Wi-Fi Fingerprints -- the End of MAC Spoofing?
judgecorp writes, "Wireless devices can be identified by variations in their radio signaling, known as their 'transceiverprint,' according to research reported in Techworld. The Canadian researcher, Jeyanthi Hall, related the prints to MAC addresses and got a positive ID for devices connecting to a Wi-Fi network, claiming 95% success with no false positives. Once they work out how to do this without a dedicated signal analyzer and neural network processing, it's the end of MAC spoofing on wireless networks."
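The MAC-to-transceiverprint check the summary describes, sketched as an added example (not Hall's code or method): each known MAC is enrolled with the statistics of a few measured signal features, and a later frame is flagged when its features sit far from the print of the MAC it claims. The three features, the noise figures and the two radios are constructed stand-ins for whatever the signal analyzer and neural network actually measured.

```python
import math
import random

# Added illustration, not Hall's classifier: the three features (carrier frequency
# offset, rise time, amplitude ripple) are assumed stand-ins; all values are constructed.
DEVICES = {  # MAC -> (offset_khz, rise_time_us, ripple_db) of the genuine radio
    "00:11:22:33:44:55": (12.0, 1.40, 0.80),
    "66:77:88:99:aa:bb": (-7.5, 1.55, 0.35),
}
NOISE = (0.3, 0.02, 0.05)  # per-capture measurement jitter of each feature

def capture(rng, true_params):
    """One noisy measurement of a radio's transient features."""
    return tuple(p + rng.gauss(0, s) for p, s in zip(true_params, NOISE))

def enroll(samples):
    """Per-MAC print: mean and std of each feature over trusted captures."""
    prints = {}
    for mac, rows in samples.items():
        n = len(rows)
        means = [sum(r[i] for r in rows) / n for i in range(3)]
        stds = [max(math.sqrt(sum((r[i] - m) ** 2 for r in rows) / n), 1e-6)
                for i, m in enumerate(means)]
        prints[mac] = (means, stds)
    return prints

def distance(print_, obs):
    """Z-scored Euclidean distance of an observation from a print."""
    means, stds = print_
    return math.sqrt(sum(((o - m) / s) ** 2 for o, m, s in zip(obs, means, stds)))

def check_frame(prints, claimed_mac, obs, threshold=4.0):
    """Flag a frame whose features sit far from the print of the MAC it claims.
    The threshold trades missed spoofs against false alarms on genuine radios."""
    if claimed_mac not in prints:
        return "unknown-mac"
    return "match" if distance(prints[claimed_mac], obs) <= threshold else "spoof"

def enrolled_prints(seed=7, n=20):
    """Reference prints for every known radio, from n trusted captures each."""
    rng = random.Random(seed)
    return enroll({mac: [capture(rng, p) for _ in range(n)] for mac, p in DEVICES.items()})

def demo(seed=7):
    """A genuine frame, then the second radio transmitting with the first one's MAC."""
    prints, rng = enrolled_prints(seed), random.Random(seed + 1)
    a, b = DEVICES  # dict keys in insertion order
    return {"genuine": check_frame(prints, a, capture(rng, DEVICES[a])),
            "spoofed": check_frame(prints, a, capture(rng, DEVICES[b])),
            "unknown": check_frame(prints, "de:ad:be:ef:00:01", capture(rng, DEVICES[b]))}
```

The threshold is where the "95% with no false positives" claim lives: lowering it catches closer imitations but starts rejecting the genuine radio as its own measurements drift.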
Cool hack, but who cares... (Score:5, Interesting)
Re:Cool hack, but who cares... (Score:5, Interesting)
Encryption is good, but it doesn't solve every security problem.
Re: (Score:3, Informative)
Re: (Score:3, Insightful)
Yeah, but let's face it ... you probably don't and neither do I.
Access control lists are a simple concept that administrators understand. It would be a good thing if they could be implemented reliably with ordinary Wi-Fi.
Re: (Score:3, Insightful)
Re: (Score:2)
Works fine with Windows. I sadly don't have a Mac to test it with.
Re: (Score:3, Informative)
Re: (Score:2, Insightful)
Re: (Score:2)
Re: (Score:3, Informative)
Re: (Score:2, Informative)
Stuff I saw at DEFCON 14 [personalwireless.org]
multi-fpga array + 4 million passwords + 2000 SSIDs + 2 days? = 40GB rainbow table = fast WPA cracking. USE FULL STRENGTH PASSWORDS!
Re: (Score:2)
Also, WPA2 has the exact same vulnerability.
Re: (Score:2, Insightful)
What about vulnerabilities, according to:
http://www.informit.com/articles/article.asp?p=369221&rl=1 [informit.com]
- One flaw allowed an attacker to cause a denial-of-service attack, if the attacker could bypass several other layers of protection.
- A second flaw exists in the method with which WPA initializes its encryption scheme. Consequently, it's actually easier to crack WPA than it is to crack WEP.
Now, IS WPA more secure than WEP?
Is it possible to have Secure WIFI ne
Re: (Score:2)
As to the second, you should have read the second part of that article:
The problem isn't directly related to the algorithm or WPA initialization process, but is instead tied to the simple fact that the process can be reproduced. This fact, combined with the reality that most users select poor passwords, provides an opportunity that can be exploited.
(emphasis mine).
They're just talking about brute-forcing the password. Rainbow tables s
Re: (Score:2)
Re: (Score:2)
Beyond that, what difference does it make if the computer is a real Apple computer or not?
the end of wireless mac spoofing?! no way (Score:2)
I expect to see a high-end wireless card come out soon that will 'emulate' the hardware differences quite nicely
Re:the end of wireless mac spoofing?! no way (Score:5, Informative)
If you RTFA, you would have seen that manufacturing variations yield differences even among the exact make and model -- e.g. that minor circuitry, amplifier and antenna variations yield a unique signature.
Re: (Score:2, Interesting)
So, will this mean that if I buy a new antenna or break off my old antenna that my network will no longer recognize me?
How much variation will it handle? When my antenna heats up will it still have the same signature?
Re: (Score:3, Informative)
Re:the end of wireless mac spoofing?! no way (Score:4, Interesting)
But jumping from its use as a forensic tool to something which could be used for authentication / spoofing detection on cheap networking gear is far from trivial. It's hard to imagine most wifi users paying to add the necessary gear to their access points. No matter how wonderful your pattern matching algorithm may be, you still need a sensitive front end and a very fast sample rate to get the data in the first place. It's hard to imagine a scenario where the hardware needed to identify tiny perturbations on a signal wouldn't be a lot more expensive than the hardware needed to detect the signal itself.
Even as a forensic tool, the low cost of computer networking gear leaves an obvious out for savvy hackers: just load up on $5 wireless cards whenever you see them on sale, and throw each away after every successful use. It's a whole lot easier for most people to swap out networking hardware than to replace amateur radio transmitters. You could still use it to distinguish in real time between a particular legitimate user and an outsider, but that doesn't buy you very much unless it's cheap and robust enough to leave running at all times on every access point.
Re:the end of wireless mac spoofing?! no way (Score:4, Interesting)
I think the whole point of this article is that this will no longer be a valid method of protecting your identity since you might be identified by your "radio fingerprint" or "footprint" or wtfever.
Re: (Score:2)
What I gathered from the article is that (when this tech gets integrated into IDS) you can't pretend to be someone else on a network with only specific authorized MACs.
You could still hide your identity pretty well with a spoofed MAC on an open network. Do you think the manufacturers keep a database of RF signatures f
Re: (Score:2)
Not yet, but when/if this technology becomes widespread, do you really think that some law won't be passed requiring just that?
The question isn't whether you're Paranoid, [Lenny], the question is whether you're paranoid enough. --strange days
Re: (Score:2)
Using WPA with Radius isn't that difficult
Re: (Score:2)
The only thing that Big Brother wou
Re: (Score:2)
So swap in a different wireless card when you're emailing out dissident literature. You could use a new card every couple of weeks for less than your lunch budget.
Nice try, but... (Score:2, Insightful)
(any wagers on how many other "first comments" will say the same thing?)
Re: (Score:2)
=Smidge=
Re: (Score:2)
If I take a screwdriver and bend some of the metal around the shielding on the wifi unit, will it alter these characteristics?
Re: (Score:2)
Re: (Score:2)
Der di Der, my bad
Re: (Score:2)
-nB
Re: (Score:2)
This is the same argument why fingerprint/retina scanners can also be hacked - at some point all data, no matter how it is gathered, is converted into 1s and 0s - and can be copied/spoofed.
Nothing new. (Score:2, Informative)
http://www.motron.com/TransmitterID.html [motron.com]
Re: (Score:2)
You can even do it by ear (Score:2)
Some years back when mayhem was happening to a local 2m NBFM repeater, I got into the habit of leaving an allmode radio monitoring the input, in USB mode. That lets you hear exactly what the FM carrier is doing.
All FM radios have a different keyup chirp. That is, when you key up they start on some frequency and drift off to their final frequency over a short period of time. Some do it quickly, some slowly, but all start off on and end on a different pair of frequencies. Some would also have a tendency to
The sample was 15 devices (Score:4, Insightful)
Re:The sample was 15 devices (Score:5, Insightful)
Does anyone remember the good old days when your garage remote control that you just bought from Sears would open the door down the street? That's why they had to put in the codes. Just relying on a "fingerprint" when the majority of devices are from the same manufacturer is just a false sense of security.
However, if you really want to be scared, just google "bump key"...
Re: (Score:2)
As a doctoral student, Dr Hall analysed the RF signals of fifteen devices from six manufacturers, and found it was possible to distinguish clearly, even between devices from the same manufacturer.
So it doesn't matter if everyone uses Centrino - they can still tell them apart. The key point is that no two devices are identical - there are always differences in the manufacturing process that make them behave differently. Sure, at 10 or 54 Mbps they look the same but w
your paper is about 10baseT (Score:2)
Re: (Score:2)
Re: (Score:2)
The issue here is figuring out
Re: (Score:2)
Re: (Score:2)
I think you might be missing the point; it's not that these things are unique, it's that they are semi-unique and hard to replicate.
Re: (Score:2)
14 right of 15 is 93.3333 percent.
So they did better than 14 but less than perfect - humm.
Re: (Score:2)
Re: (Score:2)
That is assuming... (Score:2)
Albeit the military and security conscious would still buy it.
Old Idea (Score:5, Interesting)
Re: (Score:2, Funny)
2) Apply to new technology
3) Patent (Optional)
4) Profit!
Sheesh, there aren't even any unknowns in this one. Where are you confused?
Poor success rate (Score:2)
Re: (Score:2)
So, 5% is far too high to be used on its own, but it isn't completely useless.
Re: (Score:2)
You mean like getting the cheap wireless card to work on my Linux laptop?
Welcome to the 80's! (Score:5, Funny)
Sample size too small (Score:3, Insightful)
http://www.mathworks.com/company/user_stories/use
Wi-Fi fingerprinting does not work (Score:3, Interesting)
Just spoof the fingerprint (Score:3, Interesting)
Re:Just spoof the fingerprint (Score:4, Informative)
Re:Just spoof the fingerprint (Score:5, Interesting)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re:Just spoof the fingerprint (Score:4, Insightful)
It seems to me one could build analog electronics that allows signal parameters (frequency, rise time, etc.) to be electronically tuned based on the detected signal... after all, if they can identify a signal with high accuracy, then the traits to be spoofed may be distinguishable enough to be accurately measured.
Given a sufficiently powerful software defined radio, a tunable amplifier and a tunable antenna, I don't think this is impossible. It's a heck of a lot more expensive than a WLAN card, for sure. It's also a problem that a neural network is used for identification, since neural networks are a notoriously poor analysis tool from which to extract usable rules. However, given their sample size and lack of other info in the article (of other methods of forecast analysis), it is difficult to say whether the required system is so complicated that it is an intractable problem to reverse engineer the measured characteristics. I'm not convinced it is.
Re: (Score:2)
Those tolerances are more like 5 and 10%. At least that is what is guaranteed by the manufacturer. Actual tolerances are usually much closer.
A published
Re: (Score:2)
Re: (Score:2)
Now the COST of the generating gear may be prohibitive, but it certainly MUST be practical.
Ratboy
Re: (Score:2)
You are WAY out in left field man.
Doing so requires adding a digital filter to the digital output of the DSP that is the matched filter of the difference between your card and their card.
It doesn't matter what in the RF section is different because you will be compensating for that digitally.
There are going to be cases where the filter can't adjust enough, but for practic
Yeah, right. Sure. Uh-huh. What a dolt. (Score:2)
1) MAC addresses are easily cloned; it's child's play
2) Spoofing above the MAC layer is difficult
3) This methodology produces no false positives
4) The hacker community will find what the characterizations are then
5) Find nice and easy ways of memorizing the characterizations so that
6) They can continue to spoof whatever they want, whenever they want.
So, yes, there are additional authentications that make things easier to secure -- but changing the character of a card isn't difficult to do as today,
Re: (Score:2, Insightful)
Each radio in existence has a unique signal generated, mostly due to component variation in each production run. Resistors and capacitors in circuits are designed to tolerate a certain amount of variation in resistance, capacitance, etc etc. It's difficult to replicate - and by 'difficult', I mean an electrical engineer with a laboratory full of equipment and a team working for him would find it difficult. A signal
Really: Think about this. (Score:3, Informative)
I don't think so.
Instead, a few little twigs will be used, and those twigs will define what's going on. Call it engi
I don't think so..... (Score:4, Insightful)
1. Amplitude
2. Phase shift
3. Signal cadencing... e.g. micro-sliced events
4. Parasitics
5. Encoding profiling.
And the success is 95%. That's wonderful. Bring it on.
Your supposition that it would have to be "100 percent atom for atom identical" is pure hubris. You obviously have little engineering training. Try again.
the only way (Score:4, Funny)
Nah, we'll only see the end of Mac spoofing when they stop making commercials with that goofball that looks like Bill Gates.
wow, lots of work (Score:3, Insightful)
Nothing new (Score:2, Interesting)
He had a very (VERY) expensive receiver that had a built-in spectrum analyzer, and they logged all calls with a timestamp and the frequency drift (stored as a 512 bit word) of the transmitter currently using the channel. Each time the operator suspected that he/she had a spoofed call they pushed a button that activated 4 direction finders that logged the timestamp and
Neural Net? (Score:2)
http://xmit.penguinman.com/xmit_id.html [penguinman.com]
This is old tech that Amateur radio users have had for 10 years now.
Seen it before (Score:5, Interesting)
I work for Big Cellphone Company. We tried the same scheme in the mid '90s when analog phone cloning was all the rage (remember when it used to cost $1.50/minute? Ahhhhh, the good old days). It works, kind of.
The problem is you're not trying to decide whether or not to retry a packet, or what the transmit power should be. You're trying to decide whether or not to provide service, so you really can't afford to be wrong. We were never really able to get an acceptable reliability in the wild.
Believe me, we had a huge incentive to roll this out to our network. The marginal bandwidth costs from fraud didn't hurt much, but when someone made a call to, say, Saudi Arabia on a cloned phone we got stuck with all the fees on the other end. A single cloning ring could cost millions, so Big Cellphone Company was willing to break the bank to get this to work.
Eventually we rolled out digital service, so the project got shut down. Cloning fraud was one of the reasons we were willing to give you a free phone if you switched over to digital. Well, that and the long-term contract.
acoustic fingerprinting on AMPS (Score:2)
Is this similar to Van Ecks?? (Score:2)
Reading between the lines... (Score:2)
The End of MAC Spoofing? (Score:2)
Re: (Score:2)
"Peabody, set the wayback machine to the time of rampant computer viruses in the wild..."
Truism (Score:2)
"... it's the end of MAC spoofing on wireless networks ..."
If implemented, of COURSE it is the end of MAC spoofing. But it is only the BEGINNING of WiFi fingerprint spoofing ...
What's old is new again. (Score:5, Interesting)
And each transmitter was hand-built, using rather rough tools.
All these things ensured that each signal had its own quirks, in time, frequency, and temperature. Radio ops could often identify transmitters by the particular yawps, swooshes, and zaps of the signal. Not to mention identifying the Morse code operator by his particular "fist", i.e. spacing and other personal quirks.
Then during WW2 our side started using spectrum analyzers to categorize each model of German and Japanese radar. Here again each transmitter tended to have its own set of quirks.
Now, surprise, the same thing gets rediscovered. On some low level each wireless card has some (shudder) analog controlled oscillators, frequency dividers, duplexers, antennas, and amplifiers, each with its own slight amplitude, frequency, and phase characteristics.
So nothing new here. Not by like, almost 100 years.
I don't think it can be trusted... (Score:3, Insightful)
people actually use MAC filtering? (Score:4, Interesting)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Nice (Score:2)
That would be nice. Wake me when it happens.
Of course, there goes your defense when the RIAA sues you for filesharing, and your defense is, "It musta been someone hacking into my wireless network."
Re: (Score:2)
Re: (Score:2)
The first rule about ham radio is you don't talk about ham radio. (Especially ON a ham radio)
Re: (Score:2)
Here is the motron system:
http://www.motron.com/TransmitterID.html [motron.com]
Re: (Score:2)
As to making a completely erratic, changing print - sure. However, while this would prevent tracking it would me
Re:Moo (Score:5, Insightful)
This idea is more than sixty years old (Score:5, Interesting)
ian
Re: (Score:3, Informative)
In principle, yes this is possible, but not in practice. The error modulations color the smallest unit of modulation - the pulse. To "hide" the fingerprint, we would need to have a modulation capability at least one (and probably more) order of magnitude faster than what is being used to generate the pulse. While there likely are DSP chips fast enough to do this
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)