phone tracking and fingerprinting through sensor flaws

 

(James Temple @ sfgate) Security researcher Hristo Bojinov demonstrating a method for “fingerprinting” a smart phone through its accelerometer in his Palo Alto office. Credit: Carlos Avila Gonzalez, Chronicle staff photographer. One afternoon late last month, security researcher Hristo Bojinov placed his Galaxy Nexus phone face up on the table in a cramped Palo Alto conference room. Then he flipped it over and waited another beat.

And that was it. In a matter of seconds, the device had given up its “fingerprints.”

Code running on the website in the device’s mobile browser measured the tiniest defects in the device’s accelerometer — the sensor that detects movement — producing a unique set of numbers that advertisers could exploit to identify and track most smartphones.

It turns out every accelerometer is predictably imperfect, and slight differences in the readings can be used to produce a fingerprint (see below for a further explanation). Marketers could use the ID the same way they use cookies — the small files that download from websites to desktops — to  identify a particular user, monitor their online actions and target ads accordingly.

Stale Cookies

It’s a novel approach that raises a new set of privacy concerns: Users couldn’t delete the ID like browser cookies, couldn’t mask it by adjusting app privacy preferences — and wouldn’t even know their device had been tagged.

“I don’t know if it’s been thought of before,” said Dan Auerbach, staff technologist at the Electronic Frontier Foundation. “It’s very alarming.”

Bojinov, a Ph.D. candidate in computer science at Stanford originally from Bulgaria, set out about a year ago with several collaborators at the Stanford Security Lab to test whether it was technically feasible to identify devices using various sensors. Bojinov wanted to make device manufacturers, software designers, policymakers and advocates aware of this potential avenue for tracking, in the hope that the industry would take steps to guard against it.

“People need to consider the whole system when they think about privacy,” Bojinov said.

 

Snooping

Indeed, accelerometers aren’t the only thing to worry about. The Stanford research team, which plans to publish its results in the months ahead, was also able to identify phones using the microphone and speaker. They found they could produce a unique “frequency response curve,” based on how devices play and record a common set of frequencies (see the explanation below).

Meanwhile, a team at the Technical University of Dresden in Germany recently developed a tracking method that exploited variations in the radio signal of cell phones, according to a story in New Scientist. The “collection of components like power amplifiers, oscillators and signal mixers … can all introduce radio signal inaccuracies,” researcher Jakob Hasse explained.

A Wired Opinion article today raises the possibility that the M7 coprocessor in Apple’s new iPhone could create another avenue for data collection.

Asked if this sort of work risks putting ideas into the heads of online advertisers, Bojinov said he’d be surprised if someone in the industry wasn’t already exploring these approaches.

The private sector and U.S. government have repeatedly demonstrated a willingness to make use of mobile phone’s hardware in ways users wouldn’t expect. Apps like Color, Shopkick and IntoNow activated smartphone microphones to detect when people were in the same room, entered a particular store or watched a specific TV show, as Computerworld reported.

Likewise, the FBI has famously flipped on the microphones of investigation targets to eavesdrop on conversations.

Losing the fight

To be sure, the smartphone is already a compromised device for anyone keenly concerned about ad tracking and privacy. Unique users can be identified, for targeting ads and other purposes, through cookies in the mobile browser or unique ID numbers associated with the device or particular apps. In addition, many apps can tap into the phone’s location, contact list, photos and more.

But conscientious users can at least exercise choices to minimize these capabilities — by selecting browsers that block certain tracking cookies by default, like Apple’s Safari, carefully picking apps that are less intrusive and managing which services access certain data.

Fingerprinting devices though the accelerometer and mobile browser, however, could eliminate such control, potentially undermining choice and transparency for the user. That’s what troubles privacy advocates the most.

“The fight to make it easier or harder to identify users is being lost by privacy advocates right now,” EFF’s Auerbach said. “There are a lot of novel techniques that are making it difficult to even know that tracking is even happening, because the fingerprinting is occurring” online rather than on the device itself.

Unlike with cookie files, there are no digital bread crumbs lining the advertiser’s trail.

Ryan Calo, an assistant professor of law focused on privacy at the University of Washington, said these forms of identification are merely the latest examples of broad and long-running trends in online advertising: Every privacy protection tool or ad blocking plug-in is met with new technologies that allow companies to sidestep such controls.

He believes the struggle will only continue as long as there is a misalignment of incentives between companies and consumers. If the core business model of major tech companies is collecting personal data to target ads, they will continue to find ways to do so — limited only by the law or whatever line users themselves draw.

In a forthcoming paper for George Washington Law Review, Calo argues that if companies like Facebook and Google offered users paid options, like Pandora does, it would encourage these businesses to improve service for their users, rather than for their advertisers — or “reorient the consumer from being a product to being a client.”

“I’m increasingly convinced that we need to change the basic incentive structure around tracking,” he said. “Absent that, we’re just going to see an arms race, whether in fingerprinting phones or fingerprinting browsers. If there’s money in identifying individual consumers, and if it’s not specifically illegal, people will do it.”

How it works:

Security researchers at Stanford have discovered methods of “fingerprinting” mobile devices by measuring tiny errors in the sensors, including the accelerometer and microphone. The degree of error is unique to each phone because, despite streamlined industrial processes, no two devices roll off the assembly line functioning in the exact same way.

The variations can be used to create IDs for phones that advertisers, and perhaps law enforcement, could exploit to track the devices.

The accelerometer is a standard sensor in smartphones that measures the acceleration of the device. It’s what enables, among other things, the browser to shift from landscape to vertical, as a user tilts their phone.

If the device is standing still, the accelerometer spits out numbers that represent its position in three-dimensional space.

The researchers wrote a piece of Javascript, a programming language used on many websites, for the Stanford Sensor ID experiment at Sensor-ID.com. It collects data about a phone’s acceleration along the Z-axis, a line straight up and down, running perpendicular to a phone lying on a table.

(Test your own phone by navigating here in your mobile browser.)

When the phone isn’t moving, the accelerometer should only sense the force of gravity. In a perfect world, the number it produces in that scenario would be -1 when the phone is facing up on a table and 1 when it’s facing down.

But it’s not a perfect world — every sensor has tiny defects. So instead, the accelerometer spits out two numbers like 0.0762669283983 and 1.00111302044, figures that in combination are unusual enough to work as a phone identifier.

The graph below shows accelerometer data from 16 devices tested at an Apple Store:

For the sake of the experiment, users have to play along, actively visiting the site and moving the phone as directed. But researcher Hristo Bojinov said a similar script could potentially be inserted invisibly onto any website. They’ve also identified a way to make similar measurements while a phone is bouncing around, say in a purse.

Separately, the researchers succeeded in fingerprinting phones using the microphone. The phone’s speaker plays a series of tones that climb in pitch, beginning below a level audible to humans, as the microphone records them. In this case, the software analyzes the system’s “frequency response curve,” identifying the unique way it plays and records a common set of frequencies.

This 3D graph shows audio frequency response for 16 devices, each in different colors. The devices ran the test three times, so the illustration highlights the persistent pattern for each device as well as the differences between them.

This process is a little more complex than the accelerometer experiment and would require the user to download an app to work. Unlike the accelerometer method, it would also give itself away — since the user could hear the rising tones.

Bojinov, who co-founded the startup Anfacto, collaborated on the sensor experiments with Stanford computer science professor Dan Boneh, fellow Stanford doctoral student Yan Michalevsky and Gabi Nakibly, an adjunct lecturer at the Israel Institute of Technology.

– James Temple