We propose a simple active method for discovering facts about the chipset, the firmware or the driver of an 802.11 wireless device by observing its responses (or lack thereof) to a series of crafted non-standard or malformed 802.11 frames. We demonstrate that such responses can differ significantly enough to distinguish between a number of popular chipsets and drivers. We expect to significantly expand the number of recognized device types through community contributions of signature data for the proposed open fingerprinting frame- work. Our method complements known fingerprinting ap- proaches, and can be used to interrogate and spot devices that may be spoofing their MAC addresses in order to con- ceal their true architecture from other stations, such as a fake AP seeking to engage clients in complex protocol frame exchange (e.g., in order to exploit a driver vulnerability). In particular, it can be used to distinguish rogue APs from legitimate APs before association.
Sergey Bratus, Cory Cornelius, David Kotz, Daniel Peebles Institute for Security Technology Studies Dartmouth College