We describe a tracking technique for Linux devices, exploiting a new TCP source port generation mechanism recently introduced to the Linux kernel. This mechanism is based on an algorithm, standardized in RFC 6056, for boosting security by better randomizing port selection. Our technique detects collisions in a hash function used in the said algorithm, based on sampling TCP source ports generated in an attackerprescribed manner. These hash collisions depend solely on a per-device key, and thus the set of collisions forms a device ID that allows tracking devices across browsers, browser privacy modes, containers, and IPv4/IPv6 networks (including some VPNs). It can distinguish among devices with identical hardware and software, and lasts until the device restarts. We implemented this technique and then tested it using tracking servers in two different locations and with Linux devices on various networks. We also tested it on an Android device that we patched to introduce the new port selection algorithm. The tracking technique works in real-life conditions, and we report detailed findings about it, including its dwell time, scalability, and success rate in different network types. We worked with the Linux kernel team to mitigate the exploit, resulting in a security patch introduced in May 2022 to the Linux kernel, and we provide recommendations for better securing the port selection algorithm in the paper.
|Original language||American English|
|Title of host publication||32nd USENIX Security Symposium, USENIX Security 2023|
|Number of pages||18|
|State||Published - 2023|
|Event||32nd USENIX Security Symposium, USENIX Security 2023 - Anaheim, United States|
Duration: 9 Aug 2023 → 11 Aug 2023
|Name||32nd USENIX Security Symposium, USENIX Security 2023|
|Conference||32nd USENIX Security Symposium, USENIX Security 2023|
|Period||9/08/23 → 11/08/23|
Bibliographical notePublisher Copyright:
© 2023 32nd USENIX Security Symposium, USENIX Security 2023. All rights reserved.