Presentation is loading. Please wait.

Presentation is loading. Please wait.

802.11 User Fingerprinting Jeffrey Pang 1 Ben Greenstein 2 Ramakrishna Gummadi 3 Srinivasan Seshan 1 David Wetherall 2,4 1 CMU 2 Intel Research Seattle.

Published byGilbert Mathews Modified over 9 years ago

Similar presentations

Presentation on theme: "802.11 User Fingerprinting Jeffrey Pang 1 Ben Greenstein 2 Ramakrishna Gummadi 3 Srinivasan Seshan 1 David Wetherall 2,4 1 CMU 2 Intel Research Seattle."— Presentation transcript:

1 802.11 User Fingerprinting Jeffrey Pang 1 Ben Greenstein 2 Ramakrishna Gummadi 3 Srinivasan Seshan 1 David Wetherall 2,4 1 CMU 2 Intel Research Seattle 3 USC,MIT 4 University of Washington Mobicom ‘07 Some slides borrowed from the Mobicom 07 presentation by the owners of the paper 1

2 Introduction Measurement based paper Tracking is worrisome to people, especially the ubiquitous 802.11 network devices. Location Privacy in danger because wireless devices disclose our location or identities or both. Many other technologies like RFID pose similar threats. Inspite of changing parameters, 802.11 devices emit characteristics that make the devices trackable. Pseudonyms, temporary unlinkable names were proposed to use to prevent tracking. But the results in the paper shows theyre not enough. 2

3 Motivation: The Mobile Wireless Landscape A well known technical problem – Devices have unique and consistent addresses – e.g., 802.11 devices have MAC addresses  fingerprinting them is trivial! MAC address now: 00:0E:35:CE:1F:59 MAC address later: 00:0E:35:CE:1F:59 Adversary tcpdump 3

4 Motivation: The Mobile Wireless Landscape The widely proposed techical solution – Pseudonyms: Change addresses over time 802.11: Gruteser ’05, Hu ’06, Jiang ’07 Bluetooth: Stajano ’05 RFID: Juels ‘04 GSM: already employed MAC address now: 00:0E:35:CE:1F:59 MAC address later: 00:AA:BB:CC:DD:EE tcpdump ? 4

5 Motivation: The Mobile Wireless Landscape The results show: Pseudonyms are not enough – Implicit identifiers: identifying characteristics of traffic – Parameters like IP address of your frequently used email – E.G., most users identified with 90% accuracy in hotspots 00:0E:35:CE:1F:5900:AA:BB:CC:DD:EE tcpdump Search: “Bob’s Home Net” Packets  Intel Email Server … Search: “Bob’s Home Net” Packets  Intel Email Server … 5

6 Contributions Four Novel 802.11 Implicit Identifiers Automated Identification Procedure Evaluating Implicit Identifier Accuracy 6

7 Implicit Identifiers netdest pairs SSID Broadcast packets MAC protocol fields 7

8 The Implicit Identifier Problem How significantly do implicit identifiers erode privacy?.......lets see by example…. A signal trace obtained at 2004 SIGCOMM conference is used. MAC address is hashed to provide anonymity…… equivalent to a pseudonym 8

9 A device automatically searches for preferred networks first and hence from the SSID users could be identified. For example, a user’s laptop searched for network names like “MIT”, “roofnet”…. The user must be from Cambridge,MA!! SSID probes with unique names make the job easier. E.g. “therobertmorris” Another user used BitTorrent to download. The MAC address in the data packets was hashed but he accessed the same SSH and IMAP server every hour and was the only one to do so at SIGCOMM….hence IDENTIFIED!! 9

10 Implicit identifiers are many times exposed by design flaws Identifying information is exposed at the higher layers of network stack as they are not adequately masked Identifying information during service discovery is not masked Rectifying these shortcomings will come at a high cost. 10

11 Experimental Setup The Adversary – Service providers and large monitoring networks are the biggest threat. – Network monitoring softwares like “tcpdump” enables any lay man to track with just an 802.11 device like laptop. The Environments – Public networks such as hot spots. Unencrypted link layer Access control employed at higher layers with MAC address filtering Identifying features in network link layer and physical layer are visible to the eavesdropper – Home networks High density of access points in urban areas Employ link layer encryption Authorized users are known and small in number Eavesdropper can still view the payloads of data packets, frame sizes, timing – Enterprise networks Devices authorized Less diversity in the behavior of wireless cards 11

12 Monitoring scenario – Assume that users use different pseudonyms for each session in each of the networks – Hence explicit identifiers cannot link their sessions – The authors define a traffic sample to be one user’s network traffic observed during one hour – Assume that the adversary is able to obtain training samples either before or during the monitoring period from the person being tracked. 12

13 Evaluation Criteria – Did this traffic sample come from user U? – Was user U here today? Wireless Traces – “sigcomm” a 4 day trace from monitoring point in 2004 SIGCOMM conference – “ucsd” a trace of all 802.11 traffic in U.C Sand Diego’s computer science building during one day – “apt” a 19 day trace monitoring all networks in an apartment building 13

