Tracking PCs anywhere on the Net

A University of California researcher says he has found a way to identify computer hardware remotely, a technique that could potentially unmask anonymous Web surfers by bypassing some common security techniques.

Tadayoshi Kohno, a doctoral student, wrote in a paper on his research: "There are now a number of powerful techniques for remote operating system fingerprinting, that is, remotely determining the operating systems of devices on the Internet. We push this idea further and introduce the notion of remote physical device fingerprinting...without the fingerprinted device's known cooperation."

The potential applications for Kohno's technique are far-reaching. For example, it could be possible to track "a physical device as it connects to the Internet from different access points, counting the number of devices behind a NAT even when the devices use constant or random IP identifications, remotely probing a block of addresses to determine if the addresses correspond to virtual hosts."

NAT, or network address translation, is a protocol commonly used to make it appear as if machines behind a firewall all retain the same IP address on the public Internet.

Kohno's research is likely not the last word in Net anonymity, but simply the latest escalation in the arms race between snoopware and anonymity developers. Possible countermeasures include masking time skews with better random number generation techniques, for example.

Carnivore-like project?
Kohno appears to be aware of the interest from surveillance groups that his techniques could generate, saying in his paper: "One could also use our techniques to help track laptops as they move, perhaps as part of a Carnivore-like project." Carnivore was Internet surveillance software built by the Federal Bureau of Investigation. Earlier in the paper Kohno mentioned possible forensics applications, saying that investigators could use his techniques "to argue whether a given laptop was connected to the Internet from a given access location."

Another application for Kohno's technique could be to "obtain information about whether two devices on the Internet, possibly shifted in time or IP addresses, are actually the same physical device."

The technique works by "exploiting small, microscopic deviations in device hardware: clock skews." In practice, Kohno's paper says, his techniques "exploit the fact that most modern TCP stacks implement the TCP timestamps option from RFC 1323 whereby, for performance purposes, each party in a TCP flow includes information about its perception of time in each outgoing packet. A fingerprinter can use the information contained within the TCP headers to estimate a device's clock skew and thereby fingerprint a physical device."

Kohno goes on to say: "Our techniques report consistent measurements when the measurer is thousands of miles, multiple hops, and tens of milliseconds away from the fingerprinted device, and when the fingerprinted device is connected to the Internet from different locations and via different access technologies. Further, one can apply our passive and semi-passive techniques when the fingerprinted device is behind a NAT or firewall."

And the paper stresses that "the fingerprinter does not require any modification to or cooperation from the fingerprintee." Kohno and his team tested their techniques on many operating systems, including Windows XP and 2000, Mac OS X Panther, Red Hat and Debian Linux, FreeBSD, OpenBSD and even Windows for Pocket PCs 2002.

"In all cases," the paper says, "we found that we could use at least one of our techniques to estimate clock skews on the machines and that we required only a small amount of data, although the exact data requirements depended on the operating system in question."

A wider test of the techniques also proved fruitful for the researchers. "We also measured the clock skews of 69 (seemingly identical) Windows XP SP1 machines in one of our institution's undergraduate computing facilities. The latter experiment, which ran for 38 days, as well as other experiments, show that the clock skew estimates for any given machine are approximately constant over time, but that different machines have detectably different clock skews," the paper said.

The paper concludes that "the main advantage of our techniques...is that our technique can be mountable by adversaries thousands of miles and multiple hops away."

Information about the technique came to light when KC Claffy, principal investigator for the Cooperative Association for Internet Data Analysis (CAIDA) forwarded information about the project to a mailing list, "in the interest of full and early disclosure." However Claffy also said in her e-mail: "Please don't forward to any bad guys." Kohno is also associated with CAIDA.

Kohno's research is expected to be presented at the Institute of Electrical and Electronics Engineers Symposium on Security and Privacy in California in May.

Renai LeMay of ZDNet Australia reported from Sydney.