Detection of rogue access points using clock skews: does it really work?

<p>In 2005 Kohno, Broido and claffy noticed that physical devices could be fingerprinted remotely by repeatedly quizzing them about their hardware clock time and calculating that clock's unique skew. They used ICMP timestamp requests, and showed that network latency interference could be overcome. However, this method requires Layer 3 connectivity, and isn't so useful with Wi-Fi: by the time a station associates with an "evil twin" AP and gets an IP address, it can already be owned in several interesting ways.</p>
<p>APs' radio interfaces in master mode use their own microsecond-grained clocks, which put their timestamps in every beacon frame. Moreover, similar AP models appear to have similar clock skews, as we pointed out in our BlackHat '08 talk.</p>
<p>At about the same time, at MobiCom '08, a group of researchers claimed a method for detecting rogue APs by observing the clock skew of their beacon timestamps.</p>
<p>We will show how a rogue laptop-acting-as-AP can synchronize its beacons with a legitimate access point's TSF timer and pass the clock skew test within its normal sensitivity, defeating the clock skew detection method. We will also show how to detect this behavior.</p>
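As an added illustration (not code from the talk or from the MobiCom paper), the Python below estimates a beacon source's clock skew from (monitor receive time, beacon TSF) pairs by least squares and applies the kind of tolerance check a skew-based fingerprint relies on; the beacon streams, skew values and tolerance are constructed, not captured. A source whose TSF is kept in step with the legitimate AP's yields the same estimate, which is the limitation the abstract describes.

```python
import random
from typing import List, Tuple

# (local receive time in seconds, beacon TSF timestamp in microseconds)
Sample = Tuple[float, int]


def estimate_skew_ppm(samples: List[Sample]) -> float:
    """Clock skew of the beacon source relative to the monitor, in ppm.

    For each beacon, the offset is how far the TSF has drifted from the
    monitor's clock since the first beacon. The least-squares slope of
    offset over elapsed local time is the skew (1 us/s == 1 ppm), and the
    regression averages out per-frame receive jitter.
    """
    t0, tsf0 = samples[0]
    xs = [t - t0 for t, _ in samples]                       # elapsed local time, s
    ys = [(tsf - tsf0) - x * 1e6 for (_, tsf), x in zip(samples, xs)]  # drift, us
    xm, ym = sum(xs) / len(xs), sum(ys) / len(ys)
    sxx = sum((x - xm) ** 2 for x in xs)
    sxy = sum((x - xm) * (y - ym) for x, y in zip(xs, ys))
    return sxy / sxx


def passes_skew_check(observed_ppm: float, expected_ppm: float, tolerance_ppm: float) -> bool:
    """Fingerprint test: observed skew must lie within tolerance of the enrolled value."""
    return abs(observed_ppm - expected_ppm) <= tolerance_ppm


def synthetic_beacons(skew_ppm: float, n: int, jitter_us: float, seed: int,
                      interval_s: float = 0.1024) -> List[Sample]:
    """Constructed beacon stream (not a capture): the TSF runs at (1 + skew) times
    the monitor's rate, and each frame arrives with uniform receive delay."""
    rng = random.Random(seed)
    out: List[Sample] = []
    for i in range(n):
        sent = i * interval_s                                   # true time of transmission
        tsf = int(round(sent * 1e6 * (1 + skew_ppm / 1e6)))    # AP's own clock at transmission
        received = sent + rng.uniform(0.0, jitter_us) / 1e6    # radio/driver path delay
        out.append((received, tsf))
    return out


if __name__ == "__main__":
    enrolled = estimate_skew_ppm(synthetic_beacons(12.5, 600, 50.0, seed=1))
    for label, skew in (("same hardware", 12.5), ("different hardware", -30.0)):
        observed = estimate_skew_ppm(synthetic_beacons(skew, 600, 50.0, seed=2))
        print(f"{label}: {observed:+.2f} ppm, passes={passes_skew_check(observed, enrolled, 2.0)}")
```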
