Proceedings of the First ACM Conference on Wireless Network Security (WiSec)
We propose a simple active method for discovering facts about the chipset, the firmware or the driver of an 802.11 wireless device by observing its responses (or lack thereof) to a series of crafted non-standard or malformed 802.11 frames. We demonstrate that such responses can differ significantly enough to distinguish between a number of popular chipsets and drivers. We expect to significantly expand the number of recognized device types through community contributions of signature data for the proposed open fingerprinting framework. Our method complements known fingerprinting approaches, and can be used to interrogate and spot devices that may be spoofing their MAC addresses in order to conceal their true architecture from other stations, such as a fake AP seeking to engage clients in complex protocol frame exchange (e.g., in order to exploit a driver vulnerability). In particular, it can be used to distinguish rogue APs from legitimate APs before association.
Sergey Bratus, Cory Cornelius, David Kotz, and Dan Peebles. Active Behavioral Fingerprinting of Wireless Devices. In Proceedings of the IEEE PerCom Workshop on Pervasive Health Technologies (PerHealth), March 2017. DOI 10.1145/1352533.1352543.