Tracking PCs anywhere on the Net

Anonymous Internet access just got harder. A doctoral student at the University of California, San Diego has shown that computer hardware can be fingerprinted remotely, allowing a machine to be recognised, with some probability, wherever it connects to the Internet.

In the paper describing the research, written with Andre Broido and KC Claffy of CAIDA, lead author and Ph.D. student Tadayoshi Kohno says: "There are now a number of powerful techniques for remote operating system fingerprinting, that is, remotely determining the operating systems of devices on the Internet. We push this idea further and introduce the notion of remote physical device fingerprinting ... without the fingerprinted device's known cooperation."

The potential applications for Kohno's technique are impressive. For example, "tracking, with some probability, a physical device as it connects to the Internet from different access points, counting the number of devices behind a NAT even when the devices use constant or random IP identifications, remotely probing a block of addresses to determine if the addresses correspond to virtual hosts (for example, as part of a virtual honeynet), and unanonymising anonymised network traces."

NAT (network address translation) is a technique, not a protocol, in which a gateway rewrites packet addresses so that all the machines behind it share a single public IP address; from outside, those machines are normally indistinguishable from one another.

Kohno seems to be aware of the interest from surveillance groups that his techniques could generate, saying in his paper: "One could also use our techniques to help track laptops as they move, perhaps as part of a Carnivore-like project". Carnivore was Internet surveillance software built by the United States' Federal Bureau of Investigation. Earlier in the paper Kohno foreshadowed possible forensic applications, saying that investigators could use his techniques "to argue whether a given laptop was connected to the Internet from a given access location".

Another application for Kohno's technique is to "obtain information about whether two devices on the Internet, possibly shifted in time or IP addresses, are actually the same physical device."

The technique works by "exploiting small, microscopic deviations in device hardware: clock skews." A clock skew is the rate, typically tens of parts per million, at which a particular crystal-driven clock gains or loses time against true time. In practice, Kohno's paper says, his techniques "exploit the fact that most modern TCP stacks implement the TCP timestamps option from RFC 1323 whereby, for performance purposes, each party in a TCP flow includes information about its perception of time in each outgoing packet. A fingerprinter can use the information contained within the TCP headers to estimate a device's clock skew and thereby fingerprint a physical device." Because the timestamp value is read from the sender's own clock, comparing the stamps in a stream of packets against the observer's clock exposes that rate.
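As an added worked example (not code from the paper or from the article), the estimator below follows the passive method the quote describes: take the TCP timestamp value (TSval) from each packet the host sends, convert it to seconds using the host's timestamp-clock frequency, subtract the observer's own elapsed time, and fit a line to the resulting offsets; the slope of that line is the skew. The paper solves the fit as a linear program; enumerating the edges of the upper convex hull, as done here, is one way of solving that program exactly. The packet trace is constructed, not captured, and the delay model, the frequency-rounding step and the `same_device` threshold are assumptions of this example rather than the paper's criteria. The line is fitted from above because network queueing can only delay a packet, which lowers its offset. The same estimator serves the "same physical device" question raised above: two traces whose estimated skews agree within a few parts per million are candidates for the same hardware.

```python
"""Passive clock-skew estimation from TCP timestamp (TSval) samples.
Added illustration of the method described in the article; the packet
trace is constructed, not captured."""
import random

MASK32 = 0xFFFFFFFF   # TCP timestamp values are 32-bit counters that wrap


def _cross(o, a, b):
    """2-D cross product of (a - o) and (b - o); its sign gives the turn direction."""
    return (a[0] - o[0]) * (b[1] - o[1]) - (a[1] - o[1]) * (b[0] - o[0])


def estimate_hz(samples):
    """Timestamp clock frequency (ticks per second) from (t_i, T_i) pairs,
    where t_i is the observer's receive time in seconds and T_i the TSval.
    Least-squares slope of ticks against observer time through the first
    sample, rounded: a skew of tens of ppm cannot move it off the integer
    (assumption: the host uses an integer tick rate, as real stacks do)."""
    t0, T0 = samples[0]
    num = den = 0.0
    for t, T in samples[1:]:
        x = t - t0
        v = (T - T0) & MASK32        # modular difference survives the 32-bit wrap
        num += x * v
        den += x * x
    return round(num / den)


def offsets(samples, hz):
    """Points (x_i, y_i): x_i = observer elapsed time, y_i = host elapsed time
    according to its own timestamp clock minus x_i.  With no skew and no
    extra delay every y_i would be zero."""
    t0, T0 = samples[0]
    return [(t - t0, ((T - T0) & MASK32) / hz - (t - t0)) for t, T in samples]


def fit_upper_line(pts):
    """Line y = a*x + b on or above every point that minimises the total
    vertical distance to the points (the linear-programming fit).  Queueing
    delay can only make a packet arrive later, which lengthens x_i and pulls
    the point *below* the ideal line, so the bound is taken from above.
    The optimum passes through an edge of the upper convex hull, so it is
    enough to build the hull (monotone chain) and test each edge."""
    pts = sorted(pts)
    hull = []
    for p in pts:
        while len(hull) >= 2 and _cross(hull[-2], hull[-1], p) >= 0:
            hull.pop()
        hull.append(p)
    n = len(pts)
    sx = sum(x for x, _ in pts)
    sy = sum(y for _, y in pts)
    best = None
    for (x1, y1), (x2, y2) in zip(hull, hull[1:]):
        if x2 == x1:
            continue
        a = (y2 - y1) / (x2 - x1)
        b = y1 - a * x1
        cost = a * sx + n * b - sy   # total height of the line above the points
        if best is None or cost < best[0]:
            best = (cost, a, b)
    return best[1], best[2]


def clock_skew_ppm(samples):
    """Skew of the sender's timestamp clock in parts per million."""
    hz = estimate_hz(samples)
    slope, _ = fit_upper_line(offsets(samples, hz))
    return slope * 1e6


def same_device(skew_a_ppm, skew_b_ppm, tolerance_ppm=5.0):
    """Crude identity test (an assumption of this example, not the paper's
    criterion): two traces with skews within the tolerance may be one machine."""
    return abs(skew_a_ppm - skew_b_ppm) <= tolerance_ppm


def constructed_trace(skew_ppm, hz=1000, n=1200, interval=5.0, seed=7):
    """Constructed packet trace, not a real capture.  The host stamps each
    packet from a clock that runs at hz*(1 + skew) ticks per true second;
    the observer records arrival after 20 ms plus non-negative exponential
    jitter (mean 10 ms) standing in for queueing delay."""
    rng = random.Random(seed)
    rate = hz * (1 + skew_ppm * 1e-6)
    tsval_start = (1 << 32) - 3_000_000   # chosen so the counter wraps mid-trace
    trace = []
    for i in range(n):
        sent = i * interval                                # true time of sending
        tsval = (tsval_start + int(rate * sent)) & MASK32  # value carried in the option
        recv = sent + 0.020 + rng.expovariate(1 / 0.010)   # observer's clock
        trace.append((recv, tsval))
    return trace


if __name__ == "__main__":
    host_a, host_b = constructed_trace(50.0), constructed_trace(-120.0, seed=11)
    for name, trace in (("host A", host_a), ("host B", host_b)):
        print(f"{name}: Hz={estimate_hz(trace)} skew={clock_skew_ppm(trace):+.1f} ppm")
    print("same device?", same_device(clock_skew_ppm(host_a), clock_skew_ppm(host_b)))
```

Two traces of the same constructed host recorded with different jitter (different seeds) give skews that agree to well under one part per million, while hosts with different skews are separated clearly; a real capture would feed `(receive_time, TSval)` pairs from one TCP flow into `clock_skew_ppm` in place of `constructed_trace`.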

Kohno goes on to say: " Our techniques report consistent measurements when the measurer is thousands of miles, multiple hops, and tens of milliseconds away from the fingerprinted device, and when the fingerprinted device is connected to the Internet from different locations and via different access technologies. Further, one can apply our passive and semi-passive techniques when the fingerprinted device is behind a NAT or firewall."

And the paper stresses that "For all our methods, we stress that the fingerprinter does not require any modification to or cooperation from the fingerprintee." Kohno and his team tested their techniques on many operating systems, including Windows XP and 2000, Mac OS X Panther, Red Hat and Debian Linux, FreeBSD, OpenBSD and even Windows for Pocket PC 2002.

"In all cases," the paper says, "we found that we could use at least one of our techniques to estimate clock skews on the machines and that we required only a small amount of data, although the exact data requirements depended on the operating system in question."

A larger experiment also proved fruitful for the researchers. "We also measured the clock skews of 69 (seemingly identical) Windows XP SP1 machines in one of our institution's undergraduate computing facilities. The latter experiment, which ran for 38 days, as well as other experiments, show that the clock skew estimates for any given machine are approximately constant over time, but that different machines have detectably different clock skews," said the paper.

Although the paper says that "It has long been known that seemingly identical computers can have disparate clock skews," it goes on to conclude that "the main advantage of our techniques ... is that our technique can be mountable by adversaries thousands of miles and multiple hops away."

Information about the technique came to light when KC Claffy, principal investigator for the Cooperative Association for Internet Data Analysis (CAIDA) forwarded information about the project to a mailing list, "in the interest of full and early disclosure". However Claffy also said in her email: "Please don't forward to any bad guys." Kohno is also associated with CAIDA.

Kohno's research is due to be presented at the Institute of Electrical and Electronics Engineers Symposium on Security and Privacy, to be held in Oakland, California in May.


Talkback 24 comments

  1. Anonymous -- 04/03/05

    I'm impressed - didn't understand a word of it, but sounds impressive!

  2. Anonymous -- 05/03/05

    still won't uncover criminals - they'll just figure out a way to change clock skew. TCP/IP stacks can be rewritten to remove the timestamps from the header, so tracking by that won't last for long. And the whack-a-mole trip goes on...

  3. Anonymous -- 05/03/05

    Great! Now the CRIMINALS of the world can practice their new enhanced hacking skills (thanks to this article broadcast everywhere) to everybody connected to the net. Now there is even LESS privacy for all of us at a time when we need it more than ever.

  4. Anonymous -- 05/03/05

    So, we malform the header with a bit of randomization for the cost of some minimal performance degradation? By the way, it's not "criminal" to seek anonymity. The human right of Free Speech, in any country, is best served by the ability to speak anonymously. One could imagine this being used by a government to track dissident voices on the Web -- not just unethical hackers and pirates.

  5. Anonymous -- 05/03/05

    While it may be used to confirm that two IP addresses are effectively one, I don't see how it can be used to actually track anything.

    1) I sign on with a different ISP, or even renew DHCP, and the tracker would have to sift through billions of IP addresses and billions^billions conversations, comparing each one to my fingerprint, in order to identify me. Unlike a fingerprint database, IP information is dynamic and thus you cannot simply do a static comparison against a data bank.

    2) to get the timestamp a "tracker" would have to either establish a TCP connection with the machine being tracked, break into an existing TCP connection, or obtain permission to monitor on the server.

  6. Anonymous -- 05/03/05

    adjust system clock minutely before you connect to defeat this

  7. Anonymous -- 05/03/05

    A surveillance agency (or criminal organization) could start building a database of machine signatures by passively tapping a major Internet peering point.

    The computer's IP address would not be the database record key. The key would be derived from the unique and persistent timing skew in the packet timestamps, e.g., "ontime, ontime, little-late, ontime, way early -- ahah, that's that computer in Perth again."

    The database could include current and historical IP addresses that have been associated with that machine.

    Some simple statistical analysis of the entire database might easily reveal users of anonymous proxies or mixnets, assuming the packet timestamps are not altered at the anonymizing proxy.

    Texas Analyst: the anonymization you refer to can be done at the firewall with a barely detectable performance penalty. Anonymizers should immediately add this feature to defeat the kind of profiling described in the article. The signatures imposed on the outgoing packets should come from a small list of known artificial ones, and should rotate at short intervals.

    Vancouver Law: the hypothetical spying tool could capture the signatures in realtime, and sift billions of records later at leisure to match possible IP addresses. The technology is within the reach of many small IT consulting companies (or criminal gangs).

    The hardest part of doing this is tapping the large traffic stream. I would not use a remote exploit to accomplish this. I would get a job as a janitor at a data center, or just bribe an underpaid network admin if I were in a hurry.

    That said, it will be quite difficult to audit peering points to prevent this exploit.

    -Samsa G.

  8. Anonymous -- 05/03/05

    If you don't have to provide "proof" when authenticating to a wireless network via credit card, and even then that could be fake, then how would you track a computer?
    If you're online for 2 minutes, long enough to send a long message, all you could do is map an IP to a MAC address and narrow it down to a location or ISP or whomever is providing the IP address and maintains the MAC table.
    In addition, a lot of people run wireless at home; doing some war driving you can gain access to a home user's network and the IP would trace back to that specific user's home. MAC resolution would conclude that it wasn't this home user after any forensics were done.
    If a laptop user has multiple laptops or can manipulate their MAC address they can gain access to the internet indefinitely without being caught.
    Similar to Carnivore, the only way to find a location and the hardware, you would have to be looking for a specific MAC, not IP, and still, if it's on a wireless "free" network or "home" user how do you find it physically?
    The only way I can think of to pinpoint a physical location, not a logical IP address schema, is GPS, so to me it's all theory and won't work via an application. If you're smart about it, Carnivore can't catch you either.

  9. Anonymous -- 05/03/05

    For those who didn't read or understand the article or the paper, changing your clock will not prevent this at all, and the technique is not useful for randomly picking your computer off the internet. It can only confirm that two compared samples of clock DRIFT - the error RATE of your clock which is always constant because it is controlled by a quartz crystal - are the same or statistically-similar. In other words, they have to already be watching or comparing known traffic to get such a sample. Either they would sample a known block of IPs, or a known site you access. In this way it is no different than using a recorded phone tap to prove that the same person is speaking on two different calls.

  10. Anonymous -- 05/03/05

    I call rubbish on this research.

    Clock drift affects TCP sequencing numbers; protocols such as NTP affect sequencing numbers and the exact timing that a machine will send out packets.

    Different network load between varying points on the larger internet will also affect both the unwilling server and the client receiving these packets.

    Work has also been done on random initial sequencing (see http://kerneltrap.org/node/4654) on the Linux kernel, making it harder again to trace a machine; it won't be able to "predict" an expected timestamp.

    Interesting experiment when you control the network, although I doubt that the accuracy of the experiment would play out when you do not control the remote machines.

  11. Anonymous -- 05/03/05

    Hopefully this could be used to track stolen laptops.

  12. Anonymous -- 06/03/05

    Two words: Address triangulation:
    Same thing, but better.

  13. Anonymous -- 06/03/05

    wouldn't simply over clocking or under clocking my processor affect the tracking ability of this method?

  14. Anonymous -- 06/03/05

    HOAX of the big brother TRON (read 1984 by Orson Welles)... they want us to fear, no, they are terribly wrong

  15. Anonymous -- 07/03/05

    Anyone who has had basic physics or electronics understands that ambient and working temp muck with everything. Pulse edges and durations change with the degrees. This is bull in the real world. OK.. it's 72 degrees out today and 85 out tomorrow and something as minuscule as clock skew is going to be unaffected by the system temp? Crap!!!!

  16. Anonymous -- 07/03/05

    Sorry to poop someone's PhD thesis but a simple firewall rule will invalidate the whole concept:

    deny icmp from any to any out icmptypes 13, 14

  17. Anonymous -- 07/03/05

    Quoted by PC Technician in Canada: "For those who didn't read or understand the article or the paper, changing your clock will not prevent this at all, and the technique is not useful for randomly picking your computer off the internet. It can only confirm that two compared samples of clock DRIFT - the error RATE of your clock which is always constant because it is controlled by a quartz crystal - are the same or statistically-similar. In other words, they have to already be watching or comparing known traffic to get such a sample. Either they would sample a known block of IPs, or a known site you access. In this way it is no different than using a recorded phone tap to prove that the same person is speaking on two different calls."

    Clock Drift Error is *not* constant because anyone who works in electronics knows that a crystal oscillator is only as stable as its supply voltage. Any minute change in voltage is going to change the frequency (i.e. variances in power supply voltage due to accessing drives, spinning up CDROMs, etc.) The system clock is not solely controlled by the CMOS battery... only when the system is actually unplugged (in the case of ATX boards) is the clock truly running on the CMOS battery. So much for that theory. :-)

  18. Anonymous -- 08/03/05

    It is simple enough to block. It is based off the fact that the clock is not adjusted more than once a day. If the clock is adjusted by a random number of +/- milliseconds every second for example, then the method won't work. That is a simple enough program to write too.

  19. Anonymous -- 08/03/05

    Let the WAR on Spam begin, where is the US when you need them ;-)

  20. Anonymous -- 09/03/05

    If I interpret the summary correctly they utilize microscopic differences in the onboard clock to identify a host. (hardware only?)

    The assertion seems to be that the difference (skew) between the system being ID'ed and the Identifier system results in a unique 'fingerprint'. Need to see statistical sample data to determine how legitimate the claim is. If true it's pretty universal as it is taking advantage of the IP protocol standard.

    Wonder if it works for IPv6 as well as IPv4?

  21. Anonymous -- 29/03/05

    This is just a simple observation, maybe I am off base :-)

    Leaving aside the fact that most SAFE TCP/IP stacks do not send out timing information and that pretty much all of them can be rewritten to ensure that they don't; this approach - while a fun little thing one can use to track naive users - is easily defeated when the target doesn't want to be tracked.

    Network address translation rewrites packets, and when implemented correctly, completely masks the IP headers behind the NATing firewalls.

    If any are interested, a simple countermeasure would be to use the firewall to rewrite the IP headers to mask any timing information; this facility is available in various firewalls, under Linux netfilter it is called packet mangling. Combine this with a queuing engine to counter any timing fingerprinting and you have created a certainty problem for the observer.

    Well these are just my thoughts.

    Anyone who wants to further discuss this can contact me at my email.

    Cheers,
    Ahmed

    On a more personal note

    A tracking system like this can only give malicious elements yet another way to invade someone's privacy.

    It'd be nice if as researchers we would actually go a step further and devise proper counter-measures to the tracking techniques that we develop.

  22. Anonymous -- 05/04/05

    He is doing a thesis on something that is already in action, the clock pulse can carry an id bit.
    But it is where this information moves from the
    physical layer to the tx layer and through to the
    app layer and out into the ether (internet) that is the point.

    If some of us care to remember the intel cpuid
    and the operating system vendor who tracks your hardware, has done for about five years or more.

    Some of us might remember the mainboard manufacturers (eg: gigabyte) who had transmission layer code built into their rom chips so that
    when the os was fired up and accessed the internet without any egress filtering (outgoing data) the mainboard id and ip were logged on their database.

    Primarily (tongue in cheek) used for marketing research and dev.

    This information and the stored email accounts etc etc in your registry (winblows), can be or is tx
    when your alg layer is allowed to pass through your firewall (app layer one, if you have one).

    Or as soon as you update your winbloze machine, and send your registry to Bill, for marketing research purposes.(*)

    As far as the clock pulse theory, what a load sorry!
    Any engineer will know that temperature, impedance, power supply fluctuations, and rf interference and
    other factors WILL affect clock pulse timing generators, signal length and strength, and most hardware on specific system buses has a set clock so as to align with the bus controller.........

    The ability to predict these fluctuations borders
    on the insane.....!, especially over the internet.

    This theory sounds like a WMD assumption, believe it or not........| grep -i "truth".

    $truth=0

    All your moves are logged anyway.

    ^ ^
    !
    (<>)------------*

  24. Rise of the BOTS! Milton Smith -- 09/04/08

    Fingerprinting computers by measuring clock skew is interesting and makes me a bit paranoid. However, it does not take a very big leap of creativity to imagine bots communicating information to bot herders using the similar mechanisms. The salient technique is hiding private information in public view.

    If it’s possible to fingerprint our computers, then it’s very likely the same mechanism can be leveraged to send information under the eyes of our best intrusion detection equipment. Encapsulation attacks are not new but most are at the Application Layer not Data Link (layer 2). Get ready for a new wave of BOTs.
