself that provides the "fingerprint" - not software. It is not something that you "generate" - it is based on the characteristics of the signal itself and not the information carried by the signal.

      =Smidge=
      • it is the physical characteristic of the hardware itself that provides the "fingerprint" - not software.

        If I take a screwdriver and bend some of the metal around the shielding on the wifi unit, will it alter these characteristics?
      • by fatboy ( 6851 )
        That's correct. The majority of what they see is the "ring" of the VFO when the radio transmits.
      • Yep, but at some point the "hardware fingerprint" gets translated to a digital version, or a "software fingerprint" to be processed by the wi-fi router. No routers are able to read "hardware anything" natively.

        This is the same argument why fingerprint/retina scanners can also be hacked - at some point all data, no matter how it is gathered, is converted into 1s and 0s - and can be copied/spoofed.
  • Nothing new. (Score:2, Informative)

    by Anonymous Coward
    This has been in the HAM community for years.

    http://www.motron.com/TransmitterID.html [motron.com]
    • And now it has finally reached the SPAM community.
    • Some years back when mayhem was happening to a local 2m NBFM repeater, I got into the habit of leaving an allmode radio monitoring the input, in USB mode. That lets you hear exactly what the FM carrier is doing.

      All FM radios have a different keyup chirp. That is, when you key up they start on some frequency and drift off to their final frequency over a short period of time. Some do it quickly, some slowly, but all start off on and end on a different pair of frequencies. Some would also have a tendency to

  • by giafly ( 926567 ) on Tuesday September 05, 2006 @01:38PM (#16046070)
    As a doctoral student, Dr Hall analysed the RF signals of fifteen devices from six manufacturers, and found it was possible to distinguish clearly, even between devices from the same manufacturer. Using "transceiverprints," Dr Hall got a detection rate of 95 percent, and a false positive rate of zero, according to papers submitted to various conferences, including IEEE events on wireless and security.
    So I'm convinced.
    • by slew ( 2918 ) on Tuesday September 05, 2006 @01:50PM (#16046155)
      Okay, a show of hands, how many folks use centrino wireless vs buying a wireless card for their old computer? Now how many will buy a computer in the next year which has integrated wireless. How many of those will buy centrino wireless?

      Does anyone remember the good old days when your garage remote control that you just bought from sears would open the door down the street? That's why they had to put in the codes. Just relying on a "fingerprint" when the majority of devices are from the same manufacturer is just a false sense of security.

      However, if you really want to be scared, just google "bump key"...
      • From the article, (emphasis mine):

        As a doctoral student, Dr Hall analysed the RF signals of fifteen devices from six manufacturers, and found it was possible to distinguish clearly, even between devices from the same manufacturer.

        So it doesn't matter if everyone uses Centrino - they can still tell them apart. The key point is that no two devices are identical - there are always differences in the manufacturing process that makes them behave differently. Sure, at 10 or 54 Mbps they look the same but w
        • FWIW, the paper you reference seems to be circa 2004 and used a Gigahertz scope on 10Mb wired ethernet. Even so, they didn't think they could use the same technique on 100Mb ethernet.

          Initial work has already begun on attempting to profile 100Mb Ethernet signals. Preliminary results indicate that the aforementioned techniques will be adequate for discriminating between different model devices; however, a deeper investigation into the signaling characteristics of 100Mb Ethernet devices may be required in or

      • Fingerprint technology is NOT what they used for garage door openers. They had basically no security on garage door openers for many years. The opener remote used to just send out a signal at a certain frequency that the opener was set to receive. If it received a signal within tolerance, it opened. Now they not only send it out at a predetermined frequency, each remote has codes preprogrammed in it that it sends out. You stand on a ladder in your garage and press the remote after pressing the button
      • Actually this is not just gross signal monitoring. The phone company does this with cell phones now. When you look at the signal as a matrix of about 6 to 8 things you can identify 2 cell phones that came off the assembly line sequentially. This type of signal monitoring is looking at things like micro-second variations in response times, frequency modulation differences, and frequency stability. All of these things are unique to a specific phone, not a brand or model of phone.
        The issue here is figuring out
      • The point of the article is that within supposedly identical devices, the individual electrical components are not exactly the same, and it's the minor faults in capacitors that they're picking up and calling a "transceiver print".
    • So I'm convinced

      I think you might be missing the point; It's not that these things are unique, it's that they are semi-unique and hard to replicate.
    • by hey ( 83763 )
      How do you get 95% out of 15?
      14 right out of 15 is 93.3333 percent.
      So they did better than 14 but less than perfect - humm.
    • This is a nice academic exercise. If I have an RF spectrum analyser or other very sophisticated equipment then I could do this. The crude RF receiver in my $40 wireless router is just marginally able to receive and decode the signal. It will never have the capabilities of a rack of expensive RF test equipment. I do not think this capability will end up in any low cost equipment in the next few years.
  • When they develop the hardware that has all of that enabled it does not cost an insane amount over the cost of something without signal analyzation; when they could just use other security measures, or multiple security measures which are cheaper.

    Albeit the military and security conscious would still buy it.
  • Old Idea (Score:5, Interesting)

    by Detritus ( 11846 ) on Tuesday September 05, 2006 @01:42PM (#16046095) Homepage
    They were doing this during World War II, using the unique characteristics and variations of transmitters to "fingerprint" them. Similar things were done with the way radio operators send morse code to help detect spies that had been compromised.
    • Re: (Score:2, Funny)

      1) Take old idea
      2) Apply to new technology
      3) Patent (Optional)
      4) Profit!

      Sheesh, there aren't even any unknowns in this one. Where are you confused?

  • 95 percent is still far too low for a viable consumer product. Can you imagine if 5 percent of the folks buying something based on this technology found that it didn't work? The public outcry would be enormous.
    • Yes, that 5% is definitely a problem. However, you could set the system to log a warning if the fingerprint doesn't match. If nothing else, this would give you a paper trail that you can follow if an incident occurs. Also, if you record the fingerprint and find that same fingerprint trying to be several different MAC addresses you could raise an alarm.

      So, 5% is far too high to be used on its own, but it isn't completely useless.
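The two checks proposed above (log a warning when a MAC's print no longer matches the enrolled one, and alarm when one print shows up under several MAC addresses) as an added example, not code from the original thread or from the research it discusses. The feature names (cfo_hz, rise_ns, ring_pct), the per-feature tolerances and all observations are constructed stand-ins for real RF measurements.

```python
"""Defender-side checks over transceiverprint observations (added example).

Each observation pairs a claimed MAC address with a small feature vector
standing in for the RF 'transceiverprint'. The features and their
tolerances are assumptions made for this example, not real measurements:
    cfo_hz   - carrier frequency offset of the transmitter, in Hz
    rise_ns  - rise time of the transmit envelope, in ns
    ring_pct - ringing amplitude at key-up, in percent of carrier
Check 1 only logs a warning (a 5% miss rate is too high to deny service);
check 2 raises an alarm when one physical print claims several MACs.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean

# Assumed per-feature scale used to normalize distances between prints.
SCALE = {"cfo_hz": 200.0, "rise_ns": 5.0, "ring_pct": 1.0}
FEATURES = tuple(SCALE)


@dataclass(frozen=True)
class Observation:
    mac: str
    cfo_hz: float
    rise_ns: float
    ring_pct: float

    def vector(self):
        return tuple(getattr(self, f) for f in FEATURES)


def distance(a, b):
    """Scale-normalized Euclidean distance between two print vectors."""
    return sum(((x - y) / SCALE[f]) ** 2 for f, x, y in zip(FEATURES, a, b)) ** 0.5


def enroll(observations):
    """Reference print per MAC: the per-feature mean of its enrollment samples."""
    by_mac = defaultdict(list)
    for o in observations:
        by_mac[o.mac].append(o.vector())
    return {mac: tuple(mean(col) for col in zip(*vecs)) for mac, vecs in by_mac.items()}


def nearest(enrolled, vec):
    """(mac, distance) of the enrolled print closest to vec."""
    return min(((mac, distance(vec, ref)) for mac, ref in enrolled.items()),
               key=lambda t: t[1])


def check(enrolled, observations, threshold=1.0):
    """Run both checks and return a list of (kind, message) alerts."""
    alerts = []
    macs_per_print = defaultdict(set)  # enrolled owner -> MACs seen with its print
    for o in observations:
        vec = o.vector()
        # Check 1: the claimed MAC's print has drifted from what was enrolled.
        if o.mac in enrolled:
            d = distance(vec, enrolled[o.mac])
            if d > threshold:
                alerts.append(("MISMATCH", f"{o.mac}: print differs from enrolled (d={d:.2f})"))
        # Attribute the print to whichever enrolled device it really resembles.
        owner, d = nearest(enrolled, vec)
        if d <= threshold:
            macs_per_print[owner].add(o.mac)
    # Check 2: one physical print presenting itself as several MAC addresses.
    for owner, claimed in macs_per_print.items():
        if len(claimed) > 1:
            alerts.append(("MULTI_MAC", f"print of {owner} seen claiming {sorted(claimed)}"))
    return alerts


# Constructed enrollment samples: two devices, two samples each.
ENROLLMENT = [
    Observation("00:11:22:aa:bb:01", 1200.0, 40.0, 3.0),
    Observation("00:11:22:aa:bb:01", 1210.0, 40.5, 3.1),
    Observation("00:11:22:aa:bb:02", -800.0, 52.0, 1.5),
    Observation("00:11:22:aa:bb:02", -790.0, 51.0, 1.4),
]

# Constructed live traffic: two genuine frames, one frame carrying device
# 01's print under device 02's MAC, and one drifted print from device 01.
LIVE = [
    Observation("00:11:22:aa:bb:01", 1190.0, 40.0, 3.0),
    Observation("00:11:22:aa:bb:02", -810.0, 52.0, 1.5),
    Observation("00:11:22:aa:bb:02", 1200.0, 40.5, 3.0),
    Observation("00:11:22:aa:bb:01", 2500.0, 40.0, 3.0),
]

if __name__ == "__main__":
    for kind, msg in check(enroll(ENROLLMENT), LIVE):
        print(kind, msg)
```

The drifted sample produces only a MISMATCH line, which is the paper trail the comment asks for, while the borrowed print produces both a MISMATCH and the MULTI_MAC alarm.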
    • "95 percent is still far too low for a viable consumer product. Can you imagine if 5 percent of the folks buying something based on this technology found that it didn't work? The public outcry would be enormous."

      You mean like getting the cheap wireless card to work on my Linux laptop?
  • by Keebler71 ( 520908 ) on Tuesday September 05, 2006 @01:44PM (#16046118) Journal
    On behalf of the DoD, I would like to welcome IT geeks to antiquated military technology! [google.com]
  • by crush ( 19364 ) on Tuesday September 05, 2006 @01:51PM (#16046167)
    This is interesting but the sample size is too small to let us know how accurate this technique really is.
    http://www.mathworks.com/company/user_stories/user story10433.html?by=company [mathworks.com]
  • by Anonymous Coward on Tuesday September 05, 2006 @01:53PM (#16046186)
    Wi-Fi fingerprinting is nothing new and we have tried the various techniques at our university but it simply does not work because the number of false positives is way too high for it to be practical and to be deployed in an environment with many users. We had support from one of the developers of the technology and after looking at the data and the floods of user complaints he even admitted that Wi-Fi fingerprinting is not practical and we had to give up on it.
  • by llZENll ( 545605 ) on Tuesday September 05, 2006 @01:58PM (#16046235)
    Why would hackers not simply spoof the RF fingerprint. Some ideas come to mind. 1) dynamic adjust the outgoing signal digitally to imitate the fingerprint 2) add interference around the transmitter so the signal looks the same 3) use specialized analog electronics to imitate the fingerprint
    • by Chanc_Gorkon ( 94133 ) <<moc.liamg> <ta> <nokrog>> on Tuesday September 05, 2006 @02:05PM (#16046284)
      Cuz you likely can't. To do so would require a microscope on a lot of WiFi cards and even then you likely won't come close enough. The fingerprint is possible because of minor variations in the signal that is caused by variations in the caps and resistors used. You don't really think they can create a 0% tolerance cap do you?? The tolerances on caps and resistors can be 0.05%...that is still not 0%. A 0% tolerance cap or resistor is not possible. Spoofing a RF fingerprint is practically impossible with today's technology.
      • by robertjw ( 728654 ) on Tuesday September 05, 2006 @02:15PM (#16046347) Homepage
        OK, but will the variation on the caps and resistors remain consistent over the life of the WiFi card? Will an allowance be made for ongoing variations in the signal? If so, will it be exploitable?
        • by Have Blue ( 616 )
          And what allowances will be made for the ~5% of devices that according to this article will never pass the test?
        • Lifetime, heck - capacitor and resistor values can significantly drift over temperature.
      • Cuz you likely can't. To do so would require a microscope on a lot of WiFi cards and even then you likely won't come close enough. The fingerprint is possible because of minor variations in the signal that is caused by variations in the caps and resistors used. You don't really think they can create a 0% tolerance cap do you?? The tolerances on caps and resistors can be 0.05%...that is still not 0%. A 0% tolerance cap or resistor is not possible. Spoofing a RF fingerprint is practically impossible with to
      • by tppublic ( 899574 ) on Tuesday September 05, 2006 @02:34PM (#16046472)
        Trying to spoof using a hardcoded solution out of a fab is borderline impossible - I agree. However, you seem to presume that the only method of spoofing is to have (hardcoded) hardware that is identical. Given some (albeit not complete) knowledge of how analog electronics work, I'm not sure that is the only method of achieving such a result.

        It seems to me one could build analog electronics that allows signal parameters (frequency, rise time, etc.) to be electronically tuned based on the detected signal... after all, if they can identify a signal with high accuracy, then the traits to be spoofed may be distinguishable enough to be accurately measured.

        Given a sufficiently powerful software defined radio, a tunable amplifier and a tunable antenna, I don't think this is impossible. It's a heck of a lot more expensive than a WLAN card, for sure. It's also a problem that a neural network is used for identification, since neural networks are a notoriously poor analysis tool from which to extract usable rules. However, given their sample size and lack of other info in the article (of other methods of forecast analysis), it is difficult to say whether the required system is so complicated that it is an intractable problem to reverse engineer the measured characteristics. I'm not convinced it is.

      • by Shotgun ( 30919 )
        Minor nit:

        Those tolerances are more like 5 and 10%. At least that is what is guaranteed by the manufacturer. Actual tolerances are usually much closer.

        A published .05% part will be a military grade part destined for the space shuttle.
        • And thus, they exist. The fact is, once perfected, this method of applying some sort of security can be done or it at least can tell you if the MAC on one particular radio is changing. I don't know that I would base a security system on this, but basing an intrusion detection system on this could probably work. You could even possibly lock out intruders for a 10-15 minute period or even longer.
      • Of course you can. The "fingerprint" is being measured -- somehow. So, the characteristic that IS the fingerprint must be resolvable. If it's measurable in that sense, it can be generated. How else would the testing gear itself be tested?

        Now the COST of the generating gear may be prohibitive, but it certainly MUST be practical.

        Ratboy
      • Cuz you likely can't. To do so would require a microscope on a lot of WiFi cards and even then you likely won't come close enough.

        You are WAY out in left field man.

        Doing so requires adding a digital filter to the digital output of the DSP that is the matched filter of the difference between your card and their card.

        It doesn't matter what in the RF section is different because you will be compensating for that digitally.
        There are going to be cases where the filter can't adjust enough, but for practic
  • Given:

    1) MAC addresses are easily cloned; it's child's play
    2) Spoofing above the MAC layer is difficult
    3) This methodology produces no false positives
    4) The hacker community will find what the characterizations are then
    5) Find nice and easy ways of memorizing the characterizations so that
    6) They can continue to spoof whatever they want, whenever they want.

    So, yes, there are additional authentications that make things easier to secure-- but changing the character of a card isn't difficult to do as today,
    • Re: (Score:2, Insightful)

      by flynns ( 639641 )
      Spoken like someone who's never touched a radio outside of the one GM sold him with his car.

      Each radio in existence has a unique signal generated, mostly due to component variation in each production run. Resistors and capacitors in circuits are designed to tolerate a certain amount of variation in resistance, capacitance, etc etc. It's difficult to replicate - and by 'difficult', I mean an electrical engineer with a laboratory full of equipment and a team working for him would find it difficult. A signal
      • These are cookie cutter devices. Their deltas are uber-thin. You'd need to resolve various characteristics to the femto-side of things. I'm sure that there's a lot of demand for high-resolution characterization gear out there that will slice things into ultra-tiny pieces, then have the ability to keep them in a useful db, then use that db to effectively serve as the gate of admittance control.

        I don't think so.

        Instead, a few little twigs will be used, and those twigs will define what's going on. Call it engi
  • by User 956 ( 568564 ) on Tuesday September 05, 2006 @02:17PM (#16046363) Homepage
    the End of MAC Spoofing?

    Nah, we'll only see the end of Mac spoofing when they stop making commercials with that goofball that looks like Bill Gates.
  • wow, lots of work (Score:3, Insightful)

    by Geekboy(Wizard) ( 87906 ) <[spambox] [at] [theapt.org]> on Tuesday September 05, 2006 @02:23PM (#16046396) Homepage Journal
    for no benefit. I have a 100% solution with no false positives. it's called 'VPN'.
  • Nothing new (Score:2, Interesting)

    by Knightman ( 142928 )
    This is really nothing new. A friend did something similar in the early 90's to catch a guy that was spoofing false calls on the police band.

    He had a very (VERY) expensive receiver that had a built in spectrum analyzer, and they logged all calls with a timestamp and the frequency drift (stored as a 512 bit word) of the transmitter currently using the channel. Each time the operator suspected that he/she had a spoofed call they pushed a button that activated 4 direction finders that logged the timestamp and
  • Hell, they could just download this program.

    http://xmit.penguinman.com/xmit_id.html [penguinman.com]

    This is old tech that Amateur radio users have had for 10 years now.
  • Seen it before (Score:5, Interesting)

    by tsotha ( 720379 ) on Tuesday September 05, 2006 @02:35PM (#16046478)
    The Canadian researcher, Jeyanthi Hall, related the prints to MAC addresses and got a positive ID for devices connecting to a Wi-Fi network, claiming 95% success with no false positives.
    I'm sure it works great in her lab, but here in the real world...

    I work for Big Cellphone Company. We tried the same scheme in the mid '90s when analog phone cloning was all the rage (remember when it used to cost $1.50/minute? Ahhhhh, the good old days). It works, kind of.

    The problem is you're not trying to decide whether or not to retry a packet, or what the transmit power should be. You're trying to decide whether or not to provide service, so you really can't afford to be wrong. We were never really able to get an acceptable reliability in the wild.

    Believe me, we had a huge incentive to roll this out to our network. The marginal bandwidth costs from fraud didn't hurt much, but when someone made a call to, say, Saudi Arabia on a cloned phone we got stuck with all the fees on the other end. A single cloning ring could cost millions, so Big Cellphone Company was willing to break the bank to get this to work.

    Eventually we rolled out digital service, so the project got shut down. Cloning fraud was one of the reasons we were willing to give you a free phone if you switched over to digital. Well, that and the long-term contract.

  • This technology has been used successfully on AMPS (analog cellular network) to get rid of ESN/MIN spoofing and it for the most part works. The result is that when spoofing calls with acoustic fingerprinting enabled, the call will get torn down if a fingerprint for that cell phone exists in HLR (Home Location Register -- the central database that authenticates the subscriber).
  • Is this type of thing similar to Van Eck's effect?
  • 95%, no false positives -- == 5% false negatives. It also doesn't clearly define positive and negative in this context. Does this mean that 1 time in 20 when a valid card attempts a connection, it is refused? or that 1 time in 20, a spoofer gets in?
  • Apple will be glad to hear that. I think they're getting tired of people making fun of their ads.

    • What? Making fun of the Apple ads? But they so accurately depict the state of computing circa 1997 so well...

      "Peabody, set the wayback machine to the time of rampant computer viruses in the wild..."
  • Quoth the posting:

    "... it's the end of MAC spoofing on wireless networks ..."

    If implemented, of COURSE it is the end of MAC spoofing. But it is only the BEGINNING of WiFi fingerprint spoofing ...

  • by Ancient_Hacker ( 751168 ) on Tuesday September 05, 2006 @03:16PM (#16046770)
    waay back at the very start of real "Wireless" communication, the transmitters were these hefty spark-gaps, often modulated by a spinning set of electrodes. And back then most houses had DC power, and unsteady power at that.

    And each transmitter was hand-built, using rather rough tools.

    All these things ensured that each signal had its own quirks, in time, frequency, and temperature. Radio ops could often identify transmitters by the particular yawps, swooshes, and zaps of the signal. Not to mention, identifying the morse code operator by his particular "fist", i.e. spacing and other personal quirks.

    Then during WW2 our side started using spectrum analyzers to categorize each model of German and Japanese radar. Here again each transmitter tended to have its own set of quirks.

    Now, surprise, the same thing gets rediscovered. On some low level each wireless card has some (shuddrr) analog controlled oscillators, frequency dividers, duplexers, antennas, and amplifiers, each with its own slight amplitude, frequency, and phase characteristics.

    So nothing new here. Not by like, almost 100 years.

  • by TomRC ( 231027 ) on Tuesday September 05, 2006 @03:16PM (#16046771)
    If this is an analog fingerprint, there's a chance it'll change over time, under different conditions of heat, etc. Doesn't sound trustworthy.
  • by smcavoy ( 114157 ) on Tuesday September 05, 2006 @03:28PM (#16046851)
    Why would you rely on such a silly system?
    • by Shotgun ( 30919 )
      Because, it is extremely simple and a very effective lock against 99.9% of the people out there. The time and energy needed to implement more advanced solutions are then balanced against the time and energy required to recover from a hack times the possibility of it occurring. The latter is generally found wanting.

    • ...because I'm not particularly concerned about snooping and it's an easy way to keep out the casual leechers without affecting bandwidth in the slightest?
    • by izomiac ( 815208 )
      You rely on it about as much as you would a lock on your door. Easily defeated, but it keeps honest people honest. I, for one, live on a college campus. I prefer using WPA, but one of my devices doesn't support it. Rather than memorize long WEP keys (as I inevitably have to re-enter them from time to time), I just use MAC filtering. It keeps clueless people off my router, and since there's one "linksys" network in range, I doubt anyone is going to bother trying to get onto mine. The lack of encryption
  • it's the end of MAC spoofing on wireless networks.

    That would be nice. Wake me when it happens.

    Of course, there goes your defense when the RIAA sues you for filesharing, and your defense is, "It musta been someone hacking into my wireless network."
