http://www.caida.org/outreach/papers/2005/fingerprinting/
Remote physical device fingerprinting
To be presented at the IEEE Symposium on Security and Privacy, May
8-11, 2005
Tadayoshi Kohno
Department of Computer Science and Engineering
University of California, San Diego
Andre Broido and kc claffy
Cooperative Association for Internet Data Analysis - CAIDA
San Diego Supercomputer Center,
University of California, San Diego
We introduce the area of remote physical device fingerprinting, or
fingerprinting a physical device, as opposed to an operating system or
class of devices, remotely, and without the fingerprinted device's
known cooperation. We accomplish this goal by exploiting small,
microscopic deviations in device hardware: clock skews. Our techniques
do not require any modification to the fingerprinted devices. Our
techniques report consistent measurements when the measurer is
thousands of miles, multiple hops, and tens of milliseconds away from
the fingerprinted device, and when the fingerprinted device is
connected to the Internet from different locations and via different
access technologies.
Further, one can apply our passive and semi-passive techniques when
the fingerprinted device is behind a NAT or firewall, and also when
the device's system time is maintained via NTP or SNTP. One can use
our techniques to obtain information about whether two devices on the
Internet, possibly shifted in time or IP addresses, are actually the
same physical device. Example applications include: computer
forensics; tracking, with some probability, a physical device as it
connects to the Internet from different public access points; counting
the number of devices behind a NAT even when the devices use constant
or random IP IDs; remotely probing a block of addresses to determine
if the addresses correspond to virtual hosts, e.g., as part of a
virtual honeynet; and unanonymizing anonymized network traces.
http://www.caida.org/outreach/papers/2005/fingerprinting/
Monty Solomon (monty@roscom.com)