Unspoofable Device Identity Using Flash Memory

Slashdot links to a Security Week article about some fascinating research into using the near impossible to replicate pattern of errors in NAND flash memory to uniquely identify a device. The author at Security Week, Markus Jakobsson, very cannily likens this to the trusted computing modules with which Intel and others experimented a few years back.

In 1998, Intel announced the introduction of processor identities. Anti-fraud practitioners celebrated, security experts busied themselves thinking of the research implications, and privacy advocates were terrified.

In the end, Intel cancelled the processor identity plans. Unfortunately, I would say, given how fraud has mushroomed. As a result, machines are identified in other ways – but not so well.

He overlooks what I think was the stronger driver behind these earlier efforts. There are good uses of trusted computing, ones that augment a user’s control and capabilities. But it was the promise of much stronger DRM to extend control by content makers into consumers’ computers that seemed to animate the original efforts. This new method is passive, thankfully, so should place more control with the owner of the device, even if the idea that the identity produced is nearly impossible to mask. One would hope it would better serve user empowerment over outside control.

Another implication that the article doesn’t explore is how this might affect the state of play with behavioral tracking online. Again, requiring software to expose the fingerprint means it is more likely that a user would have to actively allow identification. But how many malware plagues are unleashed en masse because of a simple promise of some digital goodies in exchange for one little browser plugin install?

My final thought is how this is so strikingly similar to a couple of other stories I’ve read recently. Those dealt with the unique noise introduced by power transmission into recordings and other applications. Together with this work I think it points to an emerging trend where more capabler sensing and analysis is teasing out some latent qualities, for good or ill, in what was formerly deemed mere noise.

Unspoofable Device Identity Using Flash Memory, Slashdot