ABSTRACT
Client fingerprinting techniques enhance classical cookie-based user tracking to increase the robustness of tracking techniques. A unique identifier is created based on characteristic attributes of the client device, and then used for deployment of personalized advertisements or similar use cases. Whereas fingerprinting performs well for highly customized devices (especially desktop computers), these methods often lack precision for highly standardized devices like mobile phones.
In this paper, we show that widely used techniques do not perform well for mobile devices yet, but that it is possible to build a fingerprinting system for precise recognition and identification. We evaluate our proposed system in an online study and verify its robustness against misclassification.
Fingerprinting of web clients is often seen as an offence to web users' privacy as it usually takes place without the users' knowledge, awareness, and consent. Thus, we also analyze whether it is possible to outrun fingerprinting of mobile devices. We investigate different scenarios in which users are able to circumvent a fingerprinting system and evade our newly created methods.