decomposition of mac address structure for granular
play

Decomposition of MAC Address Structure for Granular Device Inference - PowerPoint PPT Presentation

Sep 12, 2023 •330 likes •611 views

Furious MAC Decomposition of MAC Address Structure for Granular Device Inference Jeremy Martin , Erik C. Rye , Robert Beverly + US Naval Academy Annapolis, MD + US Naval Postgraduate School Monterey, CA December 9, 2016 1 / 24

  1. Furious MAC Decomposition of MAC Address Structure for Granular Device Inference Jeremy Martin ∗ , Erik C. Rye ∗ , Robert Beverly + ∗ US Naval Academy Annapolis, MD + US Naval Postgraduate School Monterey, CA December 9, 2016 1 / 24

  2. Furious MAC Outline Introduction 1 Methodology 2 Results 3 Conclusions 4 2 / 24

  3. Motivation Furious MAC Layer-2 Media Access Control (MAC) Addresses: Ubiquitous (Ethernet, WiFi, Bluetooth, etc) Uniqueness ensured via IEEE allocations Readily available, regardless of encryption, associated state, or user interaction What’s in a MAC? DE: AD: BE: EF: CA: FE First 3 bytes (OUI): device manufacturer ◮ FuriousMAC: can we trust the first 3 bytes alone? FuriousMAC: what can we infer from 3 least significant bytes? ◮ Contiguous? ◮ Sequential? ◮ Predictable? e.g., fine-grained make and model ? 3 / 24

  4. Motivation Furious MAC Layer-2 Media Access Control (MAC) Addresses: Ubiquitous (Ethernet, WiFi, Bluetooth, etc) Uniqueness ensured via IEEE allocations Readily available, regardless of encryption, associated state, or user interaction What’s in a MAC? DE: AD: BE: EF: CA: FE First 3 bytes (OUI): device manufacturer ◮ FuriousMAC: can we trust the first 3 bytes alone? FuriousMAC: what can we infer from 3 least significant bytes? ◮ Contiguous? ◮ Sequential? ◮ Predictable? e.g., fine-grained make and model ? 3 / 24

  5. Motivation Furious MAC Layer-2 Media Access Control (MAC) Addresses: Ubiquitous (Ethernet, WiFi, Bluetooth, etc) Uniqueness ensured via IEEE allocations Readily available, regardless of encryption, associated state, or user interaction What’s in a MAC? DE: AD: BE: EF: CA: FE First 3 bytes (OUI): device manufacturer ◮ FuriousMAC: can we trust the first 3 bytes alone? FuriousMAC: what can we infer from 3 least significant bytes? ◮ Contiguous? ◮ Sequential? ◮ Predictable? e.g., fine-grained make and model ? 3 / 24

  6. Motivation Furious MAC Layer-2 Media Access Control (MAC) Addresses: Ubiquitous (Ethernet, WiFi, Bluetooth, etc) Uniqueness ensured via IEEE allocations Readily available, regardless of encryption, associated state, or user interaction What’s in a MAC? DE: AD: BE: EF: CA: FE First 3 bytes (OUI): device manufacturer ◮ FuriousMAC: can we trust the first 3 bytes alone? FuriousMAC: what can we infer from 3 least significant bytes? ◮ Contiguous? ◮ Sequential? ◮ Predictable? e.g., fine-grained make and model ? 3 / 24

  7. Furious MAC Motivation Fine-Grained Wireless Device Fingerprinting. Why: Support policy-based security Crowd density and population diversity studies User profiling, tracking, and security threats Targeted device attacks Reconnaissance (e.g., IoT devices such as security cameras, thermostats, and automobiles) 4 / 24

  8. Furious MAC Outline Introduction 1 Methodology 2 Results 3 Conclusions 4 5 / 24

  9. Methodology Furious MAC Enabling device manufacturer and model predictions for previously unknown MACs: FuriousMAC is first trained on MACs with known manufacturer and model Derive mapping of MAC address to device manufacturer model ◮ Management frames containing WPS-enriched data fields ◮ Discovery protocols, primarily mDNS ◮ Easily extensible 6 / 24

  10. Furious MAC Methodology Derive mapping of MAC address to device manufacturer model Management frames with WPS-enriched data fields ◮ Access Points (Beacons and Probe Responses), client devices (Probe Requests) manufacturer, model name, model number, device name, primary device type.category , .subcategory and uuid e ◮ Advantages: Unencrypted, non-associated state, low data-rates, wide range of device types ◮ Disadvantage: Not used by all devices (iOS, Ubiquiti, etc.) Discovery protocols, primarily mDNS ◮ mDNS data field, dns.txt : reveals a model identification key-value pair, correlates to a manufacturer and model ◮ Advantages: Fills in some high profile gaps → iOS!! ◮ Disadvantages: Layer-2 encryption, associated state, often higher data-rate, not used by all devices 7 / 24

