Sensor calibration attack can track Android devices using sensor data, iPhone patched in March

Damien Wilde | May 23 2019 - 7:36 am PT

A research paper has uncovered a sensor calibration attack that is capable of pulling device data and can track Android and iPhone handsets across the internet almost instantly — without any user interaction or input.

The team made up of researchers at the University of Cambridge and private security firm Polymath Insight found a de-anonymizing exploit that is able to distinguish minute differences in device sensor calibration to extract precise device data all without any user input (via ZDNet).

The attack runs code when a user visits a webpage, sending queries to the actual device sensors via automated background processes that run when the page is loaded. The overall process is said to take a second and was tested on Google Pixel 2 and Pixel 3 handsets.

A brand new technique, the sensor calibration attack is able to utilize calibration details from Android and iPhone gyroscope, magnetometer, and accelerometer sensors. This calibration process can be used as a unique device ‘fingerprint’, that can be used to track devices across browsers and even third-party applications.

It is such a successful exploit because Apple and most Android device manufacturers often use per-device factory calibration to compensate for systematic errors introduced during manufacture. Application programmers need access to these sensors and data to build context-aware applications with greater accuracy for the end user.

The sensor calibration fingerprint also never changes, no matter if you factory reset your iPhone or Android device. This would allow the attacker to track individual device IMEI codes and more.

In this paper, we explore a new type of fingerprinting attack on sensor data: calibration fingerprinting. A calibration fingerprinting attack infers the per-device factory calibration data from a device by careful analysis of the sensor output alone.

Such an attack does not require direct access to any calibration parameters since these are often embedded inside the firmware of the device and are not directly accessible by application developers.

We demonstrate the potential of this new class of attack by performing calibration fingerprinting attacks on the inertial measurement unit sensors found in iOS and Android devices.

These sensors are good candidates because access to these sensors does not require any special permissions, and the data can be accessed via both a native app installed on a device and also by JavaScript when visiting a website on an iOS and Android device.

We find we are able to perform a very effective calibration fingerprinting attack: our approach requires fewer than 100 samples of sensor data and takes less than one second to collect and process into a device fingerprint that does not change over time or after a factory reset.

We demonstrate that our approach is very likely to produce globally unique fingerprints for iOS devices, with an estimated 67 bits of entropy in the fingerprint for iPhone 6S devices. In addition, we find that the accelerometer of Google Pixel 2 and Pixel 3 devices can also be fingerprinted by our approach.

All of this exploit information was passed over to both Apple and Google in August and December 2018, respectively. Google has stated that it is “investigating the issue”. The research team has stated that device manufacturers can plug this gaping security hole by rounding off sensor measurements, or injecting random figures into reported values so that the data is obscured.

Apple patched the exploit with the release of iOS 12.2 way back in March 2019. They did so by adding noise to the sensor calibration output to obscure individual device fingerprints, making its devices unable to be tracked via this attack. Apple also removed websites’ ability to access motion sensor data from the stock Safari browser.

Conversely, Google has yet to issue a fix for this sensor calibration attack on Android devices. It’s worth noting that not all Android devices are affected simply due to cost. A large proportion of the Android ecosystem is made up of low-cost handsets that lack calibrated motion sensors.

That said, the research team found that Google Pixel 2 and Pixel 3 devices were directly affected after tests. Many other high-end Android phones with calibrated motion sensors will also likely be affected.

It’s impossible to remove the sheer array of sensors from computer and smartphone systems across the board, so a workaround like this might be one of the most basic of solutions. Any sensor calibration attack would also be completely invisible to users because apps or websites don’t need special permissions to access sensor calibration data.

You can read further details and the full research paper titled SensorID: Sensor Calibration Fingerprinting for Smartphones. You can check if your device is affected or vulnerable to the exploit via this link.

Add 9to5Google to your Google News feed.

FTC: We use income earning auto affiliate links. More.