GTID: A Technique for Physical Device and Device Type Fingerprinting

In this paper, we introduce GTID, a technique that can actively and passively fingerprint wireless devices and their types using wire-side observations in a local network. GTID exploits information that is leaked as a result of heterogeneity in devices, which is a function of different device hardware compositions and variations in devices’ clock skew. We apply statistical techniques on network traffic to create unique, reproducible device and device type signatures, and use artificial neural networks (ANNs) for classification. We demonstrate the efficacy of our technique on both an isolated testbed and a live campus network (during peak hours) using a corpus of 37 devices representing a wide range of device classes (e.g., iPads, iPhones, Google Phones, etc.) and traffic types (e.g., Skype, SCP, ICMP, etc.). Our experiments provided more than 300 GB of traffic captures which we used for ANN training and performance evaluation. In order for any fingerprinting technique to be practical, it must be able to detect previously unseen devices (i.e., devices for which no stored signature is available) and must be able to withstand various attacks. GTID is a fingerprinting technique to detect previously unseen devices and to illustrate its resilience under various attacker models. We measure the performance of GTID by considering accuracy, recall, and processing time and also illustrate how it can be used to complement existing security mechanisms (e.g., authentication systems) and to detect counterfeit devices.