Identifying Users with Browser Fingerprinting
Walter Sprenger Compass Security AG
Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona
Tel +41 55 214 41 60 Fax +41 55 214 41 61
[email protected] www.csnc.ch
AGENDA
Browser Fingerprinting
Identifying Users (Live Demo)
Browser GeoLocation (Live Demo)
© Compass Security AG
www.csnc.ch
Browser Fingerprinting
EFF - Panopticlick
Panopticlick from the Electronic Frontier Foundation showed that the fingerprint of a browser is, in most cases, unique.
Cookies are not used for the fingerprint.
Test your browser: panopticlick.eff.org
Browser Fingerprint
More than 40 usable parameters
[Diagram: parameters Par1, Par2 ... ParX are collected from the categories below and combined by a hash function (Calc-Hash) into the fingerprint]
Categories: HTTP request headers, JavaScript, Java applet, Flash, HTML5 features
Parameters with most entropy: User-Agent string, font list, installed plugins
Identify Users
An Internet user
enters his password 8 times a day
has 25 web accounts
remembers 6.5 different passwords
uses one password for about 3.9 web sites
Reference: "A Large-Scale Study of Web Password Habits", Dinei Florêncio, Cormac Herley, WWW '07
Interesting sites
Large user base
User is author or can create apps
Security is not the main goal of the site
⇒ Ideal: social networking sites
Proof-of-Concept: Fingerprintr
Fingerprintr
Create fingerprint
Compare fingerprint
Configure parameters used for the fingerprint
Store data in database
Facebook App: create fingerprint
Facebook App Fingerprintr
[Architecture diagram: the Facebook App and direct access both deliver fingerprints to Fingerprintr; an Admin-Interface is used to configure the parameters and compare fingerprints]
Live Demo: Identifying Users with Browser Fingerprinting
Screenshot: Fingerprintr
Why use Browser Fingerprinting?
Why should you want to identify users with browser fingerprinting?
Fraud Detection
Create browser profiles of users
Verify the profile when ordering or transferring money
Detect session hijacking attacks
In case of different fingerprints:
Re-authenticate the user
Enforce another identifying parameter: security question, SMS token, mail link
Session Tracking
User friendly: replace cookie functionality (if cookies are not allowed or are deleted)
Track a user across multiple sessions
Persistent identification ("Remember Me" functionality)
Marketing / Statistics
Record and analyze user behaviour
Improve data quality of address databases
Investigations
Identify the name of stalkers, anonymous webmail senders, malicious bloggers, hackers
Resolve an IP address to a user name without a court order
Pitfalls with Browser Fingerprinting
The fingerprint changes with browser modifications: browser/plugin updates, new plugins, new fonts, new applications on the system
The more parameters are used for the fingerprint, the better the uniqueness among many browsers, but the higher the chance that the same browser is not recognized again, because every parameter is one more thing that can change
Cross-domain: websites must include JavaScript (like Google Analytics)
Browser parameters sometimes differ between sites/servers (e.g. the order of the font list)
Evercookie
Reference: http://samy.pl/evercookie/
Storage used by Evercookie
Standard HTTP cookies
Local Shared Objects (Flash cookies)
Silverlight Isolated Storage
Cookies stored in the RGB values of auto-generated, force-cached PNGs, read back out with the HTML5 Canvas tag
Cookies stored in the web history
Cookies stored in HTTP ETags
Cookies stored in the web cache
window.name caching
Internet Explorer userData storage
HTML5 Session Storage
HTML5 Local Storage
HTML5 Global Storage
HTML5 Database Storage via SQLite
Evercookie Framework
Features/advantages: works cross-browser, reads all storage locations, recovers deleted cookies
Proof-of-Concept: http://samy.pl/evercookie/
Live Demo: Evercookie
Browser GeoLocation
Locate Mobile Phones and Laptops?
The localization of mobile phones has been known for a long time. (GPS, Cell-ID, HLR lookups, Silent SMS, iPhone Tracking, etc.)
But did you know that your laptop can be localized as well?
Live Demo: GeoLocation
Sample of GeoLocation: maps.google.com
Disable GeoLocation
Internet Explorer 9: Internet options
Firefox: about:config (set geo.enabled to false)
JavaScript Code Snippet GeoLocation
JavaScript:
    var mylat;
    var mylong;
    // geolocation supported?
    if (navigator.geolocation) {
        // get coordinates; the browser asks the user for permission first
        navigator.geolocation.getCurrentPosition(
            function (position) {
                mylat = position.coords.latitude;
                mylong = position.coords.longitude;
            },
            function (error) {
                // permission denied or position unavailable
            }
        );
    }
Browser Localization explained
How does browser localization work?
JavaScript in the HTML page requests coordinates
The browser binary retrieves the list of access points (MAC, SSID, signal strength) from the wireless network card
The list of access points is sent to the geolocation service provider
The geolocation service provider returns latitude/longitude, postal address and accuracy information
GeoLocation service providers: Skyhook Wireless, Google, Apple, Navizon, Xtify
Browser Localization explained
POST https://www.google.com/loc/json
{"version":"1.1.0","request_address":true,
 "access_token":"2:2wKdveEadfvychcI:-dadsf7uYNAnQLZO",
 "wifi_towers":[
  {"mac_address":"00-11-22-33-44-55","ssid":"WLANDefault","signal_strength":-55},
  {"mac_address":"aa-bb-cc-dd-ee-ff","ssid":"OpenRG","signal_strength":-84}]}
Browser Localization explained
JSON response:
{"location":{"latitude":47.2353182,"longitude":9.1869627,
 "address":{"country":"Switzerland","country_code":"CH","region":"St Gall","county":"Toggenburg",
  "city":"Nesslau-Krummenau","street":"Ämelsbergstrasse","street_number":"1658","postal_code":"9652"},
 "accuracy":33.0}}
Update WiFi/Coord Databases
Updating the GeoLocation database:
StreetView cars
Navigation providers (TomTom, Navigon, etc.)
Contracts with 3rd parties (taxi, buses, garbage collection)
Every user of location services helps to update the database: iPhones with GPS/WLAN/Cell-ID information, browsers with geolocation services
For example: 4 WiFi MAC addresses are submitted from a client, 3 are known in the geolocation database, and the new MAC address is inserted into the database with the position computed from the known ones
Usage of GeoLocation Services
What could this be used for?
Locate users: an application that collects MAC addresses of WiFi access points and sends this information to the surveyor; a weakness in the browser that allows access to the Geolocation API without prompting the user
Find criminals: find the location of criminals without a court order; location information is much more accurate than IP-to-location
Live Demo: GeoLocation Trojan
Voting!
Discussion
Questions?
Contact Compass Security Network Computing Werkstrasse 20 Postfach 2038 CH - 8645 Jona
[email protected] | www.csnc.ch | +41 55 214 41 60 Secure File Exchange: www.csnc.ch/filebox PGP-Fingerprint:
References
Identifying Users
http://panopticlick.eff.org/
http://samy.pl/evercookie/
GeoLocation
http://code.google.com/intl/de-CH/apis/gears/api_geolocation.html
http://www.mozilla.com/de/firefox/geolocation/
http://diveintohtml5.org/geolocation.html