14 Implicit identifiers Results show: – Many identifiers are effective at distinguishing users while others are useful for distinguishing groups of users – A non-trivial fraction of users are trackable using one highly discriminating identifier – On an average only 1 to 3 samples are enough to leverage identifiers to full effect – At least one implicit identifier accurately identifies users over multiple weeks 14

15 Network destinations “netdests” is a set of IP pairs that are known to be common to all users This set is unique to each user. An adversary can obtain network address in any wireless network inspite of link layer encryption or VPN. No application or network layer security mechanism such as IPSec would mask this identifier 15

16 SSID Probes SSID of a netwoork is added to the networks list when a client first associates with the network. The client sends probe requests to find if it is in the vicinity of its preferred networks Probes are never encrypted because they occur before association and key agreement Some SSIDs are more distinguishing than others which makes it useful many times. 16

17 Broadcast packet sizes Many applications broadcast packets to advertise their existence to machines on the local network These packets contain naming information In the observed traces, NetBIOS advertisements and filemaker and Microsoft office bcasts were found DHCPP requests and power management beacons are common to all users hence not included in the bcasts set. 17

18 MAC protocol fields Specific combination of 802.11 protocol fields visible in the MAC header that distinguish a wireless users card, driver and configuration For example: – More fragments – Retry – Power management – Order bits – Authentication algorithms – Supported transmission rates 18

19 Implicit Identifier Summary 802.11 Networks: PublicHomeEnterprise Network destinations SSIDs in probes Broadcast pkt sizes MAC protocol fields Visible even with WEP/WPA TKIP encryption More implicit identifiers exist  Results presented establish a lower bound Identifying even if devices have identical drivers 19

20 Automated Identification Procedure Many potential tracking applications: – Was user X here today? – Where was user X today? – What traffic is from user X? – When was user X here? – Etc. Build a profile from training samples: First collect some traffic known to be from user X and from random others 20

21 Sample Classification Algorithm Core question: – Did traffic sample s come from user X? A simple approach: naïve Bayes classifier – Derive probabilistic model from training samples – Given s with features F, answer “yes” if: Pr[ s from user X | s has features F ] > T for a selected threshold T. – F = feature set derived from implicit identifiers 21

22 Deriving features F from implicit identifiers IR_Guest SAMPLE FROM OBSERVATION Sample Classification Algorithm linksys djw SIGCOMM_1 PROFILE FROM TRAINING Rare Common w(e) = low w(e) = high 22

23 Evaluating Classification Effectiveness Simulate tracking scenario with wireless traces: – Split each trace into training and observation phases 23

24 Question: Is observation sample s from user X? Evaluation metrics: – True positive rate (TPR) Fraction of user X’s samples classified correctly – False positive rate (FPR) Fraction of other samples classified incorrectly Pr[ s from user X | s has features F ] > T = 0.01 = ??? Fix T for FPR Measure TPR 24

25 Q: Did this sample come from user U? 25

26 26 Results: Individual Feature Accuracy TPR  60% TPR  30% Individual implicit identifiers give evidence of identity 1.0

27 Results: Multiple Feature Accuracy Users with TPR >50%: Public: 63% Home: 31% Enterprise: 27% We can identify many users in all environments PublicHomeEnterprise netdests ssids bcast fields 27

28 Results: Multiple Feature Accuracy Some users much more distinguishable than others Public networks: ~20% users identified >90% of the time PublicHomeEnterprise netdests ssids bcast fields 28

29 Question: Was user X here today? More difficult to answer: – Suppose N users present each hour – Over an 8 hour day, 8N opportunities to misclassify  Decide user X is here only if multiple samples are classified as his Revised: Was user X here today for a few hours? 29

30 Results: Individual Feature Accuracy Some users more distinguishable than others netdests: ~60% users identified >50% of the time ~20% users identified >90% of the time 30

31 Results: Tracking with 90% Accuracy Majority of users can be identified if active long enough Of 268 users (71%): 75% identified with ≤4 samples 50% identified with ≤3 samples 25% identified with ≤2 samples 31

32 32 Results: Tracking with 90% Accuracy Many users can be identified in all environments

33 Conclusions Implicit identifiers can accurately identify users – Individual implicit identifiers give evidence of identity – We can identify many users in all environments – Some users much more distinguishable than others Understanding implicit identifiers is important – Pseudonyms are not enough – a lower bound on their accuracy is established 33

34 Future – Uncover more identifiers (timing, etc.) – Take measures to resolve the issues regarding the implicit identifier problem and build a better link layer and to prevent detection from these identifiers. 34

35 THANK YOU… 35

Download ppt "802.11 User Fingerprinting Jeffrey Pang 1 Ben Greenstein 2 Ramakrishna Gummadi 3 Srinivasan Seshan 1 David Wetherall 2,4 1 CMU 2 Intel Research Seattle."

