CHAPTER 14

Fingerprinting Mobile Devices

The process of identifying a device on a network (or the user behind the device) is called fingerprinting. As the name suggests, the process involves identifying some set of characteristics that uniquely identifies one device or user.

This chapter looks at the fingerprinting of mobile devices both directly (that is, devices connecting to a network) and indirectly (that is, devices connecting to one or more Web sites). Given the nature of mobile devices, you’ll find that the methods used to fingerprint stationary PCs do not work so well on mobile devices. However, some characteristics of mobile devices lend themselves to new and somewhat daunting fingerprinting capabilities.

Chapter 14 Topics

This chapter covers the following concepts and topics:

  What the nature of device fingerprinting is

  What the types of fingerprinting are

  What fingerprinting methods exist

  How unique device identifiers work

  How spyware for mobile devices works

Chapter 14 Goals

When you complete this chapter, you will be able to:

  Define fingerprinting

  Describe the nature of device fingerprinting

  List the two types of fingerprinting

  Discuss the various fingerprinting methods

  Understand how unique identifiers are collected

  Describe how sensors and components are used to fingerprint devices

  Discuss the difference between device fingerprinting, spyware, and spy software

Is Fingerprinting a Bad or a Good Thing?

As mentioned, fingerprinting is the process of identifying a device on a network or the user behind the device. There is a common point of confusion regarding the nature of fingerprinting and whether it is good or bad. The broad assumption among the general public (and the media) is that it is both new and bad—a sinister plot cooked up on the Internet to violate the privacy of unsuspecting victims. The reality is that while there are new methods of doing so, fingerprinting of devices and users has been around for about as long as networks. Similarly, while there are ways in which fingerprinting can be (and is) abused, a lot of good can come from it, too. Like many technologies, whether fingerprinting is “good” or “evil” depends on users and their intent rather than on the nature of the technology itself.

On the good side of the ledger, fingerprinting can help network administrators understand what (and who) is on the network. This can improve both performance and security. Fingerprinting also makes for a richer user experience online, allowing sites to offer customized content and more convenient consumer transactions.

On the bad side, fingerprinting can be used as a means to aggressively target users with unwanted advertisements and pop-ups. This is problematic for users who have visited sites that they would prefer were kept private, as ads associated with those sites can pop up any time the browser is active. Fingerprinting can also be used by cyberstalkers, who can literally track a person’s every move. (Of course, this is a positive for law enforcement.)

The increased potential for wrongdoing that results from the fingerprinting of mobile devices is a legitimate concern. While standard computers might contain financial or potentially embarrassing information about a user, mobile devices—a constant companion for many people—hold deeply private details about people’s lives, making them even more attractive for fingerprinting. Imagine if you were asked to take part in a program where someone could have access to the following:

  Your location at all times

  Private photographs (which are stamped with time and location)

  Private correspondence (e-mails and texts)

  Online browsing and shopping history

  Audio and video at any given time

  Banking and credit card details

  Security and convenience systems in your home

  Names, pictures, and contact information for your spouse, children, friends, and employer

It’s doubtful that anyone would ever subject themselves to that level of tracking, but this is pretty much what’s available on most people’s phones today.

This is not a problem in and of itself. Apart from some rare cases (the tracking of suspected terrorists, for example), people are not typically subject to this extreme level of tracking. However, the mere existence of this type of access creates the potential for some very serious privacy problems. So while fingerprinting is not inherently bad, the significant consequences of fingerprinting when used for nefarious aims require increased attention and caution on the part of both security professionals and individual users.

Types of Fingerprinting

There are two general categories of fingerprinting. These categories pertain more to where fingerprinting is done than to how it is done. (There are various methods.) They are as follows:

  Proximity fingerprinting—Fingerprinting that occurs on a network is called proximity fingerprinting.

  Remote fingerprinting—Fingerprinting that is done online is called remote fingerprinting.

NOTE

The distinction between proximity and remote fingerprinting is more pronounced with wireless-enabled mobile devices than with fixed equipment. This is because the unique characteristics of radio transmitters are one method by which a mobile device can be uniquely identified.

Network Scanning and Proximity Fingerprinting

Proximity fingerprinting is typically performed by administrators to identify devices found during network scans. By scanning the wireless network using tools such as inSSIDer, the administrator can scan, discover, and visualize the network topology. Visualizing Wi-Fi networks and their devices can reveal ad hoc networks and unauthorized connections. In this case, the purpose of fingerprinting a device is to reveal the type, manufacturer, operating system (OS) version, and any other information that the scanning application will retrieve through the discovery process.

TIP

Visualizing and fingerprinting network topology are helpful from a security and administrative perspective. Doing so lets the administrator see everything on the wireless network, which can then be compared against a baseline of known and authorized devices.

Wireless Anonymity

Any device connecting to a wireless network, whether authorized or not, must communicate and associate with an access point. As a result of this process, the access point will have a record of the media access control (MAC) address of the device with which it is communicating. That means all devices can easily be detected. However, detecting a device and identifying it are two different things. This is because most hackers strive for wireless anonymity.

For example, suppose a hacker occasionally initiates a malicious attack from within the wireless network, such as a denial of service (DoS) attack against an external target. Suppose, too, that this is done for a brief period of time, and that the hacker wants to remain anonymous. When the attack begins, the security administrator is alerted via the wireless intrusion prevention system (WIPS) and attempts to identify the anonymous device that appears and disappears in bursts. To identify the attacker’s device, the administrator must first fingerprint it. Meanwhile, the attacker tries to avoid being fingerprinted so that he or she can remain anonymous and continue with the attack.

To remain anonymous, the attacker’s device must constantly change its MAC and Internet Protocol (IP) addresses. It must also clear any cookies on the device. (Cookies are files that contain a unique user identifier that a Web site creates when a user first visits.) Clearing cookies prevents a captive portal on the access point from retrieving a cookie that would identify the device. Alternatively, the attacker might masquerade as another legitimate user by forging that user’s MAC and IP addresses and using his or her cookie as a false identifier.

Whichever strategy the attacker adopts, it is clear that he or she can easily change the device’s identity by altering three of the most common identifiers: the MAC address, the IP address, and a cookie. This makes it necessary to find other characteristics or indicators of identity—at least in the cases where there is evidence or suspicion of unauthorized anonymous access.

In the case of authorized users and devices, this is a pretty straightforward exercise. It’s not as simple to detect and locate attackers, however. Rogue access points in particular are notoriously difficult to locate because they are typically not on all the time. (Hackers prefer to lie dormant for long periods, becoming active only for short spells.) A wireless intrusion prevention system (WIPS) can detect these intruders as they work using the same principles as fingerprinting, but it does not always help in pinpointing a location. There is also an issue with anonymity, as it’s in an attacker’s interest to remain anonymous by avoiding fingerprinting.

Online or Remote Fingerprinting

The type of fingerprinting that most people are familiar with (and have been subjected to) is remote or online fingerprinting. This type of fingerprinting plays a significant role in e-commerce and search analytics. In this case, remote fingerprinting is beneficial to users, but there are controversial uses as well. These tend to garner headlines, given the concern for online privacy.

One of these controversial uses involves Internet marketing firms who collect personal information via both fixed and mobile Web browsers, then collate and sell that information to other marketing firms. Some of those third-party firms then use hyper-aggressive tactics aimed at classes of users based on the users’ Web-browsing habits.

It’s important to note that this is not spyware. Spyware is malicious software that enables a user to covertly obtain information about another user’s computer activities. In remote fingerprinting, no software is loaded onto the device. Rather, remote fingerprinting is the act of identifying a device based on a collection of common characteristics shared by all devices of a certain type. For example, when fingerprinting an Apple iPhone, the goal for the administrator or hacker would be to find a unique characteristic that could be used to identify the device when compared to all other smartphones. To achieve this, the fingerprint technique must work across Web browsers.

Web sites need some mechanism to identify and remember users from one visit to the next. This is necessary because Hypertext Transfer Protocol (HTTP) is stateless—that is, it has no way to “remember” users from one transaction to the next, as multiple users access the site simultaneously. Session IDs are therefore essential to maintain state and assist Web sites with identifying users. With session IDs, Web sites can track and collate each unique user’s actions into seamless transaction streams on a per-user basis. Session IDs last only as long as the user remains on the site, however. Sessions are deleted when the user ends the session or after some predetermined time of inactivity. Therefore, while session IDs are unique fingerprints, they are of no use for remembering the user’s device from one visit to another. The solution was, and remains, the humble cookie.

NOTE

Fingerprinting PCs as they browse the Internet is nothing new. Indeed, it is viewed as a necessary part of the service that many Web sites provide. Without fingerprinting, it would be much more difficult to navigate the Internet. In addition, e-commerce would be much less convenient.

Cookies

As noted, a Web site creates a cookie when a user first visits. When a device returns to the Web site, it passes along the cookie for that site. The Web site then recognizes the cookie’s unique identifier, which identifies the user.

The cookie itself is a simple file containing information stored as sets of name-value pairs—for example, userID/A9CF87546ABC, where the name of the pair is userID and the value is A9CF87546ABC. Most Web sites create cookies that store this information and nothing else. This is not because they care about the user’s privacy, but because it isn’t practical to store the user’s information on the user’s device. That’s mostly because Web sites store a lot more about the user than just the name-value pair. Some common information includes the user’s browsing history, what pages or advertisements the user clicked on, what preferences the user has configured, his or her shopping cart status, and his or her sales history. The list is endless.

This critical information is stored in the Web site’s own database and referenced when the user visits the Web site. When the user clicks a link or types a URL to visit the site, the cookie is passed to the site and is used to look up this key user data. This is how Web sites such as Amazon.com remember their customers and are able to provide useful shopping hints based on previous sales or browsing activity. They can also remember and maintain the customer’s shopping cart over multiple visits, as this information is stored on their databases. This is a simple solution to providing state information over the stateless Internet, and it’s worked well for years.

Unfortunately, this system has its flaws. The biggest one, from the Web site’s perspective, is that a user can delete the cookie file when clearing his or her temporary Internet files folder. (Incidentally, this happens to be the first step technical support asks the user to take when troubleshooting browser issues.) This is not a major problem, but it will be inconvenient when the user returns to his or her favorite Web site. Because the cookie file has been deleted, the site will no longer recognize the user. Instead, the Web site will consider him or her a new user and create a new cookie. Fortunately, the user’s original information will still be in the Web site’s database. The user can use his or her login credentials to retrieve that information and reassociate his or her new cookie with the previously collated information stored in the Web site’s database. This is a primary reason Web sites store only the name-value pair on the customer’s device.
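The following added example (not code from the chapter) models the arrangement just described: the device holds only an opaque name-value pair, the site's own database holds the profile, a cleared cookie makes the visitor look new, and logging in reassociates the fresh cookie with the stored data. The cookie name, identifier format and profile fields are constructed for illustration.

```python
"""Server-side cookie bookkeeping: an opaque ID on the device, the profile in the
site's own database. Constructed example; identifiers and fields are illustrative."""
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "userID"   # the name half of the name-value pair sent to the device


class Site:
    def __init__(self):
        self.profiles = {}   # cookie value -> profile dict (the site's own database)
        self.accounts = {}   # login name -> cookie value currently linked to that account

    def request(self, cookie_header=""):
        """Handle one visit. Returns (cookie_value, profile, is_new_visitor)."""
        jar = SimpleCookie()
        jar.load(cookie_header)
        morsel = jar.get(COOKIE_NAME)
        if morsel is not None and morsel.value in self.profiles:
            profile = self.profiles[morsel.value]
            profile["visits"] += 1
            return morsel.value, profile, False
        # No cookie, or a value we never issued: the site treats this as a new user
        # and issues a fresh identifier. Nothing but the identifier is stored client-side.
        new_id = secrets.token_hex(6).upper()
        self.profiles[new_id] = {"visits": 1, "cart": [], "history": []}
        return new_id, self.profiles[new_id], True

    def login(self, cookie_value, username):
        """Reassociate the current cookie with the account's previously collated data."""
        old_id = self.accounts.get(username)
        if old_id is not None and old_id != cookie_value:
            old = self.profiles.pop(old_id)          # data collected under the deleted cookie
            fresh = self.profiles[cookie_value]      # data collected since the cookie was cleared
            old["visits"] += fresh["visits"]
            old["cart"].extend(fresh["cart"])
            old["history"].extend(fresh["history"])
            self.profiles[cookie_value] = old        # the new cookie now points at the old profile
        self.accounts[username] = cookie_value
        return self.profiles[cookie_value]


def walkthrough():
    """First visit, return visit, cookie cleared, login reassociates the profile."""
    site = Site()
    cid, profile, first_new = site.request("")                       # no cookie yet
    profile["cart"].append("book")
    site.login(cid, "alice")
    _, returning, second_new = site.request(f"{COOKIE_NAME}={cid}")  # cookie presented
    visits_after_return = returning["visits"]
    cid3, _, third_new = site.request("")                            # temporary files cleared
    merged = site.login(cid3, "alice")                               # credentials reassociate data
    return {
        "first_new": first_new,
        "recognized": not second_new,
        "visits_after_return": visits_after_return,
        "after_clear_new": third_new,
        "cart_after_login": merged["cart"],
        "visits_after_login": merged["visits"],
    }


if __name__ == "__main__":
    print(walkthrough())
```

The only thing the device ever holds is the `userID` value; the cart, history and visit count live in `Site.profiles`, which is why clearing cookies costs the user nothing more than a login.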

Despite the benefits that cookies provide, they’ve developed a bad reputation. Some say they invade users’ privacy. As a result, many users now disable cookies as the default setting, enabling them only for specific reputable sites on a per-use basis. This is not a bad strategy, because a Web site should only store information relevant to its specific domain, not from third-party sites. Nevertheless, the real issue is not with cookies, but with browsers that allow cross-site profiling.

Cross-Site Profiling

Cross-site profiling occurs when a browser accepts cookie requests from third-party advertisers on the Web site the user is visiting. Most browsers allow third-party cookies by default, although Safari on the iPhone does not. (It must be specified in the Preferences screen.) Cross-site profiling is a problem because it allows advertisers and giants like Google to track users across many sites. Google, for example, advertises on many sites, and can track the customer’s movements by collecting third-party cookies via JavaScript that runs in the ads on the host Web site. Although the information is anonymous, over time, with enough data, advertisers can profile the customer’s interests and preferences, and through cookies uniquely identify the customer’s device. Once that has been done, they can focus their advertising based on the user’s Web-browsing habits. That’s why, when you visit a site you’ve never been to before, you might see ads for products that are similar to ones you’ve purchased on other sites.

For advertisers, this is of course a wonderfully rich set of data. Advertising networks sell advertising to their clients that can specifically target users who have browsed similar products or clicked similar ads. By using third-party cookies, they can fingerprint the user’s device. This is neither good nor bad in and of itself. Supporters claim that it enhances the browsing experience and drives commerce. Detractors, however, say it is an unethical breach of privacy. This is a tough case to make unless the advertising network (or some other entity) makes a connection between the user name, address, and browsing history, and then chooses to exploit that information.

Developers, advertisers, and cybercriminals are searching for new ways to fingerprint mobile devices. They seek an alternative to cookies, which users can disable. As always, it is vital to educate mobile users to be cautious about which information they enter into untrusted Web sites, especially with a device that is also used for work purposes. As mentioned, even if a technology is developed for positive aims, it can still be twisted into something sinister.

FYI

Fortunately, the big three mobile device providers—Apple, Google, and Microsoft—are moving toward device diversity. With device diversity, a user can work on any device with his or her data stored in the cloud, using workflows that follow him or her from one device to another. This greatly mitigates fingerprinting performed via browsers because the user can easily switch back and forth between devices. This makes the task of fingerprinting more difficult.

Fingerprinting Methods

The problem with fingerprinting a mobile device is that to be effective, fingerprinting characteristics must be diverse enough to be unique. Uniqueness based on diversity is the best way to ensure that no two devices have the same fingerprint. This is not always an easy thing to achieve, however—especially with iPhones, which are closed systems with factory-set configurations.

NOTE

Diversity and stability tend to work against each other. As diversity increases (through the use of multiple parameters), fingerprint stability decreases. This is because there is a higher chance that one or more characteristics will be changed.

A mobile device fingerprint must also be stable. That is, it must remain unique over time. Some sets of identifiers may be unique at any given time, but if the characteristics can be easily changed by a user, then they cannot be considered stable. If a fingerprint is not stable, then it cannot be used to track a user over time, which is the whole point of fingerprinting. An example of this is the Apple iOS IdentifierForVendor tag. A collection of these may be unique, but the tag persists only as long as the application remains on the phone. Therefore, it is not stable.

Many characteristics can be collected. Generally speaking, however, the more distinctive a characteristic is, the harder it is to obtain. The two general categories of fingerprinting—proximity fingerprinting and remote fingerprinting—relate to where fingerprinting is done. Beyond that, there are two types, or methods, of fingerprinting: passive and active.

Passive Fingerprinting

Passive fingerprinting occurs without querying the client device. Instead, it analyzes information supplied by the device itself. On mobile devices, passive analysis typically focuses on certain protocols, including HTTP headers, TCP/IP headers, 802.11 Wi-Fi settings, and OS parameters.

Depending on the purpose of the fingerprinting, some of these protocols will be more useful than others. For example, if a network administrator wanted to fingerprint devices on the network, he or she might set up a laptop as an access point and use Wireshark to intercept the traffic on the Wi-Fi interface in promiscuous/monitor mode. Using Wireshark to decode the packets, the administrator would be able to determine the MAC and IP addresses of all the devices communicating on the segment. From the headers, device type, and OS, the administrator could create a reasonable set of device fingerprints on the network.

Examining TCP/IP Headers

Another approach to passive fingerprinting is to examine the TCP/IP headers. These headers contain very important data. For example, a device’s IP and MAC addresses could help identify it as a smartphone. However, using IP and MAC addresses is not a great way to identify a device because they are not stable. IP addresses are easily changed with Dynamic Host Configuration Protocol (DHCP) and MAC addresses are easily altered through MAC spoofing.

A better option is to analyze the HTTP traffic that the device submits to a Web site, as it contains a lot of diverse options. This is how Panopticlick determines the distinctiveness of a browser. This Web site remotely checks for distinctiveness in browser characteristics by comparing the fingerprint of one browser against its database of more than 4 million samples (at time of this writing). It looks for characteristics such as the following:

  User agent

  HTTP_ACCEPT headers

  Browser plug-in details

  Time zone

  Screen size and color depth

  System fonts

  Whether cookies are enabled

Panopticlick shows that there are sufficient differences between PC browsers that PCs can be uniquely identified. Fortunately (or unfortunately, depending on one’s perspective), the same is not true for mobile devices, especially Apple iPhones. This is because PCs are readily customized with different browsers, plug-ins, and system fonts, which greatly aids the chances of a browser being identifiable. Apple iPhones, however, do not have that diversity. They are typically all configured alike.
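To make the "sufficient differences" claim concrete, here is an added example (not from the chapter or from Panopticlick itself) that scores a browser the way a Panopticlick-style comparison does: the anonymity set is the number of browsers in the population with an identical attribute set, and the identifying information is log2(population / anonymity set) bits. The population is constructed: six customized PCs and four identically configured iPhones.

```python
"""Panopticlick-style distinctiveness measurement over a constructed population."""
import math
from collections import Counter

ATTRIBUTES = ("user_agent", "plugins", "fonts", "timezone", "screen")


def browser(ua, plugins, fonts, tz, screen):
    return dict(zip(ATTRIBUTES, (ua, plugins, fonts, tz, screen)))


# Six PCs, each customized with a different browser, plug-in set, fonts, time zone or screen.
PCS = [
    browser("Mozilla/5.0 (Windows NT 6.1) Chrome/35.0", "Flash 13;Java 7", "Arial;Calibri;Verdana", "-300", "1920x1080x24"),
    browser("Mozilla/5.0 (Windows NT 6.1) Firefox/30.0", "Flash 13;Silverlight 5", "Arial;Calibri;Tahoma", "-300", "1366x768x24"),
    browser("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9) Safari/537.75", "QuickTime 7", "Helvetica;Menlo;Monaco", "0", "1440x900x24"),
    browser("Mozilla/5.0 (X11; Linux x86_64) Firefox/30.0", "", "DejaVu Sans;Liberation Mono", "60", "1920x1200x24"),
    browser("Mozilla/5.0 (Windows NT 6.3) MSIE 11.0", "Flash 14;Java 8;Silverlight 5", "Arial;Segoe UI;Verdana", "-480", "2560x1440x32"),
    browser("Mozilla/5.0 (Windows NT 5.1) Chrome/34.0", "Flash 12", "Arial;Times New Roman", "-300", "1024x768x16"),
]
# Four factory-configured iPhones of one model and iOS release: every attribute identical.
IPHONE = browser("Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) Safari/9537.53",
                 "", "Helvetica;Courier;Georgia", "-300", "320x568x32")
IPHONES = [dict(IPHONE) for _ in range(4)]
POPULATION = PCS + IPHONES


def anonymity_set(sample, population):
    """How many browsers in the population share this exact fingerprint (itself included)."""
    return sum(1 for p in population if p == sample)


def identifying_bits(sample, population):
    """Bits of identifying information: log2(N / anonymity set). log2(N) means unique."""
    return math.log2(len(population) / anonymity_set(sample, population))


def attribute_entropy(population, attribute):
    """Shannon entropy of one attribute across the population (how much it helps split it)."""
    n = len(population)
    counts = Counter(p[attribute] for p in population)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def report(population=POPULATION):
    return {
        "population": len(population),
        "max_bits": round(math.log2(len(population)), 3),
        "bits_pc": round(identifying_bits(PCS[0], population), 3),
        "bits_iphone": round(identifying_bits(IPHONES[0], population), 3),
        "per_attribute": {a: round(attribute_entropy(population, a), 3) for a in ATTRIBUTES},
    }


if __name__ == "__main__":
    print(report())
```

Each PC reaches the maximum log2(10) bits, that is, it is unique in this population, while every iPhone hides in an anonymity set of four and yields only log2(10/4) bits. The per-attribute entropies show where the PC diversity comes from (user agent, plug-ins, fonts) and that the iPhones contribute nothing to any of them.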

Application Identification

One method for fingerprinting smartphones is to examine not just the browser fields, but also the applications residing on the device. This can be done through a port scan, using a tool such as Nmap, or passively, through application fingerprinting. Application fingerprinting looks more closely at the HTTP user agent headers for application-specific information. Many Web and cloud apps work in the background on smartphones even when they are not active, occasionally connecting and synchronizing or looking for updates. What is more, each mobile application sets its own user agent request header. Therefore, it is possible to tell which application on which mobile device originated the HTTP request. This is a passive way to determine the application set on a smartphone or tablet without using obtrusive queries or violating the user’s privacy. Additionally, by observing synchronization of applications between devices—for example, an iPhone, an iPad, and a PC—it can be inferred that they belong to the same owner. Of course, this will only work if the combination of applications is sufficiently diverse and if they remain installed.
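The passive application-fingerprinting step described above can be run against ordinary proxy or access logs. The added example below (not the chapter's code) parses constructed log lines carrying a client address, host and User-Agent string, pulls the application token and platform hints out of each User-Agent, and builds a per-client application set. The log format, application names, hostnames and classification patterns are all assumptions made up for the example.

```python
"""Passive application identification from User-Agent strings in constructed log lines."""
import re
from collections import defaultdict

# Constructed sample lines: client IP, method, host, "User-Agent". Not real traffic.
LOG_LINES = [
    '10.0.0.21 GET api.example-mail.test "MailSync/4.2 (iPhone; iOS 7.1.2)"',
    '10.0.0.21 GET cdn.example-news.test "NewsReader/2.0 CFNetwork/672.1 Darwin/14.0.0"',
    '10.0.0.21 GET www.example.test "Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) Safari/9537.53"',
    '10.0.0.37 GET api.example-mail.test "MailSync/4.2 (Android; 4.4.2; Nexus 5)"',
    '10.0.0.37 GET play.example-music.test "Dalvik/1.6.0 (Linux; U; Android 4.4.2; Nexus 5 Build/KOT49H)"',
    '10.0.0.42 GET www.example.test "Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/35.0.1916.153 Safari/537.36"',
    'garbage line that does not match the format',
]

LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<method>\S+) (?P<host>\S+) "(?P<ua>[^"]*)"$')

# Leading "Name/version" product token; apps set their own, browsers and the Android
# runtime use generic ones. These patterns are assumptions for the example.
APP_TOKEN_RE = re.compile(r'^(?P<app>[A-Za-z][\w.-]*)/(?P<ver>[\d.]+)')
GENERIC_TOKENS = {"Mozilla": "browser", "Dalvik": "android-runtime-client"}
PLATFORM_RULES = (
    (re.compile(r'iPhone|iPad|iOS|Darwin'), "iOS"),
    (re.compile(r'Android|Dalvik'), "Android"),
    (re.compile(r'Windows NT'), "Windows"),
)


def classify_ua(ua):
    """Return (application label, platform) for one User-Agent string."""
    m = APP_TOKEN_RE.match(ua)
    if m is None:
        app = "unknown"
    else:
        app = GENERIC_TOKENS.get(m.group("app"), m.group("app"))
    platform = next((name for rx, name in PLATFORM_RULES if rx.search(ua)), "Unknown")
    return app, platform


def profile_clients(lines):
    """Aggregate, per client address, the platforms and applications seen in its requests."""
    profiles = defaultdict(lambda: {"platforms": set(), "apps": set(), "requests": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue                      # skip lines that do not fit the format
        app, platform = classify_ua(m.group("ua"))
        p = profiles[m.group("ip")]
        p["apps"].add(app)
        p["platforms"].add(platform)
        p["requests"] += 1
    return dict(profiles)


def shared_apps(profiles):
    """Pairs of clients whose named (non-generic) application sets overlap; a weak
    hint, as the text notes, that the devices may share an owner."""
    named = {ip: {a for a in p["apps"] if a not in GENERIC_TOKENS.values()} for ip, p in profiles.items()}
    ips = sorted(named)
    return [(a, b, named[a] & named[b]) for i, a in enumerate(ips) for b in ips[i + 1:] if named[a] & named[b]]


if __name__ == "__main__":
    prof = profile_clients(LOG_LINES)
    for ip, p in sorted(prof.items()):
        print(ip, sorted(p["platforms"]), sorted(p["apps"]), p["requests"])
    print(shared_apps(prof))
```

Nothing here queries the device; the fingerprint comes entirely from headers the applications volunteer, which is also why it only holds while those applications stay installed and keep synchronizing.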

Active Fingerprinting

Active fingerprinting differs from passive fingerprinting in that it queries the device in an invasive manner to access characteristics not readily obtained otherwise. For example, active queries attempt to find serial numbers and other unique characteristics that are both diverse and stable. An example of active scanning is using Simple Network Management Protocol (SNMP) to discover, map, and visualize a network. SNMP interrogates each device and retrieves information from agents to map the network.

The preceding section discussed the passive analysis of HTTP, which yields a number of parameters that could be used to fingerprint a browser. Active scanning can do the same, but it can dig deeper, interrogating the browser to obtain much more information. A typical technique used by Web site designers is to run JavaScript on an e-commerce Web page. When the browser loads the page, the JavaScript runs on the browser and requests additional information about the machine’s identity. This is how Google Analytics works.

Active scanning can also involve probing the network and recording the responses from devices. Vulnerability scanners such as OpenVAS can also be used to actively scan the network. This will return OS versions and patch profiles, which could be useful in fingerprinting network devices.

Unique Device Identification

The Holy Grail of fingerprinting is a unique identifier that is everywhere, accessible, and permanent. Ideally, when scanning a device, one would interrogate the device for a unique identifier such as its serial number. Application developers often try to obtain one of these hardware identifiers to use as a unique identifier in their apps. Other solutions are for developers to give the device their own identifier, like a cookie, and download a unique serial number with the application. This is how a lot of cloud-based mobile apps work. However, users can circumvent this tactic simply by deleting the application and downloading a new copy with a new identity. While these are certainly ways for developers to solve the identity problem from their application-centric perspective, none of them is a widely employed method of device identification and fingerprinting.

Apple iOS

Every device has its own unique identifier. For example, all Global System for Mobile Communications (GSM) phones have an International Mobile Station Equipment Identity (IMEI), while Apple and Android phones have a Unique Device Identifier (UDID). Access to these identifiers is tightly controlled. In the wrong hands, this information could lead to abuse such as fraud and identity theft.

Apple phones used to have two unique identifiers: the unique device identifier (UDID) and the IMEI, which all GSM phones have. Not surprisingly, Apple took a dim view of applications that tried to access these parameters, banning them from its App Store. Any potential vulnerability created from gaining access to the UDID was mitigated when iOS 5 was deprecated, and the UDID is no longer obtainable on iPhones.

In the place of the UDID, Apple introduced another identifier in iOS 6 aimed at advertisers: advertisingIdentifier. This identifier is unique to each device but can be removed if the device is wiped by the user. Another potential identifier is IdentifierForVendor, which is also available in iOS 6 and later. This identifier’s purpose is to link the device to the appropriate application vendor for analytics. There is a different identifier for each vendor with an installed application. This identifier is present only as long as an application from the vendor remains on the phone.

Application developers could use these identifiers to fingerprint devices, but it only works for devices on which the user has installed that vendor’s application. This is not a problem for the application developer, who only wants to be able to identify the device in his or her own application. However, for general fingerprinting, it has a major weakness—by design. If the user deletes the application, or simply does not run it, the identifier will not be available. Because of Apple’s sandbox functionality, the identifier is not available to other applications, so the fingerprint only works when the specific application is running—and then, only for the application’s developer.

Android

With Android phones, the IMEI can be used as a unique hardware identifier and is accessible through the getDeviceId method. Each device also has a device serial number and an Android ID. Both are unique numbers; the latter is a 64-bit number that is randomly generated on the device’s first boot and that remains constant for the device’s lifetime.

These numbers provide excellent means to identify an Android device in a specific application. For example, these identifiers could be used to fingerprint a device in a cloud service provider’s mobile application. However, just as with the iPhone, it is not feasible to create an application that can be loaded on all Android phones for the purpose of fingerprinting beyond a specific application. And just as with the iPhone, once the application is removed, the identifier is lost.

HTTP Headers

An alternative way to identify a device when the UDID and IMEI are not available to the application is to create data sets and then use the information contained in each set to create a unique fingerprint for the device. For this to work, the browser must be actively scanned and queried for the following information:

  Country code

  Device brand

  Device model

  Device carrier

  IP address

  Language

  OS name

  OS version

  User agent

  Timestamp

The information returned can then be used to create a data set by aggregating all the attributes and applying weighting to fingerprint the device. Some of these characteristics are not unique and can be collected passively, but the aggregation of all the attributes will provide a fingerprint that is approximately 94 percent unique. Unfortunately, this data set is considered stable for only 24 hours. In other words, this solution has diversity-based uniqueness but lacks stability.
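As an added illustration of the weighted-aggregation idea (this is example code, not the chapter's or any vendor's method), the block below hashes the attributes listed above into a fingerprint, scores two observations by weighted attribute agreement, and refuses to treat observations more than 24 hours apart as the same device, reflecting the stability window stated in the text. The weights, threshold and the observations themselves are constructed assumptions; the text gives no weights.

```python
"""Weighted attribute fingerprint with a 24-hour stability window. Constructed example."""
import hashlib
from datetime import datetime, timedelta

# Assumed weights: attributes that distinguish devices count more than ones shared by
# a whole carrier or country. Not taken from the text.
WEIGHTS = {
    "country_code": 1, "device_brand": 2, "device_model": 3, "device_carrier": 2,
    "ip_address": 1, "language": 1, "os_name": 1, "os_version": 2, "user_agent": 3,
}
TOTAL_WEIGHT = sum(WEIGHTS.values())   # 16
STABILITY_WINDOW = timedelta(hours=24)  # the text's 24-hour stability figure


def observation(country, brand, model, carrier, ip, lang, os_name, os_version, ua, ts):
    return {"country_code": country, "device_brand": brand, "device_model": model,
            "device_carrier": carrier, "ip_address": ip, "language": lang, "os_name": os_name,
            "os_version": os_version, "user_agent": ua, "timestamp": ts}


T0 = datetime(2014, 6, 1, 9, 0)
IPHONE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) Safari/9537.53"
ANDROID_UA = "Mozilla/5.0 (Linux; Android 4.4.2; GT-I9505) Chrome/35.0 Mobile Safari/537.36"
# Constructed observations: A1 and A2 are one phone seen from two addresses three hours apart,
# A3 is the same phone two days later, B is a different phone behind the same address.
OBS_A1 = observation("US", "Apple", "iPhone 5s", "Carrier-X", "198.51.100.23", "en-US", "iOS", "7.1.2", IPHONE_UA, T0)
OBS_A2 = observation("US", "Apple", "iPhone 5s", "Carrier-X", "203.0.113.8", "en-US", "iOS", "7.1.2", IPHONE_UA, T0 + timedelta(hours=3))
OBS_A3 = observation("US", "Apple", "iPhone 5s", "Carrier-X", "198.51.100.23", "en-US", "iOS", "7.1.2", IPHONE_UA, T0 + timedelta(days=2))
OBS_B = observation("US", "Samsung", "Galaxy S4", "Carrier-X", "198.51.100.23", "en-US", "Android", "4.4.2", ANDROID_UA, T0 + timedelta(hours=1))


def fingerprint_id(obs):
    """Digest of the attributes expected to persist across sessions (IP and timestamp excluded)."""
    stable = sorted((k, obs[k]) for k in WEIGHTS if k != "ip_address")
    return hashlib.sha256(repr(stable).encode("utf-8")).hexdigest()[:16]


def similarity(a, b):
    """Weighted fraction of attributes on which two observations agree, in [0, 1]."""
    matched = sum(w for k, w in WEIGHTS.items() if a[k] == b[k])
    return matched / TOTAL_WEIGHT


def same_device(a, b, threshold=0.85):
    """Match only within the stability window and above the similarity threshold."""
    if abs(a["timestamp"] - b["timestamp"]) > STABILITY_WINDOW:
        return False
    return similarity(a, b) >= threshold


if __name__ == "__main__":
    print(fingerprint_id(OBS_A1), fingerprint_id(OBS_A2), fingerprint_id(OBS_B))
    print(similarity(OBS_A1, OBS_A2), same_device(OBS_A1, OBS_A2))
    print(similarity(OBS_A1, OBS_A3), same_device(OBS_A1, OBS_A3))
    print(similarity(OBS_A1, OBS_B), same_device(OBS_A1, OBS_B))
```

A changed IP address costs only one weight unit out of sixteen, so A1 and A2 still match; A3 is identical to A1 in every attribute yet is rejected purely on age, which is the "lacks stability" point in code form.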

New Methods of Mobile Fingerprinting

In addition to the fingerprinting methods mentioned earlier—which, for mobile devices, are less than ideal—researchers have developed new methods that do a better job of finding characteristics that are both unique and stable. It turns out that with mobile devices, each device’s physical features may yield sufficient, if not ideal, characteristics for fingerprinting.

An example of this type of research, carried out and published by Stanford University, involves detecting tiny differences in the manufacturing tolerance of the subcomponents embedded in mobile devices. Specifically, the research focused on finding unique identifiers by measuring the performance of the microphone and the accelerometer (a sensor that detects and measures motion, used to recognize screen tilt for displays and games). By using JavaScript running on a Web page, researchers interacting with the browser could accurately measure the tiniest defects in these components. What they discovered was that each accelerometer was predictably different, and that readings could be used as a fingerprint to uniquely identify devices.

This method of analyzing the flaws in sensors in a device to create a unique digital fingerprint has a lot of potential. No active software needs to be loaded on the device. Moreover, every smartphone, regardless of make or state (jailbreak or rooted or not), can be scanned to produce a fingerprint with a unique ID. Vendors, marketers, and even law enforcement could use that ID to positively identify individual users. For advertisers, this could be a windfall.
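To show why a sensor's manufacturing flaws can serve as a durable identifier, the added example below (not the Stanford team's code) uses a simplified model of the accelerometer imperfection the text describes: each axis reports gain × true acceleration + offset. With the device at rest in two orientations per axis, the offset and gain fall out of the mean readings, and an unknown device is matched to the enrolled one with the nearest calibration vector. The three devices, their deviations, the noise level and the sensor model are all constructed assumptions.

```python
"""Accelerometer calibration fingerprint on a constructed sensor model."""
import math
import random
import statistics

G = 9.81  # gravity, the known reference signal for a device at rest

# Constructed manufacturing deviations per device: per-axis (offset in m/s^2, gain).
DEVICES = {
    "phone-A": ((0.05, -0.03, 0.12), (1.010, 0.990, 1.020)),
    "phone-B": ((-0.08, 0.02, 0.04), (0.980, 1.010, 0.997)),
    "phone-C": ((0.01, 0.09, -0.05), (1.020, 1.005, 0.985)),
}


def simulate_readings(true_accel, offset, gain, n, noise=0.05, rng=None):
    """Assumed sensor model: measured = gain * true + offset + Gaussian noise, per axis."""
    if rng is None:
        rng = random.Random(0)
    return [[gain[i] * true_accel[i] + offset[i] + rng.gauss(0.0, noise) for i in range(3)]
            for _ in range(n)]


def collect_rest_readings(name, seed, n=50):
    """Two rest orientations per axis (axis pointing up, then down): {axis: (up, down)}."""
    offset, gain = DEVICES[name]
    rng = random.Random(seed)
    readings = {}
    for axis in range(3):
        up, down = [0.0, 0.0, 0.0], [0.0, 0.0, 0.0]
        up[axis], down[axis] = G, -G
        readings[axis] = (simulate_readings(up, offset, gain, n, rng=rng),
                          simulate_readings(down, offset, gain, n, rng=rng))
    return readings


def calibration_features(rest_readings):
    """Recover (offset, gain) per axis from the mean +g and -g readings:
    offset = (r_up + r_down) / 2, gain = (r_up - r_down) / (2g). Six features."""
    feats = []
    for axis in range(3):
        up, down = rest_readings[axis]
        r_up = statistics.fmean(s[axis] for s in up)
        r_down = statistics.fmean(s[axis] for s in down)
        feats.append((r_up + r_down) / 2)
        feats.append((r_up - r_down) / (2 * G))
    return feats


def distance(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def identify(unknown_feats, enrolled):
    """Nearest enrolled calibration vector; returns (name, distance)."""
    best = min(enrolled, key=lambda name: distance(unknown_feats, enrolled[name]))
    return best, distance(unknown_feats, enrolled[best])


def enroll(seed=1):
    return {name: calibration_features(collect_rest_readings(name, seed)) for name in DEVICES}


def probe(name, seed=2):
    """Re-measure a device with fresh noise and see which enrolled profile it matches."""
    return identify(calibration_features(collect_rest_readings(name, seed)), enroll())


if __name__ == "__main__":
    for name in DEVICES:
        print(name, "->", probe(name))
```

The noise here is per-reading and averages out; the offsets and gains do not, which is the whole point: they are properties of the silicon, not of any setting a user can clear, so the match survives a wipe, a new SIM or a fresh browser profile.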

JavaScript

Running JavaScript on a Web site is an excellent way to actively fingerprint devices. By running JavaScript, the Web site can probe and retrieve many more attributes from the device than can be obtained by passively scanning the HTTP headers. For example, the Augur.js JavaScript library can identify and fingerprint devices using unique identifiers that provide a stable fingerprint of devices browsing the Web site. Augur.js can do this for both anonymous and registered users. Moreover, this active method is transparent to the device because JavaScript interacts with the device’s browser. This is one of the reasons some smartphone manufacturers do not support JavaScript in their default browsers.

From the perspective of those looking to fingerprint and target users, this is a great method. Even if users were to detect the intrusion, they would not be able to adjust application privacy settings to mitigate the risk or delete the fingerprint ID. That is not to say users could not block the intrusion, however; simply disabling JavaScript would solve the problem. Unfortunately, this would have a negative impact on the overall browsing experience. The broader issue, however, is that a lack of user awareness will likely mean that the vast majority of users will be subjected to this type of fingerprinting when it becomes more popular with advertisers.

Similar to the research done at Stanford, a research team at the Technical University of Dresden, Germany, discovered that they could track smartphones using a variation in the radio signals emitted. Radio components such as amplifiers, mixers, and oscillators—due again to manufacturing tolerances and physical variations—can produce a predictable signature with which to identify the device. Similarly, researchers have found that the M7 co-processor chip may also provide a durable fingerprint for mobile devices. The M7 co-processor handles all the Quantified Self (QS) tracking (the voluntary tracking of movement and location used in many fitness and habit applications) of the motion sensor, including the device’s accelerometer, gyroscope, and compass. This processor frees up the main processor and uses less battery. Unfortunately for those who want to protect their privacy, this co-processor in the iPhone stores seven days’ worth of data. Not only does it provide a unique fingerprint, it can also tell an accurate story of the user’s location at various times.

The main limitation of the JavaScript-based methods (from the fingerprinter's perspective) is that to gather the fingerprinting information, the attacker must first get the user to visit a Web site running the script. With user education on the dangers of fingerprinting and drive-by mobile malware, the chances of being subjected to this type of fingerprinting can be greatly reduced. Unfortunately, history suggests that even if privacy advocates push awareness, many users will unknowingly subject themselves to this type of fingerprinting and tracking.

Fingerprinting Users

Smartphones are set to become a useful device for law enforcement. Here, the goal is not to fingerprint the device, but to use the device to fingerprint a person. This will be done by providing police officers with a mobile system—a smartphone and a direct broadband connection—for scanning and processing fingerprints on the street. This allows police officers to be more productive by fingerprinting suspects in the field. The NYPD has already invested some $160 million in just such a system—to be released in 2015—which it paid for using funds received in bank settlements.

Using the fingerprint sensor on the smartphone, officers will be able to scan and fingerprint suspects at the scene. The smartphone will process the fingerprint scan and send the data via high-speed broadband to the police and FBI databases to check for a match. Worryingly, the fingerprint sensors installed on smartphones and top-end laptops have been less than stellar to date, but as the technology improves, the field prints should stand up to legal scrutiny.

This is good news for law enforcement, but it’s worrisome from a privacy perspective. It’s not unlikely that a fingerprinting form of malware could be used to constantly scan the phone for fingerprints. Worse, users would likely not be aware that their fingerprints were being scanned, shared, and possibly misused.

Spyware for Mobile Devices

Spyware is different from fingerprinting. Fingerprinting identifies a unique device, while spyware tracks specific (and private) information about what a user is doing: sites visited, location, and so on. Spyware comes in many forms. The most prevalent (and annoying) are potentially unwanted applications (PUAs). Not only do PUAs consume resources, including battery and bandwidth, but these applications also track information, including the user's Web-browsing history, Global Positioning System (GPS) location, and contacts. Many developers fund their work by sharing the data they collect using these unwanted applications with third-party advertisers. PUAs can also change browser settings, opening the victim to further abuse.

NOTE

PUAs are a nuisance but are rarely malicious. In that respect, they’re not that much different from cross-site profiling, except that they pull information directly from the device rather than from what is available through the browser interaction.

It may seem a bit shocking that this goes on, but it’s perhaps even more shocking that developers are up front about it—which is why it works. All this activity is actually spelled out in the application’s terms and conditions, which makes it difficult for vendors such as Apple and Microsoft to block it. The problem, of course, is that very few people (even security experts) actually read these terms and conditions—typically consisting of pages of dense text filled with legalese. Essentially, these PUA developers are hiding in plain sight, taking advantage of the large population of mobile users who have yet to figure out that there is no such thing as a “free app.”

A much more insidious and potentially damaging variety of spyware comes in the guise of legitimate applications. With this type of spyware, developers have again exploited the fact that few people read or care about the permissions they give smartphone applications. An example of this is a smartphone flashlight application, which, for no apparent reason, requests access to read and delete files on USB devices; switch on the microphone; access the camera, stored photos, and videos; and track the user via GPS. Again, the developers of this application may well have covered themselves by stating all this in the terms and conditions, but this type of intrusion is not so easily explained. This type of embedded spyware has potential for real spying, with malicious intent. Therefore, before you download any application onto a smartphone, you should vet its permissions.

Spy Software

One type of spyware that makes no attempt to hide its true nature (at least for the user) is spy software. Spy software is typically used by parents, employers, or other phone owners who wish to track a phone user’s activities. Questions of legality often arise, but this type of software is legal under certain conditions. These include the following:

  The person or entity installing the software and viewing the information must own or have legal authority over the target phone.

  The person or entity installing the software and viewing the information must inform any adult user of the target phone that he or she is being monitored.

The key point here is that it is legal to monitor a company-owned smartphone as long as the employee is informed that his or her activity will be monitored. This should be clearly stated and appear in the acceptable use policy. Typically, no such notification is required for minors under the care of an adult.

NOTE

These legal considerations are generalities. Laws differ from place to place, so it’s always best to verify the laws in effect in your location if you are asked to install this type of software in either a work or a private setting.

Despite these rules, it should be pretty obvious that loading spy software onto a smartphone has a real potential for misuse. Most spy software packages include the ability to monitor text messages, e-mails, Web history, call logs, and GPS location. Other more advanced functions can include monitoring chat services such as WhatsApp and Skype, recording calls, recording background sounds, and remotely controlling the smartphone’s features, such as the camera and microphone, without the user’s knowledge. That is, the camera would be active, but the “camera on” indicator would not light up.

Fortunately, there are some constraints. Spy software simply will not run on an iPhone that has not been jailbroken; the operating system's restrictions on third-party code block it. The same is true of Windows Phone 8.1. This is less of an issue if the phone is jailbroken by a knowledgeable IT professional as part of a policy for company-owned phones. It is a significant problem, however, for average users who open themselves up to a great deal of abuse by jailbreaking their phone.

NOTE

There is a potential for irony if the IT department jailbreaks smartphones to enable tracking software (ostensibly to prevent employee misuse). Jailbreaking exposes the phone to myriad forms of malware, which could have far more damaging effects than employees taking extra-long lunches or checking Facebook throughout the workday.

It’s a bit different on Android smartphones. These phones support third-party apps, which can be side-loaded or downloaded from a Web site. Therefore, rooting is not essential, but may be required for some more-advanced spy software features.

An alternative approach for Apple devices—which does not involve jailbreaking the device—is to use an application on a PC, such as PhoneSheriff Investigator. This software, loaded on company-owned PCs, monitors the Apple iCloud backup rather than the phone itself. When the iPhone syncs with iCloud, it will back up everything. The spy software can then pull the data from the iCloud account without ever having to connect to the phone itself. The list of items that can be monitored includes text messages, iMessages, call history, GPS location, photos, contacts, Safari bookmarks, notes, and account details. It may not be as impressive as the spy software features loaded directly onto the mobile phone, but it is an elegant solution for iPhones that doesn’t compromise a phone’s security. That said, there is great potential for abuse of this software as well.

Spy Cells: Stingray

One method of spying on a phone is to use a spy cell, that is, to imitate a cell tower or base station, in much the same way an evil twin imitates a legitimate wireless access point. One well-known device that does this is Stingray, which is essentially a fake tower used to intercept and perform man-in-the-middle (MITM) attacks on mobile networks. These spying base stations are sometimes called International Mobile Subscriber Identity (IMSI) catchers because they capture the unique IMSI number from a phone, and they are often used by law-enforcement and intelligence services to spy on and track mobile users in a given cell. (An IMSI is a unique identifier associated with every subscriber on a GSM or UMTS mobile network.)

Much like Wi-Fi clients, mobile phones are configured to select the strongest available signal. With this in mind, the IMSI catcher transmits at higher power than the real mobile operator's base station. By masquerading as a base station, it captures the mobile-phone connections in that cell (or some other predetermined area of interest). The IMSI catcher also has a connection to the real base station through an intermediate device and can relay captured calls through itself to the real base station. The caller can detect none of this.

The clever part of this attack is the way the IMSI catcher masquerades as a base station to capture the signals in the vicinity. In GSM the base station, not the handset, chooses the cipher during call setup, so a fake base station can instruct the phone to use no encryption at all (the cipher mode designated A5/0). This is completely transparent to the caller because it is an automated function. The user has no idea that the initial leg of the call, from the handset to the fake base station, is unencrypted, and that all of his or her data (and voice) will be in cleartext. (The second leg, from fake base station to the real base station, uses standard encryption because at that point it is a normal call.)

An earlier weakness with this MITM attack was that call handling was unidirectional, so the tapped phones couldn't receive calls (which would be a giveaway). To remedy this, newer equipment has patch-through technology that allows incoming calls to be passed to the device. Another weakness was that the technology worked only on GSM base stations, not on the later Universal Mobile Telecommunications System (UMTS) node-B stations. However, because practically every network still supports older 2G phones alongside its 3G service, 2G base stations and node-Bs coexist on the same network, and a 3G handset that falls back to 2G will connect to the catcher, resolving that issue.

NOTE

The fake base stations described in this chapter operate only on 2G GSM. A good indicator that something may be amiss is if a 3G or 4G phone suddenly drops down to using 2G, especially in areas where there should be more advanced networks.

The Stingray mobile phone tracker was initially developed for the military, but local and state law-enforcement agencies in the United States have widely adopted it. Stingray has both an active and a passive mode. In active mode, it works as a base-station simulator. In passive mode, it works as a digital analyzer. When in active mode, Stingray can force all nearby mobile phones to connect with it because it simulates a real base station. It can then extract identifiers such as IMSI numbers and electronic serial numbers (ESNs) from the phones' over-the-air signaling. This is often a necessary step because the Stingray will capture many mobile devices, and the operator has to pick out the target device from among the identifiers collected. Once the IMSI has been identified for the target device, surveillance can continue on that phone.
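The following is an added example, not part of the chapter, that turns the two indicators discussed above into detection logic: a handset that was on 3G or 4G being pulled onto a previously unseen 2G cell whose signal is markedly stronger than the cell it just left (the power-boosting behaviour of an IMSI catcher), and a 2G connection negotiated with the A5/0 "no encryption" cipher mode. It runs over a constructed log of radio-state samples; the line format, the field names and the signal threshold are assumptions for this example, since real handsets expose such data only through engineering menus or baseband diagnostics.

```javascript
// Added example, not from the chapter: a spy-cell detector run over constructed
// radio-state samples. Line format (assumed): time in seconds, radio technology,
// cell identity, signal in dBm, GSM cipher mode or "-" when the phone is not on 2G.

const RAT_RANK = { "2G": 2, "3G": 3, "4G": 4 };
const SIGNAL_JUMP_DB = 10; // assumed: how much stronger a new 2G cell must be to look "boosted"

function parseSample(line) {
  const [t, rat, cell, signal, cipher] = line.split(",").map((s) => s.trim());
  return { t: Number(t), rat, cell, signal: Number(signal), cipher: cipher === "-" ? null : cipher };
}

// Flags (a) a drop from 3G/4G to an unseen 2G cell whose signal is markedly stronger than
// the cell just left, and (b) the first sample on which the cipher becomes A5/0 (none).
// An ordinary fallback to a weak 2G cell at the edge of coverage is deliberately not flagged.
function detectSpyCell(samples) {
  const alerts = [];
  for (let i = 1; i < samples.length; i++) {
    const prev = samples[i - 1];
    const cur = samples[i];
    const droppedTo2G = cur.rat === "2G" && RAT_RANK[prev.rat] > RAT_RANK["2G"];
    if (droppedTo2G && cur.cell !== prev.cell && cur.signal >= prev.signal + SIGNAL_JUMP_DB) {
      alerts.push({
        t: cur.t,
        kind: "downgrade-to-strong-2g",
        detail: `${prev.rat} (${prev.signal} dBm) -> 2G cell ${cur.cell} (${cur.signal} dBm)`,
      });
    }
    if (cur.cipher === "A5/0" && prev.cipher !== "A5/0") {
      alerts.push({ t: cur.t, kind: "no-encryption", detail: `A5/0 on cell ${cur.cell}` });
    }
  }
  return alerts;
}

// Constructed log: a 4G phone is pulled onto a strong, unencrypted 2G cell at t=60 and
// returns to 4G at t=120; the 2G fallback at t=180 is an ordinary weak-coverage handover.
const SAMPLE_LOG = [
  "0,   4G, 31012-7781, -92,  -",
  "30,  4G, 31012-7781, -90,  -",
  "60,  2G, 31012-9999, -58,  A5/0",
  "90,  2G, 31012-9999, -57,  A5/0",
  "120, 4G, 31012-7781, -91,  -",
  "150, 3G, 31012-5540, -99,  -",
  "180, 2G, 31012-0042, -104, A5/1",
];

function runSample() {
  return detectSpyCell(SAMPLE_LOG.map(parseSample));
}
```

Run against the constructed log, the detector raises two alerts at t=60 (the downgrade onto a strong new 2G cell, and the switch to A5/0) and stays quiet for the weak, A5/1-ciphered fallback at t=180. Comparing signal strength across technologies is a rough heuristic, since 4G and 2G report signal differently, which is why the example requires both a new cell and a large jump before alerting.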

NOTE

Traditionally, the U.S. has had very strict laws regarding phone tapping, but the Patriot Act loosened some of those requirements—much to the dismay of privacy advocates.

Perhaps more troubling than law enforcement’s encroachment on privacy was a survey carried out by ESD America (a provider of defense and law-enforcement technology in the U.S.) in the mid-2000s. It uncovered 19 fake base stations around the country—some in big cities such as New York, Chicago, Denver, Dallas, Los Angeles, Seattle, Houston, and Miami. These fake base stations, which had previously been unidentified, were potentially installed by criminals in the U.S. copying a Chinese business model that involved spamming users’ phones to obtain banking details via Short Message Service (SMS). By intercepting the SMS in cleartext, they could harvest the data without anyone noticing.

CHAPTER SUMMARY

Although fingerprinting is not necessarily a bad thing, it can and often does lead to abuses of privacy or worse. This is especially true with mobile devices. Because these devices are such a big part of people’s lives, fingerprinting them can enable others to capture a very accurate profile of an individual and his or her behaviors.

Thus far, finding unique characteristics to fingerprint a device over time has been difficult. Many features provide a unique profile, but few are stable. Unfortunately, methods that appear to identify unique characteristics, down to very specific devices and their users, appear to be on the horizon. This new way of fingerprinting is in many ways much like the real thing—unique, stable, and very much a part of each person’s identity. And therein lies the problem from both an advertising and a criminal perspective. It is a huge advantage to be able to track someone as he or she browses the Web or wanders around out in the real world.

Not surprisingly, the groups that want this information are investing heavily in better ways to get it. The good news is that the big three mobile device providers—Apple, Google, and Microsoft—are moving in the opposite direction, toward device diversity. With device diversity, a user can work on any device with his or her data stored in the cloud, using workflows that follow him or her from one device to another. This greatly mitigates fingerprinting performed via browsers because the user can easily switch back and forth between devices. This makes the task of fingerprinting more difficult.

The bad news is that there are newer, more detailed, and more permanent methods of fingerprinting not just browsers, but actual devices and users. Because of this, it’s more important than ever for IT security to help educate users. This is not only for the sake of the users, but also for the IT teams that will have to deal with the resulting breaches that will inevitably leak into the corporate space.

KEY CONCEPTS AND TERMS

Active fingerprinting

Application fingerprinting

Cookies

Cross-site profiling

Fingerprinting

International Mobile Subscriber Identity (IMSI)

Passive fingerprinting

Proximity fingerprinting

Remote fingerprinting

Spyware

CHAPTER 14 ASSESSMENT

1. Device fingerprinting is a relatively new networking phenomenon and is always malicious.

A. True

B. False

2. Which of the following describes fingerprinting?

A. It makes for a richer user experience online, enabling sites to offer customized content and more convenient consumer transactions.

B. It can lead to abuse from aggressive advertisers.

C. It can lead to serious security issues on jailbroken phones.

D. All of the above.

3. Which of the following describes proximity fingerprinting?

A. It works only on wired networks.

B. It is a standard practice for managing networks.

C. It relies on the use of JavaScript.

D. All of the above.

4. Remote fingerprinting is primarily accomplished with spyware.

A. True

B. False

5. Which of the following is not used in passive fingerprinting?

A. HTTP headers

B. TCP/IP headers

C. GPS locations

D. 802.11 Wi-Fi settings

6. On mobile devices, it is difficult to find unique characteristics for fingerprinting. Once found, however, they tend to be stable.

A. True

B. False

7. The advertisingIdentifier tag in Apple-based applications does which of the following?

A. It is commonly used for cross-site selling.

B. It remains active even if the application is deleted.

C. It enables application vendors to collect analytics on their applications only while they are installed.

D. It protects against jailbreaking.

8. What is one of the simplest ways to avoid mobile device fingerprinting?

A. Disable JavaScript.

B. Delete the cookie file after each use.

C. Regularly reset the phone to its factory settings.

D. Lie about your preferences on e-commerce sites.

9. Which of the following describes spy software?

A. It is easy to install.

B. It is always illegal and unethical.

C. It can open up a phone to much greater abuse because it typically requires jailbreaking.

D. It does not require advance notice when employers own the phones.

10. Spy cells enable law enforcement to set up rogue access points on local area networks.

A. True

B. False
