Informative Information for the Uninformed
An implementation comprises a driver, radio chipset, firmware, and possibly some user-space applications. Ideally, one would be able to identify any component of a given implementation and further refine the identification of each software component down to its version. Whether these components can be identified depends largely upon behaviors that are not governed by the standard, and upon where in the implementation those behaviors live. As we shall see, there is even deviation from the standard within the industry, which presents very useful opportunities for fingerprinting. Developing 802.11 fingerprints is largely an exploratory exercise in determining how an 802.11 implementation behaves uniquely.
The strength of a fingerprint determines whether the components of an implementation can be identified individually. The fingerprints described in this paper afford reliable identification of 802.11 chipsets, drivers, and in some cases, different versions of the same driver. No attempt was made to differentiate firmware versions or userland applications that might influence the behavior of the driver.
One of the most distinctive aspects of 802.11 implementation fingerprinting is that many characteristics of the implementation are controlled by hardware. However, there is a trend in modern 802.11 chipsets to push more and more functionality into software. Popular examples of these chipsets include products from Atheros and Ralink. Though it seems unlikely, it is quite possible that drivers for such software-based radio chipsets could be patched, allowing them to mimic the details of other implementations. Doing this would allow an attacker to have his driver or chipset intentionally misidentified, perhaps to sidestep a fingerprint-aware WIDS.
Many other devices, however, have aspects that cannot be controlled from software. The older Prism2 generation of chipsets is the best example of a chipset that operates somewhat independently of the driver.