On Fast and Accurate Detection of Unauthorized Wireless Access Points Using Clock Skews
March 2010 (vol. 9 no. 3)
pp. 449-462
Suman Jana, University of Utah, Salt Lake City
Sneha K. Kasera, University of Utah, Salt Lake City
We explore the use of clock skew of a wireless local area network access point (AP) as its fingerprint to detect unauthorized APs quickly and accurately. The main goal behind using clock skews is to overcome one of the major limitations of existing solutions—the inability to effectively detect Medium Access Control (MAC) address spoofing. We calculate the clock skew of an AP from the IEEE 802.11 Time Synchronization Function (TSF) time stamps sent out in the beacon/probe response frames. We use two different methods for this purpose—one based on linear programming and the other based on least-square fit. We supplement these methods with a heuristic for differentiating original packets from those sent by the fake APs. We collect TSF time stamp data from several APs in three different residential settings. Using our measurement data as well as data obtained from a large conference setting, we find that clock skews remain consistent over time for the same AP but vary significantly across APs. Furthermore, we improve the resolution of received time stamp of the frames and show that with this enhancement, our methodology can find clock skews very quickly, using 50-100 packets in most of the cases. We also discuss and quantify the impact of various external factors including temperature variation, virtualization, clock source selection, and NTP synchronization on clock skews. Our results indicate that the use of clock skews appears to be an efficient and robust method for detecting fake APs in wireless local area networks.
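
An added illustration of the least-square-fit approach the abstract describes, not code from the paper: it estimates an AP's clock skew from (monitor receive time, TSF time stamp) pairs and compares it with an enrolled fingerprint for the same MAC address. The offset formulation, the constructed beacon samples, the 2 ppm tolerance and all function names are assumptions made for this sketch.

```python
import random

def skew_ppm(samples):
    """Least-squares slope of clock offset vs. elapsed time, in ppm.
    samples: [(rx_time_us, tsf_us), ...] for one BSSID, in arrival order."""
    t0, tsf0 = samples[0]
    xs = [t - t0 for t, _ in samples]                      # elapsed time on the monitor clock
    ys = [(tsf - tsf0) - (t - t0) for t, tsf in samples]   # AP clock offset relative to the monitor
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return 1e6 * sxy / sxx                                 # microseconds per microsecond -> ppm

def check_ap(samples, enrolled_ppm, tolerance_ppm=2.0):
    """Return (matches_fingerprint, estimated_ppm). The tolerance is an assumed value."""
    est = skew_ppm(samples)
    return abs(est - enrolled_ppm) <= tolerance_ppm, est

def make_beacons(true_ppm, n=100, seed=1, interval_us=102_400):
    """Constructed sample data: n beacons at a 102.4 ms interval, with up to
    10 us of receive-time jitter at the monitor and integer TSF values."""
    rng = random.Random(seed)
    out = []
    for i in range(n):
        rx = 1_000_000 + i * interval_us + rng.uniform(0, 10)
        tsf = 5_000_000 + int(i * interval_us * (1 + true_ppm * 1e-6))
        out.append((rx, tsf))
    return out

if __name__ == "__main__":
    enrolled = 30.0   # constructed fingerprint recorded earlier for this MAC address
    for label, beacons in (("enrolled AP", make_beacons(30.0, seed=1)),
                           ("same MAC, different clock", make_beacons(-12.0, seed=2))):
        ok, est = check_ap(beacons, enrolled)
        print(f"{label}: skew {est:+.2f} ppm -> {'match' if ok else 'ALERT: skew mismatch'}")
```

The skew is measured relative to the monitoring station's own clock, so a fingerprint enrolled on one monitor is only comparable with estimates taken on that same monitor.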

Index Terms:
IEEE 802.11, fingerprint, MAC address spoofing, fake access point, time stamp.
Suman Jana, Sneha K. Kasera, "On Fast and Accurate Detection of Unauthorized Wireless Access Points Using Clock Skews," IEEE Transactions on Mobile Computing, vol. 9, no. 3, pp. 449-462, March 2010, doi:10.1109/TMC.2009.145