BIB-VERSION:: CS-TR-v2.0
ID:: ncstrl.dartmouthcs//TR2008-610
ENTRY:: May 28, 2008
ORGANIZATION:: Dartmouth College, Computer Science
TITLE:: Active Behavioral Fingerprinting of Wireless Devices
TYPE:: Technical Report (paper)
REVISION:: 1
AUTHOR:: Bratus, Sergey
AUTHOR:: Cornelius, Cory
AUTHOR:: Peebles, Daniel
AUTHOR:: Kotz, David
DATE:: March 2008
RETRIEVAL:: For a paper copy, email
RETRIEVAL:: For a paper copy, write to Technical Report Librarian, Department of Computer Science, Dartmouth College, 6211 Sudikoff Laboratory, Hanover, NH 03755-3510, USA
RETRIEVAL:: PDF at http://www.cs.dartmouth.edu/reports/TR2008-610.pdf
ABSTRACT:: We propose a simple active method for discovering facts about the chipset, the firmware or the driver of an 802.11 wireless device by observing its responses (or lack thereof) to a series of crafted non-standard or malformed 802.11 frames. We demonstrate that such responses can differ significantly enough to distinguish between a number of popular chipsets and drivers. We expect to significantly expand the number of recognized device types through community contributions of signature data for the proposed open fingerprinting framework. Our method complements known fingerprinting approaches, and can be used to interrogate and spot devices that may be spoofing their MAC addresses in order to conceal their true architecture from other stations, such as a fake AP seeking to engage clients in complex protocol frame exchange (e.g., in order to exploit a driver vulnerability). In particular, it can be used to distinguish rogue APs from legitimate APs before association.
NOTE:: Short version presented at WiSec 2008, Alexandria, VA
END:: ncstrl.dartmouthcs//TR2008-610