  11. Furious MAC Methodology Training Using 802.11 management frames and unencrypted mDNS packets, we build a model of MAC → ( manufacturer , model ) Trained on 600GB of passively-collected 802.11 traffic: ◮ Two billion frames ◮ 2.8 million unique devices across a spectrum of IoT devices ◮ January 2015 – May 2016 ◮ IRB exemption: Only examine MACs, management frames, and discovery protocols. No attempt to decrypt traffic or inspect user’s communication. 8 / 24

  12. Furious MAC Methodology Locally assigned MAC address Privacy: randomized MAC addresses while in a non-associated state (Probe Requests) P2P: peer-to-peer connections utilize a locally assigned MAC address derived from the global MAC address APs and hotspots often advertise service using locally assigned MAC Ignored to preserve accuracy of mappings 9 / 24

  13. Methodology - Prediction Furious MAC We perform a lexicographical comparison to find the manufacturer and model (Constrained such that the OUI must match) f0 e0 4th Byte of MAC address d0 c0 b0 a0 90 80 70 60 50 40 30 20 10 0 0 10 20 30 40 50 60 70 80 90 a0 b0 c0 d0 e0 f0 5th Byte of MAC address MacBookPro9,2 iPhone 5c (GSM) iPad Mini 2 (WiFi) iPad Mini 2 (Cellular) Observed Models in 24:A2:E1 (Apple) Plot observed MAC addr-models by 4th and 5th bytes for all OUI Color between same models; color intensity relative to largest “gap” 10 / 24

  14. Furious MAC Outline Introduction 1 Methodology 2 Results 3 Conclusions 4 11 / 24

  15. Furious MAC Results Results 802.11 Corpus Statistics Vendor MAC Address Allocation Strategies Prediction Validation 12 / 24

  16. Furious MAC 802.11 Corpus Statistics Top 10 Manufacturers - Clients WPS Count % non-WPS Count % LGE 11,184 22.60 Apple 231,214 44.36 Ralink 4,279 8.64 Samsung 48,617 9.33 Motorola 3,260 6.58 Murata 48,246 9.26 HTC 3,256 6.57 Intel 25,734 4.95 Prosoft 2,234 4.50 HP 15,287 2.94 Amazon 2,222 4.49 Microsoft 13,949 2.68 Huawei 1,905 3.83 Ezurio 12,385 2.38 Asus 1,659 3.34 Epson 6,839 1.32 ZTE 1,619 3.25 Lexmark 5,289 1.01 Alco 1,036 2.10 Sonos 4,542 .09 Other 16,859 34.10 Other 109,271 20.96 Apple makes up ∼ 45% of the non-WPS devices, emphasizing how mDNS and WPS are complementary 13 / 24

  17. Furious MAC MAC Address Allocation OUI Complexity There is no general pattern between manufacturers; some assign the entire OUI to only one model while others assign smaller ranges to dozens of distinct models The size and number of distinct ranges assigned to a model also follows no general rule 2,956 OUIs observed (WPS): ∼ 5,000 OUI to manufacturer pairings and 10 , 000 OUI to model pairings 352 OUIs observed (Apple mDNS): 1,028 OUI to model pairings Visualization of Allocation Space Next, we highlight several exemplar allocation schemes 14 / 24

  18. MAC Address Allocation Furious MAC f0 e0 4th Byte of MAC address d0 c0 b0 a0 90 80 70 60 50 40 30 20 10 0 0 10 20 30 40 50 60 70 80 90 a0 b0 c0 d0 e0 f0 5th Byte of MAC address MacBookPro9,2 iPhone 5c (GSM) iPad Mini 2 (WiFi) iPad Mini 2 (Cellular) Observed Models in 24:A2:E1 (Apple) Different generations w/in same OUI Different device types (phone, tablet, laptop) Different allocation sizes, large contiguous blocks Fine-grained, e.g., iPad Mini 2 WiFi vs. Cellular 15 / 24