Similar presentations

Web Content Control Application Providing Secure & Reliable Internet Access December 2010.

Web Content Control Application Providing Secure & Reliable Internet Access December 2010.
Mobile and Wireless Computing Institute for Computer Science, University of Freiburg Western Australian Interactive Virtual Environments Centre (IVEC)

Mobile and Wireless Computing Institute for Computer Science, University of Freiburg Western Australian Interactive Virtual Environments Centre (IVEC)
1 Understanding and Mitigating the Impact of RF Interference on 802.11 Networks Ramki Gummadi (MIT), David Wetherall (UW) Ben Greenstein (IRS), Srinivasan.

1 Understanding and Mitigating the Impact of RF Interference on Networks Ramki Gummadi (MIT), David Wetherall (UW) Ben Greenstein (IRS), Srinivasan.
Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.
How secure are 802.11b Wireless Networks? By Ilian Emmons University of San Diego.

How secure are b Wireless Networks? By Ilian Emmons University of San Diego.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
1 (Un)Trustworthy Wireless: What your wireless traffic says about you… Jeff Pang with Ben Greenstein, Ramki Gummadi, Tadayoshi Kohno, David Wetherall (UW/Intel.

1 (Un)Trustworthy Wireless: What your wireless traffic says about you… Jeff Pang with Ben Greenstein, Ramki Gummadi, Tadayoshi Kohno, David Wetherall (UW/Intel.
1 Tryst: Making Local Service Discovery Confidential Jeffrey Pang Ben Greenstein Srinivasan Seshan David Wetherall.

1 Tryst: Making Local Service Discovery Confidential Jeffrey Pang Ben Greenstein Srinivasan Seshan David Wetherall.
 Guarantee that EK is safe  Yes because it is stored in and used by hw only  No because it can be obtained if someone has physical access but this can.

 Guarantee that EK is safe  Yes because it is stored in and used by hw only  No because it can be obtained if someone has physical access but this can.
Srinivasan Seshan (and many collaborators) Carnegie Mellon University 1.

Srinivasan Seshan (and many collaborators) Carnegie Mellon University 1.
CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.

CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.
1 802.11 User Fingerprinting Jeffrey Pang 1 Ben Greenstein 2 Ramakrishna Gummadi 3 Srinivasan Seshan 1 David Wetherall 2,4 1 CMU 2 Intel Research Seattle.

User Fingerprinting Jeffrey Pang 1 Ben Greenstein 2 Ramakrishna Gummadi 3 Srinivasan Seshan 1 David Wetherall 2,4 1 CMU 2 Intel Research Seattle.
1/40 Quantifying and Preventing Privacy Threats in Wireless Link Layer Protocols Thesis Proposal Jeffrey Pang.

1/40 Quantifying and Preventing Privacy Threats in Wireless Link Layer Protocols Thesis Proposal Jeffrey Pang.
Analysis of 802.11 Privacy Jim McCann & Daniel Kuo EECS 598.

Analysis of Privacy Jim McCann & Daniel Kuo EECS 598.
Link Setup Time (ms) Details : How do sender and receiver synchronize i ? Discovery/binding messages: infrequent and narrow interface  short term linkability.

Link Setup Time (ms) Details : How do sender and receiver synchronize i ? Discovery/binding messages: infrequent and narrow interface  short term linkability.
1 Wireless LAN Security Presented by Vikrant Karan.

1 Wireless LAN Security Presented by Vikrant Karan.
An Authentication Service Against Dishonest Users in Mobile Ad Hoc Networks Edith Ngai, Michael R. Lyu, and Roland T. Chin IEEE Aerospace Conference, Big.

An Authentication Service Against Dishonest Users in Mobile Ad Hoc Networks Edith Ngai, Michael R. Lyu, and Roland T. Chin IEEE Aerospace Conference, Big.
1 Making Local Service Discovery Confidential with Tryst Jeffrey Pang CMU Ben Greenstein Intel Research Srinivasan Seshan CMU David Wetherall University.

1 Making Local Service Discovery Confidential with Tryst Jeffrey Pang CMU Ben Greenstein Intel Research Srinivasan Seshan CMU David Wetherall University.
802.11 User Fingerprinting Jeff Pang, Ben Greenstein, Ramki Gummadi, Srini Seshan, and David Wetherall Most slides borrowed from Ben.

User Fingerprinting Jeff Pang, Ben Greenstein, Ramki Gummadi, Srini Seshan, and David Wetherall Most slides borrowed from Ben.
APPLAUS: A Privacy-Preserving Location Proof Updating System for Location-based Services Zhichao Zhu and Guohong Cao Department of Computer Science and.

APPLAUS: A Privacy-Preserving Location Proof Updating System for Location-based Services Zhichao Zhu and Guohong Cao Department of Computer Science and.

Similar presentations

Ads by Google