Device Tracking via Linux's New TCP Source Port Selection Algorithm (Extended Version)
Moshe Kol, Amit Klein, Yossi Gilad

TL;DR
This paper presents a novel device tracking method that exploits a Linux TCP port selection algorithm, demonstrates its effectiveness across various networks, and proposes security improvements for the vulnerabilities it discovered.
Contribution
We introduce a new tracking technique based on detecting hash collisions in Linux's TCP port selection algorithm, revealing a security flaw and suggesting mitigations.
Findings
Effective device tracking across networks and privacy modes
High success rate and long dwell time in real-world tests
Security patch introduced to mitigate the vulnerability
Abstract
We describe a tracking technique for Linux devices, exploiting a new TCP source port generation mechanism recently introduced to the Linux kernel. This mechanism is based on an algorithm, standardized in RFC 6056, for boosting security by better randomizing port selection. Our technique detects collisions in a hash function used in the said algorithm, based on sampling TCP source ports generated in an attacker-prescribed manner. These hash collisions depend solely on a per-device key, and thus the set of collisions forms a device ID that allows tracking devices across browsers, browser privacy modes, containers, and IPv4/IPv6 networks (including some VPNs). It can distinguish among devices with identical hardware and software, and lasts until the device restarts. We implemented this technique and then tested it using tracking servers in two different locations and with Linux devices…
Taxonomy
Topics: Internet Traffic Analysis and Secure E-voting · Network Security and Intrusion Detection · Advanced Malware Detection Techniques
