Researchers at Cambridge University have determined that attackers could use the built-in motion sensors in mobile devices to generate a unique device fingerprint.
Device fingerprinting has been in use for many years. It is the creation of a unique identifier, or fingerprint, through the combination of different bits of information made available by the target device. On desktop computers, this is largely through the browser. On mobile devices it is both through the browser and via apps.
There are some valid reasons for device fingerprinting. For example, the frequency with which a unique device connects or attempts to connect with a website could be indicative of attempted fraud. The primary use of fingerprinting, however, is to track users for marketing purposes, and it is anathema to privacy activists and privacy-conscious vendors.
“A device fingerprint allows websites to detect your return visits or track you as you browse from one website to the next across the Internet,” explains Alastair Beresford, a reader in computer security at the Computer Laboratory and an official fellow at Queens’ College, Cambridge, in an associated blog. “Such techniques can be used to protect against identity theft or credit card fraud, but also allow advertisers to monitor your activities and build a user profile of the websites you visit (and therefore a view into your personal interests).”
The latest version of Firefox (v67) has introduced a fingerprint blocking option. MacOS Mojave came with a Safari version that “presents simplified system information when users browse the web, preventing them from being tracked based on their system configuration.” In theory, it means that fingerprints will not be unique, and therefore of little value.
Earlier this month, Google announced that Chrome “will more aggressively restrict fingerprinting across the web. When a user opts out of third-party tracking, that choice is not an invitation for companies to work around this preference using methods like fingerprinting, which is an opaque tracking technique.”
These browser enhancements have no effect on mobile device apps that compile fingerprints directly from the smartphone and send them back to the vendor. Both iOS and Android attempt to limit this by making access to the required information more difficult. For Android, this is done by forcing developers to ask for user permission to use privacy-sensitive APIs. Apple has been more successful by simply removing developer access to the UDID (Unique Device Identifier) and MAC addresses of hardware modules in iOS 7, and through the privacy-enhanced Safari with iOS 12. At this point, there is no reliable method of fingerprinting up-to-date iOS devices.
This was the challenge accepted (PDF) by researchers from Cambridge University and Polymath Insight Ltd: to find a way to fingerprint iOS devices despite Apple’s protections, one that would also work on Android. They chose to look at the sensors built into all mobile devices. The advantage of the sensors is that they do not require any specific permissions for access, because they are used by a multitude of apps that increase the attractiveness of mobile devices. There have been earlier attempts to generate fingerprints from sensors, but they have not been sufficiently accurate or consistent.
Measuring the output from the sensors doesn’t help, since the very purpose of sensors is to continuously change their output. Direct access to the sensors themselves isn’t possible. But the researchers found that they could infer details of each sensor’s calibration, and calibration is necessary because of minute errors in the sensors themselves.
Mobile device motion sensors are based on micro-electro-mechanical systems (MEMS) with microfabrication to emulate the mechanical parts. This reduces their cost but increases the error rate over optical counterparts. Both deterministic and random errors are introduced during manufacture — random errors from electronic noise interference, and deterministic errors produced by manufacturing imperfections. The deterministic errors are corrected by calibration, often while still in the factory.
In principle, since the minute errors in manufacturing are unique to each device, the calibration details will also be unique. The researchers found they were able to mathematically infer this calibration data through careful analysis of the sensor output alone. They then developed an app that could extract the data in just one second, and found that the process could also be achieved (although not quite so accurately) over the internet if the user visits a prepared webpage.
In technical terms, they found they could obtain about 42 bits of entropy from the gyroscope (which they call the GyroID), and a further 25 bits from the magnetometer (MagID) on an iPhone 6S. Combining the two gives the SensorID, which provides a globally unique fingerprint for the phone. The researchers also found that Google Pixel 2 and Pixel 3 devices could be similarly fingerprinted.
“Extracting the calibration data typically takes less than one second and does not depend on the position or orientation of the device,” explains an associated FAQ. “Vigorous movement during extraction requires additional samples, but the task nevertheless completes within a few hundred samples and takes a few seconds. The exploitation of this vulnerability requires no special permission from the user. This Fingerprinting attack is easy to conduct by a website or an app.”
If the goal of an attacker is to obtain a reliable fingerprint for a mobile phone, it could be achieved by persuading the user to install a doctored app or to visit a compromised web page. The app would be able to extract the fingerprint and send it to the attacker, while the web page would communicate with a remote server under the attacker’s control.
“The idea of a calibration fingerprint attack is widely applicable,” state the researchers. “Although this paper mainly targets the gyroscope and magnetometer found in iOS devices, we anticipate calibration information used in other embedded sensors may also be recovered and used as a fingerprint, and therefore we expect future research will successfully perform calibration fingerprinting attacks on other types of sensor.”
Their recommendation to mitigate this attack is the addition of uniformly distributed random noise to the output of the sensor before any calibration is applied. Apple accepted and adopted their recommendations in version 12.2 of iOS.
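To make the calibration point above and the mitigation concrete, here is a small one-axis simulation. It is an added, constructed example, not the researchers' code and not how any real iOS or Android driver is written. It assumes a simplified calibration model (a per-unit scale factor and bias, no cross-axis terms), a hypothetical nominal resolution `NOMINAL_LSB`, made-up error ranges for `make_device`, and helper names (`sample_calibrated`, `infer_calibration`, `same_fingerprint`) that exist only here. It shows why calibrated output from a quantised sensor leaks the per-unit calibration constants, and why adding uniformly distributed noise before calibration stops that leak.

```python
"""Toy one-axis model of a MEMS gyroscope calibration fingerprint.

Constructed simulation (not the Cambridge team's code). Assumed model:
  raw        = integer ADC count; the sensor quantises at NOMINAL_LSB
  calibrated = SCALE * raw * NOMINAL_LSB + BIAS
where SCALE and BIAS are the deterministic manufacturing errors that factory
calibration corrects, and so are unique to each unit.
"""
import random
from typing import List, Tuple

NOMINAL_LSB = 0.0625  # hypothetical nominal resolution, deg/s per count
Device = Tuple[float, float]  # (scale, bias)
Estimate = Tuple[float, float, int]  # (scale_est, bias_est, distinct_values)


def make_device(seed: int) -> Device:
    """A unit with its own (assumed) gain error and zero offset."""
    rng = random.Random(seed)
    scale = 1.0 + rng.uniform(-0.03, 0.03)  # roughly +/-3 % gain error (assumed)
    bias = rng.uniform(-0.02, 0.02)          # offset below half a step (assumed)
    return scale, bias


def sample_calibrated(device: Device, n: int, seed: int,
                      noise_lsb: float = 0.0) -> List[float]:
    """What an app or web page sees: n calibrated readings.

    noise_lsb > 0 models the recommended mitigation: uniform random noise of
    that many LSB is added to the raw reading BEFORE calibration is applied.
    """
    scale, bias = device
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        raw = rng.randint(-40, 40)  # constructed: small motion around rest
        value = raw * NOMINAL_LSB
        if noise_lsb > 0:
            value += rng.uniform(-noise_lsb / 2, noise_lsb / 2) * NOMINAL_LSB
        out.append(scale * value + bias)
    return out


def infer_calibration(samples: List[float]) -> Estimate:
    """Estimate (scale, bias) from calibrated output alone.

    Without noise the outputs lie on a lattice with spacing SCALE*NOMINAL_LSB,
    so the smallest gap between distinct values reveals SCALE, and the residue
    of any sample modulo that spacing reveals BIAS. The distinct-value count
    shows how much lattice structure survives.
    """
    distinct = sorted(set(samples))
    step = min(b - a for a, b in zip(distinct, distinct[1:]))
    scale_est = step / NOMINAL_LSB
    v = samples[0]
    bias_est = v - round(v / step) * step
    return scale_est, bias_est, len(distinct)


def same_fingerprint(a: Estimate, b: Estimate, tol: float = 1e-6) -> bool:
    """Do two (scale, bias) estimates agree within tolerance?"""
    return abs(a[0] - b[0]) < tol and abs(a[1] - b[1]) < tol


if __name__ == "__main__":
    dev_a, dev_b = make_device(1), make_device(2)
    a1 = infer_calibration(sample_calibrated(dev_a, 2000, seed=10))
    a2 = infer_calibration(sample_calibrated(dev_a, 2000, seed=11))
    b1 = infer_calibration(sample_calibrated(dev_b, 2000, seed=12))
    a_noisy = infer_calibration(sample_calibrated(dev_a, 2000, seed=13, noise_lsb=1.0))
    print("device A true (scale, bias):", dev_a)
    print("two sessions on A:", a1[:2], a2[:2], "match:", same_fingerprint(a1, a2))
    print("device B:", b1[:2], "matches A:", same_fingerprint(a1, b1))
    print("A with pre-calibration noise:", a_noisy[:2], "distinct values:", a_noisy[2])
```

Run as a script, the unpatched case gives the same (scale, bias) pair from two independent sessions on device A and a different pair for device B, which is exactly what makes the calibration usable as a stable fingerprint. With one LSB of uniform noise injected before calibration, every reading becomes a distinct real value, the lattice spacing can no longer be measured, and the estimate collapses to noise.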