Monday, August 14, 2017

Wi-Fi Taxonomy Talk at DEFCON25

I gave a talk at DEFCON 25 describing a technique to identify the type of Wi-Fi client connecting to an Access Point. It can be quite specific: it can distinguish an iPhone 5 from an iPhone 5s, it can tell a Samsung Galaxy S7 from an S8, etc. Classically in security literature this type of mechanism would have been called "fingerprinting," but in modern usage that term has evolved to mean identification of a specific individual user. Because this mechanism identifies the species of the device, not the specific individual, we refer to it as Wi-Fi Taxonomy.

The mechanism works by examining 802.11 management frames, the frames handled by the MAC Layer Management Entity (MLME), such as the probe requests a client sends while scanning and the association request it sends when it joins. It extracts the information elements present in those frames, and the order in which the client lists them, into a signature string. That string is quite distinctive to the combination of Wi-Fi chipset, device driver, and client OS, because each layer of that stack leaves its own mark on which elements are included and how they are ordered.
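The following is an added example, not code from the talk or from the Wi-Fi Taxonomy repository, showing the shape of the extraction step: a parser for the tagged information elements (1-byte ID, 1-byte length, value) that make up a probe request body, and a signature function that folds the element IDs, their order, the HT Capabilities Info field and vendor OUIs into one string. The signature format and the sample frame are this example's own constructions and do not match the project's real signature syntax; the parser also rejects a truncated element rather than silently producing a plausible-looking signature from a malformed frame.

```python
import struct

# 802.11 information element IDs used below (IEEE 802.11 element ID table).
IE_SSID = 0
IE_SUPPORTED_RATES = 1
IE_DS_PARAM = 3
IE_HT_CAPABILITIES = 45
IE_EXT_SUPPORTED_RATES = 50
IE_VENDOR_SPECIFIC = 221


def parse_ies(body: bytes):
    """Parse the tagged-parameter list of an 802.11 management frame body.

    Each element is: 1-byte ID, 1-byte length, `length` bytes of value.
    Returns a list of (id, value) tuples in frame order. Raises ValueError
    on a truncated element so a malformed frame cannot yield a signature.
    """
    ies = []
    offset = 0
    while offset < len(body):
        if offset + 2 > len(body):
            raise ValueError("truncated IE header at offset %d" % offset)
        ie_id, ie_len = body[offset], body[offset + 1]
        value = body[offset + 2:offset + 2 + ie_len]
        if len(value) != ie_len:
            raise ValueError("IE %d claims %d bytes, only %d present"
                             % (ie_id, ie_len, len(value)))
        ies.append((ie_id, value))
        offset += 2 + ie_len
    return ies


def signature(body: bytes, frame_type: str = "probe") -> str:
    """Build a taxonomy-style signature (format is this example's own).

    Plain elements contribute their ID; HT Capabilities contributes the
    2-byte Capabilities Info field (channel width, SM power save, short
    GI and similar chipset-level choices); vendor-specific elements
    contribute their 3-byte OUI so vendor extensions are distinguishable.
    """
    parts = []
    for ie_id, value in parse_ies(body):
        if ie_id == IE_HT_CAPABILITIES and len(value) >= 2:
            (htcap,) = struct.unpack_from("<H", value, 0)  # little-endian
            parts.append("htcap:%04x" % htcap)
        elif ie_id == IE_VENDOR_SPECIFIC and len(value) >= 3:
            parts.append("vendor:%s" % value[:3].hex())
        else:
            parts.append(str(ie_id))
    return "%s:%s" % (frame_type, ",".join(parts))


# Constructed probe request body (assumption: not a capture from any real
# device). A probe request has no fixed fields, only information elements.
CONSTRUCTED_PROBE_REQUEST = (
    bytes([IE_SSID, 0])                                      # wildcard SSID
    + bytes([IE_SUPPORTED_RATES, 8])
    + bytes([0x82, 0x84, 0x8b, 0x96, 0x0c, 0x12, 0x18, 0x24])
    + bytes([IE_EXT_SUPPORTED_RATES, 4]) + bytes([0x30, 0x48, 0x60, 0x6c])
    + bytes([IE_DS_PARAM, 1, 6])                             # channel 6
    + bytes([IE_HT_CAPABILITIES, 26]) + bytes([0x2d, 0x01]) + bytes(24)
    + bytes([IE_VENDOR_SPECIFIC, 9])
    + bytes([0x00, 0x50, 0xf2, 0x08, 0x00, 0x12, 0x00, 0x00, 0x00])
)

if __name__ == "__main__":
    print(signature(CONSTRUCTED_PROBE_REQUEST))
    try:
        parse_ies(CONSTRUCTED_PROBE_REQUEST[:-4])  # cut inside the last IE
    except ValueError as e:
        print("rejected malformed frame:", e)
```

Two clients that support the same features but list the elements in a different order, or pad the HT Capabilities differently, get different signatures, which is what makes the ordering worth keeping. In a real deployment the same function would be run over the association request as well and the two strings concatenated, since the element sets differ between the two frame types.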

The slides are available in PDF format from the DEFCON media server, and the speaker notes on the slides contain the complete talk. At the time of this writing the video has not yet been posted, but it will appear on the DEFCON Conference YouTube channel at some point. The database of signatures used to identify devices, together with the code that matches against it, is released as open source under the Apache license in a GitHub repository.

There is also a paper describing the mechanism, which goes one level deeper into how it works. It is available from arXiv.