Infoz

Who: Hackers Like You.
What: ToorCon 12
When: OCT 22nd-24th
Where: San Diego Convention Center
Why: What could possibly go wrong?

Fast and accurate detection of rogue access points using clock skews

In 2005 Kohno, Broido, and claffy noticed that physical devices could be fingerprinted remotely by repeatedly quizzing them about their hardware clock time and calculating that clock's unique skew. They used ICMP timestamp requests and showed that even network latency variations could be overcome by the clock skew method.  However, this method required at least Layer 3 connectivity and so was of limited use with Wi-Fi: by the time a station associated with an "evil twin" AP and got an IP address, it could already be owned in a number of interesting ways.

However, APs' radio interfaces in master mode use their own microsecond-grained clocks, which put their timestamps in every beacon frame. Moreover, similar AP models appear to have similar clock skews, as we pointed out in our BlackHat '08 talk.

At about the same time a group of researchers presented a paper at the MobiCom '08 conference, claiming that they could detect a rogue AP by merely observing the clock skew of its beacon timestamps.

We will show how a rogue laptop can synchronize its beacons with a legitimate access point's TSF timer and pass the clock skew test well within its normal sensitivity, defeating the clock skew detection method.  We will also show how to detect this behavior, and what a wireless network operator can do to make it hard.
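The beacon-timestamp skew test described above, as an added example (not code from the talk or the cited papers): it fits a least-squares line to the offset between each beacon's TSF timestamp and the monitor's receive time, then compares the slope with an enrolled baseline. The line-fitting method, function names, the 1 ppm tolerance and all sample data are assumptions made for illustration.

```python
# Added example; all sample data, names and tolerances are constructed.

def estimate_skew_ppm(samples):
    """samples: (rx_time_us, tsf_us) pairs, i.e. the monitor's local receive
    time and the TSF timestamp carried in each beacon. Returns the
    least-squares slope of (TSF - local time) over local time, in ppm."""
    if len(samples) < 2:
        raise ValueError("need at least two beacons")
    t0, s0 = samples[0]
    xs = [t - t0 for t, _ in samples]               # elapsed local time (us)
    ys = [(s - s0) - (t - t0) for t, s in samples]  # accumulated offset (us)
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    if sxx == 0:
        raise ValueError("beacons must span a nonzero time window")
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / sxx * 1e6  # microseconds of drift per second = ppm


def matches_baseline(samples, baseline_ppm, tolerance_ppm=1.0):
    """True when the measured skew is within tolerance of the enrolled one."""
    return abs(estimate_skew_ppm(samples) - baseline_ppm) <= tolerance_ppm


def synth_beacons(skew_ppm, count=200, interval_us=102_400):
    """Constructed data: beacons from a clock running skew_ppm fast relative
    to the monitor, received with a few microseconds of jitter."""
    jitter = (0, 3, -2, 1, -1)
    beacons = []
    for i in range(count):
        sent = i * interval_us
        tsf = 5_000_000 + round(sent * (1 + skew_ppm / 1e6))
        beacons.append((1_000_000 + sent + jitter[i % 5], tsf))
    return beacons


if __name__ == "__main__":
    enrolled_ppm = 25.0  # constructed baseline for the legitimate AP
    for label, skew in (("legitimate AP", 25.0), ("different hardware", -12.0)):
        seen = synth_beacons(skew)
        print(label, round(estimate_skew_ppm(seen), 2), matches_baseline(seen, enrolled_ppm))
```

As the abstract states, a transmitter that synchronizes its beacons with the legitimate AP's TSF timer passes this comparison, so a matching skew is not proof of authenticity.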

Sergey Bratus

Sergey Bratus is a Research Assistant Professor of Computer Science at Dartmouth College. He enjoys wireless and wired network hacking and tries to help fellow academics to understand its value and relevance. Before coming to Dartmouth, he worked on machine learning for natural text processing at BBN Technologies. He has a Ph.D. in Mathematics from Northeastern University.

Chrisil Arackaparambil

Chrisil Arackaparambil is a graduate student at Dartmouth. After years of proving theorems about algorithms, he discovered the joy of Defcon talks and patching device drivers.

Anna Shubina

Anna Shubina chose "Privacy" as the topic of her doctoral thesis and was the operator of Dartmouth's Tor exit node when the Tor network had about 30 nodes total.

 
© 2010 ToorCon, all bits reserved.