Skip to content

Changes

Page history
Create Digital Fingerprints and Some Techniques to Obfuscate Them authored by mbddq7's avatar mbddq7
Show whitespace changes
Inline Side-by-side
Digital-Fingerprints-and-Some-Techniques-to-Obfuscate-Them.md 0 → 100644
View page @ 57f0769e
# Digital Fingerprints and Some Techniques to Obfuscate Them
Digital fingerprinting is an increasingly common tool being used to identify various computer devices and subsequently their users. Many methods of fingerprinting report accuracies of 99% and higher. In the right hands, digital fingerprinting could be used to help identify cases of identify theft or unusual activity in a user’s account. However, it seems that often that digital fingerprints are used to identify devices and target them with user-specific ads.
## Types of Digital Fingerprints
#### Browser Fingerprinting
Browser fingerprints are fingerprints that can identify a specific browser (I.e., an installation of Google Chrome on a device). Original browser fingerprints were determined by a server created identity that would be saved as a cookie. Eventually, these fingerprints moved away needing to store cookies, to a stateless set of variables that would create a unique fingerprint for each browser. Newer versions of fingerprinting use the information that applications are provided and exploit algorithms and APIs that can lead to device identifying information. Based on the input and returned output that a remote device responds with, it is possible to infer information about a device. When a browser sends input to an API, the resulting output will vary depending on the hardware and software used in the API.
FingerprintJS is a JavaScript library that is used for browser fingerprinting. FingerprintJS markets itself as a way to allow developer teams to help prevent fraud, and declares that they have a 99.5% accuracy in determining unique users. FingerprintJS will take in parameters and use them to create a unique ID. The parameters used in FingerprintJS include:
* User agent details (browsers installed and their versions, operating system)
* Hardware details (screen resolution, battery usage, device memory)
* Browser plugins used
* Browser and OS settings
* WebGL parameters
![FirefoxFingerprintJs](uploads/fa9827da9b0aadd4a9cf9d8294e9bf1b/FirefoxFingerprintJs.PNG)
AmIUnique is a website that helps to determine if your browser fingerprint it unique. AmIUnique doesn't share a unique ID that it creates, but it shares all the information it used to identify a browser's uniqueness. It also shares the amount each element makes up their database of users. It uses the follow information to determine a device’s fingerprint.
* User agent header
* Accept header
* Connection header
* Encoding header
* Language header
* Upgrade Insecure Requests header
* Referer header
* Cache-Control header
* BuildId of the browser
* List of plugins
* Platform
* Cookies preferences (allowed or not)
* Do Not Track preferences (yes, no or not communicated)
* Timezone
* Screen resolution and its color depth
* Use of local storage
* Use of session storage
* Picture rendered with the HTML Canvas element
* Picture rendered with WebGL
* Supported Audio formats
* Supported Video formats
* Presence of AdBlock
* List of fonts
![FirefoxAmIUnique](uploads/7c2d41430e9b1532cc344d55a26ca026/FirefoxAmIUnique.PNG)
#### Device Fingerprinting
Cross Browser Fingerprint can identify a device, not just a browser on that device. It can do so by combining many of the environmental variables provided to the browser and running certain tests on the device using certain APIs. For example, you could use the anti-aliasing provided by the remote device, determine how that resulting output varies from other anti-aliasing outputs, and then use that to determine which algorithm might have been used. The algorithm used is a finger printable feature, that can help create the larger fingerprint of the device. The cross browser fingerprint uses the following to help build their fingerprint:
* Screen resolution
* Number of CPU Virtual Cores
* AudioContext
* List of Fonts
* Line, curve, and anti-aliasing
* Vertex Shader
* Fragment Shader
* Transparency via Alpha Channel
* Image Encoding and Decoding
* Installed writing scripts (Languages)
* Modeling and multiple models
* Lighting and shadow mapping
* Camera
* Clipping Planes
Below is a compilation of some of the rendered tests used in Cross Browser Fingerprinting.
