Exposing/fingerprinting hidden services remotely by tracking heat-based clock skew…
When tools such as NMAP arrived on the scene years ago and fingerprinting for enumeration in pentesting and VA was the "hot" ticket, evasion techniques sprang up that were quite creative and forced researchers to get even more creative in their attempts to remotely discover and detect the OS, applications and services running on a host.
This has got to be one of the (and you’ll pardon the pun) "coolest" methods of detection and service enumeration I have seen to date; using CPU speed and temperature to detect processor utilization by hidden services — remotely using timestamp skews!
From Steven J. Murdoch @ Light Blue Touchpaper:
It is well known that quartz crystals, as used for controlling system clocks of computers, change speed when their temperature is altered. The paper shows how to use this effect to attack anonymity systems. One such attack is to observe timestamps from a PC connected to the Internet and watch how the frequency of the system clock changes.
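To make the quoted idea concrete, here is an added Python illustration (mine, not code from this post or from Murdoch's paper) of what an observer actually measures: the offset between a remote host's clock and the observer's own clock, fitted over time to give the skew in parts per million, and a check for the skew shifting between windows as the crystal warms. The timestamp stream is constructed in the script itself (a hypothetical host with a constructed skew change from -20 ppm to -21.5 ppm and a few milliseconds of constructed network jitter), and a plain least-squares line fit stands in for the more jitter-tolerant fitting used in the published work. From the defensive side, this is the quantity a host leaks through any exposed timestamp source, which is why the load-to-temperature-to-skew chain matters.

```python
"""Clock-skew estimation from observed timestamps (added illustration)."""
import random
from typing import List, Tuple

# (observer_time_s, remote_clock_s): what a passive observer records per reading
Sample = Tuple[float, float]


def simulate_samples(phases, interval_s=5.0, jitter_s=0.005, seed=7) -> List[Sample]:
    """Constructed timestamp stream. Each phase is (duration_s, skew_ppm).

    The remote clock advances at (1 + skew_ppm * 1e-6) times true time, and
    each reading reaches the observer after a random network delay (jitter).
    This is synthetic data, not a capture from any real host.
    """
    rng = random.Random(seed)
    samples: List[Sample] = []
    t = 0.0        # true time at which the remote host emits a reading
    remote = 0.0   # the remote host's own clock value at that instant
    for duration_s, skew_ppm in phases:
        rate = 1.0 + skew_ppm * 1e-6
        end = t + duration_s
        while t < end:
            samples.append((t + rng.uniform(0.0, jitter_s), remote))
            t += interval_s
            remote += interval_s * rate
    return samples


def estimate_skew_ppm(samples: List[Sample]) -> float:
    """Least-squares slope of (remote - observer) against observer time, in ppm."""
    n = len(samples)
    xs = [t for t, _ in samples]
    ys = [r - t for t, r in samples]
    mx = sum(xs) / n
    my = sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / sxx * 1e6


def skew_timeline(samples: List[Sample], window_s=3600.0) -> List[float]:
    """One skew estimate per consecutive window of observer time."""
    estimates: List[float] = []
    window_start = samples[0][0]
    bucket: List[Sample] = []
    for s in samples:
        if s[0] - window_start >= window_s:
            estimates.append(estimate_skew_ppm(bucket))
            bucket = []
            window_start += window_s
        bucket.append(s)
    if len(bucket) > 2:
        estimates.append(estimate_skew_ppm(bucket))
    return estimates


def detect_skew_shift(timeline: List[float], threshold_ppm=0.5) -> List[int]:
    """Indices of windows whose skew moved by more than threshold_ppm
    relative to the previous window: the signature of a temperature change."""
    return [i for i in range(1, len(timeline))
            if abs(timeline[i] - timeline[i - 1]) > threshold_ppm]


# Constructed scenario: two hours idle at -20 ppm, then two hours under load,
# where the warmer crystal runs 1.5 ppm slower (figures chosen for illustration).
PHASES = [(2 * 3600, -20.0), (2 * 3600, -21.5)]


def run_demo() -> Tuple[List[float], List[int]]:
    samples = simulate_samples(PHASES)
    timeline = skew_timeline(samples)
    return timeline, detect_skew_shift(timeline)


if __name__ == "__main__":
    tl, shifts = run_demo()
    for i, ppm in enumerate(tl):
        print(f"window {i}: skew {ppm:+.2f} ppm")
    print("skew shift detected at window(s):", shifts)
```

With hourly windows and a reading every five seconds, a few milliseconds of jitter leaves the per-window estimate within a few hundredths of a ppm, so a shift of 1.5 ppm between windows stands out clearly; shorter windows or coarser timestamps widen the error bars, which is the usual trade-off when deciding how much timestamp exposure is tolerable.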
I’m sure we’ll see evasion techniques, exception cases and "debunking the myth" posts pile up, but Mr. Murdoch sure made me scratch my head in amazement. Maybe I’m just simple folk, but I think it’s really neat.
Next thing you know it’ll detect operator arousal after downloading pr0n! I can tell you one thing, it’s pretty damned easy to fingerprint a MacBook Pro w/Core Duo processors…it heats my living room on a cold day and burns the hair of my thighs if I try to use it like a laptop…