Signal spoofing

Signal spoofing is the deliberate forgery or alteration of browser and device signals to mislead fingerprinting and fraud detection systems. Attackers intercept or override web API responses to return synthetic values that impersonate a different device, browser, or user profile, with the goal of evading identification or minting fresh identities.

Individual signals are relatively easy to spoof in isolation: a script can override a single API to return an arbitrary value. The fundamental challenge for attackers is that a complete fingerprint draws from many independent subsystems simultaneously, and the values across those subsystems must be mutually consistent. A device that reports a high-end GPU renderer but produces audio output typical of a software audio stack, or claims a Windows platform while exhibiting macOS font metrics, contains contradictions that a genuine device would never produce.

Cross-signal consistency analysis exploits this difficulty. Rather than trusting each signal in isolation, it compares groups of signals that should agree if the hardware profile is genuine. Inconsistencies raise a spoofing suspicion score independently of whether any individual signal value is itself implausible.

In doorman-benny

doorman-benny surfaces spoofing evidence through `consistency.spoofLikelihood` (low, medium, or high), derived from cross-signal consistency checks that measure how well the reported signals agree with each other across hardware, platform, and rendering subsystems.

Consistency scoring (docs)

Frequently asked questions

What signals are most commonly spoofed?

User-agent strings, screen resolution, and time zone are the simplest to override and are commonly targeted. More sophisticated spoofing also targets canvas output, WebGL renderer strings, and platform identifiers. The harder the signal is to fabricate consistently, the more useful it is for detection.

How does consistency scoring detect spoofing?

Consistency scoring compares pairs or groups of signals that should correlate on a genuine device. For example, a claimed GPU renderer implies certain capability limits; a platform claim implies certain font rendering characteristics. When these expected correlations break down, the session receives a higher spoofing suspicion.
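The correlation checks described above can be sketched as a small rule set run over an already-collected signal snapshot. This is an added example, not doorman-benny's code: the field names, the three rules, the font map, the texture-size floor and the low/medium/high cut-offs are all assumptions, and detected font families stand in for font metrics.

```javascript
// Added illustration. Field names, rules and thresholds are assumptions,
// not doorman-benny's implementation. Desktop Windows/macOS profiles only.
const osFromUserAgent = (ua) =>
  /Windows NT/.test(ua) ? "windows" : /Mac OS X/.test(ua) ? "macos" : "unknown";
const osFromPlatform = (p) =>
  /^Win/.test(p) ? "windows" : /^Mac/.test(p) ? "macos" : "unknown";

// Constructed map: font families assumed to ship with exactly one desktop OS.
const FONT_OS = new Map([["Segoe UI", "windows"], ["Helvetica Neue", "macos"]]);

const RULES = [
  { id: "ua-vs-platform", // user-agent OS token must match navigator.platform
    broken: (s) => {
      const a = osFromUserAgent(s.userAgent), b = osFromPlatform(s.platform);
      return a !== "unknown" && b !== "unknown" && a !== b;
    } },
  { id: "platform-vs-fonts", // fonts bundled with another OS contradict the claim
    broken: (s) => {
      const os = osFromPlatform(s.platform);
      return os !== "unknown" &&
        s.fonts.some((f) => FONT_OS.has(f) && FONT_OS.get(f) !== os);
    } },
  { id: "gpu-vs-limits", // discrete-GPU name with a low texture limit (assumed floor)
    broken: (s) => /NVIDIA|Radeon/i.test(s.webglRenderer) && s.maxTextureSize < 8192 },
];

// Count broken correlations; no single value is judged on its own.
function scoreConsistency(signals) {
  const broken = RULES.filter((r) => r.broken(signals)).map((r) => r.id);
  const spoofLikelihood =
    broken.length === 0 ? "low" : broken.length === 1 ? "medium" : "high";
  return { spoofLikelihood, broken };
}

// Constructed samples, not captured data. Every value in `spoofed` is
// plausible in isolation; only the combinations contradict each other.
const genuine = {
  userAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", platform: "Win32",
  fonts: ["Segoe UI", "Arial"], webglRenderer: "ANGLE (NVIDIA GeForce)",
  maxTextureSize: 16384,
};
const spoofed = { ...genuine, fonts: ["Helvetica Neue", "Arial"], maxTextureSize: 4096 };

console.log(scoreConsistency(genuine), scoreConsistency(spoofed));
```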

Can spoofing be completely undetectable?

In practice, no. The more signals a fingerprinting system reads, the harder it is to spoof all of them coherently in real time. Attackers who successfully spoof one layer, such as GPU identity, often leave inconsistencies in another, such as audio behaviour or rendering precision, that consistency analysis can surface.