
Role of Device Fingerprinting in Cyber Security – A Brief Overview

Device fingerprinting is a technique for identifying a computing device on the internet, which in turn helps determine whether the device is trusted or not. Many people may own the same device or may have the same device fingerprint. Once the device fingerprint is combined with geolocation, time zone, operating system and browser version, the identification becomes more precise, and this combination enables the unique identification of a device or user. For those involved in online transactions, it provides a reasonable degree of certainty. Identifying a computing device precisely is often not possible; however, it is possible to determine the operating system, browser information and other details of the device. This information is highly useful for specific purposes: it helps trace the origin of suspicious activity by narrowing down the browsers and operating systems involved.

Why is Device Fingerprinting required?

  1. Personal identity information like user names, passwords, social security numbers and credit card numbers is now a commodity on the black market. Therefore, there is a need for alternative or complementary techniques to differentiate between legitimate and illegitimate identities or transactions online.
  2. Fraudsters operating from blocklisted IP addresses hide their IP addresses and evade IP geolocation tools by using proxies. Device fingerprinting is a powerful tool for recognising a returning fraudster even when they are hiding their real name and IP address behind a proxy server.

Two types of fingerprint methods exist – Active Fingerprinting and Passive Fingerprinting.

Active Fingerprinting:

The client machine actively helps the remote server identify it by providing information such as a hardware serial number, MAC address, etc. This is used in digital rights management.

Passive Fingerprinting:

This method does not require the client to take part actively; rather, TCP/IP configuration, various protocol parameters, OS information, browser information, etc. are used to identify the client.
Passive fingerprinting can be done at different layers of the internet connection. A complete fingerprinting solution attempts to collect fingerprints from each of these layers and then combine them to identify the device uniquely.

Let us now take a look at these different fingerprinting methods.

  1. Browser Fingerprinting – This method uses the capabilities exposed by a browser, for example HTML, JavaScript, Flash or other available plugins, browser type, browser version, language, etc., to identify a device.
  2. HTTP Fingerprinting – This is a method of identifying HTTP client or HTTP server systems through signature matching of HTTP protocol parameters, the response codes obtained for specific HTTP requests, etc. One of the easiest ways of identifying an HTTP server is to read the Server field from the HTTP response header. This is called banner grabbing. For example, the following figure shows clearly that the HTTP communication is from a Microsoft-IIS/10.0 web server.

[Figure: HTTP Communication]

For more details, take a look at https://www.net-square.com/httprint_paper.html

  3. TCP Fingerprinting – This method reads the TCP parameters of the connection to identify the device. For TCP traffic, the signature layout (as used by p0f) is as follows:

ver:ittl:olen:mss:wsize,scale:olayout:quirks:pclass, where

ver denotes IPv4, IPv6 or both; ittl is the initial TTL value; olen is the length of the IPv4 options or IPv6 extension headers; mss is the maximum segment size; wsize is the TCP window size; scale is the TCP window scaling factor, and so on.

For details on each of the fields, take a look at http://lcamtuf.coredump.cx/p0f3/README

  4. DHCP Fingerprinting – This method detects the end device's OS by examining the exchange of DHCP packets. DHCP packets contain multiple options. One of the most important options used for DHCP fingerprinting is option 55, the parameter request list. This option is present in the packets sent from the client, i.e. the Discover and Request packets. Here are a few examples (parameter request list | device):

1,33,3,6,15,28,51,58,59|Amazon Fire OS 5.6.x
1,3,44,6,7,12,15,22,54,58,59,69,18,43|Hewlett-Packard JetDirect (Q7545A)
1,15,3,6,44,46,47,31,33,249,43,252|Windows Vista
1,28,2,3,15,6,119,12,44,47,26,121,42,249,33,252|Ubuntu 18
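As an added example (my own code, not from the original post or any fingerprinting product), the following walks the TLV-encoded DHCP option area, extracts option 55 in the order the client sent it, and looks it up in a small signature table built from the four examples above; the option bytes are constructed inline and the signature table is deliberately incomplete.

```python
# Constructed signature table from the option-55 examples in the post.
# The order of the requested parameters is part of the signature.
DHCP_SIGNATURES = {
    "1,33,3,6,15,28,51,58,59": "Amazon Fire OS 5.6.x",
    "1,3,44,6,7,12,15,22,54,58,59,69,18,43": "Hewlett-Packard JetDirect (Q7545A)",
    "1,15,3,6,44,46,47,31,33,249,43,252": "Windows Vista",
    "1,28,2,3,15,6,119,12,44,47,26,121,42,249,33,252": "Ubuntu 18",
}

def parse_dhcp_options(options: bytes) -> dict:
    """Walk the DHCP option area (code, length, value) and return {code: value}.
    Code 0 is a one-byte pad, code 255 ends the list; anything truncated is an error."""
    opts, i = {}, 0
    while i < len(options):
        code = options[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = value
        i += 2 + length
    return opts

def parameter_request_list(options: bytes) -> str:
    """Option 55 rendered as the comma-separated form used by signature databases."""
    prl = parse_dhcp_options(options).get(55)
    return "" if prl is None else ",".join(str(b) for b in prl)

def fingerprint_dhcp(options: bytes) -> str:
    """Exact match of the parameter request list against the table."""
    return DHCP_SIGNATURES.get(parameter_request_list(options), "unknown")

def build_options(msg_type: int, prl: list) -> bytes:
    """Construct a minimal option area: option 53 (message type), option 55, a pad, end."""
    return bytes([53, 1, msg_type, 55, len(prl)]) + bytes(prl) + b"\x00\xff"

# Constructed sample: a DHCP Discover (type 1) whose option 55 matches the Ubuntu entry.
SAMPLE_UBUNTU = build_options(1, [1, 28, 2, 3, 15, 6, 119, 12, 44, 47, 26, 121, 42, 249, 33, 252])

if __name__ == "__main__":
    print(parameter_request_list(SAMPLE_UBUNTU), "->", fingerprint_dhcp(SAMPLE_UBUNTU))
```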

  5. SSL/TLS Fingerprinting – SSL/TLS fingerprinting is done by capturing the static elements of the Client Hello packet, such as the SSL/TLS record version, cipher suites, compression options, and extensions such as signature algorithms, elliptic curves and elliptic curve point formats.

A string is formed out of this information and then hashed with MD5 to form a 32-character fingerprint.

771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53-10,0-23-65281-10-11-35-16-5-13-18-51-45-43-27-21,29-23-24,0

MD5 Hash of the above String- 66918128f1b9b03303d77c6f2eefd128

SSL/TLS fingerprints can also be used to detect applications, malware families, and pen testing tools, regardless of their destination. JA3 is a famous open-source tool which does SSL/TLS fingerprinting.

JA3 fingerprint 94c485bca29d5392be53f2b8cf7f4304 denotes Chrome running on OS X, and JA3 fingerprint b386946a5a44d1ddcc843bc75336dfce detects the Dyre malware family running on Windows.
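The string-building and hashing step described above, as an added example (my own code, not the JA3 project's implementation): the five Client Hello fields are joined in JA3 order and MD5-hashed, and GREASE values, which browsers insert at random and the JA3 method ignores, are dropped first. The field values are constructed to reproduce the string quoted above.

```python
import hashlib

def is_grease(value: int) -> bool:
    """GREASE values (0x0a0a, 0x1a1a, ... 0xfafa) are randomised per connection,
    so they are excluded before the string is formed."""
    return (value & 0x0f0f) == 0x0a0a and (value >> 8) == (value & 0xff)

def ja3_string(version, ciphers, extensions, curves, point_formats) -> str:
    """Join the Client Hello fields in JA3 order: version, ciphers, extensions,
    elliptic curves, point formats. Commas separate fields, dashes separate
    values within a field, and value order is preserved (it is part of the fingerprint)."""
    def field(values):
        return "-".join(str(v) for v in values if not is_grease(v))
    return ",".join([str(version), field(ciphers), field(extensions),
                     field(curves), field(point_formats)])

def ja3_hash(ja3: str) -> str:
    """The 32-character fingerprint is the MD5 hex digest of the string."""
    return hashlib.md5(ja3.encode("ascii")).hexdigest()

# Constructed Client Hello values that reproduce the string quoted in the post.
CLIENT_HELLO = dict(
    version=771,  # 0x0303, TLS 1.2
    ciphers=[4865, 4866, 4867, 49195, 49199, 49196, 49200, 52393, 52392,
             49171, 49172, 156, 157, 47, 53, 10],
    extensions=[0, 23, 65281, 10, 11, 35, 16, 5, 13, 18, 51, 45, 43, 27, 21],
    curves=[29, 23, 24],
    point_formats=[0],
)

EXPECTED_STRING = ("771,4865-4866-4867-49195-49199-49196-49200-52393-52392-"
                   "49171-49172-156-157-47-53-10,0-23-65281-10-11-35-16-5-13-"
                   "18-51-45-43-27-21,29-23-24,0")

if __name__ == "__main__":
    s = ja3_string(**CLIENT_HELLO)
    print(s == EXPECTED_STRING, ja3_hash(s))
```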

  6. User Agent-Based Fingerprinting: HTTP, and mail protocols like SMTP, carry a User-Agent application header. A user agent is a string of text that identifies the browser and operating system to the web server or mail server you are connecting to. When connecting to a website, the User-Agent field of the HTTP request header is populated and sent to the web server. The content of the user agent varies between browsers and operating systems. The web server can use this information to serve different web pages or simply to collect visitor information for analytics, showing which browsers and operating systems its visitors use. This piece of information is of high importance when it comes to tracing the origin of suspicious activity by narrowing down on browsers and operating systems.

User Agent-based fingerprinting using browscap.org data can help map User Agent information with the Browser Version, Platform, Platform Description, Device Name and Type. For example,

User Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 lookup gives the following information –

Browser – Chrome
Browser Version – 120.0
Browser Bits – 32 BIT
Maker – Google
Platform – macOS
Device Name – Macintosh
Device Type – Desktop

  7. ICMP Fingerprinting: From the ICMP packet, parameters such as ICMP type, code, checksum, id, sequence, data and TTL are extracted to form the fingerprint string. The format of the fingerprint string is as follows:

<icmp_type>:<icmp_code>:<icmp_checksum>:<icmp_id>:<icmp_sequence>:<icmp_data>:<icmp_ttl>::<os_name>:<device_type>:<device_vendor>

The string on the left of :: is formed from the ICMP protocol parameters as seen in an ICMP packet. The string on the right of :: gives the mapped device type along with its vendor and the supported operating system. The following are two examples.

8:0:Non-Zero:0x0200:256:*:128::Windows XP / Windows 2000 / Windows Server 2008 R2
8:0:Non-Zero:0x0100:256:*:128::Windows NT
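The following is an added example (my own code, not from the post) of matching a decoded echo request against signatures in the format above: '*' matches anything, 'Non-Zero' matches any non-zero value, and everything else is compared exactly. The sample packet and the assumption that a data pattern is written as a hex string are my own.

```python
# Constructed sample signatures, copied from the two examples in the post.
ICMP_SIGNATURES = [
    "8:0:Non-Zero:0x0200:256:*:128::Windows XP / Windows 2000 / Windows Server 2008 R2",
    "8:0:Non-Zero:0x0100:256:*:128::Windows NT",
]

# Left-hand field order, exactly as the format line in the post gives it.
FIELDS = ("icmp_type", "icmp_code", "icmp_checksum", "icmp_id",
          "icmp_sequence", "icmp_data", "icmp_ttl")

def parse_signature(sig: str):
    """Split a signature at '::' into the packet pattern and the device mapping."""
    left, right = sig.split("::", 1)
    parts = left.split(":")
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d pattern fields, got %d" % (len(FIELDS), len(parts)))
    meta = (right.split(":") + ["", ""])[:3]   # os_name:device_type:device_vendor, missing parts empty
    return dict(zip(FIELDS, parts)), dict(zip(("os_name", "device_type", "device_vendor"), meta))

def field_matches(pattern: str, observed) -> bool:
    """Wildcard semantics of the signature format. Integer patterns may be
    decimal or 0x-hex; a data pattern is assumed to be a hex string."""
    if pattern == "*":
        return True
    if pattern == "Non-Zero":
        return observed not in (0, b"")
    if isinstance(observed, bytes):
        return bytes.fromhex(pattern) == observed
    return int(pattern, 0) == observed

def fingerprint_icmp(packet: dict):
    """Return the mapping of the first signature whose every field matches, else None."""
    for sig in ICMP_SIGNATURES:
        pattern, mapping = parse_signature(sig)
        if all(field_matches(pattern[f], packet[f]) for f in FIELDS):
            return mapping
    return None

# Constructed echo request as a capture tool might decode it. The TTL here is the
# value seen on the wire; it decrements per hop, so a production matcher would round
# it up to the nearest common initial TTL before comparing.
SAMPLE_XP = {"icmp_type": 8, "icmp_code": 0, "icmp_checksum": 0x4d2f, "icmp_id": 0x0200,
             "icmp_sequence": 256, "icmp_data": bytes(range(0x61, 0x69)), "icmp_ttl": 128}

if __name__ == "__main__":
    print(fingerprint_icmp(SAMPLE_XP))
```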
