Presentation is loading. Please wait.

Presentation is loading. Please wait.

802.11 User Fingerprinting Jeff Pang, Ben Greenstein, Ramki Gummadi, Srini Seshan, and David Wetherall Most slides borrowed from Ben.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "802.11 User Fingerprinting Jeff Pang, Ben Greenstein, Ramki Gummadi, Srini Seshan, and David Wetherall Most slides borrowed from Ben."— Presentation transcript:

1 802.11 User Fingerprinting Jeff Pang, Ben Greenstein, Ramki Gummadi, Srini Seshan, and David Wetherall Most slides borrowed from Ben

2 Location Privacy is at Risk You “The adversary” (a.k.a., some dude with a laptop) Your MAC address: 00:0E:35:CE:1F:59 Usually < 100m

3 Are pseudonyms enough? MAC address now: 00:0E:35:CE:1F:59 MAC address later: 00:AA:BB:CC:DD:EE

4 Implicit Identifiers Remain Consider one user at SIGCOMM 2004 Visible in an “anonymized” trace MAC addresses scrubbed Effectively a pseudonym Transferred 512MB via bittorrent => Crappy performance for everyone else Let’s call him Bob Can we figure out who Bob is?

5 Implicit Identifier: SSIDs SSIDs in Probe Requests Windows XP, Mac OS X probe for your preferred networks by default Set of networks advertised in a traffic sample Determined by a user’s preferred networks list SSID Probe: “roofnet” Bob

6 What if Bob used pseudonyms? “roofnet” probe occurred during different session than bittorrent download Can no longer explicitly associate “roofnet” with poor network etiquette Can we do it implicitly?

7 Implicit Identifier: Network Destinations Network Destinations Set of IP pairs in a traffic sample In SIGCOMM, each visited by 1.15 users on average A user is likely to visit a site repeatedly (e.g., an email server) SSH/IMAP server: 159.16.40.45 Bob

8 What if network is encrypted? Can’t see IP addresses through link- layer encryption like WPA Is Bob safe now?

9 Implicit Identifier: Broadcast Packet Sizes Broadcast Packet Sizes Set of 802.11 broadcast packet sizes in a traffic sample E.g., Windows machines NetBIOS naming advertisements; FileMaker and Microsoft Office advertise themselves In SIGCOMM, only 16% more unique tuples than unique sizes Broadcast packet sizes: 239, 245, 257 Bob

10 Implicit Identifier: MAC Protocol Fields MAC Protocol Fields Header bits (e.g., power mgmt., order) Supported rates Offered authentication algorithms Mac Protocol Fields: 11,4,2,1Mbps, WEP, etc. Bob

11 David J. Wetherall Anonymized 802.11 Traces from SIGCOMM 2004 Search on Wigle for “djw” in the Seattle area Google pinpoints David’s home (to within 200 ft) A pseudonym What else do implicit identifiers tell us?

12 Automating Implicit Identifiers TRAINING: Collect some traffic known to be from Bob OBSERVATION: Which traffic is from Bob? ? ??

13 Methodology Simulate using SIGCOMM, USCD Split trace into training data and observation data Sample = 1hour of traffic to/from a user Assume pseudonyms “The adversary”

14 Did this traffic sample come from Bob? How to convert implicit identifiers into features? Naïve Bayesian Classifier: We say sample s (with features f i ) is from Bob if Pr[s from Bob | s has features f i ] > T

15 Did This Traffic Sample Come from Bob? Features: Set similarity (Jaccard Index), weighted by frequency: linksys IR_Guest djw SIGCOMM_1 PROFILE FROM TRAINING SAMPLE FOR VALIDATION Rare Common

16 Individual Feature Accuracy 60% TPR with 99% FPR Higher FPR, likely due to not being user specific Useful in combination with other features, to rule out identities

17 Multi-feature Accuracy Samples from 1 in 4 users are identified >50% of the time with 0.001 FPR bcast + ssids + fields + netdests bcast + ssids + fields bcast + ssids

18 Was Bob here today? Maybe… Suppose N users present Over an 8 hour day, 8*N opportunities to misclassify a user’s traffic Instead, say Bob is present iff multiple samples are classified as his

19 Was Bob here today? In a busy coffee shop with 25 concurrent users, more than half (54%) can be identified with 90% accuracy 4 hour median to detect (4 samples) 27% with two 9s.

20 Conclusion: Pseudonyms Are Insufficient 4 new identifiers: netdests, ssids, fields, bcast Average user emits highly distinguishing identifiers Adversary can combine features Future Uncover more identifiers (timing, etc.) Validate on longer/more diverse traces (SSIDs stable in home setting for >=2 weeks) Build a better link layer

Download ppt "802.11 User Fingerprinting Jeff Pang, Ben Greenstein, Ramki Gummadi, Srini Seshan, and David Wetherall Most slides borrowed from Ben."

Similar presentations

Inktomi Confidential and Proprietary The Inktomi Climate Lab: An Integrated Environment for Analyzing and Simulating Customer Network Traffic Stephane.

Inktomi Confidential and Proprietary The Inktomi Climate Lab: An Integrated Environment for Analyzing and Simulating Customer Network Traffic Stephane.
ARP Cache Poisoning How the outdated Address Resolution Protocol can be easily abused to carry out a Man In The Middle attack across an entire network.

