Hardware Fingerprinting: Good but not quite Great

Last week, UCSD PhD student Tadayoshi Kohno and CAIDA associates Andre Broido and KC Claffy published a paper describing how to identify an individual piece of hardware across a network. The basic premise of the paper, titled Remote physical device fingerprinting, is that the clock behind every networked device's timestamps is inaccurate in a way particular to that device: it creeps ahead of or behind true time at a stable rate (the clock skew, measured in parts per million). The skew is estimated from the timestamps the device itself emits, chiefly the TCP timestamp option and, with coarser resolution, ICMP timestamp replies, by fitting a line to how the gap between the device's timestamps and the observer's clock grows over time. Mr. Kohno makes compelling arguments that this skew can be measured across multiple hops, long distances, and high-latency links, and that it survives even when the system in question uses NTP to synchronize its clock with a more accurate reference, because on the systems studied the counter behind the TCP timestamps is not the clock that NTP disciplines.
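To make the measurement concrete, here is an added example (not code from the paper or from this post) of the skew estimate described above, applied to a constructed probe trace. The trace is generated in-process rather than captured from the wire; a real measurement would take the packet receive time and the TSval field of the TCP timestamp option from each packet seen from the target. The tick rate of the target's timestamp clock (1000 Hz here, a Linux 2.6-style value) is an assumption; in practice it is estimated from the trace or looked up by OS. The line fit follows the paper's linear-programming formulation: the line must lie on or above every offset point, since queueing delay can only make a packet arrive late, and among such lines the one with the smallest total distance to the points is chosen.

```python
"""Clock-skew estimation from TCP timestamps, after Kohno, Broido and
Claffy's "Remote physical device fingerprinting".

Added example, not code from the paper or the post.  The probe trace is
constructed in-process (no packets are sent).
"""
import random

# Assumed tick rate of the target's TCP timestamp clock (Linux 2.6 used
# 1000 Hz, Linux 2.4 100 Hz, Windows 10 Hz).  Estimated or looked up in practice.
HZ = 1000


def simulate_trace(skew_ppm, n=1800, interval=1.0, seed=1):
    """Constructed trace of (receive_time, tsval) pairs from a host whose
    timestamp counter runs skew_ppm fast (negative: slow) relative to the
    measurer's clock.  Receive times carry a fixed base delay plus random
    queueing delay, as they would on a real path."""
    rng = random.Random(seed)
    counter_start = rng.randrange(0, 2**31)              # arbitrary initial TSval
    trace = []
    for i in range(n):
        sent = i * interval + rng.uniform(0, 0.05)       # measurer's clock
        host_ticks = counter_start + sent * (1 + skew_ppm * 1e-6) * HZ
        tsval = int(host_ticks) & 0xFFFFFFFF             # 32-bit counter, truncated
        delay = 0.020 + rng.expovariate(1 / 0.005)       # 20 ms base + queueing
        trace.append((sent + delay, tsval))
    return trace


def offset_points(trace, hz=HZ):
    """x: seconds elapsed on the measurer's clock since the first probe;
    w: seconds elapsed on the target's timestamp clock; y = w - x.
    If the target's clock runs s ppm fast, y grows as s*1e-6 * x; variable
    network delay only ever pushes a point *below* that line."""
    t0, v0 = trace[0]
    pts = []
    for t, v in trace:
        x = t - t0
        w = ((v - v0) & 0xFFFFFFFF) / hz                  # handles counter wrap
        pts.append((x, w - x))
    return pts


def _cross(o, a, b):
    return (a[0] - o[0]) * (b[1] - o[1]) - (a[1] - o[1]) * (b[0] - o[0])


def upper_convex_hull(pts):
    """Monotone-chain upper hull; every point lies on or below each hull edge."""
    hull = []
    for p in sorted(pts):
        while len(hull) >= 2 and _cross(hull[-2], hull[-1], p) >= 0:
            hull.pop()
        hull.append(p)
    return hull


def fit_skew_line(pts):
    """The paper's linear program: pick (a, b) minimising sum(a*x_i + b - y_i)
    subject to a*x_i + b >= y_i for all i.  The optimum is a vertex of the
    feasible region, i.e. a line through two points that are consecutive on
    the upper convex hull, so it suffices to score each hull edge."""
    hull = upper_convex_hull(pts)
    best = None
    for (x1, y1), (x2, y2) in zip(hull, hull[1:]):
        if x2 == x1:
            continue
        a = (y2 - y1) / (x2 - x1)
        b = y1 - a * x1
        cost = sum(a * x + b - y for x, y in pts)
        if best is None or cost < best[0]:
            best = (cost, a, b)
    return best[1], best[2]


def estimate_skew_ppm(trace, hz=HZ):
    """Skew of the target's timestamp clock, in parts per million."""
    a, _ = fit_skew_line(offset_points(trace, hz))
    return a * 1e6


if __name__ == "__main__":
    for true_skew in (-37.5, 0.0, 120.0):
        est = estimate_skew_ppm(simulate_trace(true_skew))
        print(f"true {true_skew:+8.1f} ppm   estimated {est:+8.1f} ppm")
```

Two things the example makes visible that the paragraph does not: the resolution of the estimate is bounded by the counter's tick period divided by the length of the observation (one tick of a 1000 Hz clock over a half-hour trace is roughly a part per million), and the upper-envelope fit is what lets the method tolerate variable path delay, since late packets fall below the line rather than pulling it off course.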

This influential and original research is just the kind of infusion of fresh ideas that the information security field needs; however, it isn't quite the remarkable feat that many have heralded it as. One of the fundamental assumptions of the research is that each system's clock skew is unique, but no data is provided, nor references cited, to back this claim. I would be interested to see follow-up research showing exactly how unique a clock skew can be. A skew estimate has finite resolution, and the skews the paper reports fall within a range of a few hundred parts per million, so the number of distinguishable values is far smaller than the number of hosts. Even if two devices turned out to share a skew only once in every million, the sheer size of the Internet means that this method alone could not uniquely identify a system. Furthermore, kernel modifications or system-level tools can defeat the process: disabling the TCP timestamp option (a single sysctl on Linux, net.ipv4.tcp_timestamps) removes the primary signal, and a kernel that disciplines its timestamp counter or adds random noise to it would blur the rest. These two observations do not diminish the value of the research, but they are important points that some supporters seem to have glossed over.

This research will inevitably find its way into the reconnaissance toolchest of commercial (COTS) vulnerability assessment scanners, as well as open-source tools such as Fyodor's nmap. It won't be used alone, but combined with the other data these tools already collect (OS and service fingerprints, for instance), it will serve as the centerpiece of a data set that accurately identifies a particular system anywhere on the Internet.


Pity the Consumer

Reports are now surfacing that, in the wake of a string of recent security problems at T-Mobile, including the Paris Hilton fiasco, sales of T-Mobile's SideKick are going through the roof.

Excuse me?

Immediately after reading this, during a trip to the men's room, I found someone's PDA. My curious side insisted I at least turn it on long enough to see if there was any password protection or encryption software: there was not. I quickly sent out an APB, and of course left the device off and hidden to protect the owner's privacy, but not all PDA owners are so fortunate.

These two stories illustrate a profound misunderstanding on the part of the general public of what personal security means. Many seem to believe that as long as their social security card, mother's maiden name, and wallet stay out of thieves' reach, they are safe. Nothing could be further from the truth. Personal data on a PDA, or even more so on a hosted service whose security you do not control (like T-Mobile's SideKick, which keeps its owner's contacts, mail, and photos on the carrier's servers), can be all an attacker needs to steal or sell a person's identity. Clearly, a lot of education is needed here, before more companies profit from poor security procedures, practices, and technologies that put their customers at risk.