Researchers at Cambridge University’s Computer Laboratory have developed an insidious fingerprinting attack that allows iOS and Android devices to be tracked across the internet. The attack is simple to execute and virtually impossible to stop without direct intervention from Apple or Google. If you have an iPhone or a Pixel 2 or 3, your phone is vulnerable. Other high-end Android phones may be vulnerable as well.
Websites gather information from browsers that can be used to create a fingerprint for the device you’re using when you visit the website. This fingerprint can then be used to track every website you visit using the same browser on the same device. The researchers developed a method for creating a much more robust device fingerprint that uses data gathered from the sensors in a smart phone. They call it SensorID. The research was presented at the IEEE Symposium on Security and Privacy on May 21. Interested readers can find a non-technical version and FAQ here or the full research paper here.
SensorID
Here’s how SensorIDs are created. Smart phones contain sensors like accelerometers, gyroscopes and magnetometers. These sensors are usually not as accurate as they need to be when they come off the assembly line due to imperfections in the manufacturing process. Device manufacturers calibrate devices by measuring and correcting the errors for each device and encoding the calibration data in the device's firmware. In most cases, the calibration data uniquely identifies the smart phone. The researcher’s attack allows them to infer the calibration data which gives them a fingerprint for the phone.
The attack is almost impossible to stop. The data needed to create the fingerprint is freely available on every website visited or app used by the device. It’s completely unprotected and gaining access does not require any action from the user other than visiting a website or using an app. In most cases, it takes less than a second to create the fingerprint after a website is visited or an app is opened. If the phone is being vigorously moved, fingerprint creation takes a few seconds.
The fingerprint that’s created is also very robust. Typical device fingerprints are based on data gathered from the browser. They can be defeated by switching to a different browser. SensorID is based on data from the sensors which remains unchanged no matter which browser is used at any given time. The researchers determined that Safari, Chrome, Firefox, Opera, Brave and Firefox Focus are all vulnerable to their attack. Fingerprint detection modes do not stop it. A factory reset is also ineffective because the calibration data in the device’s firmware remains unchanged.
SensorID and iPhones
There’s good news and bad news about SensorID and iPhones. First the bad. iPhones are more susceptible than Android phones to SensorID. The main reason is Apple concentrates on the high-end smart phone market and all their phones contain calibrated accelerometers and magnetometers. That means virtually every iPhone has a unique SensorID that can be used to track every website visited and every app used on the device.
Now the good news. The researchers informed Apple about iPhone’s vulnerability to SensorID in August 2018. Apple issued a patch with iOS 12.2 this past March. If you have an iPhone and have not updated to 12.2, it would be a good idea to do so now.
SensorID and Android phones
As with iPhones, there’s good news and bad about SensorID and Android phones. First the good. Android phones are generally less susceptible to attack because many of them are lower level phones that do not have calibrated sensors. The researchers were only able to test a small number of Android phones and, with a notable exception, were unable to create a fingerprint from the phones they tested. Which Android phones passed the test is unknown.
Now the bad news. The researchers demonstrated that a fingerprint can be created from the accelerometer in a Pixel 2 or 3. They informed Google in December 2018 and Google is currently “investigating the issue”. Thus far, Google hasn’t released a patch.
Should you worry?
The researchers know of no cases where the attack they’ve demonstrated has been exploited in the wild. However, they also point out that the sensor data that’s the basis for the attack is easily accessed and is known to be gathered by at least 2,653 of Alexa’s top 100,000 websites.
If you have an iPhone, it’s vulnerable to attack unless you’ve updated to iOS 12.2. If you have a Pixel 2 or 3, it's vulnerable to attack. If you have a different Android phone, there’s not enough data in hand to determine vulnerability one way or the other. Put another way, if you have an iPhone you’re vulnerable but there’s something you can do about it. If you have an Android phone you may or may not be vulnerable but there’s nothing you can do about it.
