Tracking Internet Computers
Stephen Ryan
stephen.p.ryan at dartmouth.edu
Sat Mar 5 22:14:01 EST 2005
On Fri, 2005-03-04 at 13:02 -0500, Jim Kuzdrall wrote:
> Greetings,
>
> An article today on CNET says "A doctoral student at the University
> of California has conclusively fingerprinted computer hardware
> remotely, allowing it to be tracked wherever it is on the Internet."
>
> http://www.zdnet.com.au/news/security/0,2000061744,39183346,00.htm
>
> The explanation is:
>
> 'The technique works by "exploiting small, microscopic deviations in
> device hardware: clock skews." In practice, Kohno's paper says, his
> techniques "exploit the fact that most modern TCP stacks implement the
> TCP timestamps option from RFC 1323 whereby, for performance purposes,
> each party in a TCP flow includes information about its perception of
> time in each outgoing packet. A fingerprinter can use the information
> contained within the TCP headers to estimate a device's clock skew and
> thereby fingerprint a physical device."'
>
> Of course, I don't mind the FBI or DOD tracking my computer's
> Internet presence to keep the US safe and to remind me if I
> inadvertently do something "Un-American". But there are evil people
> out there who might wish to steal from me, force me to comply with
> their wishes against my will, or interfere with my ability to
> communicate with others.
>
> Could one add a random, zero averaged offset to the computer clock
> using hwclock? The offset might be changed every hour, perhaps. Would
> that alter the skew derived from the TCP stack?
One thing I'm surprised that no-one has commented on yet is that there
simply aren't enough bits of precision in the clock skew to be able to
conclusively "identify" much more than a lab full of computers. While
there may be some usefulness to this technique in some limited
circumstances, it is *not* useful for tracking any particular device
across the wilds of the Internet or even for identifying devices among a
small-ish set; there are simply too many other devices out there and too
few unique clock skews for it to work as a unique identifier (not to
mention the fact that the Birthday Paradox would screw it up as well).
More information about the gnhlug-discuss
mailing list