Issue No.03 - March (2010 vol.9)
Suman Jana , University of Utah, Salt Lake City
Sneha K. Kasera , University of Utah, Salt Lake City
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/TMC.2009.145
We explore the use of clock skew of a wireless local area network access point (AP) as its fingerprint to detect unauthorized APs quickly and accurately. The main goal behind using clock skews is to overcome one of the major limitations of existing solutions—the inability to effectively detect Medium Access Control (MAC) address spoofing. We calculate the clock skew of an AP from the IEEE 802.11 Time Synchronization Function (TSF) time stamps sent out in the beacon/probe response frames. We use two different methods for this purpose—one based on linear programming and the other based on least-square fit. We supplement these methods with a heuristic for differentiating original packets from those sent by the fake APs. We collect TSF time stamp data from several APs in three different residential settings. Using our measurement data as well as data obtained from a large conference setting, we find that clock skews remain consistent over time for the same AP but vary significantly across APs. Furthermore, we improve the resolution of received time stamp of the frames and show that with this enhancement, our methodology can find clock skews very quickly, using 50-100 packets in most of the cases. We also discuss and quantify the impact of various external factors including temperature variation, virtualization, clock source selection, and NTP synchronization on clock skews. Our results indicate that the use of clock skews appears to be an efficient and robust method for detecting fake APs in wireless local area networks.
IEEE 802.11, fingerprint, MAC address spoofing, fake access point, time stamp.
Suman Jana, Sneha K. Kasera, "On Fast and Accurate Detection of Unauthorized Wireless Access Points Using Clock Skews", IEEE Transactions on Mobile Computing, vol.9, no. 3, pp. 449-462, March 2010, doi:10.1109/TMC.2009.145