Sandia Demonstrates Wireless Device Driver Vulnerabilities
14 Sep 06:22

An interesting research paper from Sandia Lab, presented at last month's USENIX Security Symposium in Vancouver, B.C., describes a new non-interactive (passive) method for fingerprinting WLAN device drivers.

This research is primarily of interest because device drivers are becoming a primary source of security holes in modern operating systems. Sandia security researcher Jamie Van Randwyk and a research team last year set out to design, implement, and evaluate a technique that has proved capable of passively identifying the wireless driver used by an 802.11 device, without specialized equipment and under realistic network conditions.

The passive approach means that a fingerprinter (attacker) need only be in relatively close physical proximity to a target (victim) in order to monitor his or her wireless traffic. Anyone within transmission range of a wireless device, therefore, can conceivably fingerprint the device's wireless driver. Reconnaissance of this type is difficult to prevent because the attacker never transmits, so there is nothing for the victim or a wireless intrusion detection system to observe.

Sandia's fingerprinting technique relies on the fact that wireless clients actively scan for access points by periodically sending out probe request frames. The 802.11 standard defines the probe request frame itself, but it does not specify how often, or with what timing, a client should send them. Consequently, each wireless device driver implements the probe request schedule in its own way. Sandia's technique exploits this by collecting the probe requests a client transmits and statistically analysing the inter-frame timing (the gaps between successive probe requests), which differs from driver to driver.
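As an added example (not the Sandia team's code, and not the paper's exact classifier), the following Python sketch shows the shape of such a passive fingerprinter: filter one station's probe requests out of a capture, turn the inter-arrival gaps into a binned timing signature, and pick the known driver whose signature best explains the observed gaps. The driver names, MAC addresses, bin width, minimum sample count and timing patterns are all constructed for illustration; real signatures must be learned from captures of known drivers.

```python
"""Added example: classify an 802.11 station's wireless driver from the
inter-arrival timing of its probe request frames. Timings, MAC addresses,
driver names and thresholds are constructed, not taken from the paper."""
import math

BIN_MS = 50          # histogram bin width in milliseconds (assumption)
MAX_GAP_MS = 2000    # gaps at or above this collapse into the last bin
NBINS = MAX_GAP_MS // BIN_MS + 1

def bin_index(gap_ms):
    """Map an inter-frame gap (integer ms) to a histogram bin."""
    return min(gap_ms // BIN_MS, NBINS - 1)

def signature(gaps_ms):
    """Smoothed, normalized histogram of gaps: the driver's timing fingerprint."""
    counts = [1.0] * NBINS            # add-one smoothing: no bin is ever zero
    for g in gaps_ms:
        counts[bin_index(g)] += 1
    total = sum(counts)
    return [c / total for c in counts]

def probe_gaps(frames, mac):
    """Inter-arrival gaps of one station's probe requests, from a capture of
    (timestamp_ms, source_mac, frame_subtype) tuples; other frames are ignored."""
    ts = sorted(t for t, src, sub in frames if src == mac and sub == "probe_req")
    return [b - a for a, b in zip(ts, ts[1:])]

def log_likelihood(gaps_ms, sig):
    return sum(math.log(sig[bin_index(g)]) for g in gaps_ms)

def classify(gaps_ms, signatures):
    """Naive-Bayes style: the known driver whose signature makes the observed
    gaps most likely. Returns (driver, per-driver log-likelihoods)."""
    scores = {name: log_likelihood(gaps_ms, sig) for name, sig in signatures.items()}
    return max(scores, key=scores.get), scores

def synth_capture(mac, pattern_ms, repeats, start_ms=0):
    """Constructed capture: a station emitting probe requests with the given gap
    pattern plus a deterministic few-ms jitter, interleaved with beacon frames
    from an access point so that the filtering in probe_gaps() matters."""
    jitter = [3, -2, 0, 1, -1]
    frames, t, i = [], start_ms, 0
    for _ in range(repeats):
        for gap in pattern_ms:
            frames.append((t, mac, "probe_req"))
            t += gap + jitter[i % len(jitter)]
            i += 1
            frames.append((t - gap // 2, "00:11:22:33:44:55", "beacon"))
    return frames

# Constructed training captures for three hypothetical drivers.
TRAINING = {
    "driver_a": synth_capture("aa:aa:aa:00:00:01", [100, 100, 100, 1000], 30),  # bursts, then a pause
    "driver_b": synth_capture("bb:bb:bb:00:00:01", [300] * 4, 30),              # steady cadence
    "driver_c": synth_capture("cc:cc:cc:00:00:01", [50, 1500], 60),             # pairs, long idle
}
SIGNATURES = {name: signature(probe_gaps(frames, frames[0][1]))
              for name, frames in TRAINING.items()}

def fingerprint_station(frames, mac):
    """Return the best-matching driver name, or None if too few probes were seen."""
    gaps = probe_gaps(frames, mac)
    if len(gaps) < 20:      # assumption: wait for a few minutes' worth of probes
        return None
    return classify(gaps, SIGNATURES)[0]

if __name__ == "__main__":
    victim = synth_capture("de:ad:be:ef:00:01", [100, 100, 100, 1000], 12, start_ms=5000)
    print(fingerprint_station(victim, "de:ad:be:ef:00:01"))
```

Nothing here depends on the station's MAC address beyond grouping frames by sender, which is the point of the technique: the signal is in timing the driver controls, not in a field the user can change. In practice the frames would come from a monitor-mode interface, the bin width and smoothing would be tuned to the drivers under study, and the minimum sample count would be set from the accuracy-versus-capture-time trade-off the paper measures.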

Fingerprinting an 802.11 network interface card (NIC) is nothing new, but fingerprinting the device driver is. It is the more useful result for an attacker because it identifies exactly which piece of kernel-mode code is handling the victim's frames, and that is where driver exploits take effect. Additionally, the timing features used by the Sandia passive technique are not a configurable option in any of the drivers tested, unlike the MAC address, which most operating systems allow a user to change.

The technique has proven to be quite reliable, achieving an accuracy rate ranging from 77 to 96 per cent, depending on the network setting. Furthermore, it requires only a few minutes' worth of captured network data, and tests confirm that it withstands realistic network conditions.

This is clearly a practical reconnaissance technique, and the Sandia researchers offer a range of suggestions for how drivers could be redesigned to counter it.

The paper is available through the link below.

Related link: www.sandia.gov/news/resources/releases/2006/images/wireless-fingerprinting.pdf
