[>Htech] Tracking a Specific Machine Anywhere On The Net

Eugen Leitl eugen at leitl.org
Fri Mar 4 09:28:27 PST 2005 

Link: http://slashdot.org/article.pl?sid=05/03/04/1355253
Posted by: Zonk, on 2005-03-04 16:45:00

   from the not-the-sandra-bullock-movie dept.
   An anonymous reader writes "An article on ZDNet Australia tells of a
   new technique developed at CAIDA that involves using the individual
   machine's clock skew to [1]fingerprint it anywhere on the net."
   Possible uses of the technique include "tracking, with some
   probability, a physical device as it connects to the Internet from
   different access points, counting the number of devices behind a NAT
   even when the devices use constant or random IP identifications,
   remotely probing a block of addresses to determine if the addresses
   correspond to virtual hosts (for example, as part of a virtual
   honeynet), and unanonymising anonymised network traces."


References

   1. http://www.zdnet.com.au/news/security/0,2000061744,39183346,00.htm

----- End forwarded message -----

How to track a PC anywhere it connects to the Net

Renai LeMay, ZDNet Australia
March 04, 2005
URL: http://www.zdnet.com.au/news/security/0,2000061744,39183346,00.htm


Anonymous Internet access is now a thing of the past. A doctoral student at
the University of California has conclusively fingerprinted computer hardware
remotely, allowing it to be tracked wherever it is on the Internet.

In a paper on his research, primary author and Ph.D. student Tadayoshi Kohno
said: "There are now a number of powerful techniques for remote operating
system fingerprinting, that is, remotely determining the operating systems of
devices on the Internet. We push this idea further and introduce the notion
of remote physical device fingerprinting ... without the fingerprinted
device's known cooperation."

The potential applications for Kohno's technique are impressive. For example,
"tracking, with some probability, a physical device as it connects to the
Internet from different access points, counting the number of devices behind
a NAT even when the devices use constant or random IP identifications,
remotely probing a block of addresses to determine if the addresses
correspond to virtual hosts (for example, as part of a virtual honeynet), and
unanonymising anonymised network traces."

NAT (network address translation) is a protocol commonly used to make it
appear as if machines behind a firewall all retain the same IP address on the
public Internet.

Kohno seems to be aware of the interest from surveillance groups that his
techniques could generate, saying in his paper: "One could also use our
techniques to help track laptops as they move, perhaps as part of a
Carnivore-like project". Carnivore was Internet surveillance software built
by the United States' Federal Bureau of Investigation. Earlier in the paper
Kohno overshadowed possible forensics applications, saying that investigators
could use his techniques "to argue whether a given laptop was connected to
the Internet from a given access location".

Another application for Kohno's technique is to "obtain information about
whether two devices on the Internet, possibly shifted in time or IP
addresses, are actually the same physical device."

The technique works by "exploiting small, microscopic deviations in device
hardware: clock skews." In practice, Kohno's paper says, his techniques
"exploit the fact that most modern TCP stacks implement the TCP timestamps
option from RFC 1323 whereby, for performance purposes, each party in a TCP
flow includes information about its perception of time in each outgoing
packet. A fingerprinter can use the information contained within the TCP
headers to estimate a device's clock skew and thereby fingerprint a physical
device."

Kohno goes on to say: " Our techniques report consistent measurements when
the measurer is thousands of miles, multiple hops, and tens of milliseconds
away from the fingerprinted device, and when the fingerprinted device is
connected to the Internet from different locations and via different access
technologies. Further, one can apply our passive and semi-passive techniques
when the fingerprinted device is behind a NAT or firewall."

And the paper stresses that "For all our methods, we stress that the
fingerprinter does not require any modification to or cooperation from the
fingerprintee." Kohno and his team tested their techniques on many operating
systems, including Windows XP and 2000, Mac OS X Panther, Red Hat and Debian
Linux, FreeBSD, OpenBSD and even Windows for Pocket PCs 2002.

"In all cases," the paper says, "we found that we could use at least one of
our techniques to estimate clock skews on the machines and that we required
only a small amount of data, although the exact data requirements depended on
the operating system in question."

Putting the techniques to the test with a wider test also proved fruitful for
the researchers. "We also measured the clock skews of 69 (seemingly
identical) Windows XP SP1 machines in one of our institution's undergraduate
computing facilities. The latter experiment, which ran for 38 days, as well
as other experiments, show that the clock skew estimates for any given
machine are approximately constant over time, but that different machines
have detectably different clock skews," said the paper.

Although the paper says that "It has long been known that seemingly identical
computers can have disparate clock skews," it goes on to conclude that "the
main advantage of our techniques ... is that our technique can be mountable
by adversaries thousands of miles and multiple hops away."

Information about the technique came to light when KC Claffy, principal
investigator for the Cooperative Association for Internet Data Analysis
(CAIDA) forwarded information about the project to a mailing list, "in the
interest of full and early disclosure". However Claffy also said in her
email: "Please don't forward to any bad guys." Kohno is also associated with
CAIDA.

Kohno's research is due to be presented at the Institute of Electrical and
Electronics Engineers Symposium on Security and Privacy to be held in
California in May.

Copyright ) 2005 CNET Networks, Inc. All Rights Reserved.
ZDNET is a registered service mark of CNET Networks, Inc. ZDNET Logo is a
service mark of CNET NETWORKS, Inc.

--
Eugen* Leitl <a href="http://leitl.org">leitl</a>
______________________________________________________________
ICBM: 48.07078, 11.61144            http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
http://moleculardevices.org         http://nanomachines.net



----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a>
______________________________________________________________
ICBM: 48.07078, 11.61144            http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
http://moleculardevices.org         http://nanomachines.net

[demime 1.01d removed an attachment of type application/pgp-signature]

More information about the cypherpunks-legacy mailing list