Track Any Computer on the Internet Using its Clock Skew Fingerprint


It is now possible to track and identify a computer anywhere it goes on the Internet by using its clock skew as a method for fingerprinting it. Clock skew is the difference between what a computer thinks the time is and the other time-keeping with which it is interfacing. And when measured against other quantifiable processes while the computer is connected to the Internet, it can apparently provide a reliable, unique fingerprint that allows the computer to be tracked across the Internet. Voila. The clock skew fingerprint.

The clock skew fingerprint is based on the work of University of California graduate student Tadayoshi Kohno, who explains that clock skew fingerprinting works by taking advantage of the fact that typically “each party in a TCP flow includes information about its perception of time in each outgoing packet. A fingerprinter can use the information contained within the TCP headers to estimate a device’s clock skew and thereby fingerprint a physical device.”

This, by the way, is all done without the knowledge or any cooperation from the owner of the Internet-connected device being tracked and fingerprinted by its clock skew. Says Kohno, “For all our methods, we stress that the fingerprinter does not require any modification to or cooperation from the fingerprintee.” Even more impressive when you consider that they have successfully used clock skew fingerprints to track devices using just about every popular operating system, including Windows, OS X, Linux, FreeBSD, and even Pocket PCs.

Did we say “impressive”? Or... maybe... scary? Says Kohno of his clock skew fingerprints, “our technique can be mountable by adversaries thousands of miles and multiple hops away.” And without the clock skew fingerprintee’s knowledge that they and their computer are being tracked.

“One could also use our techniques to help track laptops as they move, perhaps as part of a Carnivore-like project”. An example, says Kohno, is that one can use clock skew fingerprints “to argue whether a given laptop was connected to the Internet from a given access location”.


Actually the abstract from Kohno’s thesis summarizes it pretty well:

“We accomplish this goal by exploiting small, microscopic deviations in device hardware: clock skews. Our techniques do not require any modification to the fingerprinted devices. Our techniques report consistent measurements when the measurer is thousands of miles, multiple hops, and tens of milliseconds away from the fingerprinted device, and when the fingerprinted device is connected to the Internet from different locations and via different access technologies. Further, one can apply our passive and semi-passive techniques when the fingerprinted device is behind a NAT or firewall, and also when the device’s system time is maintained via NTP or SNTP”
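To make the abstract's claim concrete, here is an added example (not code from this article or from Kohno's work) that estimates a device's skew from pairs of observer receive time and TCP timestamp value, and shows the estimate staying put when the path delay and starting counter change. The traces are constructed, the 1000 Hz tick rate and all names are assumptions, and the plain least-squares fit is this sketch's own choice of estimator.

```python
import random

MASK32 = 0xFFFFFFFF  # TSval is a 32-bit field and wraps around

def synth_trace(skew_ppm, hz=1000, seconds=600, delay_ms=20.0,
                tsval0=0xFFFF0000, seed=1):
    """Constructed data: (observer_time_s, TSval) pairs for one device.

    hz (timestamp tick rate) and every value here are assumptions.
    """
    rng = random.Random(seed)
    rate = 1.0 + skew_ppm * 1e-6  # device clock speed relative to true time
    trace = []
    for sent in range(0, seconds, 2):  # one packet every 2 s
        tsval = (tsval0 + int(sent * rate * hz)) & MASK32
        # observer sees the packet after a path delay plus up to 2 ms jitter
        recv = sent + (delay_ms + rng.uniform(0.0, 2.0)) / 1000.0
        trace.append((recv, tsval))
    return trace

def estimate_skew_ppm(trace, hz=1000):
    """Slope of (device elapsed - observer elapsed) over observer elapsed, in ppm."""
    t0, prev = trace[0]
    ticks, xs, ys = 0, [], []
    for recv, tsval in trace:
        ticks += (tsval - prev) & MASK32  # modular delta survives wraparound
        prev = tsval
        xs.append(recv - t0)
        ys.append(ticks / hz - (recv - t0))
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    num = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    den = sum((x - mx) ** 2 for x in xs)
    return num / den * 1e6

if __name__ == "__main__":
    # Same constructed device seen over two different paths, then a second device.
    path1 = estimate_skew_ppm(synth_trace(50.0, delay_ms=20.0, seed=1))
    path2 = estimate_skew_ppm(synth_trace(50.0, delay_ms=90.0, tsval0=12345, seed=2))
    other = estimate_skew_ppm(synth_trace(-30.0, seed=3))
    print(f"device A, path 1: {path1:+.1f} ppm")
    print(f"device A, path 2: {path2:+.1f} ppm")
    print(f"device B:         {other:+.1f} ppm")
```

The fit uses only the slope, so a constant offset in the counter or in the path delay drops out. A host that does not send the TCP timestamp option gives this particular estimator nothing to fit.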

We will control the horizontal. We will control the vertical.


11 thoughts on “Track Any Computer on the Internet Using its Clock Skew Fingerprint”

  1. I wonder what effect this has if I disable TCP timestamping under Linux (echo 0 > /proc/sys/net/ipv4/tcp_timestamps).
    Somehow I doubt that this technique would be used as a primary tracking method, maybe just for correlation.

  2. Read the article!

    Many fallacies being discussed in the comments are covered in the article.

    AboutTime is just like NTP and won’t change the skew.

    The skew-times are embedded in the TCP packets that are forwarded by the proxy, I think it says.

    The “extra effort” for Windows is to always respond with time-stamps in the TCP reply packets, even though that violates the spec, and Windows will cheerfully start responding to your replies with time-stamp info in subsequent packets. That ain’t much extra effort.

    I suspect many software packages will start mucking with TCP packet time-stamps to foil this technique, hopefully before spammers/scammers start abusing it to be Big Brother.

  3. Skew refers to the rate of deviation, not the amount. That would be constant even if the clock had been set a few seconds previously.

  4. I run AboutTime in background updating my PC clock to NTIS or navy.mil every two hours, automatically. Would that affect this technique? It seems whatever clock skew I might have gets changed every two hours. Sort of like changing fingers periodically.

  5. If you read their research paper you’ll notice that it takes extra effort to fingerprint a
    Windows machine because it will not stamp the packet by default.
    At any rate if you use a proxy server it should be impossible to detect unless you capture
    the packet before it hits the proxy.. I think.
    If you ran a software clock, depending on how it was written it could get near atomic level of accuracy
    but it would prob eat up sizable resources. But if softclocks were common then there would be almost no wiggle
    room for clock skew. It seems to me that to keep track of a specific machine you would need to know
    every system’s fingerprint at all times. That would require total collection of all packets.
    Even so, IPv4 gives space for almost 4 billion machines (not including private ranges 10.x.x.x, 172.16.x.x, 192.168.x.x)
    and there could be near unlimited numbers behind NAT.
    Given the very large number I’d think there would be systems that are identical in their fingerprinting
    but how large a number I don’t know.

  6. I would think that the reason for connecting to an NTP or other time synchronization service is because the system is unable to keep correct time. I would also think that it would be simple enough to capture and analyze a few packets, especially those to and from an NTP server, from any system on the net and determine a specific clock skew. I find it most interesting, with the lengths manufacturers go to to create duplicate chips over and over, that such a minor imperfection as clock skew can create a traceable and unique signature.

  7. I would think that since the only reason to reconnect and re-synch with an NTP service or any other time synch service is because your system is unable to keep perfect time, hence a clock skew. I would also think that the skew can be detected and calculated by capturing and analyzing only a few packets, even (or especially) those going to an NTP server. It is interesting, with the lengths manufacturers go to make chips exactly the same over and over, that an imperfection in time-keeping can lead to a unique signature.

  8. Does this technique still work if the computer is connected to an automatic time correction utility that corrects the time several times a day?

  9. Hmm, I wonder how long it takes to obtain a reliable fingerprint, and what impact automatic time synchronization programs (like NTP) have on it. Time to start searching…