  19. MAC Address Allocation Furious MAC f0 e0 4th Byte of MAC address d0 c0 b0 a0 90 80 70 60 50 40 30 20 10 0 0 10 20 30 40 50 60 70 80 90 a0 b0 c0 d0 e0 f0 5th Byte of MAC address LGL39C LG-F200S LG-P760 LG-E455 LG-D520 LG-E460 LG-P769 LG-LS720 LG-D680 LG-E470f LG-P659 LG-E451g LGMS659 LG-E465f LG-V510 VS870 4G Nexus 4 LGMS500 LG-P655H LG-E467f LG-E440 LG-D410 LG-D500 LG-D686 Observed Models in 8C:3A:E3 (LGE) Micro-allocation of LGE smartphones Large blocks of unallocated or unobserved address space Fingerprinting is difficult compared to Apple 16 / 24

  20. MAC Address Allocation Furious MAC f0 e0 4th Byte of MAC address d0 c0 b0 a0 90 80 70 60 50 40 30 20 10 0 0 10 20 30 40 50 60 70 80 90 a0 b0 c0 d0 e0 f0 5th Byte of MAC address BLU STUDIO 7.0 DASH JR K i-mobile_IQ_BIG2 O+ Ultra T07 irisX8 Micromax Q380 T06 Micromax A316 i-mobile i-STYLE 218 BLU STUDIO C DOOV L1M A3-A20 Micromax Q391 Micromax AQ5001 Windows Archos 35b Titanium Observed Models in 90:21:81 (Shanghai Huaqin) Diversity of Phone Manufacturers for a Single OUI Improves granularity of fingerprinting over OUI-based methods 17 / 24

  21. MAC Address Allocation Furious MAC f0 4th Byte of MAC address e0 d0 c0 b0 a0 90 80 70 60 50 40 30 20 10 0 0 10 20 30 40 50 60 70 80 90 a0 b0 c0 d0 e0 f0 5th Byte of MAC address OC810 Broadcom Ralink Wireless Linux Client RC8021 OpenRG Platform OC821D H560N AD1018 WAP-PLUS RC8025 iCamera WAP Observed Models in 00:0E:8F (Sercomm Corp.) Fine-grained model inference → 802.11-enabled cameras 18 / 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Granular Search, Market Structure, and Wages Isaac Sorkin Gregor Jarosch Jan Sebastian

Granular Search, Market Structure, and Wages Isaac Sorkin Gregor Jarosch Jan Sebastian

Granular Search, Market Structure, and Wages Isaac Sorkin Gregor Jarosch Jan Sebastian Nimczik August 2019 Abstract We build a model where firm size is a source of labor market power. The key mechanism is that a granular employer can

706 views • 67 slides
Steady Deflagration Structure in Two-Phase Granular Propellants Joseph M. Powers 1 , Mark E.

Steady Deflagration Structure in Two-Phase Granular Propellants Joseph M. Powers 1 , Mark E.

Steady Deflagration Structure in Two-Phase Granular Propellants Joseph M. Powers 1 , Mark E. Miller2, D. Scott Stewart3, and Herman Krier4 presented at 12th ICDERS, Ann Arbor, Michigan July 23-28, 1989 1 Assistant Professor, Department of

549 views • 16 slides
Granular Soil Structure Granular Soil Structure Crusted Soil Crusted Soil Soil Compaction Soil

Granular Soil Structure Granular Soil Structure Crusted Soil Crusted Soil Soil Compaction Soil

Granular Soil Structure Granular Soil Structure Crusted Soil Crusted Soil Soil Compaction Soil Compaction Native Soil Structure Native Soil Structure Microbes/Livestock Microbes/Livestock Bacteria Bacteria 1000 lbs/A 1000 lbs/A

545 views • 20 slides
FUNCTIONAL PEPTIDOMICS OF AMPHIBIAN VENOMS The dermal granular (venom) gland The dermal granular

FUNCTIONAL PEPTIDOMICS OF AMPHIBIAN VENOMS The dermal granular (venom) gland The dermal granular

FUNCTIONAL PEPTIDOMICS OF AMPHIBIAN VENOMS The dermal granular (venom) gland The dermal granular (venom) gland The venom producing cells of the Stimulation/injury causes opening of the granular gland produce secretions, granular

775 views • 49 slides
1. IPv6 address (abbreviated representation) 2. IPv6 address (abbreviation and expansion

1. IPv6 address (abbreviated representation) 2. IPv6 address (abbreviation and expansion

1. IPv6 address (abbreviated representation) 2. IPv6 address (abbreviation and expansion practice) 3. IPv6 advantages over IPv4 4. IPv4 address structure 5. IPv6 address structure IPv4 Address 32 bit address (computer stores information

655 views • 53 slides
Granular friction in a wide rage of shear rates Takahiro Hatano (The University of Tokyo)

