A new study by researchers at Cambridge University’s Computer Laboratory has revealed that an attack called calibration fingerprinting or SENSORID, allows iOS and Android devices to be tracked across the internet. The researchers stated that this attack is easy to conduct by a website or an app in under 1 second as it requires no special permissions, does not require user interaction, and is computationally efficient.
Yesterday, at the IEEE Symposium on Security and Privacy, the researchers presented a research paper titled “SENSORID: Sensor Calibration Fingerprinting for Smartphones”, that introduces the calibration fingerprinting attack. In this paper, the researchers have demonstrated the effectiveness of this attack on iOS devices and found the lack of precision in the M-series co-processor helps the generation of such a fingerprint.
“Such an attack does not require direct access to any calibration parameters since these are often embedded inside the firmware of the device and are not directly accessible by application developers”, the research report states.
“According to a team of academics from the University of Cambridge in the UK, SensorID impacts iOS devices more than Android smartphones. The reason is that Apple likes to calibrate iPhone and iPad sensors on its factory line, a process that only a few Android vendors are using to improve the accuracy of their smartphones’ sensors”, reports ZDNet.
When the attack was experimented on an iPhone 6S, it was found that that the GYROID contains about 42 bits of entropy and the MAGID provides an additional 25 bits of entropy. The study has demonstrated that the combination of the MAGID and GYROID – the SENSORID – is globally unique for the iPhone 6S. This did not change on factory reset or after a software update. This shows that the attack can also be applied retrospectively to a historic archive of sensor data. In addition to iOS devices, it has been found that Google Pixel 2 and Pixel 3 can also be fingerprinted by SENSORID attack.
The researchers claim that all iOS devices that have a gyroscope or magnetometer can be fingerprinted by this approach, including the latest iPhone XS and iPhone XS Max. The mainstream iOS browsers- Safari, Chrome, Firefox, and Opera and privacy enhanced browsers- Brave and Firefox Focus are all vulnerable to this calibration based fingerprinting attack, even if the fingerprinting protection mode is turned on.
They added, “We have also tried measuring the sensor data at different locations and under different temperatures; we confirm that these factors do not change the SENSORID either.”
The researchers notified Apple about this vulnerability in August 2018 and Google in December 2018. Apple patched this issue with the release of iOS12.2 in March 2019. However, Google has not taken any prompt action and have just informed the researchers that they will investigate this issue.
With the latest iOS 12.2 release, the new iPhones and iPads will generate a new fingerprint with every sensor calibration query, making SENSORID type of user tracking useless. Further, Apple also removed access to motion sensors from Mobile Safari by default.
The researchers anticipate that calibration information used in other embedded sensors can also be recovered and used as a fingerprint. Thus future research will successfully perform calibration fingerprinting attacks on other types of sensor.
Any iPhone, is vulnerable to an attack, unless it has been updated to to iOS 12.2. If a user is using a Pixel 2 or 3, it’s vulnerable to attack. But the vulnerability to an Android phone is not yet known fully, but there is a sure possibility to it.