Tuesday, March 08, 2005

Remote Fingerprinting Computer Hardware

A new step towards the end of anonymity: remote fingerprinting of physical devices is introduced in this paper by (primary) author Yoshi Kohno: Remote Physical Device Fingerprinting. By making use of the clocks in, for example, computers connected to the Internet, these devices can be traced back through firewalls, anonymizers, etc. Must be (too) useful for both public and private law enforcement on the net.

Here's the abstract:
We introduce the area of remote physical device fingerprinting, or fingerprinting a physical device, as opposed to an operating system or class of devices, remotely, and without the fingerprinted device's known cooperation. We accomplish this goal by exploiting small, microscopic deviations in device hardware: clock skews. Our techniques do not require any modification to the fingerprinted devices. Our techniques report consistent measurements when the measurer is thousands of miles, multiple hops, and tens of milliseconds away from the fingerprinted device, and when the fingerprinted device is connected to the Internet from different locations and via different access technologies. Further, one can apply our passive and semi-passive techniques when the fingerprinted device is behind a NAT or firewall, and also when the device's system time is maintained via NTP or SNTP. One can use our techniques to obtain information about whether two devices on the Internet, possibly shifted in time or IP addresses, are actually the same physical device. Example applications include: computer forensics; tracking, with some probability, a physical device as it connects to the Internet from different public access points; counting the number of devices behind a NAT even when the devices use constant or random IP IDs; remotely probing a block of addresses to determine if the addresses correspond to virtual hosts, e.g., as part of a virtual honeynet; and unanonymizing anonymized network traces.
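To make the "clock skew" idea in the abstract concrete, here is an added example (not code from the paper or its authors) that estimates a device's skew in parts per million from constructed observations and compares two traces. It assumes the measurer sees a timestamp set by the device's clock in each packet, and it uses an ordinary least-squares fit chosen here for brevity; `make_trace`, `estimate_skew_ppm` and `same_device` are hypothetical names.

```python
import random

def make_trace(skew_ppm, n=1800, interval=1.0, jitter_ms=5.0, seed=0):
    """Constructed sample data: (measurer_time_s, device_timestamp_s) pairs.

    The device clock gains skew_ppm microseconds per second, and every
    packet arrives after a random network delay of up to jitter_ms.
    """
    rng = random.Random(seed)
    trace = []
    for i in range(n):
        sent = i * interval                                # true send time
        device_ts = sent * (1 + skew_ppm * 1e-6)           # device's own clock
        recv = sent + rng.uniform(0, jitter_ms) / 1000.0   # measurer's clock
        trace.append((recv, device_ts))
    return trace

def estimate_skew_ppm(trace):
    """Slope of the observed offset (device time minus measurer time)
    against measurer time, fitted by least squares, returned in ppm."""
    t0, d0 = trace[0]
    xs = [t - t0 for t, _ in trace]
    ys = [(d - d0) - (t - t0) for t, d in trace]
    n = len(xs)
    mean_x, mean_y = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    return sxy / sxx * 1e6

def same_device(trace_a, trace_b, tolerance_ppm=2.0):
    """Two traces are consistent with one device if their skews agree
    within tolerance_ppm (an assumed threshold, not a value from the paper)."""
    diff = abs(estimate_skew_ppm(trace_a) - estimate_skew_ppm(trace_b))
    return diff <= tolerance_ppm

if __name__ == "__main__":
    a = make_trace(37.0, seed=1)    # device A, first session
    b = make_trace(37.0, seed=2)    # device A again, different delays
    c = make_trace(-12.0, seed=3)   # a different device
    print(round(estimate_skew_ppm(a), 2), same_device(a, b), same_device(a, c))
```

A match in skew only says two traces are consistent with one device; how many devices share a skew within the tolerance limits how much weight that carries.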

1 Comments:

Anonymous said...

I'm only about halfway through the paper, but one of the limitations of the technique may be that it can distinguish only a fairly small number of machines. They're measuring skew in parts per million. Assuming no clock has a skew worse than 7ms/sec (about 10 minutes per day, if I've done the math right), that means about 14,000 possible fingerprints. I'd be surprised if they could push to higher resolutions since skew may vary with the motherboard's temperature. So you probably can't uniquely fingerprint every machine on the Internet, but you probably can count individual machines behind a firewall, isolate a particular machine if you know a set of sites it characteristically visits, or tell a jury "we think Alice was here on this date, and the clock skew matches her machine's".

31/3/05 07:04  