Granular friction in a wide rage of shear rates Takahiro Hatano (The University of Tokyo)

Granular friction in a wide rage of shear rates Takahiro Hatano (The University of Tokyo) Collaborators: Osamu Kuwano (JAMSTEC, Yokohama) Ryosuke Ando (AIST, Tsukuba) 06/27/2013 Physics of Granular Flow (Kyoto) granular friction: examples

790 views • 34 slides
Nonlinear Waves in Nonlinear Waves in Granular Crystals Granular Crystals Mason A. Porter Oxford

Nonlinear Waves in Nonlinear Waves in Granular Crystals Granular Crystals Mason A. Porter Oxford

Nonlinear Waves in Nonlinear Waves in Granular Crystals Granular Crystals Mason A. Porter Oxford Centre for Industrial and Applied Mathematics Mathematical Institute, University of Oxford References: PRE 77 : 015601(R) (2008); Physica D 238 : 6,

612 views • 22 slides
Parallelizing the Spot Model for Dense Granular Flow 18.337 Parallel Computing Yee Lok Wong

Parallelizing the Spot Model for Dense Granular Flow 18.337 Parallel Computing Yee Lok Wong

Parallelizing the Spot Model for Dense Granular Flow 18.337 Parallel Computing Yee Lok Wong May 8, 2008 Department of Mathematics, MIT 1 Part 1: Background on Granular Flow and the Spot Model 2 Microscopic Flow Mechanism of Granular

522 views • 28 slides
Release granular mushrooms Release granular mushrooms and dried mixtures and dried mixtures

Release granular mushrooms Release granular mushrooms and dried mixtures and dried mixtures

LLC Scientific Production Enterprise Etalon Release granular mushrooms Release granular mushrooms and dried mixtures and dried mixtures Relevance of area Relevance of area Tomsk region is the undisputed leader in reserves mushrooms

456 views • 12 slides
Low-frequency oscillations and convective phenomena in a density-inverted vibrofluidised granular

Low-frequency oscillations and convective phenomena in a density-inverted vibrofluidised granular

Nicols Rivas (n.a.rivas@ctw.utwente.nl) Physics of glassy and granular materials Multi Scale Mechanics Kyoto, Japan, July 2013 Low-frequency oscillations and convective phenomena in a density-inverted vibrofluidised granular system S.

469 views • 34 slides
[11] The Singular Value Decomposition The Singular Value Decomposition Gene Golubs license

[11] The Singular Value Decomposition The Singular Value Decomposition Gene Golubs license

The Singular Value Decomposition [11] The Singular Value Decomposition The Singular Value Decomposition Gene Golubs license plate, photographed by Professor P. M. Kroonenberg of Leiden University. Frobenius norm for matrices x 2 1 + x 2

872 views • 43 slides
A Deadlock-free Multi-granular, Hierarchical Locking Scheme for Real-time Collaborative Editing

A Deadlock-free Multi-granular, Hierarchical Locking Scheme for Real-time Collaborative Editing

A Deadlock-free Multi-granular, Hierarchical Locking Scheme for Real-time Collaborative Editing Jon A. Preston Sushil K. Prasad Agenda Motivation Related Work in Collaborative Editing Systems The Tree Data Structure Properties

650 views • 25 slides
Lebesgue decomposition and order structure Zsigmond Tarcsay and Tams Titkos IWOTA Chemnitz,

Lebesgue decomposition and order structure Zsigmond Tarcsay and Tams Titkos IWOTA Chemnitz,

Lebesgue decomposition and order structure Zsigmond Tarcsay and Tams Titkos IWOTA Chemnitz, 15th August 2017 1 / 20 Zsigmond Tarcsay and Tams Titkos On the order structure of representable functionals (to appear) 2 / 20 Motivation I.

1.18k views • 20 slides
Highly Granular Calorimeters: Technologies and Results Yong Liu Johannes Gutenberg-Universitt

Highly Granular Calorimeters: Technologies and Results Yong Liu Johannes Gutenberg-Universitt

Highly Granular Calorimeters: Technologies and Results Yong Liu Johannes Gutenberg-Universitt Mainz on behalf of the CALICE Collaboration Instrumentation for Colliding Beam Physics (INSTR17) Mar. 1, 2017, BINP Novosibirsk Highly granular

753 views • 35 slides
SVM Learning of IP Address Structure for Latency Prediction Rob Beverly, Karen Sollins and Arthur

SVM Learning of IP Address Structure for Latency Prediction Rob Beverly, Karen Sollins and Arthur

