Graduate School and Research Center in Digital Sciences

Clock around the Clock: Time-based device fingerprinting

Sanchez-Rola, Iskander; Santos, Igor; Balzarotti, Davide

CCS 2018, 25th ACM Conference on Computer and Communications Security, October 15-19, 2018, Toronto, Canada

Physical device fingerprinting exploits hardware features to uniquely identify a machine. This technique has been used for authentication, license binding, or attackers identification, among other tasks. More recently, hardware features have also been introduced to identify web users and perform web tracking. A particular type of hardware fingerprint exploits differences in the computer internal clock signals. However, previous methods to test for these differences relied on complex experiments performed by running native code in the target machine. In this paper, we show a new way to compute a hardware fingerprinting, based on timing the execution of sequences of instructions readily available in API functions. Due to its simplicity, this method can also be performed remotely by simply timing few seemingly innocuous lines of JavaScript code. We tested our approach with different functions, such as common string manipulation or widespread cryptographic routines, and found that several of them can be used as basic blocks for fingerprinting. Using this technique, we implemented a tool called CryptoFP. We tested its native implementation in a homogeneous scenario, to distinguish among a perfectly identical (both in software and hardware) set of computers. CryptoFP was able to correctly discriminate all the identical computers in this scenario and recognize the same computer also under different CPU load configurations, outperforming every other hardware fingerprinting method. We then show how CryptoFP can be implemented using a combination of the HTML5 Cryptography API and standard timing API for web device fingerprinting. In this case, we compared our method, both in the same homogeneous scenario and by performing an experiment with real-world users running heterogeneous devices, against other state-of-the-art web device fingerprinting solutions. In both cases, our approach clearly outperforms all existing methods.

Document Doi Bibtex

Title:Clock around the Clock: Time-based device fingerprinting
Keywords:device fingerprinting; web privacy
Department:Digital Security
Eurecom ref:5664
Copyright: © ACM, 2018. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in CCS 2018, 25th ACM Conference on Computer and Communications Security, October 15-19, 2018, Toronto, Canada
Bibtex: @inproceedings{EURECOM+5664, doi = {}, year = {2018}, title = {{C}lock around the {C}lock: {T}ime-based device fingerprinting}, author = {{S}anchez-{R}ola, {I}skander and {S}antos, {I}gor and {B}alzarotti, {D}avide}, booktitle = {{CCS} 2018, 25th {ACM} {C}onference on {C}omputer and {C}ommunications {S}ecurity, {O}ctober 15-19, 2018, {T}oronto, {C}anada}, address = {{T}oronto, {CANADA}}, month = {10}, url = {} }
See also: