A new device fingerprinting technique can track Android and iOS devices across the Internet by using factory-set sensor calibration details that any app or website can obtain without special permissions.
This new technique -- called a calibration fingerprinting attack, or SensorID -- works by using calibration details from gyroscope and magnetometer sensors on iOS; and calibration details from accelerometer, gyroscope, and magnetometer sensors on Android devices.
According to a team of academics from the University of Cambridge in the UK, SensorID impacts iOS devices more than Android smartphones. The reason is that Apple likes to calibrate iPhone and iPad sensors on its factory line, a process that only a few Android vendors are using to improve the accuracy of their smartphones' sensors.
How does this technique work?
"Our approach works by carefully analysing the data from sensors which are accessible without any special permissions to both websites and apps," the research team said in a research paper published yesterday.
"Our analysis infers the per-device factory calibration data which manufacturers embed into the firmware of the smartphone to compensate for systematic manufacturing errors [in their devices' sensors]," researchers said.
This calibration data can then be used as a fingerprint, producing a unique identifier that advertising or analytics firms can use to track a user as they navigate across the internet.
Furthermore, because the calibration sensor fingerprint is the same when extracted using an app or via a website, this technique can also be used to track users as they switch between browsers and third-party apps, allowing analytics firms to get a full view of what users are doing on their devices.
In addition, the technique also does not pose any technical difficulties for the entity that does all the tracking.
"Extracting the calibration data typically takes less than one second and does not depend on the position or orientation of the device," researchers said.
"We have also tried measuring the sensor data at different locations and under different temperatures; we confirm that these factors do not change the SensorID either," they added.
The sensor calibration fingerprint also never changes, even after a factory reset, allowing tracking entities access to an identifier as unique and persistent as an IMEI code.
Further, this type of tracking is also silent and invisible to users. This is because apps or websites accessing sensor calibration details to compute a device's fingerprint don't need any special permission to do so.
Patched in iOS, but not Android
The three-person research team who discovered this new tracking vector said they notified both Apple and Google in August 2018, and December 2018, respectively
Apple patched this issue (CVE-2019-8541) with the release of iOS 12.2 in March this year by adding random noise to the sensor calibration output. This means that starting with iOS 12.2, iPhones and iPads will generate a new fingerprint with every sensor calibration query, making this type of user tracking useless.
Furthermore, to remove any other potential headaches, Apple also removed websites' ability to access motion sensor data from Mobile Safari.
But while Apple was more prompt to fix this issue, Google was not, and only told researchers they would investigate.
This is most likely because iOS devices are more exposed to this type of tracking than Android smartphones, where a large chunk of the ecosystem is made up of low-cost devices that use uncalibrated motion sensors.
According to the research team, the tracking method they discovered was, indeed, more dangerous to Apple devices, mainly because of device homogeneity and Apple's tendency to ship higher-quality handsets with very precise (calibrated) motion sensors.
However, similar top-range Android smartphones were also vulnerable. During their tests, researchers said their technique successfully generated sensor calibration fingerprints for Pixel 2 and Pixel 3 devices.
More details about this research are available in a whitepaper titled "SensorID: Sensor Calibration Fingerprinting for Smartphones," that was presented yesterday at the IEEE Symposium on Security and Privacy 2019 (IEEE S&P'19).
A demo page where users can see if their device is vulnerable and generate a sensor calibration fingerprint is also available.
More vulnerability reports:
- Windows 10 zero-day exploit code released online
- Google to replace faulty Titan security keys
- A large chunk of Ethereum clients remain unpatched
- Intel CPUs impacted by new Zombieload side-channel attack
- Patch status for the new MDS attacks against Intel CPUs
- Root account misconfigurations found in 20% of top 1,000 Docker containers
- KRACK attack: Here's how companies are responding CNET
- Top 10 app vulnerabilities: Unpatched plugins and extensions dominate TechRepublic