Last minute geek

last minute tech news from around the net

Monday, Sep 16th

Last update11:38:00 PM

You are here: English BoingBoing ibag In less than one second, a malicious web-page can uniquely fingerprint an Iphone, Pixel 2 or Pixel 3 without any explicit user interaction

In less than one second, a malicious web-page can uniquely fingerprint an Iphone, Pixel 2 or Pixel 3 without any explicit user interaction

User Rating: / 0
In a new paper for IEEE Security, a trio of researchers (two from Cambridge, one from private industry) identify a de-anonymizing attack on Iphones that exploits minute differences in sensor calibration: an Iphone user who visits a webpage running the attack code can have their phone uniquely identified in less than a second, through queries to the sensors made through automated background processes running on the page. The researchers reported their attack to Apple in advance of their disclosure and Apple has patched the vulnerability. The researchers were subsequently able to run this attack successfully against Google's flagship Pixel 2 and Pixel 3 phones (Google is "investigating the issue"). The researchers advise that manufacturers could prevent this class of attacks by rounding off sensor measurements, or by injecting random noise into their reported values. Sensors are an essential component of many computer systems today. Mobile devices are a good example, containing a vast array of sensors from accelerometers and GPS units, to cameras and microphones. Data from these sensors are accessible to application programmers who can use this data to build context-aware applications. Good sensor accuracy is often crucial, and therefore manufacturers often use per-device factory calibration to compensate for systematic errors introduced during manufacture. In this paper we explore anew type of fingerprinting attack on sensor data: calibration fingerprinting. A calibration fingerprinting attack infers the per-device factory calibration data from a device by careful analysisof the sensor output alone. Such an attack does not require direct access to any calibration parameters since these are often embedded inside the firmware of the device and are not directly accessible by application developers. Read the rest

Read all
Comment Policy:
We pre-moderate any comments and welcome all kinds of thoughts, supportive, dissenting, critical or otherwise. We delete or censor comments that are:

* abusive
* off-topic
* contain personal attacks, or against any company or organization
* promote hate of any kind
* use excessively foul language
* is blatantly spam or advertising

We do not discriminate based on the person who is posting, and we never censor comments for political or ideological reasons. We never delete an appropriate comment because we disagree with its viewpoint or ideology, and we never publish an inappropriate comment because we agree with or support its viewpoint or ideology.

Attention spammers: we manually approve all comments. Spamming and blatant advertising will NOT be published on this site and is deleted immediately, you've been warned, do not waste your time here.

Add comment

Security code