

Device Fingerprinting for Authentication

Zulfidin Khodzhaev
Istanbul Technical University
Istanbul, Turkey
[email protected]

Cem Ayyildiz
GOHM North Campus Technopark
Bogazici University
[email protected]

Gunes Karabulut Kurt
Istanbul Technical University
Istanbul, Turkey
[email protected]

Abstract—Device fingerprinting is a technique that is used to identify and authenticate a device. Different methods are used for this purpose; imperfections of built-in components of the device and radio frequency (RF) emissions of the device can be used for authentication. The device can be tested internally or externally; external testing is more reliable. Transmission Control Protocol is a preferred method of authentication due to its reliability in precision, which is intrinsic to device functionality and has unique characteristics for every device. In this paper, different techniques for device fingerprinting were analyzed, the technique based on Transmission Control Protocol with data transfer rates was tested, and the comparison between different mobile devices was visualized.

Keywords—Fingerprint, MAC, timestamps, TCP.

I. INTRODUCTION

Device fingerprinting is a technique used to identify and distinguish one brand or model of device from another brand or model by means of the device's hardware and software configuration [1]. Usually, tiny differences in the electronic parts of a device are called fingerprints, and those components can be used for the identification of a mobile phone. It is possible to analyze those parts if they generate observable characteristics that can be collected and analyzed with a reasonable level of precision. Analyzing the digital outputs of these differences in devices such as a mobile phone gives a way to authenticate the device; it can also be used to track the device and its user, which is a privacy risk for an individual using that device [2].

Authentication is the process of verifying the identity of a device, and a built-in accelerometer or RF emission can be used for this purpose. The most secure method of authentication is investigating fingerprints of the device's components, which are hard to clone. Device authentication is needed to protect against counterfeiting and intellectual property rights violations of electronic devices [3]. Fingerprints produced by the components of the device can be obtained internally or externally. In the former case, the counterfeited device can create fabricated fingerprints; the latter case is more effective when analyzing a compromised device.

Components that can be used to identify and analyze a device fingerprint are: RF components for sending and receiving different cellular communication standards and short-range communication such as GSM, UMTS, LTE, Bluetooth and Wi-Fi; digital cameras, which exist in every modern cellular phone; the Global Navigation Satellite Systems (GNSS) receiver, which is used to process signals from GPS, GLONASS, Galileo and others; accelerometers, gyroscopes and magnetometers, which are called MEMS components; LCD screen, microphone and loudspeaker [2].

There are privacy risks based on these techniques, and they will be discussed in the next section. Techniques that are used in device fingerprinting by analyzing these components are also discussed in the next section. Mobile phones and other devices can be investigated and authenticated using different techniques based on extraction and analysis of the signal obtained from a device either externally or internally.

One of the ways of analyzing a signal obtained from a device is using the display of the device; for this purpose, the capacitive touchscreen can be used with 99.5 % precision in identification [4]; radio frequency emission of the screen can be used, with the best performance shown by Support Vector Machine (SVM) with 98.9 % accuracy on classification of devices [5]. Another way of device fingerprinting is using emissions generated by the components of the device: unauthorized devices that try to connect to a network can be identified by Radio Frequency-Distinct Native Attribute (RF-DNA) information of the malicious device; the signal can be classified using Fisher based Multiple Discriminant Analysis and Maximum Likelihood with 85 % success rate [6], and spoofing attacks can be prevented by using the Generalized Relevance Learning Vector Quantization-Improved (GRLVQI) classifier with 100 % accuracy [6].

There is also another approach to device fingerprinting using an external system: medium access control and TCP layer testing. For the former case, a difference in timing such as clock skew over Wireless Local Area Network (WLAN) is used to identify and validate a device, which can pose a threat to the user since it doesn't require any permission. For the latter case, timestamps of Transport Communication Protocol from RFC 1323 are analyzed for fingerprinting, and this also creates privacy risks since there is no cooperation with the device or any permission from the device.

Another approach to device fingerprinting targets measuring the clock drift of a device compared to GNSS. One way is to use the Georgia Tech ID (GTID) method, which processes the signal coming from a device using statistical techniques by analyzing the network in time; another way is by using the radio frequency (RF) oscillator of a device: variations in the phase-locked loops' phase noise are used to extract the device fingerprint, and this is a reliable method since the user cannot modify it.

The proposed approach is based on the performance of the TCP layer of mobile phones against the data transfer. The performance of each device will be uniquely characteristic and the difference will be graphed for visual representation. In our method, the Transmission Control Protocol (TCP) with data transfer rates was tested and the obtained data was fed into a k-nearest neighbors algorithm. The difference between different devices was visualized.

ELECO 2018, Elektrik-Elektronik ve Biyomedikal Mühendisliği Konferansı (Electrical-Electronics and Biomedical Engineering Conference), 30 November-1 December 2018

978-605-01-1240-5/sk 2018 722

II. DEVICE FINGERPRINTING TECHNIQUES

A device can be analyzed by using the digital output of its components. The signal obtained from an analysis of device components can be processed by an external or an internal system. An external system uses RF emissions that come from the components of a device to analyze and process the signal. On the other hand, an internal system is connected to the device, and data is extracted from the device and then processed. Privacy risks that arise from outside analysis of a device are mainly based on RF emissions; other components of the device, i.e. screen, loudspeaker, are difficult to track.

A. Device fingerprinting by using an external system

One of the techniques used in device fingerprinting is executed by an external system using the display of the device. The display of a device can be used to authenticate the device by measuring the amount of pressure that a person delivers to the capacitive touchscreen panel; thus identification based on features of the body is achieved. The device fingerprinting technique based on the capacitive touchscreen panel, using an external system in the display of the device, is a method that identifies users with 99.5 % precision [4].

The fingerprinting technique using the display of the device also makes it possible for devices to be identified by their screens' radio frequency emissions; Artificial Neural Networks and SVM can be used to identify the radio frequency emission of the devices' screens, since electrical devices radiate emissions and it is possible to measure them. Liquid-crystal display characteristics differ between mobile phone models, and the liquid-crystal displays of laptops are different too. The difference in characteristics between liquid-crystal displays can be used to identify a device. In one study, the output signal of the printed circuit board was acquired using an antenna and used as an input for SVM and an Artificial Neural Network in order to identify liquid-crystal displays. Radiation emitted from the displays of one Samsung SyncMaster E1920, two LG L1753s and one laptop ACER Aspire 5542 was used to train machine learning models to classify the devices. The signals were captured from running monitors, and the performance of SVM was better. Based on the classification of the devices, SVM classified devices with 98.9 % accuracy [5].

Another technique that is used for device fingerprinting is using the emissions of components of the device. For this purpose, the radio frequency of components of the device can be used to identify and validate a machine. To authenticate a device using this technique, the communication components of the device can be exploited. Devices use these wireless technologies to communicate with other devices, i.e. send or receive a message, send or receive a voice message, send or receive a video, or send or receive data to enter the world wide web. Communication components placed inside a machine use different communication standards including Bluetooth, ZigBee, Wireless Local Area Network standards, Global System for Mobile Communication and Universal Mobile Telecommunication System. Each component or communication standard has its own imperfections and tiny differences, which can be intrinsic or can be observed while performing any task; these small variations present a distinction between components or communication standards available in a device. Component imperfections can be used to classify or distinguish between devices. Gaussian Minimum Shift Keying is used in Global System for Mobile Communication networks, and signals coming from Gaussian Minimum Shift Keying can be used as a radio frequency fingerprint of a device; these emitted signals can be classified to identify a device, which in turn can provide physical layer security [7].

Also, there is a security concern regarding wireless application protocol access points; unauthorized devices can try to connect to the network, or a device can try to masquerade as another device by falsifying data. Devices that try to connect to a network without authorization can be identified by Radio Frequency-Distinct Native Attribute (RF-DNA) information coming from the unauthorized machine. A Radio Frequency-Distinct Native Attribute fingerprint is specific to a device due to the implementation of the hardware or component type; these fingerprints can be classified using Fisher based Multiple Discriminant Analysis and Maximum Likelihood. Classification of the fingerprint of a device gives an approach to compare the received Radio Frequency-Distinct Native Attribute with the stored reference information; this comparison gives out the device that is included in the dataset, which in turn provides authentication of a device. By using the Generalized Relevance Learning Vector Quantization-Improved (GRLVQI) classifier, spoofing attacks were detected with 100 % success rate, and when Fisher based Multiple Discriminant Analysis and Maximum Likelihood were used to detect unauthorized devices, the success rate of detection was 85 % [6].

There is also another approach to device fingerprinting using an external system, and it is Medium Access Control. The Medium Access Control layer is one of two sublayers that make up the Data Link Layer of the Open Systems Interconnection (OSI) model. It plays the role of moving data packets from one Network Interface Card to another across a common channel.

One way is to use differences in timing, such as clock skew over WLAN, to identify and validate a device; distinction of a clock with one part-per-million with Internet Control Message Protocol timestamps gives information about a device, which in turn can be used to distinguish between devices. This physical characteristic is unique for each device and it provides a secure identification which cannot be physically copied. Using Internet Control Message Protocol timestamps can pose a threat for users since the permission of the device is not requested while analyzing the device and it is not possible to block Internet Control Message Protocol by default. These timestamps can be used to locate a user in any hotspot or to identify data that was downloaded to a device [8].

Another way of device fingerprinting using an external system is Transport Communication Protocol layer testing; timestamps of Transport Communication Protocol from RFC 1323, or from chips of computers which are very small, can be analyzed to determine the clock skew of a device and, consequently, fingerprint a machine. To estimate the clock skew of a device, a linear programming based algorithm is used; the algorithm used for device fingerprinting from Transport Communication Protocol gives fast and robust performance in addition to being simple to use [9]. Device fingerprinting using timestamps of Transport Communication Protocol can be a privacy risk for the user of a device since this method doesn't require any permission from a device, nor does it cooperate with a device [10].
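An added example, not taken from the paper or from [9]: estimating a device's clock skew from TCP timestamp values so that it can be compared against an enrolled value. It assumes the usual formulation of the linear program (the line that stays above all offset points with minimal total distance), solved here through the upper convex hull; the trace, the 1000 Hz tick rate and all function names are constructed for illustration.

```python
TS_HZ = 1000           # assumed TSval tick rate of the observed device (1 tick = 1 ms)
TRUE_SKEW_PPM = 50     # skew built into the constructed trace below


def constructed_trace(packets=361, interval_ms=10_000):
    """Build (receive_time_s, tsval) pairs for a device whose clock runs 50 ppm fast.

    Queuing delay follows a fixed pattern that grows over the hour; every 6th
    packet arrives undelayed. All values are constructed, not captured traffic.
    """
    pattern_ms = (0, 4, 11, 2, 30, 7)
    trace = []
    for i in range(packets):
        send_ms = i * interval_ms
        delay_ms = pattern_ms[i % 6] * (1 + i / 60)   # congestion builds up
        # Device clock in whole 1 ms ticks (integer maths, no float drift).
        ticks = send_ms * (1_000_000 + TRUE_SKEW_PPM) // 1_000_000
        trace.append(((send_ms + delay_ms) / 1000.0, 123_456_789 + ticks))
    return trace


def offsets(trace, hz=TS_HZ):
    """Return (x, y): x = observer time since first packet, y = device time - x.

    TSval wrap-around is ignored here (assumption: trace shorter than one wrap).
    """
    t0, ts0 = trace[0]
    return [(t - t0, (ts - ts0) / hz - (t - t0)) for t, ts in trace]


def _cross(o, a, b):
    return (a[0] - o[0]) * (b[1] - o[1]) - (a[1] - o[1]) * (b[0] - o[0])


def upper_hull(points):
    """Upper convex hull, left to right (monotone chain)."""
    hull = []
    for p in sorted(points):
        while len(hull) >= 2 and _cross(hull[-2], hull[-1], p) >= 0:
            hull.pop()
        hull.append(p)
    return hull


def skew_lp_ppm(trace, hz=TS_HZ):
    """Slope of the upper-bound line that minimises total distance to the points.

    Minimising sum(a*x_i + b - y_i) with a*x_i + b >= y_i means minimising the
    line's height at mean(x), so the optimum is the hull edge above mean(x).
    """
    pts = offsets(trace, hz)
    mean_x = sum(x for x, _ in pts) / len(pts)
    hull = upper_hull(pts)
    for (x1, y1), (x2, y2) in zip(hull, hull[1:]):
        if x1 <= mean_x <= x2:
            return (y2 - y1) / (x2 - x1) * 1e6
    raise ValueError("trace needs at least two packets at distinct times")


def skew_least_squares_ppm(trace, hz=TS_HZ):
    """Ordinary least-squares slope, shown for comparison only."""
    pts = offsets(trace, hz)
    n = len(pts)
    mx = sum(x for x, _ in pts) / n
    my = sum(y for _, y in pts) / n
    sxy = sum((x - mx) * (y - my) for x, y in pts)
    sxx = sum((x - mx) ** 2 for x, _ in pts)
    return sxy / sxx * 1e6


def matches_enrolled(trace, enrolled_ppm, tolerance_ppm=1.0):
    """Accept the device only if its measured skew is close to the enrolled one."""
    return abs(skew_lp_ppm(trace) - enrolled_ppm) <= tolerance_ppm


if __name__ == "__main__":
    t = constructed_trace()
    print("upper-bound fit (ppm):", round(skew_lp_ppm(t), 3))
    print("least squares   (ppm):", round(skew_least_squares_ppm(t), 3))
```

On this trace the least-squares slope is pulled down by the growing queuing delay, while the upper-bound fit depends only on the least-delayed packets.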

Clock drift can be used for device fingerprinting by an external system. Devices have very precise clocks. This precision gives out slight variations in the clock when it is not synchronized with GNSS. The slight difference in the clock of a device can be used to differentiate between devices and their models in various protocols. It is possible to identify a device and classify the device based on its type; for identification and classification of a device, information that is leaked from the network of a device is used. Information emitted from a device is released from its components, e.g. processor, Direct Memory Access (DMA) controller, memory. The released information is processed by the Georgia Tech ID (GTID) method; it is a technique for physical device and device type fingerprinting. The outputs of the components of the device are processed using statistical techniques by analyzing the network in time, i.e. processing information whose characteristics depend explicitly upon time. GTID collects information by being located between the Access Point and the point of destination. The information gathered from a device is fed into an Artificial Neural Network (ANN) and this algorithm processes the data. The processed data from the Artificial Neural Network gives the type of a device and identifies a device; the technique extracts features from a network, measures traffic properties and gives the feature vector to time-series analysis, which in turn generates a signature. The signature generated from time-series analysis contains patterns that were embedded into the network, and these signatures are classified using an Artificial Neural Network, which gives the type of a device and identifies a device.

Artificial Neural Networks (ANN) are systems that take data and output a trained algorithm. An Artificial Neural Network resembles the human brain's neural system; it consists of a collection of interconnected computational units that are called neurons. These neurons send data to each other and they form layers. Layers formed in an Artificial Neural Network play an important role in identifying a pattern inside the data, and the resultant data from each neuron is between zero and one, i.e. zero meaning no match, one meaning perfect match. Artificial Neural Networks learn better when more data is provided; by giving more signatures to the Artificial Neural Network, the classification of the device will be more accurate. When a new signature is given to a trained neural network, it will compare it with the trained dataset signatures and give the appropriate result.

The disadvantage of device fingerprinting using variations in clock in the GTID method is that it cannot be reliable when used across the Internet. The method relies on packet timing and, because of buffering in switches and routers, timing will be lost. On the other hand, when the technique is used in a local network, it achieves high accuracy in identification of a device and in classifying the type of a device. This achievement in device fingerprinting was accomplished with 400 hours and 300 GB of data gathered from 37 different devices with different operating systems and types of traffic [11].

Another way of analyzing the component of the mobile phone that emits a signal, by using the clock difference of the device, is the Radio Frequency oscillator; it is one of the types of electronic oscillators and this feature has a unique characteristic which is found in wireless devices. Electronic oscillators are electronic circuits that generate a periodic, oscillating signal such as a sine or square wave. These circuits play a big role in the conversion of direct current into alternating current from the power supply to the electronic circuit. Radio frequency oscillators generate signals from 100 kHz up to 100 GHz in the radio frequency range; they have imperfections such as phase noise that can be used to analyze the signal and identify the wireless device. Phase noise is inherently produced by oscillators and the intensity of the noise rises at ranges close to the oscillation frequency of radio frequency oscillators; it consists of short-term, rapid, random fluctuations in phase and waveform. Radio frequency oscillators are typically implemented as phase-locked loops (PLLs), and the variations in the phase-locked loops' phase noise, which are caused by the differences in phase-locked loop circuit components, are used to extract the device fingerprint; an autocorrelation function is used to identify a device accurately. This method ensures a reliable measurement of the signal and identification of the device since the phase-locked loops' phase noise cannot be modified by the user [12].

III. PROPOSED APPROACH

The approach based on Transmission Control Protocol (TCP) seems more plausible. TCP is a network communication protocol, a transport protocol defined in the Request for Comments (RFC) standards of the Internet Engineering Task Force. It is a part of the Internet protocol suite; TCP and Internet Protocol (IP) together give another name for the Internet protocol suite, which is a set of communication protocols used in the Internet or other computer networks. When application programs try to exchange data, they create a network connection and TCP maintains this connection until the data transmission is completed between the two sides, i.e. it is a connection-oriented protocol; the method of transmitting packets of data between the two sides is defined by the Internet protocol suite, i.e. TCP and IP. TCP and IP are the simple rules of the Internet. In addition to keeping the network connection, TCP is responsible for breaking application data into packets, managing incoming and outgoing packets, flow control management, retransmission of damaged packets and confirmation of packet arrival over the network; when a web browser is making requests for pages on the web, a server sends the requested Hypertext Markup Language (HTML) file to a client web browser via Hypertext Transfer Protocol (HTTP), which in turn asks TCP to establish a connection and send the file.

TCP prepares a file for delivery by dividing the file into packets with individual numbers and sends them one by one to the IP layer; then transmission of the packets commences. To make the transmission process efficient, it may send each packet along a different route, although they may have individual source and IP addresses. Acknowledgement of received data packets is completed once the receiving end of the network, i.e. the client, gets all the data packets, and until confirmation of the received data packets is obtained, the TCP layer of the client retains the connection; for packets that are not received, e.g. because they are damaged, a retransmission request will be sent to get the missing data packets. At the end, all the packets will be assembled, the original file will be recreated and the resultant file will be sent to the receiving application. The need for retransmission of data packets may result in latency in TCP, and the variation of latency is called jitter.

Our method is based on the performance of the Transmission Control Protocol layer of mobile phones against the data transfer that will be tested; using the rate of latency in combination with the rate of data transmission from the server and the rate of transmission of data from the device to other devices results in a distinction between different devices. Reorganization of the packets creates a delay between the two ends of the network, and the speed and processing of the data is uniquely characteristic to each device.

The measuring device gathers fingerprints from a device while the device is operational and performing a task. The test is done on a network by measuring the time it takes for a server to respond to a request from a client, and the test is repeated several times. The client connects to a server on port 8080 and asks the server to send data. The client calculates the transfer speed and adjusts the data size so as to increase the network connection performance; it continues requesting data from the server as it receives them. After receiving some amount of data, the client creates more connections to determine additional threads and analyze the network better. Then some amount of data is sent from the client to the server, this time over the connections established by the client; it measures network performance and adjusts the amount of data sent; as data is received by the server, the client sends more chunks of data to the server. After some amount of data has been sent to the server, the client establishes more connections to the server in order to measure performance better.

All the processes described above are performed in order and they reveal some characteristics of the device used. These characteristics become apparent once they are visualized in a graph; the resulting individual values are graphed to distinguish between devices.

The obtained data can be classified in order to identify and validate a device; one approach is feature based machine learning and another is instance-based machine learning. Feature based learning uses statistical features of the data; once they are obtained, the identification and classification of the data will be more efficient. The disadvantage of feature based learning is that it requires a significant amount of data [13], and since the radio frequency emissions are limited in our case, this method does not seem plausible for our analysis. On the other hand, for instance-based machine learning a limited number of observables from a device is sufficient to do classification.

A. Test Results

Visual imperfection of devices as a result of tests performed on the NI PXI device presents a case where small variations in the performance of the device create a tool to classify a device. For our approach, the k-nearest neighbors algorithm (k-NN), which is a type of instance-based learning, is used for classification purposes; an object is assigned to the class of the nearest neighbor and the classification is done by majority vote of its neighbors. Depending on the value of k, the number of nearest neighbors considered increases, e.g. when k = 1, the data will be classified based on the single nearest neighbor.

The k-nearest neighbors algorithm (k-NN) assigns weight 1/k to each of the k nearest neighbors and assigns 0 to all other values. The class distribution has the following form:

$$\mathcal{R}_{\mathcal{R}}(C_n^{wnn}) - \mathcal{R}_{\mathcal{R}}(C^{Bayes}) = \left(B_1 s_n^2 + B_2 t_n^2\right)\left(1 + o(1)\right) \qquad (1)$$

The equation states that, asymptotically, the dominant contribution to the regret over $\mathcal{R}_{\mathcal{R}}$ of the weighted nearest neighbour classifier can be shown as a sum of two terms. The weighted nearest neighbour classifier is denoted as $C_n^{wnn}$ and the weights are represented as:

$$(w_{ni})_{i=1}^{n} \qquad (2)$$

Here $C_n^{wnn}$ is the weighted nearest neighbour classifier based on a training set of size $n$, $w_{ni}$ is the $i$th nearest neighbor weight and $C^{Bayes}$ is the Bayes classifier. Also, $B_1$ and $B_2$ are constants; the other values are represented as:

$$s_n^2 = \sum_{i=1}^{n} w_{ni}^2 \qquad (3)$$

$$t_n = n^{-2/d} \sum_{i=1}^{n} w_{ni}\left(i^{1+2/d} - (i-1)^{1+2/d}\right) \qquad (4)$$

where $n$ is the sample size, $w_{ni}$ is the $i$th nearest neighbor weight, $d$ is the dimension of the feature vectors, and the two terms, multiples of $B_1$ and $B_2$, represent the variance and squared bias contributions to the regret.

The algorithm that was used in our tests consists of the following steps: loading the data from a dataset that was created from fingerprints of a device, calculating the Euclidean distance between each pair of data points, finding the nearest neighbor points and summing the weights of those values, dividing the data into a training set and a testing set, and performing the classification and identification [14].
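The steps listed above, as an added example that is not the authors' code: a 1/k-weighted k-NN classifier over TCP-performance features, evaluated for k = 1 to 6. The device profiles, the feature set (download rate, upload rate, latency, jitter), the noise generator and the `authenticate` helper are constructed assumptions, not the paper's dataset or measurements.

```python
import math
from collections import Counter

# Constructed device profiles (assumed values, not the paper's measurements):
# (download Mbit/s, upload Mbit/s, latency ms, jitter ms)
PROFILES = {
    "iPhone 7": (48.0, 21.0, 12.0, 2.0),
    "Samsung S6 edge": (47.0, 20.5, 12.5, 2.2),   # deliberately close to the iPhone
    "Xiaomi Mi4": (31.0, 12.0, 19.0, 4.5),
}
SPREAD = (2.0, 1.0, 1.0, 0.5)   # assumed run-to-run variation per feature


def noise_stream(seed=2018):
    """Deterministic values in [-1, 1) from a small LCG, so every run is identical."""
    state = seed
    while True:
        state = (1103515245 * state + 12345) % 2**31
        yield state / 2**30 - 1.0


def build_dataset(runs_per_device=40):
    """Step 1: load the fingerprint dataset (here: constructed measurement runs)."""
    noise = noise_stream()
    data = []
    for label, profile in PROFILES.items():
        for _ in range(runs_per_device):
            features = tuple(p + s * next(noise) for p, s in zip(profile, SPREAD))
            data.append((features, label))
    return data


def split(data, every=4):
    """Stratified split: every 4th run of each device is held out for testing."""
    train, test, seen = [], [], Counter()
    for features, label in data:
        (test if seen[label] % every == 0 else train).append((features, label))
        seen[label] += 1
    return train, test


def fit_scaler(samples):
    """Per-feature mean and standard deviation, from the training runs only."""
    cols = list(zip(*(f for f, _ in samples)))
    means = [sum(c) / len(c) for c in cols]
    stds = [math.sqrt(sum((v - m) ** 2 for v in c) / len(c)) for c, m in zip(cols, means)]
    return means, stds


def scale(features, scaler):
    """Standardise so Mbit/s and ms contribute comparably to the distance."""
    means, stds = scaler
    return tuple((v - m) / s for v, m, s in zip(features, means, stds))


def knn_predict(train, query, k):
    """Weight 1/k on each of the k nearest runs (Euclidean distance), 0 elsewhere.

    Returns (label, summed weight); ties go to the class with the closest member.
    """
    nearest = sorted(train, key=lambda s: math.dist(s[0], query))[:k]
    votes = Counter(label for _, label in nearest)
    top = max(votes.values())
    label = next(lbl for _, lbl in nearest if votes[lbl] == top)
    return label, top / k


def enroll():
    """Return (scaled training runs, scaler, raw held-out runs)."""
    train, test = split(build_dataset())
    scaler = fit_scaler(train)
    return [(scale(f, scaler), lbl) for f, lbl in train], scaler, test


def evaluate(ks=range(1, 7)):
    """Map k -> (accuracy, [(true, predicted), ...]) on the held-out runs."""
    train_s, scaler, test = enroll()
    results = {}
    for k in ks:
        preds = [(lbl, knn_predict(train_s, scale(f, scaler), k)[0]) for f, lbl in test]
        results[k] = (sum(t == p for t, p in preds) / len(preds), preds)
    return results


def authenticate(train_s, scaler, features, claimed, k=5, min_share=0.6):
    """Accept a claimed identity only if k-NN agrees with enough summed weight."""
    label, share = knn_predict(train_s, scale(features, scaler), k)
    return label == claimed and share >= min_share


if __name__ == "__main__":
    for k, (acc, _) in evaluate().items():
        print(f"k={k}: accuracy {acc:.2f}")
```

Because the two closely matched profiles overlap, most misclassifications fall between them, while the clearly different profile is always separated.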

In the device fingerprinting process, three models from different phone manufacturers were used: Samsung S6 edge, iPhone 7 and Xiaomi Mi4. iPhone and Samsung seem to have similar radio frequency emission, which is shown in Figure 1. Also, Xiaomi Mi4 seems to show different results, which is shown in Figure 2.

Figure 1: iPhone 7 and Samsung Galaxy S6 edge


The results of the classification of the devices depended on the value of k. By increasing the value of k, the accuracy of the classification increases by 3 to 4 % for each k increment until k = 6. Overall, the classification and authentication of a device in our method using device fingerprinting reached 75 % accuracy, which is not significantly better than other methods. This can be one way to authenticate a device, and further improvements can be made by using different algorithms.

Figure 2: iPhone 7, Samsung Galaxy S6 edge and Xiaomi Mi4

IV. CONCLUSION

In this paper, different techniques for the analysis of a device were investigated; the device can be analyzed either internally, i.e. accelerometer, or externally, i.e. TCP. Obtaining device fingerprinting using an external system and by manipulating internal components of the device is a plausible option. In our method, the performance of the TCP layer of a device with its data transfer rates was tested. The obtained data was split into two groups, i.e. training and testing data parts. Training data was fed into the k-nearest neighbors algorithm and testing data was used to test the trained algorithm. Using only the k-nearest neighbors algorithm resulted in authentication of a device with 75 % accuracy; with increased k number, accuracy increased until k = 6. Using other algorithms and combining the feature-based method with the instance-based method, better performance can be achieved.

REFERENCES

[1] F. Alaca and P. C. van Oorschot, “Device fingerprinting for augmenting web authentication: classification and analysis of methods,” in Proceedings of the 32nd Annual Conference on Computer Security Applications. ACM, 2016, pp. 289–301.

[2] G. Baldini and G. Steri, “Survey of techniques for the identification of mobile using the physical fingerprints of the built-in components,” IEEE Communications Surveys & Tutorials, vol. 19, no. 3, pp. 1761–1789, 2017.

[3] U. Guin, K. Huang, D. DiMase, J. M. Carulli, M. Tehranipoor, and Y. Makris, “Counterfeit integrated circuits: A rising threat in the global semiconductor supply chain,” Proceedings of the IEEE, vol. 102, no. 8, pp. 1207–1228, 2014.

[4] C. Holz, S. Buthpitiya, and M. Knaust, “Bodyprint: Biometric user identification on mobile devices using the capacitive touchscreen to scan body parts,” in Proceedings of the 33rd annual ACM conference on human factors in computing systems. ACM, 2015, pp. 3011–3014.

[5] F. Mo, Y.-H. Lu, J.-L. Zhang, Q. Cui, and S. Qiu, “A support vector machine for identification of monitors based on their unintended electromagnetic emanation,” Progress In Electromagnetics Research, vol. 30, pp. 211–224, 2013.

[6] D. R. Reising, M. A. Temple, and J. A. Jackson, “Authorized and rogue device discrimination using dimensionally reduced RF-DNA fingerprints,” IEEE Transactions on Information Forensics and Security, vol. 10, no. 6, pp. 1180–1192, 2015.

[7] D. R. Reising, M. A. Temple, and M. J. Mendenhall, “Improved wireless security for GMSK-based devices using RF fingerprinting,” International Journal of Electronic Security and Digital Forensics, vol. 3, no. 1, pp. 41–59, 2010.

[8] M. Cristea and B. Groza, “Fingerprinting smartphones remotely via ICMP timestamps,” IEEE Communications Letters, vol. 17, no. 6, pp. 1081–1083, 2013.

[9] S. B. Moon, P. Skelly, and D. Towsley, “Estimation and removal of clock skew from network delay measurements,” in INFOCOM, 1999, pp. 227–234.

[10] T. Kohno, A. Broido, and K. C. Claffy, “Remote physical device fingerprinting,” IEEE Transactions on Dependable and Secure Computing, vol. 2, no. 2, pp. 93–108, 2005.

[11] S. V. Radhakrishnan, A. S. Uluagac, and R. Beyah, “GTID: A technique for physical device and device type fingerprinting,” IEEE Transactions on Dependable and Secure Computing, vol. 12, no. 5, pp. 519–532, 2015.

[12] A. C. Polak and D. L. Goeckel, “Wireless device identification based on RF oscillator imperfections,” IEEE Transactions on Information Forensics and Security, vol. 10, no. 12, pp. 2492–2501, 2015.

[13] B. D. Fulcher and N. S. Jones, “Highly comparative feature-based time-series classification,” IEEE Transactions on Knowledge and Data Engineering, vol. 26, no. 12, pp. 3026–3037, 2014.

[14] J. E. V. Ferreira, C. H. S. da Costa, R. M. de Miranda, and A. F. de Figueiredo, “The use of the k nearest neighbor method to classify the representative elements,” Educación Química, vol. 26, no. 3, pp. 195–201, 2015. [Online]. Available: http://www.sciencedirect.com/science/article/pii/S0187893X15000312
