SensorID

Sensor Calibration Fingerprinting for Smartphones


@inproceedings{zhang2019sensorid,
    author = {Zhang, Jiexin and Beresford, Alastair R. and Sheret, Ian},
    title = {SensorID: Sensor Calibration Fingerprinting for Smartphones},
    booktitle = {Proceedings of the 40th IEEE Symposium on Security and Privacy (SP)},
    year = {2019},
    month = {May},
    publisher = {IEEE}
}
      

Background

When you visit a website, your web browser provides a range of information to the website, including the name and version of your browser, screen size, fonts installed, and so on. Ostensibly, this information allows the website to provide a great user experience. Unfortunately this same information can also be used to track you. In particular, this information can be used to generate a distinctive signature, or device fingerprint, to identify you.

A device fingerprint allows websites to detect your return visits or track you as you browse from one website to the next across the Internet. Such techniques can be used to protect against identity theft or credit card fraud, but also allow advertisers to monitor your activities and build a user profile of the websites you visit (and therefore a view on your personal interests). Browser vendors have long worried about the potential privacy invasion from device fingerprinting and have included measures to prevent such tracking. For example, on iOS, the Mobile Safari browser uses Intelligent Tracking Prevention to restrict the use of cookies, prevent access to unique device settings, and eliminate cross-domain tracking.


Calibration Fingerprinting Attack

We have developed a new type of fingerprinting attack, the calibration fingerprinting attack. Our attack uses data gathered from the accelerometer, gyroscope and magnetometer sensors found in smartphones to construct a globally unique fingerprint. Overall, our attack has the following advantages:

  • The attack can be launched by any website you visit or any app you use on a vulnerable device without requiring any explicit confirmation or consent from you.
  • The attack takes less than one second to generate a fingerprint.
  • The attack can generate a globally unique fingerprint for iOS devices.
  • The calibration fingerprint never changes, even after a factory reset.
  • The attack provides an effective means to track you as you browse across the web and move between apps on your phone.

* Following our disclosure, Apple has patched this vulnerability in iOS 12.2.


Presentation

We will present this work on 21st May at the IEEE Symposium on Security and Privacy 2019 (IEEE S&P'19).




Generate your gyroscope fingerprint online

If you have an iPhone or iPad running iOS 12.1 or earlier, you can use our gyroscope fingerprinting demo to find out your GyroID.


Q&A

Am I affected by the attack?

You are affected by this fingerprinting attack if you are using any iOS device with an iOS version below 12.2, including the latest iPhone XS, iPhone XS Max, and iPhone XR. You are also likely to be affected if you are using a Pixel 2/3 device, although we hypothesise the generated fingerprint has less entropy and is unlikely to be globally unique. A SensorID can be generated by both apps and mobile websites and requires no user interaction.

How can I protect myself from this attack?

If you are using an iOS device, please update the system to iOS 12.2 to protect against this attack.

What is sensor calibration?

Motion sensors used in modern smartphones, including the accelerometer, gyroscope, and magnetometer, are based on MEMS (Micro-Electro-Mechanical Systems) technology and use microfabrication to emulate the mechanical parts found in traditional sensor devices. MEMS sensors are usually less accurate than their optical counterparts due to various types of error. In general, these errors can be categorized as deterministic and random. Sensor calibration is the process of identifying and removing the deterministic errors from the sensor.

How does the sensor calibration fingerprinting attack work?

Our approach works by carefully analysing the data from sensors which are accessible without any special permissions to both websites and apps. Our analysis infers the per-device factory calibration data which manufacturers embed into the firmware of the smartphone to compensate for systematic manufacturing errors. This calibration data can then be used as the fingerprint.

We found that the gyroscope and magnetometer on iOS devices are factory calibrated and the calibration data differs from device to device. In addition, we found that the accelerometer of Google Pixel 2 and Pixel 3 can also be fingerprinted by our approach.

Extracting the calibration data typically takes less than one second and does not depend on the position or orientation of the device. Vigorous movement during extraction requires additional samples, but the task nevertheless completes within a few hundred samples and takes a few seconds. The exploitation of this vulnerability requires no special permission from the user. This fingerprinting attack is easy for a website or an app to conduct.

Is the calibration fingerprint globally unique for iOS devices?

In general, it is difficult to create a unique fingerprint for iOS devices due to strict sandboxing and device homogeneity. However, we demonstrated that our approach can produce globally unique fingerprints for iOS devices from an installed app -- around 67 bits of entropy for the iPhone 6S. Calibration fingerprints generated by a website are less unique (~42 bits of entropy for the iPhone 6S), but they are orthogonal to existing fingerprinting techniques and together they are likely to form a globally unique fingerprint for iOS devices.

Why do manufacturers use factory calibration?

In the context of mobile devices, the main benefit of per-device calibration is that it allows more accurate attitude estimation. By contrast, sensors embedded in low-cost smartphones are usually poorly calibrated due to the high cost and complexity of factory calibration. For an individual manufacturer, the choice of sensor calibration is, therefore, an engineering trade-off.

What is SensorID?

We define the SensorID as a combination of distinctive sensor calibration fingerprints. In the case of iOS devices, the SensorID includes both the calibration fingerprint of the gyroscope (GyroID) and magnetometer (MagID). In the case of Google Pixel 2 and 3, the SensorID includes the calibration fingerprint of the accelerometer (AccelID).

Is SensorID correlated with the manufacturing batch?

We collected gyroscope data from 25 iOS devices in an Apple Store. Some of these devices have similar serial numbers, which suggests they may come from the same manufacturing batch. However, the SensorID of these devices differs significantly.

Will SensorID ever change?

We have not observed any change in the SensorID of our test devices in the past half year. Our dataset includes devices running iOS 9/10/11/12. We have tested compass calibration, factory reset, and updating iOS (up until iOS 12.1); the SensorID always stays the same. We have also tried measuring the sensor data at different locations and under different temperatures; we confirm that these factors do not change the SensorID either.

Can privacy-enhanced browsers protect me from this attack?

If users are using an iOS version before 12.2 or an Android device with factory calibrated sensors, both mainstream browsers (Safari, Chrome, Firefox, and Opera) and privacy-enhanced browsers (Brave and Firefox Focus) are vulnerable to this calibration-based fingerprinting attack, even with the fingerprinting protection mode turned on.

Has this been abused in the wild?

We don't know. However, a study shows that motion sensor data is accessed by 2,653 of the Alexa top 100K websites, including more than 100 websites exfiltrating motion sensor data to remote servers. This is troublesome since it is likely that the SensorID can be calculated with exfiltrated data, allowing retrospective device fingerprinting.

Can we conduct the same attack to fingerprint the accelerometer on iOS devices?

This fingerprinting attack does not directly apply to the accelerometer on iOS devices.

Can we conduct the same attack to fingerprint other Android devices?

We have found that the accelerometer in Google Pixel 2 and Pixel 3 can be fingerprinted by our calibration fingerprinting attack. It is possible that some other Android devices are also factory calibrated and thus can be fingerprinted. However, we only have data from a few Android device models; the Android device models we have tested, apart from Google Pixel 2 and 3, cannot be fingerprinted using our approach.

How did vendors respond to this attack?

We followed a coordinated disclosure procedure and reported this vulnerability to Apple on 3rd August 2018. On iOS 12.2, Apple adopted our suggestion and added random noise to the ADC outputs (CVE-2019-8541). Apple also removed access to motion sensors from Mobile Safari by default. This vulnerability was disclosed to Google on 10th December 2018. Google has contacted us and is investigating this issue.

How to mitigate this fingerprinting attack?

To mitigate this calibration fingerprinting attack, vendors can add uniformly distributed random noise to ADC outputs before calibration is applied. Alternatively, vendors could round the sensor outputs to the nearest multiple of the nominal gain. Please refer to our paper for more details. In addition, we recommend that privacy-focused mobile browsers add an option to disable access to motion sensors via JavaScript. This could help protect Android devices and iOS devices that no longer receive updates from Apple.
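The two vendor-side mitigations above, shown on a simplified model (an added example, not code from the paper or its authors). It assumes a one-axis sensor whose output is a per-device gain multiplied by an integer ADC count; the gain values, the ADC readings and the one-step-wide noise range are constructed for illustration.

```python
import random

NOMINAL_GAIN = 0.061                       # constructed nominal gain (units per ADC count)
DEVICE_GAINS = {"A": 0.0612, "B": 0.0607}  # constructed per-device factory gains
ADC_COUNTS = list(range(-500, 500, 7))     # constructed integer ADC readings

def calibrate(adc_values, gain):
    """Apply the per-device factory gain to (possibly noised) ADC values."""
    return [gain * a for a in adc_values]

def add_adc_noise(adc_counts, rng):
    """Mitigation 1: uniform noise, one ADC step wide, added before calibration."""
    return [a + rng.uniform(-0.5, 0.5) for a in adc_counts]

def round_to_nominal(outputs, nominal=NOMINAL_GAIN):
    """Mitigation 2: snap calibrated outputs to multiples of the nominal gain."""
    return [round(x / nominal) * nominal for x in outputs]

def on_grid(outputs, step, tol=1e-6):
    """True when every output is an integer multiple of `step`."""
    return all(abs(x / step - round(x / step)) < tol for x in outputs)

def grid_report(seed=1):
    """For each device, report which grid its outputs sit on under each pipeline."""
    rng = random.Random(seed)
    report = {}
    for name, gain in DEVICE_GAINS.items():
        raw = calibrate(ADC_COUNTS, gain)
        noised = calibrate(add_adc_noise(ADC_COUNTS, rng), gain)
        rounded = round_to_nominal(raw)
        report[name] = {
            # Unmitigated: the output spacing equals the device-specific gain.
            "raw_on_device_grid": on_grid(raw, gain),
            # Noise before calibration breaks the device-specific spacing.
            "noised_on_device_grid": on_grid(noised, gain),
            # Rounding moves every device onto the same nominal spacing.
            "rounded_on_device_grid": on_grid(rounded, gain),
            "rounded_on_nominal_grid": on_grid(rounded, NOMINAL_GAIN),
            # Accuracy cost of rounding: at most half the nominal gain.
            "max_rounding_error": max(abs(r - x) for r, x in zip(rounded, raw)),
        }
    return report

if __name__ == "__main__":
    for device, result in grid_report().items():
        print(device, result)
```

In this model the unmitigated outputs of each device sit on a grid whose spacing is that device's own gain, while both mitigated pipelines remove that device-specific spacing.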

Where to find more information?

Please refer to our paper for more details.


Press Coverage

  • 9to5Google: Sensor calibration attack can track Android devices using sensor data, iPhone patched in March
  • AppleInsider: iOS exploit closed in iOS 12.2 let websites use motion sensors to 'fingerprint' devices
  • Boing Boing: In less than one second, a malicious web-page can uniquely fingerprint an Iphone, Pixel 2 or Pixel 3 without any explicit user interaction
  • CDRinfo: Researchers Demonstrate How iPhones And Some Android Phones Can Be Tracked Online Using Sensor Data
  • Dark Reading: Mobile Exploit Fingerprints Devices with Sensor Calibration Data
  • Forbes: All iPhones And Some Android Phones Are Vulnerable To A New Device Fingerprinting Attack
  • GadgetNewsUpdate: Android and iOS devices impacted by new sensor calibration attack
  • Inc.com: A New Security Vulnerability Means iPhone and Android Users Could Be Tracked Everywhere They Go Online
  • Naked Security: Your phone's sensors could be used as a cookie you can’t delete
  • Packt: SENSORID attack: Calibration fingerprinting that can easily trace your iOS and Android phones, study reveals
  • SecurityWeek: Attackers Could Use Mobile Device Sensors to Generate Unique Device Fingerprint: Research
  • TechNadu: Calibration Fingerprinting Attack Ends All Notions of User Privacy in Smartphones
  • The Register: iPhone gyroscopes, of all things, can uniquely ID handsets on anything earlier than iOS 12.2
  • Threatpost: Calibration Attack Drills Down on iPhone, Pixel Users
  • ZDNet: Android and iOS devices impacted by new sensor calibration attack

Contact

Computer Laboratory
University of Cambridge
15 JJ Thomson Avenue
Cambridge CB3 0FD


Acknowledgement

Stan (Jiexin) Zhang is supported by the China Scholarship Council. Alastair Beresford is partly supported by The Boeing Company and EPSRC under Grant No. EP/M020320/1. The opinions, findings, and conclusions or recommendations expressed are those of the authors and do not necessarily reflect those of the funders.