2005-03-11

Hardware Fingerprinting: Good but not quite Great

Last week, UCSD PhD student Tadayoshi Kohno and CAIDA associates Andre Broido and KC Claffy published a paper detailing the identification of unique pieces of hardware on a network. The basic assumption of the paper, titled Remote physical device fingerprinting, is that the system clock keeping time on every networked device is inaccurate in a unique way, slowly creeping ahead of or behind true time at a predictable rate. Mr. Kohno makes compelling arguments that this time skew can be identified across multiple hops, long distances, and high-latency links, even if the system in question is using NTP to synchronize its clock with a more accurate (presumably atomic) clock.
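To make the measurement concrete, here is an added Python illustration (not code from the paper or from this post) of how a skew rate is recovered from a series of timestamped packets. It assumes a remote device whose TCP timestamp counter ticks at 1000 Hz, treats the measurer's own clock as the reference, and constructs its sample packets with a fixed-seed generator so it runs offline; the only variable network effect modelled is one-sided queueing delay. The fit is the paper's linear-programming criterion (the line lying above all offset points with the smallest summed vertical distance), solved here in closed form as the upper-hull edge that spans the mean of x. The device name, tick rate, delays and skew values are all assumptions.

```python
"""Clock-skew estimation from TCP-timestamp-style samples (added illustration).

Assumptions (constructed, not data from the paper): the remote device's
timestamp counter ticks at 1000 Hz; the measurer's own clock is the
reference; network delay only ever adds to a packet's arrival time.
"""
from typing import Iterator, List, Tuple

Sample = Tuple[float, int]   # (arrival time on measurer clock, s; device timestamp, ticks)
Point = Tuple[float, float]  # (elapsed measurer time, observed offset) in seconds


def lcg(seed: int) -> Iterator[float]:
    """Tiny deterministic PRNG so the constructed samples reproduce offline."""
    state = seed
    while True:
        state = (1103515245 * state + 12345) % 2**31
        yield state / 2**31


def make_samples(skew_ppm: float, hz: int = 1000, n: int = 240,
                 interval: float = 30.0, max_delay: float = 0.005,
                 seed: int = 7) -> List[Sample]:
    """Simulate n packets from one device whose clock runs skew_ppm fast (or slow)."""
    rng = lcg(seed)
    base_ticks = 123456                      # arbitrary starting counter value (constructed)
    out: List[Sample] = []
    for i in range(n):
        t_send = i * interval                # true send time on the reference clock
        # the device counter has advanced by skew_ppm parts per million too many ticks
        ticks = base_ticks + int(round(t_send * hz * (1 + skew_ppm * 1e-6)))
        delay = 0.050 + next(rng) * max_delay   # 50 ms path plus up to 5 ms queueing
        out.append((t_send + delay, ticks))
    return out


def offsets(samples: List[Sample], hz: int) -> List[Point]:
    """Offset points as in the paper: x = elapsed measurer time, y = device elapsed - x."""
    t0, tick0 = samples[0]
    return [(t - t0, (ticks - tick0) / hz - (t - t0)) for t, ticks in samples]


def upper_hull(pts: List[Point]) -> List[Point]:
    """Upper convex hull (Andrew's monotone chain), left to right."""
    hull: List[Point] = []
    for p in sorted(pts):
        while len(hull) >= 2:
            (ox, oy), (ax, ay) = hull[-2], hull[-1]
            cross = (ax - ox) * (p[1] - oy) - (ay - oy) * (p[0] - ox)
            if cross >= 0:        # not a clockwise turn: the middle point lies under the hull
                hull.pop()
            else:
                break
        hull.append(p)
    return hull


def fit_upper_line(pts: List[Point]) -> Tuple[float, float]:
    """Line above every point minimising the summed vertical distance (the paper's LP).

    The objective is linear in (slope, intercept), so the optimum is a vertex of the
    feasible region: the upper-hull edge whose x-range contains the mean of x.
    Returns (slope, intercept).
    """
    xbar = sum(x for x, _ in pts) / len(pts)
    hull = upper_hull(pts)
    for (xa, ya), (xb, yb) in zip(hull, hull[1:]):
        if xa <= xbar <= xb:
            alpha = (yb - ya) / (xb - xa)
            return alpha, ya - alpha * xa
    raise ValueError("need at least two samples with distinct arrival times")


def estimate_skew_ppm(samples: List[Sample], hz: int) -> float:
    """Skew of the device clock relative to the measurer, in parts per million."""
    alpha, _ = fit_upper_line(offsets(samples, hz))
    return alpha * 1e6


if __name__ == "__main__":
    for true_ppm in (50.0, 100.0):
        est = estimate_skew_ppm(make_samples(true_ppm), 1000)
        print(f"true skew {true_ppm:6.1f} ppm -> estimated {est:6.1f} ppm")
```

Two hours of samples at 30-second spacing recover each constructed skew to within a few ppm, and that resolution is exactly what decides the question raised below: the number of devices a fingerprinter can tell apart is bounded by the range of skews seen in practice divided by the precision of the estimate, not by the fact that every clock drifts.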

This influential and original research is just the kind of infusion of fresh ideas that the information security field needs; however, it isn't quite the remarkable feat that many have heralded it as. One of the fundamental assumptions of the research is that each system's clock skew is unique, but no data are provided, and no references are cited, to back this claim. I would be interested to see some follow-up research in this field to show exactly how unique a clock skew can be. Even if the clock skew is found to be repeated only once in every one million devices, the sheer size of the Internet means that this method could not alone uniquely identify systems. Furthermore, kernel modifications or system-level tools can defeat this process. These two observations do not diminish the value of the research, but they are important points that some supporters seem to have glossed over.

This research will inevitably be added to the toolchest of reconnaissance techniques employed by COTS vulnerability assessment scanners, as well as open-source tools such as Fyodor's nmap. While it won't be used alone, when combined with other data collected by these tools, it will serve as the centerpiece to a set of data that will accurately identify a unique system anywhere on the Internet.
