Active 802.11 Fingerprinting: Gibberish And “Secret Handshakes” To Know Your AP presented at ShmooCon 2008

by Sergey Bratus, Cory Cornelius, Daniel Peebles

Tags: Security

Summary: Wireless devices that speak 802.11b/g differ, among other things, in their responses to non-standard and malformed frames. We show that these differences can suffice to distinguish between APs and other devices from different vendors, and will demo a tool that fingerprints APs by their responses to such frames. Our method is active and therefore “noisy”, but it works without either establishing or observing established associations. Our tool can be used as a prelude to any other interaction with an AP when one wants to confirm that it is what it claims to be. It will be useful when one does not trust a suspicious AP (or one’s own driver/OS) enough even to engage in a cryptographic exchange to authenticate it.
Bio - Sergey Bratus:
Sergey Bratus is a post-doc research associate at the Institute for Security Technology Studies at Dartmouth College. His research is mostly related to the application of various mathematical techniques to log and traffic analysis, and to other security topics. Before that, he worked on systems and algorithms for extracting information from natural language at BBN Technologies.
Bio - Cory Cornelius:
Cory Cornelius is a recent graduate of Dartmouth College. Cory became interested in reverse engineering and security by way of emulating Blizzard’s He now works for ISTS on various projects related to security and privacy, and is planning to attend graduate school.
Bio - Daniel Peebles:
Daniel Peebles graduated from Dartmouth College in June 2007. He is an active member of the iPhone developer team and was a central contributor to the current jailbreak technique. He currently works for the Institute for Security Technology Studies at Dartmouth on various security projects.