Leveraging USB to Establish Host Identity Using Commodity Devices

Adam Bates, Ryan Leonard, Hannah Pruse, Kevin Butler, and Daniel Lowd.
21st ISOC Network and Distributed System Security Symposium (NDSS'14).
San Diego, CA, USA. February 25, 2014.
(acceptance rate=18.6%)
Available Media


Determining a computer’s identity is a challenge of critical importance to users wishing to ensure that they are interacting with the correct system; it is also extremely valuable to forensics investigators. However, even hosts that contain trusted computing hardware to establish identity can be defeated by relay and impersonation attacks. In this paper, we consider how to leverage the virtually ubiquitous USB interface to uniquely identify computers based on the characteristics of their hardware, firmware, and software stacks. We collect USB data on a corpus of over 250 machines with a variety of hardware and software configurations, and through machine learning classification tech-niques we demonstrate that, given a period of observation on the order of tenths of a second, we can differentiate hosts based on a variety of attributes such as operating system, manufacturer, and model with upwards of 90 % accuracy. Over longer periods of observation on the order of minutes, we demonstrate the ability to distinguish between hosts that are seemingly identical; using Random Forest classification and statistical analysis, we generate fingerprints that can be used to uniquely and consistently identify 70 % of a field of 30 machines that share identical OS and hardware specifications. Additionally, we show that we can detect the presence of a hypervisor on a computer with 100% accuracy and that our results are resistant to concept drift, a spoofing attack in which malicious hosts provide fraudulent USB messages, and relaying of commands from other machines. Our techniques are thus generally employable in an easy-to-use and low-cost fashion.