Identifying Users with Browser Fingerprinting of access points is sent to geolocation service provider Geolocation service provider returns latitude/longitude, postal address and accuracy

Tel +41 55 214 41 60Fax +41 55 214 41 [email protected] www.csnc.ch

Compass Security AGWerkstrasse 20Postfach 2038CH-8645 Jona

Walter Sprenger

Compass Security AG

Identifying Users with Browser Fingerprinting

© Compass Security AG Seite ‹#›www.csnc.ch

AGENDA

Browser Fingerprinting

Identifying Users

Live Demo

Browser GeoLocation

Live Demo



Browser Fingerprinting


EFF - Panopticlick

Panopticlick from Electronic Frontier Foundation� Showed that the fingerprint of a browser is unique

� Cookies are not used for the fingerprint

� Test your browser: panopticlick.eff.org


Browser Fingerprint

More than 40 usable Parameters

Categories� HTTP Request Headers

� JavaScript

� Java Applet

� Flash

� HTML5 Features

Parameters with most Entropy� User-Agent string

� Font-List

� Installed Plugins

Calc-Hash

Par1 ParXPar2


Identify Users

An Internet User� enters his password 8 times a day

� has 25 Web-Accounts

� Remembers 6.5 different passwords

� Uses one password for about 3.9 web sites

Reference: "A Large Scale Study of Web Passwords Habits", Dinei Florêncio, Cormac Herley, WWW '07

Interesting sites� Large user bases

� User is author or can create apps

� Security is not main goal of site

⇒ Ideal: Social Networking Sites


Proof-of-Concept Fingerprintr

Fingerprintr� Create Fingerprint

� Compare Fingerprint

� Configure Parameters used for fingerprint

� Store data in database

Facebook App� Create Fingerprint


Facebook App Fingerprintr

Facebook App

Fingerprintr

Admin-Interface

Direct Access



Live Demo: Identifying Users with Browser Fingerprinting


Screenshot: Fingerprintr






Why using Browser Fingerprinting?

Why should you want to identify users with browser

fingerprinting?


Fraud Detection

Fraud Detection� Create browser profiles of users

� Verify profile when ordering, transfering money

� Detect session hijacking attacks

In Case of different Fingerprints� Re-authenticate user

� Enforce another identifying parameter

� Security question

� SMS token

� Mail link


Session Tracking

User Friendly� Replace Cookies functionality (if cookies are not allowed or deleted)

� Track User spanning multiple sessions

� Persistent identification (Remember Me-Functionality)

Marketing / Statistics� Record and analyze user behaviour

� Improve data quality of address databases


Investigations

Identify the name of� Stalkers

� Anonymous WebMail senders

� Malicious Blogger

� Hackers

� Resolve IP-Address to user name without court order


Pitfalls with Browser Fingerprinting

Problems with Browser Fingerprint� Fingerprint changes with browser modifications

� Browser/Plugin update

� New plugins

� New fonts

� New applications on system

� The more parameters are used for the fingerprint…

� The better the uniqueness among many browsers

� The lower the chance of not identifying the same browser again

� Cross-Domain

� Websites must include JavaScript (like Google Analythics)

� Browser parameters sometimes differ on different sites/servers(eg. order of font list)



Reference: http://samy.pl/evercookie/

Evercookie


Storage used by Everycookie

Storage of Evercookie� Standard HTTP Cookies

� Local Shared Objects (Flash Cookies)

� Silverlight Isolated Storage

� Storing cookies in RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out

� Storing cookies in Web History

� Storing cookies in HTTP Etags

� Storing cookies in Web cache

� window.name caching

� Internet Explorer userData storage

� HTML5 Session Storage

� HTML5 Local Storage

� HTML5 Global Storage

� HTML5 Database Storage via SQLite


Evercookie Framework

Framework Features/Advantages� Works cross browser

� Read all storage locations

� Recover deleted cookies

Proof-of-Concept� http://samy.pl/evercookie/



Live Demo: Evercookie



Browser GeoLocation


Locate Mobile Phones and Laptops?

The localization of mobile phones has been known for a long time.

(GPS, Cell-ID, HLR lookups, Silent SMS, iPhone Tracking, etc.)

But did you know that your laptop can be localized as well?



Live Demo: GeoLocation


Sample of GeoLocation

maps.google.com


Disable GeoLocation

Internet Explorer 9 options

Firefox about:config


JavaScript Code Snippet

GeoLocation JavaScript

var mylat; var mylong;

// geolocation supported?

if (navigator.geolocation) {

// get coordinates

navigator.geolocation.getCurrentPosition(

function (position) {

mylat=position.coords.latitude;

mylong=position.coords.longitude;

}

)};


Browser Localization explained

How does Browser Localization work?� JavaScript in HTML page requests coordinates

� Browser binary retrieves list of access points (MAC, SSID, signal-strength) from the wireless network card

� List of access points is sent to geolocation service provider

� Geolocation service provider returns latitude/longitude, postal address and accuracy information

GeoLocation Service Providers� Skyhook Wireless

� Google

� Apple

� Navizon

� Xtify



POST https://www.google.com/loc/json

{"version":"1.1.0","request_address":true,

"access_token":

"2:2wKdveEadfvychcI:-dadsf7uYNAnQLZO",

"wifi_towers":[

{"mac_address":"00-11-22-33-44-55",

"ssid":“WLANDefault","signal_strength":-55},

{"mac_address":“aa-bb-cc-dd-ee-ff",

"ssid":"OpenRG","signal_strength":-84}]}



JSON Response

{"location":

{"latitude":47.2353182,

"longitude":9.1869627,

"address":{

"country":"Switzerland",

"country_code":"CH",

"region":"St Gall",

"county":"Toggenburg",

"city":"Nesslau-Krummenau",

"street":"Ämelsbergstrasse",

"street_number":"1658",

"postal_code":"9652"},

"accuracy":33.0}}


Update WiFi/Coord Databases

Updating the GeoLocation Database� StreetView cars

� Navigation providers (TomTom, Navigon, etc.)

� Contracts with 3rd parties (taxi, buses, garbage collection)

� Every user of location services help to update the database

� iPhone with GPS/WLAN/CellID Information

� Browser with geolocation services

� For example

� 4 WiFi MAC addresses are submitted from a client

� 3 are known in geolocation database

� The new MAC address is inserted into the database accordingly


Usage of GeoLocation Services

What could this be used for?

Locate Users� An application that collects MAC addresses of WiFi access points and sends

this information to the surveyor

� Weakness in browser that allows to access the Geolocation API withoutprompting the user

Find Criminals� Find the location of criminals without court order

� Location information is much more accurate than IP to Location



Live Demo: GeoLocation Trojan


Voting!


Discussion

Questions?


Contact

Compass Security Network Computing

Werkstrasse 20

Postfach 2038

CH - 8645 Jona

[email protected] | www.csnc.ch | +41 55 214 41 60

Secure File Exchange: www.csnc.ch/filebox

PGP-Fingerprint:


References

Identifying Users� http://panopticlick.eff.org/

� http://samy.pl/evercookie/

GeoLocation� http://code.google.com/intl/de-CH/apis/gears/api_geolocation.html

� http://www.mozilla.com/de/firefox/geolocation/

� http://diveintohtml5.org/geolocation.html

Documents

Identifying Users with Browser Fingerprinting of access points is sent to geolocation service provider Geolocation service provider returns latitude/longitude, postal address and accuracy