Schneier on Security
A blog covering security and security technology.
October 18, 2013
Identifying Cell Phones Through Sensor Imperfections
There seems to be a bunch of research into uniquely identifying cell phones through unique analog characteristics of the various embedded sensors. These sorts of things could replace cookies as surveillance tools.
Slashdot and MetaFilter threads.
Posted on October 18, 2013 at 6:37 AM
• 7 Comments
Disabled identifier with NoScript Firefox plugin :P
Intent MAC access control (SEAndroid) will prevent any app trying to get at the accelerometer and mic, and be careful what apps you download, look at permissions though I suspect all apps will have this spyware soon. Radio noise fingerprint sounds impossible to defend against though my phone is being tower and wifi AP tracked anyways right now. Maybe an app that generates random small transmissions to throw it off, or airplane mode when not in use.
In a forthcoming paper for George Washington Law Review, Calo argues that if companies like Facebook and Google offered users paid options, like Pandora does, it would encourage these businesses to improve service for their users, rather than for their advertisers — or “reorient the consumer from being a product to being a client.”
I see them abiding by that already. Like "give us your money and still be tracked". Maybe I'm just too pessimistic though.
If you have the docs I think you have, you already know about the fingerprinting being done at that level. Just how foxacid enumerates the browser, variations enumerate everything from voiceprints to IMEI numbers. Cookies are so 90's.
Sensors might become more relevant if people start actively doing IMEI spoofing or similar though; right now they are mostly a parlor trick.
It seems to me that identification of devices, such as cell phones, is reminiscent of the GUID that Microsoft introduced to identify Windows computers (even though a CPU serial number was available). It turns out that my computers have their serial numbers built-in somewhere (I just had a computer scanned by HP and Intel code to get the configuration information for a problem investigation).
It is also reminiscent of other topics where people can be identified by some physical characteristics, such as ears, walking gait, voice, iris scan, DNA, and oh yes, fingerprints. All may be useful for something, but often these are simply thrown about as FUD.
While characteristics of such things as sensor imperfections may "help" to narrow down a search for some device, or even actually identify such a device, it seems that a lot of sensory data would have to be sent (and stored) every time the device is used so that data is with the content information (txt msg, voice call, email, web access, file transfer, audio/video transmit or playback). I would think the current cell phones ALREADY have a unique identifier, if not more than one, which are infinitely more useful and readily available, rather than depend on a variable factor (physical sensor imperfections) that will change over time with use.
I call this type of device "fingerprinting" FUD.
I’ll make my comment short since we are already into the Friday squid.
1. It appears to me that granting large corporations immunity who then participate with the NSA to spy on US citizens is an uneven application of the law. This “immunity” should be revoked or challenged at the highest levels (in addition to Fourth and First Amendment violations).
2. It seems to me that once big corporations like Yahoo, Google, and Microsoft are in bed with the NSA their employees are being threatened with jail time if said employees violate any NSA secrecy regulations. This is a form of extortion, intimidation, and cyber-bullying. The NSA should be sued for said extortion/bullying.
3. Individuals who use iPhone type of products should be informed about the risks and the amounts of data collected using said iPhone type of products somewhat like the FDA labeling requirements. As it stands most people who use iPhone type products are unaware of the vast amount of information they are giving away. I say this is false advertising and probably fraud. This must be vigorously challenged in court.
This is like how you can track and identify people from photos taken from their digital cameras/cell phones etc. by pixel imperfections like hot pixels which occur on every photo in the same place.
A down sample of the image or remap or replacement of the sensor might enable you to avoid identification or tracking.
It seems rather esoteric given the gamut of options available to the TPTB to fingerprint what device you are using. I know one of the old Symbian browsers used to leak the phone's unique identifier in HTTP request headers. Android apps can request device identifying information and this can even be done without asking for privileges by exploiting the Java VM. It seems that little has been done about this problem and I guess it is expected that the powers that be will exploit it - not to mention industry who would find it useful to use with their DRM. A lot of this is purely academic but when you look at cpuID and Microsoft Windows' anti-piracy efforts (which have been a collective and epic failure) you can only cringe and wonder where we will be in a further ten years. Windows users who choose to use their "windows live" authentication on Windows 8 will already have their PC fingerprinted and linked to their M$ ID no doubt.