<p>In 2005 Kohno, Broido and claffy noticed that physical devices could be fingerprinted remotely by repeatedly quizzing them about their hardware clock time and calculating that clock's unique skew. They used ICMP timestamp requests, and showed that network latency interference could be overcome. However, this method requires Layer 3 connectivity, and isn't so useful with Wi-Fi: by the time a station associates with an "evil twin" AP and gets an IP address, it can already be owned in several interesting ways.</p><p>APs' radio interfaces in master mode use their own microsecond-grained clocks and put the resulting timestamps in every beacon frame. Moreover, similar AP models appear to have similar clock skews, as we pointed out in our BlackHat '08 talk.</p><p>At about the same time at MobiCom '08, a group of researchers claimed a method for detecting rogue APs by observing the clock skew of their beacon timestamps.</p><p>We will show how a rogue laptop-acting-as-AP can synchronize its beacons with a legitimate access point's TSF timer and pass the clock skew test within its normal sensitivity, defeating the clock skew detection method. We will also show how to detect this behavior.</p>
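<p>The beacon clock-skew check described above can be sketched as follows. This is an added example, not code from the talk or from the MobiCom '08 paper: it assumes a least-squares fit of the beacon timestamp against the receiver's arrival time, and the function names, the baseline and tolerance values and the beacon data are all constructed for illustration.</p>

```python
"""Added example: estimate an AP's clock skew from its beacon timestamps."""
import random


def estimate_skew_ppm(observations):
    """observations: (rx_time_us, beacon_tsf_us) pairs, both in microseconds.
    Returns the AP clock's skew relative to the receiver clock, in ppm, as the
    least-squares slope of (TSF elapsed - receiver elapsed) over receiver elapsed."""
    if len(observations) < 2:
        raise ValueError("need at least two beacons")
    rx0, tsf0 = observations[0]
    xs = [rx - rx0 for rx, _ in observations]
    ys = [(tsf - tsf0) - (rx - rx0) for rx, tsf in observations]
    mean_x = sum(xs) / len(xs)
    mean_y = sum(ys) / len(ys)
    sxx = sum((x - mean_x) ** 2 for x in xs)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    return sxy / sxx * 1e6


def matches_baseline(observations, baseline_ppm, tolerance_ppm):
    """True if the measured skew is within tolerance of the recorded baseline.
    Both parameters are hypothetical values a monitor would have to calibrate."""
    return abs(estimate_skew_ppm(observations) - baseline_ppm) <= tolerance_ppm


def constructed_beacons(skew_ppm, count=600, interval_us=102_400,
                        jitter_us=30, seed=1):
    """Constructed sample data: beacons from a clock running skew_ppm fast,
    seen by a receiver that adds up to jitter_us of receive-path delay."""
    rng = random.Random(seed)
    beacons = []
    for i in range(count):
        rx_time = i * interval_us + rng.uniform(0, jitter_us)
        tsf = 5_000_000 + round(i * interval_us * (1 + skew_ppm * 1e-6))
        beacons.append((rx_time, tsf))
    return beacons


if __name__ == "__main__":
    known_ap = constructed_beacons(25.0)            # baseline recorded as 25 ppm
    other_ap = constructed_beacons(-12.0, seed=2)   # different hardware clock
    for name, obs in (("known", known_ap), ("other", other_ap)):
        print(name, round(estimate_skew_ppm(obs), 2),
              matches_baseline(obs, baseline_ppm=25.0, tolerance_ppm=2.0))
```

<p>A transmitter whose beacon timestamps track the legitimate AP's TSF timer falls inside the tolerance by construction, which is why the abstract treats this check as insufficient on its own.</p>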
<p>Sergey Bratus is a Research Assistant Professor of Computer Science at Dartmouth College. He enjoys wireless and wired network hacking and tries to help fellow academics to understand its value and relevance.</p>
<p>Chrisil Arackaparambil is a graduate student at Dartmouth. After years of proving theorems about algorithms, he discovered the joy of Defcon talks and patching device drivers.</p>
<p>Anna Shubina chose "Privacy" as the topic of her doctoral thesis and was the operator of Dartmouth's Tor exit node when the Tor network had about 30 nodes total.</p>