ARP Cache Poisoning How the outdated Address Resolution Protocol can be easily abused to carry out a Man In The Middle attack across an entire network.
Expressive Privacy Control with Pseudonyms Seungyeop Han, Vincent Liu, Qifan Pu, Simon Peter, Thomas Anderson, Arvind Krishnamurthy, David Wetherall University.

Expressive Privacy Control with Pseudonyms Seungyeop Han, Vincent Liu, Qifan Pu, Simon Peter, Thomas Anderson, Arvind Krishnamurthy, David Wetherall University.
WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:

WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:
“All your layer are belong to us” Rogue 802.11 APs, DHCP/DNS Servers, and Fake Service Traps.

“All your layer are belong to us” Rogue APs, DHCP/DNS Servers, and Fake Service Traps.
802.11 User Fingerprinting Jeffrey Pang 1 Ben Greenstein 2 Ramakrishna Gummadi 3 Srinivasan Seshan 1 David Wetherall 2,4 1 CMU 2 Intel Research Seattle.

User Fingerprinting Jeffrey Pang 1 Ben Greenstein 2 Ramakrishna Gummadi 3 Srinivasan Seshan 1 David Wetherall 2,4 1 CMU 2 Intel Research Seattle.
Wireless Networks: Signaling and Security William Tucker CEN 4516: Computer Networks FGCU: Fort Myers, FL: 09/05.

Wireless Networks: Signaling and Security William Tucker CEN 4516: Computer Networks FGCU: Fort Myers, FL: 09/05.
16-1 Last time Internet Application Security and Privacy Authentication Security controls using cryptography Link-layer security: WEP.

16-1 Last time Internet Application Security and Privacy Authentication Security controls using cryptography Link-layer security: WEP.
OAAIS Enterprise Information Security Security Awareness, Training & Education (SATE) Program or 415.514-3333 UCSF Campus VPN.

OAAIS Enterprise Information Security Security Awareness, Training & Education (SATE) Program or UCSF Campus VPN.
1 (Un)Trustworthy Wireless: What your wireless traffic says about you… Jeff Pang with Ben Greenstein, Ramki Gummadi, Tadayoshi Kohno, David Wetherall (UW/Intel.

1 (Un)Trustworthy Wireless: What your wireless traffic says about you… Jeff Pang with Ben Greenstein, Ramki Gummadi, Tadayoshi Kohno, David Wetherall (UW/Intel.
1 Tryst: Making Local Service Discovery Confidential Jeffrey Pang Ben Greenstein Srinivasan Seshan David Wetherall.

1 Tryst: Making Local Service Discovery Confidential Jeffrey Pang Ben Greenstein Srinivasan Seshan David Wetherall.
 Guarantee that EK is safe  Yes because it is stored in and used by hw only  No because it can be obtained if someone has physical access but this can.

 Guarantee that EK is safe  Yes because it is stored in and used by hw only  No because it can be obtained if someone has physical access but this can.
Srinivasan Seshan (and many collaborators) Carnegie Mellon University 1.

Srinivasan Seshan (and many collaborators) Carnegie Mellon University 1.
WiFi Security. What is WiFi ? Originally, Wi-Fi was a marketing term. The Wi-Fi certified logo means that the product has passed interoperability tests.

WiFi Security. What is WiFi ? Originally, Wi-Fi was a marketing term. The Wi-Fi certified logo means that the product has passed interoperability tests.
1 802.11 User Fingerprinting Jeffrey Pang 1 Ben Greenstein 2 Ramakrishna Gummadi 3 Srinivasan Seshan 1 David Wetherall 2,4 1 CMU 2 Intel Research Seattle.

User Fingerprinting Jeffrey Pang 1 Ben Greenstein 2 Ramakrishna Gummadi 3 Srinivasan Seshan 1 David Wetherall 2,4 1 CMU 2 Intel Research Seattle.
1/40 Quantifying and Preventing Privacy Threats in Wireless Link Layer Protocols Thesis Proposal Jeffrey Pang.

1/40 Quantifying and Preventing Privacy Threats in Wireless Link Layer Protocols Thesis Proposal Jeffrey Pang.
Analysis of 802.11 Privacy Jim McCann & Daniel Kuo EECS 598.

Analysis of Privacy Jim McCann & Daniel Kuo EECS 598.
Link Setup Time (ms) Details : How do sender and receiver synchronize i ? Discovery/binding messages: infrequent and narrow interface  short term linkability.

Link Setup Time (ms) Details : How do sender and receiver synchronize i ? Discovery/binding messages: infrequent and narrow interface  short term linkability.
1 Making Local Service Discovery Confidential with Tryst Jeffrey Pang CMU Ben Greenstein Intel Research Srinivasan Seshan CMU David Wetherall University.

1 Making Local Service Discovery Confidential with Tryst Jeffrey Pang CMU Ben Greenstein Intel Research Srinivasan Seshan CMU David Wetherall University.
802.11 User Fingerprinting MobiCom 2007 (Sept 9-14 2007 Montreal, Quebec, Canada)

User Fingerprinting MobiCom 2007 (Sept Montreal, Quebec, Canada)

Similar presentations

Ads by Google