B3RN3D

Let your plans be dark and impenetrable as night, and when you move, fall like a thunderbolt.

Fingerprinting Attacks on Screen Resolution

Fingerprinting attacks identify individuals by some attribute of their online activity or browsing environment. In some ways they are the most dangerous de-anonymization threat, and the most difficult to defend against. I want to highlight one facet of fingerprinting that many web services and organizations use: screen resolution tracking.

In many cases you have a laptop with a fixed native screen resolution. This could be 1024x768, or 1920x1080, or some other combination, and the value points to the make and model of the laptop itself. The 13-inch MacBook Pro, for instance, has a native resolution of 1280x800. While many other laptops run a similar resolution, you have narrowed the set of systems that could be connecting down to those with that resolution. Imagine what a forensic investigator could do with this information.

This is even more dangerous on mobile devices such as Android phones. Each manufacturer releases phones and tablets with different, often very odd, screen resolutions, which makes the value close to unique to that phone model. There are dozens of sites that provide this information for you:

Background

There are two types of fingerprinting: passive and active. Passive fingerprinting is usually the domain of those who collect information about your network traffic and then do a secondary correlation. For example, an adversary running multiple exit nodes can collect the list of sites each circuit connects to and try to correlate that with a specific user.

Active attacks manipulate or inject an identifier into your traffic: an identifying cookie, or malicious JavaScript that, when executed, collects identifying information about your browsing environment. Screen resolution tracking is an active attack of this second kind.

This is not a new revelation: the EFF has highlighted the problem with its Panopticlick project, which simulates attacks that fingerprint your browser by its plugins, installed fonts, and so on. The BrowserSpy project is similar.

Screen Resolution

While we have found ways to defend ourselves against a variety of attacks (e.g. disabling JavaScript so that sites cannot enumerate the plugins we have installed), defending against tracking of your screen resolution is harder. Note that screen resolution here means the resolution of your whole display, as reported by screen.width and screen.height, not just the size of your browser window (window.innerWidth and window.innerHeight).

Here's a simple JavaScript example that does that:

    <a href="javascript:alert('Your resolution is '+screen.width+'x'+screen.height);">Screen Resolution Example</a>

Demo: Screen Resolution Detection Example

EDIT: lugh points out that this example is inconsistent and depends on your OS and browser.
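As an added example (not code from the original post), here is what a fingerprinting script actually reads from the screen and window objects, and how a tracker would fold those readings into a single key. It runs as-is in a browser console; under Node.js the browser globals are absent, so it falls back to a constructed sample environment (a HiDPI laptop at 2x scaling, labelled in the code). The inconsistency noted in the edit above has a concrete cause: screen.width and screen.height report CSS pixels, so OS display scaling (devicePixelRatio) and, in some browsers, the page zoom level change what the same physical panel reports.

```javascript
'use strict';

// Constructed sample environment (not measured): what a 13" Retina laptop
// reports at 2x scaling. screen.* values are CSS pixels, so the "resolution"
// a tracker sees is 1440x900 although the panel has 2880x1800 physical pixels.
const SAMPLE_ENV = {
  screen: { width: 1440, height: 900, availWidth: 1440, availHeight: 877, colorDepth: 30 },
  window: { innerWidth: 1200, innerHeight: 720, devicePixelRatio: 2 },
};

// Use the real browser globals when present, otherwise the sample (Node.js).
function currentEnv() {
  if (typeof screen !== 'undefined' && typeof window !== 'undefined') {
    return { screen, window };
  }
  return SAMPLE_ENV;
}

// Everything a screen-based fingerprint typically reads.
function collectScreenFingerprint(env = currentEnv()) {
  const s = env.screen;
  const w = env.window;
  const dpr = w.devicePixelRatio || 1;
  return {
    cssResolution: `${s.width}x${s.height}`,             // what screen.width/height report
    physicalResolution: `${Math.round(s.width * dpr)}x${Math.round(s.height * dpr)}`,
    availResolution: `${s.availWidth}x${s.availHeight}`, // screen minus taskbar / menu bar
    windowSize: `${w.innerWidth}x${w.innerHeight}`,      // viewport only; changes on resize
    devicePixelRatio: dpr,
    colorDepth: s.colorDepth,
  };
}

// FNV-1a 32-bit over the attribute string: a compact, stable key the tracker
// can store instead of the raw values (a hash for bucketing, not a secret).
function fnv1a32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

// The key deliberately leaves out windowSize: a tracker that keys on the
// screen rather than the window is unaffected by the "resize your browser" defence.
function screenFingerprintKey(env = currentEnv()) {
  const fp = collectScreenFingerprint(env);
  return fnv1a32([fp.cssResolution, fp.physicalResolution, fp.availResolution,
                  fp.devicePixelRatio, fp.colorDepth].join('|'));
}

// Browser usage: open the console and run
//   console.log(collectScreenFingerprint(), screenFingerprintKey());
```

Run it on two machines with the same panel but different scaling settings and the cssResolution differs while physicalResolution agrees; a careful tracker records both.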

Defense Measures

There are a couple of ways of defending, let me go over some possibilities:

  • disabling JavaScript: this removes the easy screen.width read, but it is not airtight. CSS media queries can test device-width and device-height without any script, and a stylesheet that requests a different background-image URL under each query tells the server which bucket matched. What you deny the tracker is the exact value, not the category.
  • resizing your browser window: some trackers do not read the screen resolution at all, only the window size, and a resized window defeats those.
  • changing your screen resolution: this is often cumbersome, but choosing a screen resolution that many other users have would help defend against fingerprinting. The Liberte Linux distribution is the only system I've seen that does this automatically, by forcing a screen resolution of 800x600.
  • external monitors: if you are on a laptop and have an external monitor around, it may be possible to have its resolution reported instead of your laptop screen's. Note that different operating systems handle this value differently; some report the combined size of the virtual desktop spanning both screens.
  • modifying the JavaScript engine: patching the browser (or the screen object it exposes to scripts) so that it returns a value other than your actual resolution. This has not been done very often and is considered a security risk, but nothing prevents it.
  • virtualization: if you run your anonymous environment inside a virtual machine, you can change the guest's resolution easily by resizing the VM window.

Different situations call for different defenses. If you run into a site you need that requires JavaScript, you are not going to be able to disable it. The same applies to the browser-window trick if the service reads screen.height rather than window.innerHeight. Going into your display settings and changing your screen resolution might work, but it is cumbersome. The virtualization option is very plausible but requires that you are running virtualization software such as VirtualBox.
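The "modify the JavaScript engine" option has a cheaper form that needs no engine patch: a userscript or extension content script that replaces the getters a tracker reads before any page script runs. The following is an added example of that countermeasure, not code from the original post or from any named project. It assumes 1366x768 at 1x as the "crowd" value to report (an assumption; pick whatever is common in your threat model, since a spoofed value nobody else reports is worse than none) and rounds the viewport down to a 100-pixel bucket so window-size probes see a bucket rather than an exact size. Under Node.js the stubs stand in for the browser's Screen and Window objects.

```javascript
'use strict';

// "Crowd" profile: the values every user of this script will report. The
// choice of 1366x768 at 1x is an assumption, not a measured population value.
const CROWD = { width: 1366, height: 768, availWidth: 1366, availHeight: 728,
                colorDepth: 24, devicePixelRatio: 1 };

// Read the real value through the original accessor when there is one
// (a browser), or capture the plain value once (the constructed stubs used in tests).
function liveReader(obj, name) {
  const d = Object.getOwnPropertyDescriptor(obj, name);
  if (d && typeof d.get === 'function') return d.get.bind(obj);
  const v = obj[name];
  return () => v;
}

// Install a non-configurable accessor: page scripts cannot delete it or
// redefine it to get the real value back, and writes are silently ignored.
function lockProperty(obj, name, compute) {
  Object.defineProperty(obj, name, {
    get: compute,
    set: () => {},
    enumerable: true,
    configurable: false,
  });
}

const roundDown = (n, step) => Math.floor(n / step) * step;

// scr: the Screen object to patch (Screen.prototype in a browser, so the
// getters shadow the native ones for every instance); win: the Window.
// Returns what a page script will see afterwards.
function installScreenSpoof(scr, win, crowd = CROWD, step = 100) {
  for (const k of ['width', 'height', 'availWidth', 'availHeight', 'colorDepth']) {
    lockProperty(scr, k, () => crowd[k]);
  }
  lockProperty(win, 'devicePixelRatio', () => crowd.devicePixelRatio);
  // Viewport: report a rounded-down bucket of the real size rather than a fixed
  // lie, so page layout still fits and a resize does not leak the exact size.
  const realW = liveReader(win, 'innerWidth');
  const realH = liveReader(win, 'innerHeight');
  lockProperty(win, 'innerWidth', () => roundDown(realW(), step));
  lockProperty(win, 'innerHeight', () => roundDown(realH(), step));
  return { width: scr.width, height: scr.height,
           innerWidth: win.innerWidth, innerHeight: win.innerHeight };
}

// Browser usage, from a userscript or content script that runs at document-start:
//   installScreenSpoof(Screen.prototype, window);
```

Two caveats. The override lives in the JavaScript realm it was installed in, so a page can create an iframe and read a clean Screen.prototype through its contentWindow unless the script runs in every frame. And it does nothing about CSS media queries, which are evaluated against the real screen.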

Real-World Attacks

One example of software designed for fingerprinting is Juniper's Webapp Secure. It fingerprints a web site's users on a variety of metrics, one of which is the computer's screen resolution, and by doing so can track a user's browsing across multiple sessions without any cookies.
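To make the cookieless tracking concrete, here is an added example of the server side, written for this page and not Juniper's code or anything the product documents. It assumes a collection script posts back the browser family and a screen string of the form "<css width>x<css height>@<devicePixelRatio>" (an assumed encoding), links requests into pseudonymous devices on that key alone, and then measures how identifying each resolution is within the observed population, Panopticlick-style. The request log is constructed.

```javascript
'use strict';

// Constructed request log (not real traffic): client IP, browser family,
// screen string from the collection script, and the day of the visit.
const LOG = [
  { ip: '203.0.113.5',   ua: 'Firefox/Mac',  scr: '1440x900@2',  day: 1 },
  { ip: '203.0.113.5',   ua: 'Firefox/Mac',  scr: '1440x900@2',  day: 1 },
  { ip: '198.51.100.7',  ua: 'Firefox/Mac',  scr: '1440x900@2',  day: 2 }, // same device, new IP, cookies cleared
  { ip: '198.51.100.9',  ua: 'Chrome/Win',   scr: '1366x768@1',  day: 1 },
  { ip: '198.51.100.10', ua: 'Firefox/Win',  scr: '1366x768@1',  day: 1 },
  { ip: '192.0.2.33',    ua: 'Edge/Win',     scr: '1366x768@1',  day: 2 },
  { ip: '192.0.2.44',    ua: 'Chrome/Linux', scr: '1870x1300@1', day: 1 },
  { ip: '192.0.2.45',    ua: 'Chrome/Linux', scr: '1870x1300@1', day: 3 }, // odd resolution: nobody else reports it
];

// Cookieless device key: browser family plus screen string. No IP, no cookie.
const deviceKey = (r) => `${r.ua}|${r.scr}`;

// Link every request to a pseudonymous device. The Mac user's day-2 visit from
// a new IP lands in the same bucket as the day-1 visits.
function linkVisits(log) {
  const devices = new Map();
  for (const r of log) {
    const k = deviceKey(r);
    if (!devices.has(k)) devices.set(k, { visits: 0, ips: new Set(), days: new Set() });
    const d = devices.get(k);
    d.visits += 1;
    d.ips.add(r.ip);
    d.days.add(r.day);
  }
  return devices;
}

// Anonymity set per screen string: how many distinct devices report it.
function anonymitySets(log) {
  const byScreen = new Map();
  for (const r of log) {
    if (!byScreen.has(r.scr)) byScreen.set(r.scr, new Set());
    byScreen.get(r.scr).add(deviceKey(r));
  }
  const sets = new Map();
  for (const [scr, devs] of byScreen) sets.set(scr, devs.size);
  return sets;
}

// Surprisal in bits: log2(devices in population / devices sharing the value).
// 0 bits means everyone shares it; log2(N) means it singles out one device.
// A value seen nowhere in the population is treated as unique.
function identifyingBits(log, scr) {
  const population = linkVisits(log).size;
  const sharing = anonymitySets(log).get(scr) || 1;
  return Math.log2(population / sharing);
}

// Report for each device: visits, distinct IPs, days active.
function report(log) {
  const lines = [];
  for (const [k, d] of linkVisits(log)) {
    lines.push(`${k}: ${d.visits} visits, ${d.ips.size} IPs, days ${[...d.days].join(',')}`);
  }
  return lines;
}
```

The 1870x1300 device is linked across two IPs and two days with no cookie at all, which is the scenario the Conclusions section below worries about; the three 1366x768 devices hide among each other until another attribute (fonts, plugins) splits them.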

Applying to Registration

Screen resolution is just one attribute that can be keyed on, but I find that it is relied upon most often during web provider registration processes. This may be because providers don't believe anyone would go through the steps of changing their screen resolution – I'm not sure. In any event, merely changing your screen resolution lets you register without anything you did in a previous session fingerprinting you. This, along with clearing your cookies, connecting from a different IP address, and possibly manipulating the fonts installed on your computer, will let you bypass the registration process... sometimes.

Conclusions

If nothing else, I offer this as a reminder that your screen resolution is usually a hard-coded, highly identifiable value that you should actively defend against leaking to unknown parties. While not as identifying as, say, your MAC address, it remains a highly attributable value. Imagine a scenario where an adversary is correlating the online activity of someone who visits a site with a resolution of 1870x1300. Even if you securely erased your system before a forensic investigator arrived, they will easily notice that your laptop's screen resolution is 1870x1300, and because that resolution is highly unusual it is a simple step to correlate your laptop with its traffic.