An empirical study of passive 802.11 Device Fingerprinting

TL;DR

This study evaluates passive 802.11 device fingerprinting by analyzing global wireless network parameters, identifying transmission and inter-arrival times as the most effective features for device identification, influenced by hardware and software factors.

Contribution

It systematically assesses multiple passive network parameters for device fingerprinting, highlighting the effectiveness of transmission and inter-arrival times and their dependencies.

Findings

Transmission time and frame inter-arrival time are the most effective parameters.

Inter-arrival times depend on device hardware, drivers, and applications.

Passive fingerprinting can identify devices without active probing.

Abstract

802.11 device fingerprinting is the action of characterizing a target device through its wireless traffic. This results in a signature that may be used for identification, network monitoring or intrusion detection. The fingerprinting method can be active by sending traffic to the target device, or passive by just observing the traffic sent by the target device. Many passive fingerprinting methods rely on the observation of one particular network feature, such as the rate switching behavior or the transmission pattern of probe requests. In this work, we evaluate a set of global wireless network parameters with respect to their ability to identify 802.11 devices. We restrict ourselves to parameters that can be observed passively using a standard wireless card. We evaluate these parameters for two different tests: i) the identification test that returns one single result being the closest match for the target device, and ii) the similarity test that returns a set of devices that are close to the target devices. We find that the network parameters transmission time and frame inter-arrival time perform best in comparison to the other network parameters considered. Finally, we focus on inter-arrival times, the most promising parameter for device identification, and show its dependency from several device characteristics such as the wireless card and driver but also running applications.