Fingerprinting iPhones

This clever attack allows someone to uniquely identify a phone when you visit a website, based on data from the accelerometer, gyroscope, and magnetometer sensors.

We have developed a new type of fingerprinting attack, the calibration fingerprinting attack. Our attack uses data gathered from the accelerometer, gyroscope and magnetometer sensors found in smartphones to construct a globally unique fingerprint. Overall, our attack has the following advantages:

  • The attack can be launched by any website you visit or any app you use on a vulnerable device without requiring any explicit confirmation or consent from you.
  • The attack takes less than one second to generate a fingerprint.
  • The attack can generate a globally unique fingerprint for iOS devices.
  • The calibration fingerprint never changes, even after a factory reset.
  • The attack provides an effective means to track you as you browse across the web and move between apps on your phone.

* Following our disclosure, Apple has patched this vulnerability in iOS 12.2.

Research paper.

Posted on May 22, 2019 at 6:24 AM • 23 Comments

Comments

Sok Puppette • May 22, 2019 7:33 AM

This is why you don't give $!@#$^#@ Web pages access to sensors. Or USB. Or the user's location. Or notifications. Or the ability to change window decorations. Or any of the other moronic stuff the "Web platform" idiots keep adding.

Sitaram Chamarty • May 22, 2019 8:03 AM

@Sok Puppette

I, and some people I know who are equally paranoid, don't even use the browser on the cell phone except for very specific, pre-determined sites. (Yes, those sites *could* do this, but the likelihood of being attacked by arbitrary JS reduces quite a bit.)

I'm not, of course, saying I knew of *this* specific attack. This is the result of just general paranoia.

I wonder how common this is in the audience of this site (it's of course hopeless to ask that for the general population!).

sitaram

Sven • May 22, 2019 8:58 AM

@Sok Puppette:

The website only gets fused data. Apps can therefore be more accurate.

Also the paper states:

> [as of iOS 12.2] Apple also removed access to motion sensors from Mobile Safari by default.

TimH • May 22, 2019 9:04 AM

"The attack can be launched by any website you visit".

Then the paper says ... if JavaScript is enabled. S'not enabled on my phone, and IMHO people are foolish to enable JS on phones and exceptionally foolish to do phone banking.

Petre Peter • May 22, 2019 9:06 AM

If certain features come disabled out of the box [JS, motion sensors], then maybe that's a hint that the features shouldn't exist.

SamS • May 22, 2019 9:45 AM

If the solution is to add "uniformly distributed random noise" to the analog values, then wouldn't you still be able to exploit this vulnerability by averaging more samples to cancel out that noise?

Granted, the phone would probably have to be held perfectly still, e.g. on a table, to get enough stability to punch through the noise over hundreds or thousands of samples, but is this still a potential attack vector?

Denton Scratch • May 22, 2019 11:51 AM

@Sitaram Chamarty

I don't use my phone to browse the web.

But I'm unusual, I think; I bought my Android phone about twelve years ago. It's not much bigger than a pad of Post-Its. A girl at work said "Wow, it's so small!" - not what a chap wants to hear from a lass! All my colleagues had huge fondleslabs that didn't fit in their pockets, that they'd upgraded to in the last few months.

I use it as a - wait for it - mobile phone. And to receive texts. The virtual keyboard is too small for my clumsy fingers, so I rarely send texts. My eyesight has degenerated; I have to fetch my specs out of my bag to see anything on the screen. Typing URLs is just not worth it - the screen is so tiny that viewing a web-page is just hard work. And anyway - as far as I can see, the mobile web sucks - it's impossible to build a site that works nicely with all the different quirks of all the different mobile browsers (it's like the late nineties all over again). Certainly, my antique device doesn't play nicely with websites built for modern mobile browsers.

I rooted this device shortly after acquiring it, and installed CyanogenMod, and then promptly removed or disabled a bunch of pre-installed Google and Faceache spyware. Maps is gone, so Location is disabled. There is a serviceable Satnav in the car, but I don't use the car much, either.

I know I can still be tracked; but more often than not I leave the phone at home (mostly on charge, because the 12-year-old batteries don't hold much charge), and if the snoopers still haven't figured out where my home is, then they're incompetent. I take it out with me if I know I will need to call a taxi or something.

They can probably spy on me by secretly enabling the microphone; but hey, I'm not the Secret Squirrel - all they'll get is me arguing with the missus about what we're having for supper.

@SamS

Yes, that's what I thought. In fact, isn't extracting statistical significance from dirty data the core business activity that the snoopers are engaged in?

Denton Scratch • May 22, 2019 12:04 PM

Oh - and I haven't enabled the near-field payment thingie on this device. I haven't enabled near-field on my debit card either - I mostly pay for groceries and so on with cash. All the students around here are always waving their phones at payment terminals; I thought students were supposed to be intelligent.

Clive Robinson • May 22, 2019 12:07 PM

@ Denton Scratch,

> The virtual keyboard is too small for my clumsy fingers, so I rarely send texts. My eyesight has degenerated; I have to fetch my specs out of my bag to see anything on the screen.

Fat-fingeritis is, as many here will confirm, something I've long suffered from... As for specs, I've got to that age where I dare not take them off, in case I don't remember where I put them down...

It can be a bit embarrassing asking people "can you see my glasses"...

Sed Contra • May 22, 2019 12:55 PM

... wailing fading cry in the infinite distance ... “why can’t somebody pleeeease write a general purpose Who_Wants_To_Know app that oversees all phone communications cations tions ...”

Clive Robinson • May 22, 2019 1:46 PM

@ All,

For many years I've had JavaScript turned off most of the time, likewise cookies.

As I don't do social media or online shopping, the few sites that want them can usually be ignored / worked around by a simple search that even DuckDuck appears to be able to solve (i.e. most content is in more than one place on the Internet).

People used to say, even here, that turning JavaScript etc. off was not a good idea, for reasons unspecified or that were woolly and ill-defined.

However, as people might have noticed, the message is catching on that JavaScript etc. is "bad for your health".

Which is why it's nice to see the above comments from @Sitaram Chamarty, @TimH, and @Petre Peter.

The more people that stop using JavaScript etc., the less likely sites are going to use it to the point it abuses the user's bandwidth, browser, electricity bill and god alone knows what from their personal life.

As for HTML5, personally I think it shows the W3C has been bought and paid for by the likes of Glugle's lobbyists and their checkbooks... The same for the more famous browsers.

Bill • May 22, 2019 3:33 PM

@Clive "can you see my glasses"

Ah yes, the hardest place to find your glasses is when they're on your head... :)

Paul • May 22, 2019 3:48 PM

@Sitaram Chamarty, no no no. JS attacks in the wild are rife. For example, I saw people getting "panelled" almost the way IE6 once was. This at least means a sandbox escape + executable patching to evade the signature check. Google does not want to admit publicly to being pwned embarrassingly often.

And... Googlers finally fixed an XSS on google.com, supposedly recently found, but I myself saw a few injections with redirections, and XSS live on google.com, over the years.

@Sven

> If the solution is to add "uniformly distributed random noise" to the analog values, then wouldn't you still be able to exploit this vulnerability by averaging more samples to cancel out that noise?

Totally, this will not defeat Kalman-like techniques. Moreover, I have no idea how, or even if, it's possible to mangle a sensor signal to the extent that you can beat all fingerprintable information out of it.

"Reverse-Kalman" is not the only family of fingerprint techniques. A coworker of mine, a math PhD, told me that one would have to throttle the gyro signal down to single hertz to make it useless for fingerprinting.

These browser guys don't know much about math. It's near impossible to sanitise this signal. It would've been much better if they had just axed it, and not waited until they have to fix it again after another exploit appears.

I remember arguing with either a Google or a Mozilla engineer to add permission requests to the sensor API back in 2016, but they shot it down with "it's impossible to fingerprint a 60 Hz signal".
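
The question SamS raises above (does averaging cancel added noise?) and Paul's reply (it will not defeat Kalman-like filtering; only a drastically lower rate helps) can both be checked with a few lines of statistics. The following is an added example written for this page, not code from the paper, from Apple's fix, or from any commenter. It constructs a hypothetical still device with a made-up calibration offset, applies a "uniform random noise" mitigation of a chosen amplitude to each reported sample, and measures how fast the plain sample mean (the simplest Kalman-style estimator) converges on the offset. All constants (DEVICE_OFFSET, SENSOR_NOISE_STD, the amplitudes and sample rates) are illustrative assumptions, not values from any real sensor.

```python
"""Added example: how quickly sample averaging cancels a fixed-amplitude
'uniform random noise' mitigation applied to a calibration offset.

Constructed scenario (not the paper's data or Apple's implementation):
DEVICE_OFFSET, SENSOR_NOISE_STD, the noise amplitudes and the sample
rates are made-up illustrative values. Standard library only.
"""
import math
import random
import statistics

# Hypothetical per-device calibration offset (sensor units) that a
# fingerprinting script would try to estimate from reported samples.
DEVICE_OFFSET = 0.0123
# Hypothetical intrinsic measurement noise of the sensor (std. deviation).
SENSOR_NOISE_STD = 0.002


def reported_samples(n, noise_amplitude, seed=0):
    """n samples as a sensor API with the mitigation would report them while
    the device lies still: offset + intrinsic Gaussian noise + mitigation
    noise drawn uniformly from [-noise_amplitude, +noise_amplitude]."""
    rng = random.Random(seed)
    return [
        DEVICE_OFFSET
        + rng.gauss(0.0, SENSOR_NOISE_STD)
        + rng.uniform(-noise_amplitude, noise_amplitude)
        for _ in range(n)
    ]


def estimate_offset(samples):
    """The simplest estimator of the underlying offset: the sample mean."""
    return statistics.fmean(samples)


def theoretical_std_error(n, noise_amplitude):
    """Standard error of the mean of n samples. Uniform noise on [-a, a]
    has variance a**2 / 3; it is independent of the sensor noise, so the
    variances add, and the error of the mean shrinks as 1 / sqrt(n)."""
    per_sample_var = SENSOR_NOISE_STD ** 2 + noise_amplitude ** 2 / 3.0
    return math.sqrt(per_sample_var / n)


def empirical_std_error(n, noise_amplitude, trials=200):
    """Monte Carlo check of theoretical_std_error: spread of the mean
    estimate over independent trials (each trial uses its own seed)."""
    estimates = [
        estimate_offset(reported_samples(n, noise_amplitude, seed=t))
        for t in range(trials)
    ]
    return statistics.pstdev(estimates)


def seconds_until_resolved(noise_amplitude, rate_hz, target_std_error):
    """Observation time before the averaged estimate reaches
    target_std_error at a given reporting rate. This is the figure a
    defender tunes: the mitigation holds only if it exceeds a realistic
    visit, and it grows linearly as the reporting rate drops but only
    quadratically in the noise amplitude."""
    per_sample_var = SENSOR_NOISE_STD ** 2 + noise_amplitude ** 2 / 3.0
    samples_needed = per_sample_var / target_std_error ** 2
    return samples_needed / rate_hz


if __name__ == "__main__":
    amplitude = 0.01  # mitigation noise five times the sensor noise
    print(f"true offset: {DEVICE_OFFSET}")
    for n in (1, 10, 100, 1000, 10000):
        est = estimate_offset(reported_samples(n, amplitude))
        print(f"n={n:6d}  mean={est: .5f}  "
              f"theory_se={theoretical_std_error(n, amplitude):.5f}  "
              f"empirical_se={empirical_std_error(n, amplitude):.5f}")
    # Same noise, two reporting rates: time needed to pin the offset down
    # to a standard error of 0.001 (distinguishing devices whose offsets
    # differ by roughly that much).
    for rate in (60.0, 1.0):
        t = seconds_until_resolved(amplitude, rate, target_std_error=0.001)
        print(f"rate={rate:4.0f} Hz -> {t:8.1f} s of still-device data")
```

Running it shows the mean settling on the constructed offset as the sample count grows, with the empirical spread matching the 1/sqrt(n) prediction; the two `seconds_until_resolved` lines make Paul's point concrete, since dropping the reporting rate from 60 Hz to 1 Hz multiplies the time the mitigation survives by sixty, whereas doubling the noise amplitude only multiplies it by about four.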

RealFakeNews • May 22, 2019 7:40 PM

One question (already covered, but no harm asking again):

WHY DO WEBSITES HAVE ACCESS TO THIS DATA AT ALL?

Would web browser developers please stop being morons, and remove this rubbish???

Knave • May 22, 2019 8:41 PM

@RealFakeNews:

Websites have access to this data because:

A) the web is the (only) universal platform, meaning that given sufficient time an inexorable gravity will make it into a serviceable platform for fully featured applications deliverable zero config on demand

B) hundreds of billions of dollars per year are made from advertising and your personal information

C) the surveillance state

@Schneier:

I stop by only occasionally. Have you looked into the degenerate cesspit sheet-rending Lovecraftian hellscape nightmare terror that is the NPM dependency ecosystem?

Here's a little hint of the indescribable: dependency trees 15+ levels deep.

Knave • May 22, 2019 8:52 PM

@Paul: "I remember arguing with either google or mozilla engineer to add permission requests to sensor API back in 2016, but they shot it down with 'it's impossible to fingerprint a 60hz signal'"

That is barking mad.

Sitaram Chamarty • May 23, 2019 12:09 AM

@Paul

I agree JS attacks are rife. My way of dealing with it is not to browse at all, except for a few very specific sites (less than 5, of which one is my own anyway). I think I'm OK with that level of paranoia :-)

And no, Google is not one of my sites; in fact, until WireGuard stopped working for some reason (I need to look into this; haven't had time) my phone wouldn't even go to most Google properties, because I've blackholed them using dnsmasq on the other side of the WireGuard VPN.

----

I wonder if it would be useful to collect all the wisdom of the people in this forum and put it into some easily digestible form for the non-IT folks to at least begin to understand the problem and have some hope of taking some action on their own, even in relatively small ways.

(Maybe it's been done; if someone knows they maybe can post a URL?)

sitaram

Jon • May 23, 2019 8:03 AM

Solution: Trash the database.

Recall that phone tracking tracks only the phone. The linking of a phone to a person is done elsewhere. Same thing with gait - it is a gait - is it your gait?

So buy a phone at the same time your pals buy phones, and swap phones. Each will be carefully linked to someone - but not you. Both of you pay for the phones, and both of you are somewhere else when someone claims you are somewhere... And both of you have gaits that don't match the phone.

This does take some pre-planning. Exactly what government and organized crime know how to do. Otherwise, it's just another way to nab the stupid. J.

Alyer Babtu • May 23, 2019 10:42 AM

How this fits into the criminal ecosystem, and taking it to the next level. Let the arms race continue!

https://spectrum.ieee.org/tech-talk/telecom/security/digital-doppelgngers-fool-advanced-antifraud-tech

“The doppelgängers on Genesis mimicked authentic digital masks, thereby co-opting cybersecurity techniques to get past fraud-detection protocols. “If there’s machine learning on one side, there’s going to be machine learning on the other,” Malek says. “Now, hackers and bad actors are implementing their own as an exercise of adversarial machine learning.””

James T • May 24, 2019 10:02 AM

@ Sitaram Chamarty,
My intention is not to be rude but Are You $&%*=# kidding me. ;-) Kidding, I am one of the morons of which you speak! Does it stream TV shows or Movies? Does it have a little play Cannon, where you can run around and it looks like you are making things explode? No?! Then most young people have no use for it, in my experience. Not All, but most. Security is hard work, at least for me anyway. Could be from the Word in my second sentence between the _____ of. Six Years ago I thought BIOS was what a person would write just before they died. What is needed is the Machine in the Real Star Trek where they could force information into your Brain! Guess that would open ANOTHER Can of worms. I would use it on myself. I wish I knew how to convince my two "Grown Infants" to take Computer Security seriously. I could use the help. My three Brain cells are in constant battle over who gets to take the next nap. I think there are people in the wild counting on the laziness of people. Nation States are too. I hope I'm wrong about everything!

Jesse Thompson • May 24, 2019 4:54 PM

@Denton Scratch

> I don't use my phone to browse the web.
>
> I use it as a - wait for it - mobile phone. And to receive texts.

Feh. Don't you realize that SS7 is irretrievably broken, so every word you blab can be eavesdropped upon (not to mention all the juice really being in the metadata to begin with) and that even with GPS disabled making and/or receiving telephone calls just guarantees that they can triangulate your position through which towers your phone flirts with and how strongly it connects to each?

Only rookies use their phones to make voice calls and fiddle about with texting.

Now I'm not trying to say that you're being lax with OPSEC or anything, but personally I took apart my phone and used the solder pen to burn out every chip capable of sending or receiving RF signals, as well as every sensor and accelerometer. I snipped the microphone and speaker (which itself is just a lousy microphone with reversed polarity anyway), and the fingerprint scanner as well, so that nobody can grab my biometrics in case they gain physical access.

Then I uploaded a hardened variant of a minimalist mobile OS that only runs the 4 function calculator in kiosk mode. But I had to hack that to disable multiplication and division too, since everybody knows that's just a breeding ground for side channel timing attacks. >:S

Latest Mobile Phones • May 28, 2019 3:13 AM

The fingerprint is very important for every smartphone and iPhone has some of its best sensors in their products. We all need to read this post to make our fingerprinting more secure.
