Biometric Fingerprinting, Mass Surveillance and You

Originally published at: News - Whonix Forum
Tracking techniques have become more sophisticated with time. They advanced from simple cookies to browser/device fingerprinting (which Tor Browser focuses on defeating) to user behavior fingerprinting. The latter is about profiling how a user types on a keyboard or uses a mouse.

Keystroke dynamics have been around for a while but the massive scale of deployment is new and comes with serious implications for anonymous users. This technology is already used by PRISM partners, banks and massive online courses.

Note that even if a user’s destination does not itself surreptitiously record biometrics, anyone observing the network traffic of SSH in interactive mode or JS applications (functionality like Google suggestions) can generate a model for your biometric statistics.

As a countermeasure, security researcher Paul Moore created a prototype Chrome plugin known as KeyboardPrivacy. It works by caching keystrokes and introducing a random delay before passing them on to a webpage. A Firefox add-on was planned but nothing has surfaced so far.

We don’t know how effective VMs are at blunting the threat. Read more if you are interested in helping out.

A very much needed project would be to write a program that mimics the functionality of this add-on but on the OS level.
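The caching-and-random-delay idea described in the post above, as an added Python sketch (not code from KeyboardPrivacy, Whonix or anyone in this thread). The key-press timestamps are constructed, and the function names and the 100 ms delay bound are assumptions made for illustration.

```python
import random
import statistics

def typing_session(rng, mean_gap_ms, jitter_ms, n=200):
    """Constructed key-press timestamps (ms) for one typist's rhythm."""
    t, times = 0.0, []
    for _ in range(n):
        t += max(20.0, rng.gauss(mean_gap_ms, jitter_ms))
        times.append(t)
    return times

def delay_buffer(times, rng, max_delay_ms):
    """Release each cached key after a random delay in [0, max_delay_ms].

    Keys are never reordered: a key is released no earlier than the one
    before it, so every key still leaves within max_delay_ms of its press.
    """
    released, last = [], 0.0
    for t in times:
        last = max(t + rng.uniform(0.0, max_delay_ms), last)
        released.append(last)
    return released

def gaps(times):
    """Inter-key intervals, the feature an observer of the traffic can measure."""
    return [b - a for a, b in zip(times, times[1:])]

def pearson(xs, ys):
    """Correlation between true and observed gaps (1.0 = timing fully preserved)."""
    mx, my = statistics.mean(xs), statistics.mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return cov / (sum((x - mx) ** 2 for x in xs) * sum((y - my) ** 2 for y in ys)) ** 0.5

def compare(seed=1, mean_gap_ms=150.0, jitter_ms=15.0, max_delay_ms=100.0):
    rng = random.Random(seed)
    raw = typing_session(rng, mean_gap_ms, jitter_ms)
    seen = delay_buffer(raw, rng, max_delay_ms)
    g_raw, g_seen = gaps(raw), gaps(seen)
    return {
        "raw": raw, "seen": seen,
        "mean_raw": statistics.mean(g_raw), "mean_seen": statistics.mean(g_seen),
        "stdev_raw": statistics.stdev(g_raw), "stdev_seen": statistics.stdev(g_seen),
        "gap_correlation": pearson(g_raw, g_seen),
    }

if __name__ == "__main__":
    r = compare()
    for key in ("mean_raw", "mean_seen", "stdev_raw", "stdev_seen", "gap_correlation"):
        print(f"{key:16s} {r[key]:8.2f}")
```

The buffer blurs individual inter-key gaps, but the mean gap can shift by at most `max_delay_ms / (n - 1)`, so overall typing speed stays visible to an observer.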

When someone is using ssh / vnc, one is specifically vulnerable (and ignorant) about keystroke fingerprinting, right?

Any way to work around the keystroke fingerprinting? ssh / vnc to server one, and from there ssh / vnc to server two perhaps?

> When someone is using ssh / vnc, one is specifically vulnerable (and ignorant) about keystroke fingerprinting, right?

Yes

> Any way to work around the keystroke fingerprinting? ssh / vnc to server one, and from there ssh / vnc to server two perhaps?

I don’t think so, because the connection from server 1 to server 2 will receive them in the time-delayed order they were sent.

Some options:

* Never sending anything except over authenticated HSs. That’s a good idea for many reasons because exposed VNC/SSH services are large security holes. Tor’s encryption/anonymity properties should conceal the size and timing of keystrokes sent.

* In the case of SSH described in the paper (Spoofing key-press latencies with a generative keystroke dynamics model) this applies when interactive mode is enabled, so an easy but limiting workaround is to disable it. VNC needs realtime interaction or else it would be terribly laggy and unusable.

* The proposed anti-keystroke tool should help with all these use cases even if the communication is sniffed and without disabling functionality.

Registered, got detected over clearnet. Then ran VNC over Tor. I was still detected again with a score of 13 %.

What does 13 % mean? At the moment not much, because someone else typing with 10 fingers would have to input this and then see if they are also detected to be “13 %” of me.

Anyone up to test that?

If that was to work, we could have some instructions on how one can VNC to its own locally running VNC server over Tor. I am very skeptical though, this does not actually open up more issues than it fixes. If it fixes any issues at all.

So in the first clearnet attempt you tested via the VPS connected with VNC?

What browser did you use? TBB has some timer accuracy mitigations they added to JS.

To accurately reproduce your keystrokes again over Tor you can use GNU Xnee to record and replay them:

https://packages.debian.org/jessie/x11/cnee

HulaHoop:

> So in the first clearnet attempt you tested via the VPS connected with VNC?

Not a VPS. Just a server in my LAN.

First connection was a LAN-only VNC connection. Second one was VNC connection over Tor.

> What browser did you use?

Used Firefox.

> TBB has some timer accuracy mitigations they added to JS.

I see. So I gotta test again.

> To accurately reproduce your keystrokes again over Tor you can use GNU Xnee to record and replay them:
>
> https://packages.debian.org/jessie/x11/cnee

Interesting to know such a package exists. However, I did not understand what I’d need it for.

Tested TBB 6.5a3-hardened. Does not defeat keystroke fingerprinting.

Tested without connecting through a sheath, authenticated Tor Hidden Service VNC. That would be Tor over Tor. And not a useful test.

  • either it should be defeated by Tor Hidden Service VNC: no, it’s not
  • or by TBB: no, it’s not as of TBB 6.5a3-hardened

Anyhow. Both attempts above (VNC; TBB) are either the wrong level to fix it or awful workarounds. Let’s see if T542 Keyboard/Mouse Fingerprinting Defense will fix it.
