Specialists from Cambridge University (UK) have presented a new method of tracking users of Android and iOS devices on the Internet. The technique is called “Fingerprinting with calibration”, or simply SensorID, and relies on the factory calibration data of the device's sensors, which an app or website can access without any permission.
The SensorID attack uses calibration data from the gyroscope and magnetometer on iOS devices, and from the accelerometer, gyroscope and magnetometer on Android devices. According to the authors of SensorID, Apple devices are more vulnerable to the attack than gadgets running Android. This is because Apple calibrates every sensor precisely during production, while manufacturers of Android devices do not always do so.
The attack is based on a thorough analysis of sensor data that is available without any permission. “Our analysis makes it possible to obtain the factory calibration data of each device, which manufacturers build into the firmware of the smartphone to compensate for systematic manufacturing errors (of the sensors, ed.)”, said the authors of SensorID.
Calibration data can be used as a fingerprint: a unique identifier that allows analytics companies and cybercriminals to track user activity on the Internet. Collecting the data does not affect the operation of the device, and the victim is not even aware of it.
According to the researchers, obtaining the calibration data takes one second, and neither the position of the device nor its environment matters. Because the calibration data stay the same, they make it possible to track user activity on the Internet even after the device has been reset.
Apple fixed the vulnerability (CVE-2019-8541) in March this year with the release of iOS 12.2, by adding random noise to the output of the sensor calibration. Google has not yet released a fix, stating that it intends to study the problem.