SVM Learning of IP Address Structure for Latency Prediction Rob Beverly, Karen Sollins and Arthur Berger {rbeverly,sollins,awberger}@csail.mit.edu SIGCOMM MineNet06 1 SVM Learning of IP Address Structure for Latency Prediction The case

806 views • 38 slides
Poncelet Coefficients of Granular Media S.Bless*, R.Peden, I. Guzman, M.Omdivar *sbless@poly.edu

Poncelet Coefficients of Granular Media S.Bless*, R.Peden, I. Guzman, M.Omdivar *sbless@poly.edu

Poncelet Coefficients of Granular Media S.Bless*, R.Peden, I. Guzman, M.Omdivar *sbless@poly.edu Background The mechanics of sand and other heterogeneous materials are of great interest nowadays. Data for high speed penetra;on of granular

371 views • 20 slides
What is it? A low-cost laser rangefinder consisting of PS3 Eye camera + line laser diode

What is it? A low-cost laser rangefinder consisting of PS3 Eye camera + line laser diode

What is it? A low-cost laser rangefinder consisting of PS3 Eye camera + line laser diode Algorithm 1. RGB -> Greyscale 2. Noise elimination: Gaussian convolution 3. Finds the index which has the maximum convolved peak 4. Find distance

363 views • 9 slides
The Notorious M.T.U. Kevin Benton - Mirantis Sean Collins - Mirantis Ihar Hrachyshka - Red Hat

The Notorious M.T.U. Kevin Benton - Mirantis Sean Collins - Mirantis Ihar Hrachyshka - Red Hat

The Notorious M.T.U. Kevin Benton - Mirantis Sean Collins - Mirantis Ihar Hrachyshka - Red Hat Matt Kassawara - IBM Objectives Learn about MTU in physical networks Learn about nuances of virtual networks that impact MTU Review

584 views • 31 slides
Rush City s Culture s Culture Project Description Rush City Project Description

Rush City s Culture s Culture Project Description Rush City Project Description

Mr. James Snookums Snookums Bell Bell Mr. James East St. Louis Action Research Project East St. Louis Action Research Project th of 2006 October 14 th October 14 of 2006 Alfonso Cervantes Alfonso Cervantes David Rivera

65 views • 3 slides
The past, the present and the future for Small Water and Wastewater Systems Hallvard degaard *

The past, the present and the future for Small Water and Wastewater Systems Hallvard degaard *

1 IWA Specialized Conference on Small Water and Wastewater Systems Athens 14-16 September 2016. The past, the present and the future for Small Water and Wastewater Systems Hallvard degaard * Prof. em. Norwegian University of Science and

504 views • 34 slides
Emin Gabrielyan, Roger D. Hersch cole Polytechnique Fdrale de Lausanne, Switzerland

Emin Gabrielyan, Roger D. Hersch cole Polytechnique Fdrale de Lausanne, Switzerland

5th Workshop on Distributed Supercomputing: Scalable Cluster Software May 23-24, 2001, Sheraton Hyannis, Cape Cod, Hyannis Massachusetts, USA Emin Gabrielyan, Roger D. Hersch cole Polytechnique Fdrale de Lausanne, Switzerland

442 views • 7 slides
MRN Guidelines for IHO S-100WG4 27 February 1 March 2019 Eivind Mong Raphael Malyankar

MRN Guidelines for IHO S-100WG4 27 February 1 March 2019 Eivind Mong Raphael Malyankar

MRN Guidelines for IHO S-100WG4 27 February 1 March 2019 Eivind Mong Raphael Malyankar Sponsored by NOAA MRN Background Top level name space is urn:mrn IALA developed based on uniform resource identifier (URI) is defined in RFC

406 views • 17 slides
Network Attachment Privacy Piers OHanlon UKNOF33, London 19 th January 2016 Department of

Network Attachment Privacy Piers OHanlon UKNOF33, London 19 th January 2016 Department of

Department of Computer Science Network Attachment Privacy Piers OHanlon UKNOF33, London 19 th January 2016 Department of Computer Science Outline Introduction Link Layer (L2) addressing Privacy-based analysis of related

639 views • 18 slides
Redis 2.2 October 27 th 2010 Pieter Noordhuis Who am I? Live in Groningen, NL Redis

Redis 2.2 October 27 th 2010 Pieter Noordhuis Who am I? Live in Groningen, NL Redis

(whats new in) Redis 2.2 October 27 th 2010 Pieter Noordhuis Who am I? Live in Groningen, NL Redis contributor since March Backed by VMware So, whats new? Memory efficiency Throughput improvements Improved EXPIRE

452 views • 28 slides

More recommend