A new fingerprinting technique, developed by a team of University of Cambridge, allows websites to uniquely identify a phone, based on data from the accelerometer, gyroscope, and magnetometer sensors.
Usually web browser provides a range of information to the website, including the name and version of software, screen size, fonts installed, officially in order to provide a better user experience.
However this information can also be used to track users, generating a distinctive signature, or device fingerprint, thact may be used to track users across websites.
Some browsers itself (i.e. Firefox 67) or browser plugins (such us Privacy Badger) allows user to try avoid browser fingerprinting filtering tracking cookies, requests to tracking domains or limiting use of canvas fingerprinting.
This brand new technique, named SensorID has been developed by Jiexin Zhang , Alastair Beresford and Ian Sheret from University of Cambridge: using data from the accelerometer, gyroscope, and magnetometer sensors allow website to create a unique fingerprint of users smartphones.
We have developed a new type of fingerprinting attack, the calibration fingerprinting attack. Our attack uses data gathered from the accelerometer, gyroscope and magnetometer sensors found in smartphones to construct a globally unique fingerprint. Overall, our attack has the following advantages:
- The attack can be launched by any website you visit or any app you use on a vulnerable device without requiring any explicit confirmation or consent from you.
- The attack takes less than one second to generate a fingerprint.
- The attack can generate a globally unique fingerprint for iOS devices.
- The calibration fingerprint never changes, even after a factory reset.
- The attack provides an effective means to track you as you browse across the web and move between apps on your phone.
A PoC (the same used in the video above) is available at https://sensorid.cl.cam.ac.uk/gyroID/:
This proof-of-concept website obtains a hardware identifier for iOS devices based on the calibration information of the gyroscope. This identifier cannot be changed by the user, including with a factory reset. This method works on all iOS devices we have tested that contain a gyroscope.
Extracting the calibration matrix typically takes a few seconds and does not depend on the position or orientation of the device. Vigorous movement during extraction requires additional samples.
This website only works for iOS devices with an M-series motion coprocessor.
How to mitigate this fingerprinting technique?
To mitigate this fingerprint attack, researchers suggest vendors to add an "uniformly distributed random noise to ADC outputs before calibration is applied".
Alternatively, vendors could round the sensor outputs to the nearest multiple of the nominal gain.
This technique was disclosed to Apple on August 2018 and to Google on December 2018.
On iOS 12.2, Apple adopted suggestions and added random noise to the ADC outputs (CVE-2019-8541) and removes access to motion sensors from Mobile Safari by default.
Google is currently still working on a fix.