Wednesday, January 24, 2018

I Know What You Are by the Smell of Your Wi-Fi

In July 2017 I gave a talk at DEFCON 25 describing a technique to identify the type of Wi-Fi client connecting to an Access Point. It can be quite specific: it can distinguish an iPhone 5 from an iPhone 5s, a Samsung Galaxy S7 from an S8, etc. Classically in security literature this type of mechanism would have been called "fingerprinting," but in modern usage that term has evolved to mean identification of a specific individual user. Because this mechanism identifies the species of the device, not the specific individual, we refer to it as Wi-Fi Taxonomy.

The mechanism works by examining Wi-Fi management frames, called MLME frames. It extracts the options present in the client's packets into a signature string, which is quite distinctive to the combination of the Wi-Fi chipset, device driver, and client OS.
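To make the signature idea concrete, here is an added example (not code from the talk or from the signature database) that walks the Information Elements of a constructed probe request body and builds a taxonomy-style string from the element ids, in the order the client sent them, plus a few HT Capabilities fields. The frame bytes, the simplified signature format and the device label are all constructed for illustration.

```python
import struct

# Constructed probe request body (Information Elements only, 802.11 header
# stripped). Not a capture from any real device.
PROBE_REQ_BODY = bytes.fromhex("".join([
    "0000",                        # SSID (id 0), wildcard
    "01080c1218243048606c",        # Supported Rates (id 1)
    "32043048606c",                # Extended Supported Rates (id 50)
    "030106",                      # DS Parameter Set (id 3), channel 6
    "2d1a6f0017ffff" + "00" * 21,  # HT Capabilities (id 45): info 0x006f, A-MPDU 0x17, MCS 0-15
    "7f080000000000000040",        # Extended Capabilities (id 127)
    "dd070050f208001100",          # Vendor Specific (id 221): OUI 00:50:f2, type 8
]))

def parse_ies(body):
    """Yield (element_id, payload) in wire order. A truncated trailing element
    is dropped instead of raising, so a damaged frame still yields a signature."""
    i = 0
    while i + 2 <= len(body):
        eid, length = body[i], body[i + 1]
        i += 2
        if i + length > len(body):
            break
        yield eid, body[i:i + length]
        i += length

def signature(body, kind="probe"):
    """Element ids in the order the client sent them (order is part of the
    signal), vendor elements tagged with OUI and type, then the HT fields that
    differ between chipsets and drivers. Simplified format, not the project's."""
    ids, fields = [], []
    for eid, data in parse_ies(body):
        if eid == 221 and len(data) >= 4:
            ids.append("%d(%s,%d)" % (eid, data[:3].hex(), data[3]))
        else:
            ids.append(str(eid))
        if eid == 45 and len(data) >= 7:
            htcap = struct.unpack_from("<H", data, 0)[0]  # HT Capabilities Info
            htagg = data[2]                                # A-MPDU parameters
            htmcs = struct.unpack_from("<I", data, 3)[0]  # first 4 bytes of MCS set
            fields += ["htcap:%04x" % htcap, "htagg:%02x" % htagg, "htmcs:%08x" % htmcs]
    return "%s:%s" % (kind, ",".join(ids + fields))

# Constructed lookup table: placeholder label, not an entry from the real database.
KNOWN = {"probe:0,1,50,3,45,127,221(0050f2,8),htcap:006f,htagg:17,htmcs:0000ffff": "example-device-A"}

def identify(body):
    return KNOWN.get(signature(body), "unknown")

if __name__ == "__main__":
    print(signature(PROBE_REQ_BODY), "->", identify(PROBE_REQ_BODY))
```

A real deployment combines the probe request and association request signatures, and a frame with a truncated last element (as `PROBE_REQ_BODY[:-3]` below) still parses but maps to a different string.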

The video of the talk has been posted by DEF CON:

Additionally:

  • The slides are available in PDF format from the DEFCON media server, and the speaker notes on the slides contain the complete talk.
  • The database of signatures to identify devices is available as open source code with an Apache license as a GitHub repository.
  • There is also a paper which describes the mechanism, and which goes a level of detail deeper into how it works. It is available from arXiv.