![CrossBrowserFingerprinting](uploads/c453617ef7f2b20b61eabee701d37830/CrossBrowserFingerprinting.PNG)
#### TCP/IP Fingerprinting
Nmap uses a TCP/IP fingerprint to detect a remote OS. Using the command nmap -O will attempt to determine a target’s operating system. The scan will send up to 16 TCP, UDP, and ICMP probes to the target device. The probes look to exploit several ambiguities in the standard protocol RFCs. The responses from the device are then combined into a fingerprint after being analyzed. Nmap will output device information into 8 catergories. Device type attempts to categorize the device as a high level device type. Running describes the OS classification scheme. OS CPE is the common platform enumeration. OS details is the detailed OS description for that fingerprint. Uptime guess attempts to determine how long the device has been up. Network distance is the amount of routers in-between devices. TCP sequence prediction shows how vulnerable a system is to blind TCP spoofing attacks. The IP ID sequence generation shows the ID generation algorithm that Nmap thinks was used. Below is the output for one such scan:
> nmap -O -v scanme.nmap.org <br>
Starting Nmap ( http://nmap.org ) <br>
Nmap scan report for scanme.nmap.org (74.207.244.221)<br>
Not shown: 994 closed ports<br>
PORT STATE SERVICE<br>
22/tcp open ssh<br>
80/tcp open http<br>
646/tcp filtered ldp<br>
1720/tcp filtered H.323/Q.931 <br>
9929/tcp open nping-echo<br>
31337/tcp open Elite<br>
Device type: general purpose<br>
Running: Linux 2.6.X<br>
OS CPE: cpe:/o:linux:linux_kernel:2.6.39<br>
OS details: Linux 2.6.39<br>
Uptime guess: 1.674 days (since Fri Sep 9 12:03:04 2011)<br>
Network Distance: 10 hops<br>
TCP Sequence Prediction: Difficulty=205 (Good luck!)<br>
IP ID Sequence Generation: All zeros<br>
Read data files from: /usr/local/bin/../share/nmap<br>
Nmap done: 1 IP address (1 host up) scanned in 5.58 seconds<br>
Raw packets sent: 1063 (47.432KB) | Rcvd: 1031 (41.664KB)<br>
## Obfuscation
One of the best protections to use against Browser fingerprinting is to use browsers that attempt to protect your privacy. Firefox browser has an experimental Fingerprinting Protection software that they are currently developing that misreports data when the browser requests it. The protections that Firefox implements include falsely reporting timezones, not reporting all fonts, reporting a specific common verson number and operating systems, and has the media statistics web API report false information. When testing this, AmIUnique was not able to identify my browser as the same one without the protection, but FingerprintJS still able to uniquely identify the browser.
![FirefoxAmIUniquePrivacy](uploads/1272020fdfb954da925aae64f52e5962/FirefoxAmIUniquePrivacy.PNG)
Tor Browser also does a lot to combat fingerprinting. The Tor Browser gives all of it's users the same fingerprint. Tor also blocks certain APIs (Such as WebGL and the Canvas API) so that their rendered results can't be used. Additionally, certain JS functions (such as performance.now) have been modified so that they can't be used to potentially identify users. Below is the default Tor fingerprint.
![TorFingerprint](uploads/e635e5c3feeb96857cb72f9224dc38a7/TorFingerprint.png)
Another way to make fingerprinting difficult is to use randomization. Even in the above methods of submitting false or misleading information, the device will still be sharing a relatively static fingerprint. If only one user on a website uses Tor, then there is a chance that they are the only user with that fingerprint on the website. FPRandom is a modified version of Firefox that submits randomized outputs for certain fingerprinting aspects. It managed to submit different hashes for each time a website tried to collect its fingerprint. This allowed for the user to be considered a different user by the website each time the webpage was visited.
## References
https://fingerprintjs.com/ - FingerprintJS homepage
https://amiunique.org/ - AmIUnique Homepage
https://yinzhicao.org/TrackingFree/crossbrowsertracking_NDSS17.pdf - Details of cross browser fingerprinting
https://nmap.org/book/osdetect-usage.html - OS Detection with Nmap
https://support.mozilla.org/en-US/kb/firefox-protection-against-fingerprinting - Mozilla Browser Fingerprint protection
https://blog.torproject.org/browser-fingerprinting-introduction-and-challenges-ahead - Tor Browser takes on fingerprinting
https://link.springer.com/chapter/10.1007/978-3-319-62105-0_7 - FPRandom study page