ABSTRACT
We explore the use of the clock skew of a wireless local area network access point (AP) as its fingerprint to detect unauthorized APs quickly and accurately. The main goal behind using clock skews is to overcome one of the major limitations of existing solutions - the inability to effectively detect Medium Access Control (MAC) address spoofing. We calculate the clock skew of an AP from the IEEE 802.11 Time Synchronization Function (TSF) timestamps sent out in the beacon/probe response frames. We use two different methods for this purpose - one based on linear programming and the other based on a least-squares fit. We supplement these methods with a heuristic for differentiating original packets from those sent by the fake APs. We collect TSF timestamp data from several APs in two different residential settings. Using our measurement data as well as data obtained from a large conference setting, we find that clock skews remain consistent over time for the same AP but vary significantly across APs. Furthermore, we improve the resolution of the received timestamps of the frames and show that with this enhancement our methodology can find clock skews very quickly, using 50-100 packets in most cases. We also discuss and quantify the impact of various external factors, including temperature variation, virtualization, and NTP synchronization, on clock skews. Our results indicate that the use of clock skews appears to be an efficient and robust method for detecting fake APs in wireless local area networks.
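The least-squares approach named in the abstract can be sketched as follows; this is an added illustration, not code from the paper. The function names, the 1 ppm tolerance, the enrolled skew values and the synthetic beacon data are all assumptions made for the example.

```python
import random

BEACON_INTERVAL_US = 102_400  # 100 TU of 1024 us, a common default (assumed here)

def clock_skew_ppm(samples):
    """Least-squares skew estimate from (rx_time_us, tsf_us) pairs.

    The offset of the AP's TSF clock relative to the monitor's clock is
    fitted against elapsed monitor time; the slope is the skew.
    """
    if len(samples) < 2:
        raise ValueError("need at least two beacons")
    t0, s0 = samples[0]
    xs = [t - t0 for t, _ in samples]               # elapsed monitor time
    ys = [(s - s0) - (t - t0) for t, s in samples]  # AP clock offset
    n = len(samples)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    if sxx == 0:
        raise ValueError("beacons must span distinct receive times")
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / sxx * 1e6                          # slope in parts per million

def matches_fingerprint(samples, enrolled_ppm, tolerance_ppm=1.0):
    """True if the measured skew is within tolerance of the enrolled skew.
    The tolerance is an assumed value, not one taken from the paper."""
    return abs(clock_skew_ppm(samples) - enrolled_ppm) <= tolerance_ppm

def synth_beacons(skew_ppm, count=100, seed=1):
    """Constructed test data: beacons from a clock running skew_ppm fast,
    with up to 2 us of receive-side timestamp jitter."""
    rng = random.Random(seed)
    out = []
    for i in range(count):
        rx = i * BEACON_INTERVAL_US
        tsf = int(5_000_000 + rx * (1 + skew_ppm * 1e-6))  # TSF counts whole us
        out.append((rx + rng.uniform(0, 2), tsf))
    return out

if __name__ == "__main__":
    enrolled = 25.0                       # constructed fingerprint of the real AP
    genuine = synth_beacons(25.0, seed=7)
    spoofed = synth_beacons(-12.0)        # same MAC, different hardware clock
    print(round(clock_skew_ppm(genuine), 2), matches_fingerprint(genuine, enrolled))
    print(round(clock_skew_ppm(spoofed), 2), matches_fingerprint(spoofed, enrolled))
```

A spoofed MAC address does not change the transmitter's oscillator, so frames from a second device show a different slope even when every header field matches.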