Menu
Every computer has a unique clock skew, even ones of the same
model, so this acts as a fingerprint.
Even if that computer
moves location and changes ISP, it can be later identified
through this phenomenon.
By collecting TCP timestamps or
sequence numbers, clock skew can be accurately remotely
measured.
In addition to varying between computers, clock skew
also changes depending on temperature. Thus a remote attacker,
monitoring timestamps, can make an estimate of a computer's
environment, which has wide-scale implications on security and
privacy.
Through measuring day length and time-zone, the
location of a computer could be estimated, which is a
particular concern with anonymity networks and VPNs. Local
temperature changes caused by air-conditioning or movements of
people can identify whether two machines are in the same
location, or even are virtual machines on one server.
The
temperature of a computer can also be influenced by CPU load,
so opening up a low-bandwidth covert channel. This could be
used by processes which are prohibited from communicating for
confidentiality reasons and because this is a physical covert
channel, it can even cross "air-gap" security boundaries.
The
talk will demonstrate how to use this channel to attack the
hidden service feature offered by the Tor anonymity system.
Here, an attacker can repeatedly access a hidden service,
increasing CPU load and inducing a temperature change. This
will affect clock skew, which the attacker can monitor on all
candidate Tor servers. When there is a match between the load
pattern and the clock skew, the attacker has linked the real
IP address of a hidden server to its pseudonym, violating the
anonymity properties Tor is designed to provide.
The talk will also present a separate illustration of the temperature covert channel technique, such as investigating a suspected attack on the Tor network in August 2006, by a well equipped adversary.
Steven Murdoch