Submitted by Jonathan Goddard on Mon, 20/05/2019 - 14:27
When you visit a website, your web browser provides a range of information to the website, including the name and version of your browser, screen size, fonts installed, and so on. Ostensibly, this information allows the website to provide a great user experience. Unfortunately this same information can also be used to track you. In particular, this information can be used to generate a distinctive signature, or device fingerprint, to identify you.
A device fingerprint allows websites to detect your return visits or track you as you browse from one website to the next across the internet. Such techniques can be used to protect against identity theft or credit card fraud, but also allow advertisers to monitor your activities and build a user profile of the websites you visit (and therefore a view on your personal interests). Browser vendors have long worried about the potential privacy invasion from device fingerprinting and have included measures to prevent such tracking. For example, on iOS, the Mobile Safari browser uses Intelligent Tracking Prevention to restrict the use of cookies, prevent access to unique device settings, and eliminate cross-domain tracking.
Researchers at the Department of Computer Science and Technology have developed a new type of fingerprinting attack, the calibration fingerprinting attack. The attack uses data gathered from the accelerometer, gyroscope and magnetometer sensors found in smartphones to construct a globally unique fingerprint. The attack can be launched by any website you visit or any app you use on a vulnerable device without requiring any explicit confirmation or consent from you. The attack takes less than one second to generate a fingerprint which never changes, even after a factory reset. This attack therefore provides an effective means to track you as you browse across the web and move between apps on your phone.
The team working on this project includes Jiexin Zhang and Alastair Beresford. Their approach works by carefully analysing the data from sensors which are accessible without any special permissions to both websites and apps. The analysis infers the per-device factory calibration data which manufacturers embed into the firmware of the smartphone to compensate for systematic manufacturing errors. This calibration data can then be used as the fingerprint.
In general, it is difficult to create a unique fingerprint for iOS devices due to strict sandboxing and device homogeneity. However, the study demonstrated that their approach can produce globally unique fingerprints for iOS devices from an installed app -- around 67 bits of entropy for the iPhone 6S. Calibration fingerprints generated by a website are less unique (~42 bits of entropy for the iPhone 6S), but they are orthogonal to existing fingerprinting techniques and together they are likely to form a globally unique fingerprint for iOS devices. Apple adopted the researchers’ proposed mitigations in iOS 12.2 for apps (CVE-2019-8541) and removed access to motion sensors from Mobile Safari by default.
The team will present this work on 21st May at IEEE Symposium on Security and Privacy 2019 (IEEE S&P’19). For more details, please visit the SensorID website and read the paper.
