


15th USENIX Security Symposium

Pp. 167–178 of the Proceedings

Jason Franklin, Damon McCoy, Parisa Tabriz, Vicentiu Neagoe, Jamie Van Randwyk, Douglas Sicker

Abstract


Motivated by the proliferation of wireless-enabled devices and the suspect nature of device driver code, we develop a passive fingerprinting technique that identifies the wireless device driver running on an IEEE 802.11 compliant device. This technique is valuable to an attacker wishing to conduct reconnaissance against a potential target so that he may launch a driver-specific exploit.
In particular, we develop a unique fingerprinting technique that accurately and efficiently identifies the wireless driver without modification to or cooperation from a wireless device. We perform an evaluation of this fingerprinting technique that shows it both quickly and accurately fingerprints wireless device drivers in real world wireless network conditions. Finally, we discuss ways to prevent fingerprinting that will aid in improving the security of wireless communication for devices that employ 802.11 networking.

1 Introduction

Device drivers are a primary source of security holes in modern operating systems [1]. Drivers experience error rates three to seven times higher than other kernel code, making them the poorest quality code in most kernels [2]. There are a large number of different device drivers available, each being a potentially large body of code that is frequently modified to support new hardware features. These factors and the fact that drivers are often developed by programmers who lack intimate knowledge of the operating system kernel contribute to the disproportionately high number of bugs found in device drivers [3].
In general, device drivers execute in kernel space; hence, exploiting a vulnerable driver leads to compromise of the entire operating system. This threat is somewhat tempered by the fact that interacting with a driver typically requires physical access to a system. As a result, most security holes in device drivers are difficult to exploit remotely. For instance, it is hard to remotely interact with, much less exploit, a video or keyboard driver. Classes of drivers exist with which it is possible to interact without physical access to a system. Drivers for network devices such as wireless cards, Ethernet cards, and modems are examples. In particular, wireless network device drivers are easy to interact with and potentially exploit if the attacker is within transmission range of the wireless device. Today, the single most common and widespread wireless devices are those conforming to the IEEE 802.11 standards [4]. The vast number of 802.11 devices, the ease with which one may interact with their drivers, and the suspect nature of driver code in general have led us to evaluate the ability of an attacker to launch a driver-specific exploit by first fingerprinting the device driver.
Fingerprinting is a process by which a device or the software it is running is identified by its externally observable characteristics. In this paper, we design, implement, and evaluate a technique for fingerprinting IEEE 802.11a/b/g wireless network drivers. Our approach is based on statistical analysis of the rate at which common 802.11 data link layer frames are transmitted by a wireless device. Since most wireless exploits are dependent on the specific driver being used, wireless device driver fingerprinting can aid an attacker in launching a driver-specific exploit against a victim whose device is running a vulnerable driver.
Our technique is completely passive, meaning that a fingerprinter (attacker) needs only to be able to monitor wireless traffic from the fingerprintee (target, victim). This makes it possible for anyone within transmission range of a wireless device to fingerprint the device's wireless driver. Passive fingerprinting techniques have the advantage over active approaches in that they do not transmit data, making prevention of such techniques difficult. If an attacker can passively determine which driver a device is using, he can successfully gain information about his victim without fear of detection.
Our fingerprinting technique relies on the fact that most stations actively scan for access points to connect to by periodically sending out probe request frames. The algorithm used to scan for access points is not explicitly defined in the 802.11 standard. Therefore, it is up to the developers of device drivers to implement their own method for probing. This lack of an explicit specification for a probing algorithm in the 802.11 standard has led to the development of many wireless device drivers that perform this function entirely differently than other wireless device drivers. Our fingerprinting technique takes advantage of these implementation-dependent differences to accurately fingerprint a driver. Specifically, our method is based on statistical analysis of the inter-frame timing of transmitted probe requests. A timing-based approach has a number of advantages over a content-based approach. Primary among these is the fact that coarse-grained timing information is preserved despite the encryption of frame content as specified by security standards such as Wired Equivalent Privacy (WEP) or 802.11i [5].
Fingerprinting an 802.11 network interface card (NIC) is not a new concept. Many tools exist, such as Ethereal [6], that use the wireless device's Media Access Control (MAC) address to identify the card manufacturer and model number. A MAC address is an ostensibly unique character string that identifies a specific physical network interface. The IEEE Standards Association assigns each NIC manufacturer a special three-byte code, referred to as an Organizationally Unique Identifier (OUI), which identifies a particular manufacturer. While not part of the standard, most manufacturers use the next byte to specify the model of the NIC. There are a few notable advantages to using our method instead of relying on the information contained in the captured MAC address. First, the MAC address only identifies the model and manufacturer of the NIC. Our technique fingerprints the device driver (which resides at the operating system level), where the bulk of exploits rest. Second, some NICs can operate using multiple drivers, implying that the MAC address would not be enough information to identify what driver the NIC was using. Finally, whereas the MAC address is easily alterable in most operating systems, the features used by our passive technique are not a configurable option in any of the drivers tested.
Our testing demonstrates an accuracy for our method in identifying the driver that ranges from 77-96%, depending on the network setting. Our technique requires only a few minutes worth of network data to achieve this high level of accuracy. We also confirm that the technique can withstand realistic network conditions.
Contributions. The main contribution of this paper is the design, implementation, and evaluation of a passive wireless device driver fingerprinting technique. Our technique is capable of passively identifying the wireless driver used by 802.11 wireless devices without specialized equipment and in realistic network conditions. In addition, we demonstrate that our technique is accurate, practical, fast, and requires little data to execute.
The remainder of the paper is organized as follows. Background material is presented in Section 2. Section 3 presents the design for our wireless device fingerprinting technique. Section 4 describes the implementation of our fingerprinting technique and Section 5 presents our experimental results and evaluation of our technique under realistic network conditions. Section 6 presents the limitations of our technique and Section 7 discusses possible ways to prevent driver fingerprinting. Finally, Section 8 examines related work and we conclude in Section 9.

2 Background: IEEE 802.11 Networks

Wireless technologies are encroaching upon the traditional realm of 'fixed' or 'wired' networks. The most widely adopted wireless networking technology thus far has been the 802.11 networking protocol, which consists of six modulation techniques, the most common of which are the 802.11a, 802.11b, and 802.11g standard amendments. The price erosion and popularity of 802.11 capable hardware (especially 802.11b/g) has made wireless networks both affordable and easy to deploy in a number of settings, such as offices, homes, and wireless hot spots. Because of this, 802.11 is currently the most popular and common non-telephony communication protocol available for wireless communication [7].
The 802.11 standard defines a set of protocol requirements for a wireless MAC, or medium access control, which specifies the behavior of data link layer communication between stations in a wireless network. A station is simply a device with wireless capabilities, such as a laptop or PDA with a wireless networking interface. Throughout this paper, we often refer to stations as clients. Most 802.11 networks operate in infrastructure mode (as opposed to ad-hoc mode) and use an access point (AP) to manage all wireless communications; it is this type of network that is the setting for our fingerprinting technique. An example of a simple infrastructure network with three clients and one access point is depicted in Figure 1.

Figure 1: An infrastructure mode IEEE 802.11 network.

A key component of the 802.11 standard is the MAC specification that outlines the function of various communication frames. The MAC coordinates access to the wireless medium between stations and controls transmission of user data into the air via control and management frames. Higher-level protocol data, such as data produced by an application, is carried in data frames.
All 802.11 MAC frames include both a type and subtype field, which are used to distinguish between the three frame types (control, management, and data) and various subtypes. We consider only management frames in our passive fingerprinting technique, and specifically focus on probe request frames. Because of this, we only describe the most pertinent MAC frames communicated when a client joins a wireless network, and refer the reader to the IEEE 802.11 standard specification [4] for a more detailed description of MAC framing.
Each mobile client must identify and associate with an access point before it can receive network services. In a process called active scanning, clients use probe request frames to scan an area for a wireless access point, providing the data rates that the client can support inside fields of the probe request. If an access point is compatible with the client's data rates, it sends a probe response frame to acknowledge the request. Once a client identifies a network and authenticates to the access point via an authentication request and authentication response, the client can attempt to join the network by issuing an association request. If the association is successful, the access point will respond to the client with an association response that includes a unique association ID for future communications. At this point, all communication between a client and another machine, whether it resides within the wireless network or is located outside of it, is routed through and controlled by the access point.

3 Fingerprinting Approach

Our fingerprinting technique is solely concerned with the active scan function in wireless clients. When actively scanning, clients send probe request frames to elicit responses from access points within transmission range. The IEEE 802.11 standard describes the active scan function of a client as follows. For each channel, the client broadcasts a probe request and starts a timer. If the timer reaches MinChannelTime and the channel is idle, the client scans the next channel. Otherwise, the client waits until the timer reaches MaxChannelTime, processes the received probe response frames and then scans the next channel. Further detailed specification of the active scanning function is not provided in the IEEE 802.11 standard. As a result, implementing active scanning within wireless drivers has become a poorly guided task. This has led to the development of many drivers that perform probing using slightly different techniques. By characterizing these implementation-dependent probing algorithms, we are able to passively identify the wireless driver employed by a device.
A number of factors affect the probing behavior of a client and make accurate fingerprinting without client cooperation a challenging task. From the perspective of an external fingerprinter, the probing behavior of a client is dependent on unobservable internal factors such as timers, and on uncontrollable external factors such as background traffic. A robust fingerprinting method cannot rely on client cooperation or assume a static environment, hence our technique uses machine learning to develop a model of a driver's behavior. This model is then used for future identification.

(a) D-Link driver for the D-Link DWL-G520 (802.11b/g) PCI wireless NIC

(b) Cisco driver for the Aironet AIR-CB21AG-A-K9 (802.11a/b/g) PCI wireless NIC

Figure 2: Plot of time delta from the previous arrival of probe request frames transmitted by two drivers.

Having explained the intuition behind our technique, we turn our attention to two examples of representative probing behavior. Figure 2(a) and Figure 2(b) are plots of the time delta between arriving probe request frames as transmitted by two different wireless drivers. Both figures clearly depict a distinctly unique cyclic pattern. We further describe the pertinent features of Figure 2(b) as a way to characterize the differences between the probing patterns. Figure 2(b) is composed of a repeating pulse with an approximate amplitude of 50 seconds. These large pulses are occasionally preceded and/or followed by much smaller pulses ranging from 1-5 seconds. These pulses indicate that probing was occurring in bursts of probe request frames sent out, on average, every 50 seconds.
Upon closer inspection, one notices that the cyclic pattern exhibited by the driver probing is characterized by small variations. Our observations reveal there are two main reasons for this. The first reason is due to loss caused by signal interference. A fingerprinter could significantly reduce this type of loss by using a higher gain antenna found on commercial grade wireless cards. The second source of variation comes from wireless drivers continuously cycling through all eleven channels in the 2.4 GHz ISM band in search of other access points. The channel cycling can be considered an additional source of loss since probe request frames transmitted on unmonitored channels cannot be observed. Multiple wireless cards could be used to monitor all eleven channels simultaneously; however, we make the more realistic assumption that a fingerprinter has a single wireless card that can only monitor a small portion (e.g. one channel at any point in time) of the eleven channels. This loss indicates that some probe requests are missed, and statistical approaches are needed to compensate for the lost frames. Given the data described above, we characterize the explicit probing behavior of a client by the sending rate of probe request frames. In the next section, we show how to leverage this characterization to accurately identify wireless drivers.

4 Device Driver Fingerprinting

The fingerprinting technique proceeds in two stages: trace capture and fingerprint generation. During trace capture, a fingerprinter within wireless transmission range of a fingerprintee captures 802.11 traffic, hereafter referred to as the trace. During fingerprint generation, the captured trace is analyzed using a supervised Bayesian approach to generate a robust device driver fingerprint.

4.1 Trace Capture

To begin the trace capture phase, we first consider how a fingerprinter might obtain a trace of probe request frames from a wireless device using widely available hardware and software. We assume a one-to-one mapping of MAC addresses to wireless devices, and believe this to be a reasonable assumption. Because each wireless NIC is assigned a unique MAC address by its manufacturer, the only cause for duplicate MACs on a network would be the result of a user reassigning his MAC address independently. However, as there are theoretically $2^{48}$ acceptable MAC addresses, the probability of a user choosing an existing MAC on the network is negligible. In Section 7, we address the effects that violating this assumption has on our fingerprinting technique.
The fingerprinter can use any device that is capable of eavesdropping on the wireless frames transmitted by the fingerprintee. Therefore, the fingerprinter must be within receiving range of the fingerprintee's wireless transmissions. We assume the fingerprinter is using a single, high-gain, COTS (commercial off-the-shelf) wireless card. Next, the fingerprinter must configure their wireless card to operate in monitor mode; this mode allows the wireless card to capture frames promiscuously (i.e. whether they are specifically addressed to that wireless card or not). The fingerprinter must prevent their card from associating with an access point or sending its own probe request frames so collection is completely passive. This allows the fingerprinter to capture all frames sent on the current channel, including probe request frames, without interfering with the network's normal operation. We assume that the fingerprinter's machine is running an OS and driver combination that supports a wireless card in monitor mode. This can be easily done in Linux, FreeBSD, and Mac OS X. Finally, the fingerprinter can use a network protocol analyzer, such as Ethereal [6], to record the eavesdropped frames and filter out all irrelevant data. After following the above steps, the fingerprinter should have sufficient data to construct graphs similar to Figures 2(a) and 2(b).

4.2 Fingerprint Generation

After a trace has been captured, the data must be analyzed to characterize the probe request behavior. Previous work has shown that a simple supervised Bayesian approach is extremely accurate for many classification problems [8]. We chose to employ a binning approach to characterize the time deltas between probe requests because of the inherently noisy data due to frame loss.
Binning works by translating an interval of continuous data points into discrete bins. A bin is an internal value used in place of the true value of an attribute. The binning method smooths probabilities for the continuous attribute values by placing them into groups. Although binning causes some loss of information for continuous data, it allows for smooth probability estimates. Some noise is averaged out because each bin probability is an estimate for that interval, not individual continuous values. We chose to use equal-width binning where each bin represents an interval of the same size. While more sophisticated schemes may be available, this simple approach generated distinct fingerprints of probe inter-arrival times and provided a successful means for driver identification.
After performing a number of data analysis tests, we isolated two attributes from the probing rate that were essential to fingerprinting the wireless driver. The first attribute was the bin frequency of delta arrival time values between probe request frames. The second attribute was the average, for each bin, of all actual (non-rounded) delta arrival time values of the probe request frames placed in that bin. The first attribute characterizes the size of each bin and the second attribute characterizes the actual mean of each bin. Our next step was to create a signature (Bayesian model) for each individual wireless driver that embodies these attributes. Building models from tagged data sets is a common technique used in supervised Bayesian classifiers [9].

| Bin (s) | Percentage | Mean (s) |
|---------|------------|----------|
| 0       | 0.676      | 0.16     |
| 1.2     | 0.228      | 1.72     |
| 50      | 0.096      | 49.80    |

Table 1: Sample signature for the Cisco Aironet 802.11 a/b/g PCI driver

We now describe the process used to transform raw trace data into a device signature. To calculate the bin probabilities, we rounded the actual delta arrival time value to the closest discrete bin value. For example, if the bins were of a fixed width of size 1 second, any probe request frames with a delta arrival value in (0, 0.50] seconds would be placed in the 0 second bin, any probe request frames with a delta arrival value in (0.51, 1.50] seconds would be placed in the 1 second bin, and so forth. Based on empirical optimization experiments presented in our results section, we use an optimal bin width size of 0.8 seconds. The percentage of the total probe request frames placed in each bin is recorded along with the average, for each bin, of all actual (non-rounded) delta arrival time values of the probe request frames placed in that bin. These values comprise the signature for a wireless driver which we add to a master signature database containing all the tagged signatures that are created. An example of a signature created from the probe request frames in Figure 2(b) is shown in Table 1. New signatures can be inserted, modified, or deleted from the database without affecting other signatures. This allows collaborative signature sharing, similar to how Snort [10] intrusion detection signatures are currently shared.
Once the master signature database is created, a method is required to compute how 'close' an untagged signature from a probe request trace is to each of the signatures in the master signature database.

4.3 Calculating Closeness

Let us now assume that an attacker has obtained a trace and created a signature $T$ of the probe request frames sent from the fingerprintee. Let $p_n$ be the percentage of probe request frames in the $n$th bin of $T$ and let $m_n$ be the mean of all probe request frames in the $n$th bin. Let $S$ be the set of all signatures in the master signature database and let $s$ be a single signature within the set $S$. Let $v_n$ be the percentage of probe request frames in the $n$th bin of $s$ and let $w_n$ be the mean of all probe request frames in the $n$th bin of $s$. The following equation was used to calculate the distance between the observed, untagged fingerprintee signature, $T$, and all known master signatures, assigning to $C$ the distance value of the closest signature in the master database to $T$:
(1)

Our technique iterates through all bins in $T$, summing the difference of the percentages and mean differences scaled by the percentage. The mean differences are scaled by the $s$ bin percentage to prevent this value from dominating the bin percentage differences. We show in our results that the features included in a signature and our final method of calculating signature difference are effective in successfully fingerprinting wireless device drivers.
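The signature construction of Section 4.2 and the closeness calculation of Section 4.3, as an added example that is not the paper's own code, useful for checking how distinguishable a given driver's probing is. It follows the prose description only; the absolute-value differences, treating a bin absent from a master signature as empty, and the two constructed driver profiles (`driver-A`, `driver-B`) are assumptions.

```python
import math

BIN_WIDTH = 0.8  # seconds; the width the paper selects in Section 5.4


def bin_index(delta, width=BIN_WIDTH):
    """Index of the equal-width bin nearest to delta (bin value = index * width).

    Ties go to the lower bin, matching the text's (0, 0.50] -> 0 second bin.
    """
    return max(0, math.ceil(delta / width - 0.5))


def build_signature(timestamps, width=BIN_WIDTH):
    """Map bin index -> (fraction of deltas in the bin, mean of the raw deltas)."""
    ts = sorted(timestamps)
    deltas = [b - a for a, b in zip(ts, ts[1:])]
    if not deltas:
        raise ValueError("need at least two probe request timestamps")
    groups = {}
    for d in deltas:
        groups.setdefault(bin_index(d, width), []).append(d)
    return {i: (len(v) / len(deltas), sum(v) / len(v)) for i, v in groups.items()}


def distance(observed, master):
    """Sum over the bins of the observed signature T of the percentage
    difference plus the mean difference scaled by the master bin percentage."""
    total = 0.0
    for i, (p, m) in observed.items():
        v, w = master.get(i, (0.0, 0.0))  # assumption: absent bin counts as empty
        total += abs(p - v) + v * abs(m - w)
    return total


def classify(observed, database):
    """Return the closest master signature's name and the full ranking."""
    ranked = sorted((distance(observed, sig), name) for name, sig in database.items())
    return ranked[0][1], ranked


def bursty_trace(cycles):
    """Constructed profile: a short burst of four probes every 50 seconds."""
    frames = []
    for c in range(cycles):
        base = 50.0 * c
        frames += [base, base + 0.1, base + 0.2, base + 1.5]
    return frames


def steady_trace(count):
    """Constructed profile: one probe roughly every three seconds."""
    frames, t = [], 0.0
    for i in range(count):
        frames.append(t)
        t += 3.0 if i % 2 == 0 else 3.2
    return frames


def demo():
    database = {
        "driver-A": build_signature(bursty_trace(40)),
        "driver-B": build_signature(steady_trace(400)),
    }
    # Constructed observation: the bursty profile with every fifth frame lost,
    # standing in for interference and probes sent on unmonitored channels.
    lossy = [t for i, t in enumerate(bursty_trace(20)) if i % 5 != 4]
    observed = build_signature(lossy)
    return observed, database, classify(observed, database)


if __name__ == "__main__":
    observed, database, (best, ranked) = demo()
    for i in sorted(observed):
        frac, mean = observed[i]
        print(f"bin {i * BIN_WIDTH:5.1f}s  fraction {frac:.3f}  mean {mean:.2f}s")
    print("closest:", best, [(name, round(d, 3)) for d, name in ranked])
```

Frame loss shifts some deltas into neighbouring bins and creates a bin the master signature lacks, yet the lossy trace still lands far closer to its own profile than to the other one.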

5 Evaluation

We tested our fingerprinting technique with a total of 17 different wireless interface drivers in their default configurations. We characterized wireless device drivers for the Linux 2.6 kernel, Windows XP Service Pack 1 and Service Pack 2, and Mac OS X 10.3.5. The machine we used to fingerprint other hosts' wireless drivers was a 2.4 GHz Pentium 4 desktop with a Cisco Aironet a/b/g PCI wireless card, running the Linux 2.6 kernel and the MadWifi wireless NIC driver [11]. Various Pentium III class desktop machines and one Apple PowerBook laptop were used as fingerprintee machines.
We address five primary characteristics that we expect any fingerprinting technique to be evaluated against. First, we investigate the resolution of our method. Specifically, we evaluate our identification granularity between drivers for different NICs, different drivers that support identical NICs, and different versions of the same driver. Second, we evaluate the consistency of our technique. We measure how successful our fingerprinting technique is in a variety of scenarios and over multiple network sessions, after operating system reboot, and when using the same driver to control different NICs. Third, we test the robustness of our technique. We conduct our experimentation in realistic network settings that experience loss rates similar to other wireless infrastructure networks. Fourth, we analyze the efficiency of our technique with respect to both data and time. Finally, we evaluate the resistance of our technique to varying configuration settings of a driver and evaluate the potential ways one might evade our fingerprinting technique.
To address these issues, we conducted a number of experiments using different wireless drivers and cards across a number of different operating system environments. In all cases, our technique successfully fingerprinted the wireless driver in at least one configuration. While the amount of time needed to collect the data varied across drivers and configurations, we required only a small amount of captured wireless traffic to fingerprint drivers accurately.
From our initial observations, we identified two properties of a device and driver that altered their signatures. The first property concerned whether the wireless device was unassociated or associated to an access point. Our initial experiments revealed that, by default, all wireless drivers transmit probe request frames when disassociated from an access point. Additionally, many continue to send probe requests even after association to an access point, though often not as frequently. The second property (only applicable to Windows drivers) concerns how the driver is managed. For many drivers, the Windows operating system can manage the configuration of the network settings for the wireless device instead of having a standalone (vendor provided) program perform those functions. The standalone program is provided by the manufacturer of the wireless device and often supports more configuration options for the specific driver, though also requires more user interaction to manage the device. We noticed slight differences in the behavior of probing depending on which option a user chose to manage their device. Due to these differences, we treated each of these property scenarios uniquely and created signatures to identify a driver under any of the appropriate cases.

(a) Test set 1 and master signature experimental setup.

(b) Test set 2 experimental setup.

(c) Test set 3 experimental setup.
Figure 3: Our test scenarios. R is the fingerprinter.

5.1 Building the Master Signatures

We collected trace data and constructed individual signatures with the same structure as the example signature in Table 1. This was repeated for all 17 wireless drivers in every configuration known to affect the signature and supported by the wireless driver. Drivers from Apple, Cisco, D-Link, Intel, Linksys, MadWifi (for Atheros chipset-based cards running under Linux), Netgear, Proxim, and SMC were included in our testing. A majority of the drivers included in our tests were for Windows; therefore most of the drivers initially had four individual signatures. We will refer to the four different configurations as follows: (1) unassociated and controlled by Windows, (2) unassociated and controlled by a standalone program, (3) associated and controlled by Windows, (4) associated and controlled by a standalone program. Three drivers did not support networking control by Windows (options 1 and 3), and four of the drivers tested did not transmit probe request frames when associated. This meant that initially, 57 signatures were compiled in the master signature database. We collected four signatures at a time and each signature trace contained a minimum of 12 hours worth of data points. A 30 minute portion of each trace was set aside and not used in signature training. This data was used as test set 1, which we further describe in the next section. As can be seen from Figure 3(a), the observing machine's antenna was placed approximately 15 feet from the fingerprintee machines, and no physical obstructions were present between the machines. Also, no 802.11 wireless traffic was detected besides the traffic generated by the fingerprintees.
After analyzing these signatures, we noted that changing configurations for some drivers had little impact on the probe request frame transmission rate and consequently, the generated signatures were indistinguishable from one another. We considered these signatures to be duplicates and removed all but one from the master signature database. This process could be automated by eliminating signatures that are insufficiently different from others with respect to some similarity threshold. There was only a single case where two of the drivers from the same manufacturer (Linksys) had indistinguishable signatures. For this case, we again left only a single signature in the master signature database. After pruning the database of all duplicate signatures, there remained 31 unique signatures. Each signature was tagged with the corresponding driver('s) name and configuration(s). The entire master signature database is included as Appendix A.

5.2 Collecting Test Data

We used the unused 30 minute trace from each of the 57 raw signature traces collected during master signature generation as test set 1. This scenario verifies that our signature generation adequately captures the probing behavior of the driver and that signatures can identify their associated drivers with a limited amount of traffic. To demonstrate that our technique is repeatable and still accurate in conditions other than where the signature data was originally collected, we repeated the 57 half hour experiments in two different physical locations. Using multiple environments helps to validate the consistency and robustness of our technique and suggests that it works well outside of lab settings. The arrangement for test set 2, as shown in Figure 3(b), was as follows: we placed the fingerprinter's antenna 25 feet from the fingerprintees with one uninsulated drywall placed in between the machines. As in Figure 3(a), no 802.11 wireless traffic was detected besides that generated by the fingerprintees. For test set 3, depicted in Figure 3(c), the observer's antenna was placed ten feet from the fingerprintees with two desks and other miscellaneous objects physically located between the machines. At this location, four to twelve other wireless devices were communicating during our data collection. Test set 2 might represent a wireless network in a semi-isolated setting, such as a hotel room with wireless access. Test set 3, on the other hand, represents a more congested wireless network, such as a network located in a coffee shop or airport.

| Test Set | Successful | Total | Accuracy |
|----------|------------|-------|----------|
| 1        | 55         | 57    | 96%      |
| 2        | 48         | 57    | 84%      |
| 3        | 44         | 57    | 77%      |

Table 2: Accuracy of fingerprinting technique by scenario.

5.3 Fingerprinting Accuracy

The accuracy of our technique in correctly identifying the wireless driver operating a NIC for the three test scenarios is shown in Table 2. These results use the full half hour of data points. Later in this section, we will explore the effects of using fewer data points on the accuracy of our technique. The results also differed based on location. As expected, our technique is the most accurate for test set 1 (originally taken from the large signature traces) at 96%. The second most accurate test set was test set 2 (with only a single wall and no other 802.11 traffic) at 84%, and the last location had a 77% identification accuracy. These results indicate that different environments affect the accuracy of our technique. However, our technique remains reliable in all the environments in which we tested.

Figure 4: Number of individual drivers achieving an interval of accuracy over all test sets.

Figure 4 demonstrates that our technique is perfectly accurate at fingerprinting nine of the wireless drivers and over 60% successful at identifying the other eight drivers. The accuracy of our method at identifying a particular driver is largely dependent on how dissimilar the driver's signature(s) are from other signatures in the master signature database. If the correct signature is similar to another in the database, noise such as background traffic may lead to our technique incorrectly fingerprinting a wireless driver. These results show that the majority of wireless drivers do have a distinct signature. It is important to note that even with drivers that have less unique fingerprints, we still correctly identify the driver for a majority of the test cases.

It is also relevant to note that in cases where the technique cannot uniquely identify a driver, it was able to narrow the possibilities down to those drivers that have similar signatures. Though not supported in the current implementation of our technique, it is conceivable to list the signatures in the master signature database that are close to the unidentified observed signature.

5.4 Empirical Bin Width Tuning

The bin width for signatures was empirically optimized during our experimentation on test set 1 by varying the size in testing and selecting an optimal width based on fingerprinting accuracy. This optimization began by starting with a bin width of 0.1 seconds and incrementally increasing the bin width by 0.1 seconds up to a bin width of 5.0 seconds. Figure 5 reveals that a bin width of 0.8 seconds produced the highest accuracy (96%) in test set 1, and thus, was the bin width used for the rest of our experiments.

Figure 5: Empirical bin width tuning. Shows that 0.8 second wide bins generate the highest accuracy (96%) for test set 1.

5.5 Time Required to Fingerprint Driver

To address our technique's efficiency, we investigated the data and time thresholds required to accurately fingerprint a driver. Ideally, a fingerprinter would be able to identify a wireless driver in real time after only a small traffic trace. We measured the fingerprinting accuracy of our method in each test scenario with one minute of collected data and increased the amount of data in one minute increments until the full thirty minute trace from each setting was used. Figure 6 illustrates the accuracy of our technique in each of the three test cases corresponding to the amount of trace data used for fingerprinting.

Figure 6: Effects of trace duration on fingerprinting accuracy.

Since the rate of probe request frames is different for most wireless drivers, it is difficult to estimate how many probe request frames will be recorded during one minute of observation, though for statistical interest, the average number of probes detected during one minute of observation was 10.79 across all of our testing scenarios. The accuracy of our technique is at least 60% in each of the three test cases after only one minute of traffic. These results show that our method successfully converges relatively fast on the correct wireless driver and needs only a small amount of communication traffic to do so.

6 Limitations

In the course of our evaluation, we discovered a few limitations of our fingerprinting technique. We discuss these in detail below.

6.1 Driver Versions

One of the original questions we posed concerned the resolution of our technique. We have shown that our technique is capable of distinguishing between different drivers the vast majority of the time. We are also interested in whether our method can distinguish between two different versions of the same wireless driver. A number of wireless card manufacturers have released new versions of their wireless drivers to support new features. We tested our fingerprinting technique on six wireless drivers with multiple driver versions available, to determine if it was possible to distinguish between different versions of the same wireless driver. Our technique was unsuccessful in distinguishing between different versions of the same driver. This is a limitation of our fingerprinting technique since a new version of a driver might patch previous security vulnerabilities in the driver. However, even without the ability to distinguish between versions, our fingerprints greatly reduce the number of potential wireless drivers that a target system is running.

6.2 Hardware Abstraction Layer

Another unexpected limitation was found when testing the MadWifi driver for Linux. This driver works with most wireless cards containing the Atheros chipset because of the inclusion of a Hardware Abstraction Layer (HAL). This creates a more homogeneous driver environment since a majority of wireless cards currently available use the Atheros chipset. The side effect is that the lack of driver diversity reduces the appeal of fingerprinting wireless drivers. However, one drawback of a single (or relatively small number of) hardware abstraction layer(s) is that it magnifies any security vulnerability identified.

7 Preventing Fingerprinting

Several methods can be used to prevent our technique from successfully fingerprinting drivers. These methods include configurable probing, standardization, automatic generation of noise, driver code modification, MAC address masquerading, and driver vulnerability patching.

7.1 Configurable Probing

One solution to prevent our fingerprinting technique is for device drivers to provide the option to explicitly disable or enable probe request frames. It makes sense for this to be a configurable option not only to prevent fingerprinting but also to conserve power and bandwidth. Probe request frames are used to find networks matching the available data rates on the client device [7]. The SSID of the desired network can be specified or can be set to the broadcast SSID when probing for any available networks. By default, access points transmit beacon frames, which announce the access point's presence and some configuration information (footnote 8). Thus, passively listening for beacons (i.e., turning off probe request frames) could be an effective method of discovering access points. Another solution would be to configure wireless device drivers, by default, to passively listen for beacons and only send probe requests for available networks when manually triggered by the user.

7.2 Standardization

An effective, but potentially difficult to implement, solution for preventing driver fingerprinting is to specify the rate at which probe request frames are transmitted in a future IEEE standard for the 802.11 MAC. Another step towards standardization could result if a corporate body or open source consortium was formed to develop a standard agreed upon by all driver manufacturers. If all driver manufacturers adhered to such a standard, the described fingerprinting method would be rendered useless. Unfortunately, there are many obstacles preventing such a standard, the major factor being that some device manufacturers will not want to design devices that expend the power or bandwidth necessary to transmit probe requests at a standard rate. For this reason alone, it is doubtful that there will be any standardization agreed upon and followed by every driver manufacturer concerning the rate of probe request frame transmission.

7.3 Automated Noise

Another strategy to prevent wireless driver fingerprinting is to generate noise in the form of cover probe request frames. Cover traffic disguises a driver by masking the driver's true rate of probe request transmission. Due to the fact that our technique uses statistical methods to filter out noise, the cover traffic would need to be sufficiently random and transmit enough cover to confuse our technique. A limitation of this approach is that the cover probe request frames waste bandwidth the device would otherwise use for wireless traffic, and for devices with limited power supplies, transmitting cover traffic would reduce battery life significantly. Also, given enough observation data, the fingerprinter might be able to filter away the noise and successfully fingerprint the driver. Generating noise is a difficult problem as many data mining algorithms have been shown to be effective in filtering out such noise and recovering the original data [12,13,14].
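
An added example (not code from the paper): a small Python experiment for judging how much cover traffic it takes to shift a driver's binned probe signature, using the 0.8 second bin width from Section 5.4 and the (bin value, percentage, bin mean) tuple layout of Appendix A. The burst-then-idle probing model, the nearest-multiple binning rule, and the L1 distance are assumptions made for this example; the L1 distance is not the paper's matching metric.

```python
import random
from collections import defaultdict

BIN_WIDTH = 0.8  # seconds, the width Section 5.4 selected empirically


def signature(timestamps, bin_width=BIN_WIDTH):
    """Bin probe-request inter-arrival times and return Appendix A style
    tuples: (bin value, fraction of deltas in the bin, mean delta in the bin)."""
    ts = sorted(timestamps)
    deltas = [b - a for a, b in zip(ts, ts[1:])]
    bins = defaultdict(list)
    for d in deltas:
        # Assumption: a delta belongs to the nearest multiple of bin_width.
        bins[round(d / bin_width)].append(d)
    return [(round(k * bin_width, 3), len(v) / len(deltas), sum(v) / len(v))
            for k, v in sorted(bins.items())]


def l1_distance(sig_a, sig_b):
    """Sum of absolute differences of per-bin fractions (0 = same, 2 = disjoint).
    Chosen for this example; it ignores the bin means."""
    pa = {b: p for b, p, _ in sig_a}
    pb = {b: p for b, p, _ in sig_b}
    return sum(abs(pa.get(b, 0.0) - pb.get(b, 0.0)) for b in pa.keys() | pb.keys())


def constructed_driver_trace(rng, duration=1800.0):
    """Constructed probing model (not a real driver): a burst of three probe
    requests about 50 ms apart, then roughly 60 s of silence."""
    t, out = 0.0, []
    while t < duration:
        for _ in range(3):
            out.append(t)
            t += 0.05 + rng.uniform(0.0, 0.01)
        t += 60.0 + rng.uniform(-0.2, 0.2)
    return out


def add_cover(trace, n_cover, rng, duration=1800.0):
    """Mix n_cover cover probes, sent at uniformly random times, into a trace."""
    return sorted(trace + [rng.uniform(0.0, duration) for _ in range(n_cover)])


def evaluate(seed=1):
    """Distance between a clean reference signature and a fresh 30 minute
    trace of the same constructed driver carrying 0, 6 or 900 cover probes."""
    rng = random.Random(seed)
    reference = signature(constructed_driver_trace(rng))
    fresh = constructed_driver_trace(rng)
    return {n: l1_distance(reference, signature(add_cover(fresh, n, rng)))
            for n in (0, 6, 900)}


if __name__ == "__main__":
    for n, d in evaluate().items():
        print(f"{n:4d} cover probes in 30 min -> L1 distance {d:.3f}")
```

A handful of cover probes moves the binned distribution only slightly, while one every two seconds on average removes the long idle bin entirely, which is the bandwidth and battery cost the paragraph above describes.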

7.4 Driver Code Modification

For open source drivers such as the Madwifi drivers, the driver code could be modified to change the transmission rate of probe request frames. This alteration would fool our fingerprinting technique. However, this is only possible for open source drivers and would require a skilled programmer to alter the driver code. This would not be possible for many Windows drivers, since most do not provide source code.

7.5 MAC Address Masquerading

Earlier, we made the assumption of a one-to-one mapping of MAC addresses to wireless devices. One method to prevent driver fingerprinting is to change the device's MAC address to match the MAC address of another device within transmission range. This would fool our fingerprinting technique into believing probe requests from two different wireless drivers are originating from the same wireless driver. There are a number of problems with this solution. First, the wireless device must make certain that the fingerprinter is within transmission range of both wireless devices. If the fingerprinter only observes probe request frames from one of the two devices, it will not be deceived. Also, since our method uses statistical methods to filter noise, the wireless device needs to make certain that the other device is transmitting enough probe request frames to mask its signature.

7.6 Driver Patching

While driver patching is not a full solution, we feel the creation of well thought out driver patching schemes would improve the overall security of device drivers as new driver exploits are found. Current research is being conducted to improve the process of patching security vulnerabilities [15,16]. The device driver community should leverage this research to create more robust patching methods, and improve the overall level of driver security.

8 Related Work

Various techniques for system and device level fingerprinting have been used for both legitimate uses, such as forensics and intrusion detection, as well as malicious uses, such as attack reconnaissance and user profiling. The most common techniques take advantage of explicit content differences between system and application responses. Nmap [17], p0f [18], and Xprobe [19] are all open source, widely distributed tools that can remotely fingerprint an operating system by identifying unique responses from the TCP/IP networking stack. As the TCP/IP stack is tightly coupled to the operating system kernel, these tools match the content of machine responses to a database of OS specific response signatures. Nmap and Xprobe actively query the target system to invoke these potentially identifying responses. In addition to this active probing, p0f can passively fingerprint an operating system by monitoring network traffic from a target machine to some third party and matching characteristics of that traffic to a signature database. Data link layer content matching can also be used to identify wireless LAN discovery applications [20], which can be useful for wireless intrusion detection.

While datagram content identification methods are arguably the most simple, they are also limited to situations where datagram characteristics are uniquely identifiable across systems, as well as accessible to an outside party. Except for a few unique instances, 802.11 MAC-layer frame formatting and content is generally indistinguishable across wireless devices; because of this, more sophisticated methods are often required. In [21], the authors present a technique to identify network devices based on their unique analog signal characteristics. This fingerprinting technique is based on the premise that subtle differences in manufacturing and hardware components create unique signaling characteristics in digital devices. While the results of analog signal fingerprinting are significant, this method requires expensive hardware such as an analog to digital converter, IEEE 488 interface card, and digital sampling oscilloscope. Also, it is not clear from their analysis of wired Ethernet devices whether this method would be feasible in a typical wireless network setting where noise from both the environment and other devices is a more pressing consideration.

A device's clock skew is also a target for fingerprinting. A technique presented in [22] uses slight drifts in a device's TCP option clock to identify a network device over the Internet via its unique clock skew. Whereas our technique fingerprints which driver a wireless device is running, time skew fingerprinting is used to identify distinct devices on the Internet. Concerning security, unique device fingerprinting is often not as useful as driver and other types of software fingerprinting. As opposed to content based fingerprinting, both analog signal and time skew fingerprinting exploit characteristics of the underlying system hardware, making these techniques much more difficult to spoof.

Identification via statistical timing analysis in the context of communication patterns and data content has been especially studied in the area of privacy enhancing technologies. While network security mechanisms such as encryption are often utilized to protect user privacy, traffic analysis of encrypted traffic has proven successful in linking communication initiators and recipients participating in anonymous networking systems [23,24]. Traffic analysis has also been applied to Web page fingerprinting. In [25], the authors demonstrate a technique that characterizes the inter-arrival time and datagram sizes of web requests for certain popular web sites. Using these web page characterizations, one can identify which sites users on wireless LANs are visiting despite these users browsing the Internet via encrypted HTTP traffic streams.

The techniques described above serve as only a survey of existing fingerprinting techniques for systems, devices, and even static content. The approaches vary from exploiting content anomalies in the TCP/IP stack to characterizing time-based system behavior at both the physical and software layers of a system. While the approaches vary, these contributions bring to light the true feasibility of fingerprinting via avenues otherwise assumed to be uniformly implemented across systems.

9 Conclusion

We designed, implemented, and evaluated a technique for passive wireless device driver fingerprinting that exploits the fact that most IEEE 802.11a/b/g wireless drivers have implemented different active scanning algorithms. We evaluated our technique and demonstrated that it is capable of accurately identifying the wireless driver used by 802.11 wireless devices without specialized equipment and in realistic network conditions.

Through an extensive evaluation including 17 wireless drivers, we demonstrated that our method is effective in fingerprinting a wide variety of wireless drivers currently on the market. Finally, we discussed ways to prevent fingerprinting that we hope will aid in improving the security of wireless communication for devices that employ 802.11 networking.

10 Acknowledgments

Some of this work was performed while the authors were at Sandia National Laboratories - California. Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company, for the United States Department of Energy's National Nuclear Security Administration under Contract DE-AC04-94AL85000. The authors greatly appreciate the staff of Sandia National Laboratories for their assistance. The authors would like to thank John Bethencourt, Nikita Borisov, Frank Hemingway, Adam Lee, Kristen Pelon, Amanda Stephano, and the anonymous reviewers for their useful suggestions. This work was partially supported by NSF Grant ITR-0428887 (Spectrum Management Toward Spectrum Plenty) and the University of Colorado. Jason Franklin performed this research while on appointment as a U.S. Department of Homeland Security (DHS) Fellow. The views expressed in this paper do not necessarily reflect the policies and views of DHS, DOE, or affiliated organizations.

References

[1] Ken Ashcraft and Dawson R. Engler. Using Programmer-Written Compiler Extensions to Catch Security Holes. In Proceedings of IEEE Symposium on Security and Privacy, May 2002.
[2] Andy Chou, Junfeng Yang, Benjamin Chelf, Seth Hallem, and Dawson R. Engler. An Empirical Study of Operating System Errors. In Proceedings of Symposium on Operating Systems Principles (SOSP 2001), October 2001.
[3] Tal Garfinkel, Ben Pfaff, Jim Chow, Mendel Rosenblum, and Dan Boneh. Terra: A Virtual Machine-Based Platform for Trusted Computing. In Proceedings of Symposium on Operating Systems Principles (SOSP 2003), October 2003.
[4] IEEE-SA Standards Board. IEEE Std IEEE 802.11-1999 Information Technology - Wireless LAN Medium Access Control (MAC) And Physical Layer (PHY) Specifications. IEEE Computer Society, 1999.
[5] IEEE-SA Standards Board. Amendment 6: Medium Access Control (MAC) Security Enhancements. IEEE Computer Society, April 2004.
[6] Ethereal: A network protocol analyzer. Web site, 2006. https://www.ethereal.com.
[7] Matthew S. Gast. 802.11 Wireless Networks: The Definitive Guide. O'Reilly & Associates, Inc., Sebastopol, CA, USA, 2nd edition, 2005.
[8] Nir Friedman, Dan Geiger, and Moises Goldszmidt. Bayesian Network Classifiers. Machine Learning, 29(2-3):131-163, 1997.
[9] T. Hastie, R. Tibshirani, and J. H. Friedman. The Elements of Statistical Learning. Springer, 2001.
[10] Snort Intrusion Detection and Prevention system. Web site, 2006. https://www.snort.org/.
[11] Madwifi: Atheros chip set drivers. Web site, 2006. https://sourceforge.net/projects/madwifi/.
[12] D. Agrawal and C. C. Aggarwal. On the Design and Quantification of Privacy Preserving Data Mining Algorithms. In Proceedings of Symposium on Principles of Database Systems, 2001.
[13] R. Agrawal and R. Srikant. Privacy-preserving data mining. In Proceedings of ACM SIGMOD, May 2000.
[14] B. Hoh and M. Gruteser. Location Privacy Through Path Confusion. In Proceedings of IEEE/CreateNet International Conference on Security and Privacy for Emerging Areas in Communication Networks (SecureComm 2005), 2005.
[15] Gautam Altekar, Ilya Bagrak, Paul Burstein, and Andrew Schultz. OPUS: Online Patches and Updates for Security. In Proceedings of 14th USENIX Security Symposium, Aug 2005.
[16] John Dunagan, Roussi Roussev, Brad Daniels, Aaron Johnson, Chad Verbowski, and Yi-Min Wang. Towards a Self-Managing Software Patching Process Using Black-Box Persistent-State Manifests. In First International Conference on Autonomic Computing (ICAC'04), 2004.
[17] Nmap: a free network mapping and security scanning tool. Web site, 2006. https://www.insecure.org/nmap/.
[18] Project details for p0f. Web site, 2004. https://freshmeat.net/projects/p0f/.
[19] Arkin and Yarochkin. Xprobe project page. Web site, August 2002. https://sourceforge.net/projects/xprobe.
[20] Joshua Wright. Layer 2 Analysis of WLAN Discovery Applications for Intrusion Detection. Web site, 2002. https://www.polarcove.com/whitepapers/layer2.pdf.
[21] Ryan Gerdes, Thomas Daniels, Mani Mina, and Steve Russell. Device Identification via Analog Signal Fingerprinting: A Matched Filter Approach. In Proceedings of the Network and Distributed System Security Symposium Conference (NDSS 2006), 2006.
[22] Tadayoshi Kohno, Andre Broido, and K. C. Claffy. Remote Physical Device Fingerprinting. In Proceedings of the 2005 IEEE Symposium on Security and Privacy (SP 2005), Washington, DC, USA, 2005.
[23] Jean-François Raymond. Traffic Analysis: Protocols, Attacks, Design Issues, and Open Problems. In Proceedings of Privacy Enhancing Technologies Workshop (PET 2000), May 2000.
[24] Mathewson and Dingledine. Practical Traffic Analysis: Extending and Resisting Statistical Disclosure. In Proceedings of Privacy Enhancing Technologies Workshop (PET 2004), May 2004.
[25] George Dean Bissias, Marc Liberatore, and Brian Neil Levine. Privacy Vulnerabilities in Encrypted HTTP Streams. In Proceedings of Privacy Enhancing Technologies Workshop (PET 2005), May 2005.
[26] Mike Kershaw. Kismet. Web site, 2006. https://www.kismetwireless.net/

Appendix A

This appendix includes the entire master signature database from our evaluation section. It is organized with the name of the wireless driver, if the driver was associated (assoc) or unassociated (unassoc), and if Windows (win) was configuring the wireless device, or a standalone program (native). The values after the driver name and configuration are a set of tuples ordered as follows: (Bin Value, Percentage, Bin Mean Value).
cisco-abg-assoc-native
(0.8,0.101,0.677)(1.6,0.108,1.450)(2.4,0.168,2.377)(3.2,0.021,2.928)(4,0.024,3.798)(4.8,0.028,4.691)(5.6,0.048,5.536)(6.4,0.034,6.303)(7.2,0.080,7.132)(8,0.032,7.830)(8.8,0.017,8.473)(9.6,0.044,9.607)(53.6,0.288,53.399)
cisco-abg-unassoc-native
(0,0.514,0.048)(0.8,0.285,0.749)(1.6,0.037,1.656)(2.4,0.028,2.373)(3.2,0.067,3.264)(4.8,0.041,4.981)(5.6,0.025,5.521)
cisco-abg-unassoc-win
(0,0.466,0.072)(0.8,0.126,0.720)(1.6,0.115,1.479)(2.4,0.056,2.345)(3.2,0.040,3.089)(4,0.025,3.843)(4.8,0.020,4.592)(5.6,0.019,5.415)(6.4,0.012,6.129)(8.8,0.013,8.554)(49.6,0.063,49.639)(50.4,0.026,50.146)
dwl-ag530-assoc-native
(0,0.420,0.032)(0.8,0.108,0.590)(1.6,0.043,1.358)(2.4,0.011,2.067)(4.8,0.113,4.470)(5.6,0.060,5.477)(6.4,0.039,6.192)(7.2,0.030,7.206)(8,0.011,7.630)(12,0.010,11.829)(51.2,0.144,50.995)
dwl-ag530-unassoc-native
(0,0.544,0.034)(0.8,0.052,0.597)(1.6,0.198,1.670)(6.4,0.053,6.659)(7.2,0.129,7.248)(8,0.012,7.806)
dwl-ag650-assoc-win
(0,0.392,0.008)(0.8,0.231,0.549)(1.6,0.049,1.481)(2.4,0.030,2.416)(3.2,0.045,3.250)(4,0.067,4.092)(4.8,0.021,4.687)(58.4,0.164,58.198)
dwl-ag650-unassoc-win
(0,0.606,0.084)(0.8,0.233,0.621)(1.6,0.090,1.689)(2.4,0.068,2.322)
dwl-g520-unassoc-native
(0,0.533,0.054)(0.8,0.246,0.674)(1.6,0.072,1.541)(2.4,0.035,2.539)(3.2,0.079,2.989)(4,0.026,3.706)
dwl-g520-unassoc-win
(0,0.527,0.055)(0.8,0.236,0.666)(1.6,0.134,1.523)(2.4,0.039,2.401)(3.2,0.044,3.109)(4,0.015,3.791)
engenuis-unassoc-win
(0,0.193,0.059)(0.8,0.104,1.188)(1.6,0.609,1.271)(2.4,0.082,2.529)(4,0.011,3.814)
intel2100-assoc-win
(0,0.766,0.019)(63.2,0.234,62.949)
intel2100-unassoc-win
(0,0.927,0.055)(30.4,0.073,30.132)
intel-2200-assoc-native
(0,0.591,0.107)(0.8,0.071,0.955)(1.6,0.079,1.495)(2.4,0.107,2.182)(120,0.050,120.254)(120.8,0.091,120.698)
intel-2200-unassoc-native
(0,0.659,0.078)(0.8,0.015,0.882)(32.8,0.031,33.063)(34.4,0.139,34.765)(35.2,0.142,34.853)
intel-2915-assoc-native
(0,0.659,0.080)(0.8,0.032,0.938)(1.6,0.037,1.426)(118.4,0.171,118.155)(119.2,0.076,119.193)
intel-2915-unassoc-native
(0,0.668,0.083)(32.8,0.331,32.868)
linksys-pci-unassoc-win
(0,0.348,0.165)(0.8,0.273,0.923)(1.6,0.032,1.262)(61.6,0.262,61.787)(62.4,0.027,62.270)(63.2,0.054,62.953)
madwifi-unassoc
(72.8,0.881,72.988)(133.6,0.119,133.978)
netgear-assoc-win
(0,0.423,0.001)(0.8,0.203,0.611)(1.6,0.038,1.552)(2.4,0.058,2.240)(3.2,0.037,3.206)(4,0.016,4.006)(4.8,0.060,4.731)(5.6,0.010,5.505)(57.6,0.149,57.498)
netgear-unassoc-win
(0,0.560,0.061)(0.8,0.135,0.652)(1.6,0.077,1.532)(2.4,0.018,2.340)(3.2,0.023,3.125)(4,0.106,4.035)(4.8,0.071,4.566)
osx-airportb-unassoc
(0,0.639,0.022)(10.4,0.361,10.295)
proxim-assoc-native
(0,0.035,0.396)(0.8,0.377,0.585)(1.6,0.133,1.376)(2.4,0.016,2.078)(4.8,0.168,4.523)(5.6,0.035,5.535)(55.2,0.087,55.400)(56,0.024,56.017)(56.8,0.084,56.836)(57.6,0.022,57.435)
proxim-assoc-win
(0,0.039,0.385)(0.8,0.329,0.585)(1.6,0.118,1.385)(2.4,0.020,2.055)(4.8,0.089,4.681)(5.6,0.089,5.500)(6.4,0.032,6.242)(7.2,0.013,7.167)(55.2,0.122,55.402)(56,0.036,56.037)(56.8,0.068,56.773)(57.6,0.012,57.466)
proxim-unassoc-win
(0,0.540,0.052)(0.8,0.229,0.660)(1.6,0.090,1.555)(2.4,0.012,2.328)(4.8,0.055,5.011)(6.4,0.040,6.479)
smc-2532w-assoc-native
(0,0.619,0.140)(0.8,0.028,0.477)(1.6,0.013,1.812)(60.8,0.013,60.907)(62.4,0.183,62.595)(63.2,0.118,62.899)
smc-2532w-unassoc-win
(0,0.065,0.140)(0.8,0.047,0.727)(1.6,0.880,1.681)
smc-2632w-unassoc-native
(0,0.511,0.083)(10.4,0.470,10.555)
smc-wpci-assoc-native
(0,0.461,0.001)(0.8,0.117,0.588)(1.6,0.139,1.678)(2.4,0.020,2.185)(4,0.021,3.915)(4.8,0.093,5.028)(56,0.127,55.708)
smc-wpci-unassoc-native
(0,0.563,0.038)(0.8,0.144,0.689)(1.6,0.014,1.790)(4,0.093,3.857)(4.8,0.079,4.952)(5.6,0.057,5.935)(6.4,0.026,6.178)
wpc54g-assoc-win
(0,0.633,0.038)(0.8,0.114,0.437)(62.4,0.148,62.550)(63.2,0.105,62.981)
wpc54g-unassoc-native
(0,0.623,0.054)(0.8,0.151,0.633)(62.4,0.172,62.299)(63.2,0.055,62.960)

Footnotes:

1 Carnegie Mellon University, jfrankli@cs.cmu.edu
2 University of Colorado, Boulder, damon.mccoy@colorado.edu
3 University of Illinois, Urbana-Champaign, tabriz@uiuc.edu
4 University of California, Davis, vneagoe@ucdavis.edu
5 Sandia National Laboratories, jvanran@sandia.gov
6 University of Colorado, Boulder, douglas.sicker@colorado.edu
7 It is important to note that some attackers will sniff the MAC addresses of other users on a wireless network to use as their own, giving them the ability to steal a connection or hide their malicious actions. Although we acknowledge that this scenario would bring about duplicate MAC addresses on a network, we believe it is far from the common case in most network settings.
8 This is in contrast to disabling the SSID broadcast function. Disabling SSID broadcast simply forces an AP to send a string of spaces or a null string in the SSID field of the beacon frame. Kismet [26] reports this SSID as <no ssid>.
