In less than one second, a malicious web-page can uniquely fingerprint an Iphone, Pixel 2 or Pixel 3 without any explicit user interaction

In a new paper for IEEE Security, a trio of researchers (two from Cambridge, one from private industry) identify a de-anonymizing attack on Iphones that exploits minute differences in sensor calibration: an Iphone user who visits a webpage running the attack code can have their phone uniquely identified in less than a second, through queries to the sensors made through automated background processes running on the page.

The researchers reported their attack to Apple in advance of their disclosure and Apple has patched the vulnerability.

The researchers were subsequently able to run this attack successfully against Google's flagship Pixel 2 and Pixel 3 phones (Google is "investigating the issue").

The researchers advise that manufacturers could prevent this class of attacks by rounding off sensor measurements, or by injecting random noise into their reported values.

Sensors are an essential component of many computer systems today. Mobile devices are a good example, containing a vast array of sensors from accelerometers and GPS units, to cameras and microphones. Data from these sensors are accessible to application programmers who can use this data to build context-aware applications. Good sensor accuracy is often crucial, and therefore manufacturers often use per-device factory calibration to compensate for systematic errors introduced during manufacture. In this paper we explore anew type of fingerprinting attack on sensor data: calibration fingerprinting. A calibration fingerprinting attack infers the per-device factory calibration data from a device by careful analysisof the sensor output alone. Such an attack does not require direct access to any calibration parameters since these are often embedded inside the firmware of the device and are not directly accessible by application developers. We demonstrate the potential of this new class of attack by performing calibration fingerprinting attacks on the inertial measurement unit sensors found in iOS and Android devices. These sensors are good candidates because access to these sensors does not require any special permissions, and the data can be accessed via both a native app installed on a device and also by JavaScript when visiting a website on an iOS and Android device. We find we are able to perform a very effective calibration fingerprinting attack:our approach requires fewer than 100 samples of sensor data andtakes less than one second to collect and process into a device fingerprint that does not change over time or after factory reset.We demonstrate that our approach is very likely to produce globally unique fingerprints for iOS devices, with an estimated67 bits of entropy in the fingerprint for iPhone 6S devices. In addition, we find that the accelerometer of Google Pixel 2 and Pixel 3 devices can also be fingerprinted by our approach.

SENSORID: Sensor Calibration Fingerprinting for Smartphones [Jiexin Zhang, Alastair R. Beresford and Ian Sheret/IEEE Security]

(via Schneier)

(Image: The Photographer, CC-BY-SA)