In a new paper for IEEE Security, a trio of researchers (two from Cambridge, one from private industry) identify a de-anonymizing attack on Iphones that exploits minute differences in sensor calibration: an Iphone user who visits a webpage running the attack code can have their phone uniquely identified in less than a second, through queries to the sensors made through automated background processes running on the page.
The researchers reported their attack to Apple in advance of their disclosure and Apple has patched the vulnerability.
The researchers were subsequently able to run this attack successfully against Google's flagship Pixel 2 and Pixel 3 phones (Google is "investigating the issue").
The researchers advise that manufacturers could prevent this class of attacks by rounding off sensor measurements, or by injecting random noise into their reported values.
SENSORID: Sensor Calibration Fingerprinting for Smartphones [Jiexin Zhang, Alastair R. Beresford and Ian Sheret/IEEE Security]
(Image: The Photographer, CC-BY-SA)