SensorID
Sensor Calibration Fingerprinting for Smartphones
CVE-2019-8541
Stan (Jiexin) Zhang, Alastair Beresford ({jz448, arb33}@cl.cam.ac.uk), University of Cambridge
Ian Sheret (ian.sheret@polymathinsight.co.uk), Polymath Insight Limited
Device Fingerprinting
Device fingerprinting aims to generate a distinctive signature, or fingerprint, that uniquely identifies a specific computing device. With a reliable device fingerprint, advertisers can track users online and offline, study their behaviour, deliver tailored content, etc. To protect user privacy, both Android and iOS have applied a variety of measures to prevent device fingerprinting.
Motion Sensors in Smartphones
[Figure: axis conventions for the accelerometer (X, Y, Z), the gyroscope (+Ω_X, +Ω_Y, +Ω_Z) and the magnetometer (X, Y, Z)]
A calibration fingerprinting attack infers the per-device factory calibration data from a device by careful analysis of the sensor output alone.
• attack takes less than 1 second
• requires no permission or interaction from the user
• can be launched from both a mobile website and a mobile app
• can generate a globally unique and consistent fingerprint
Deterministic Errors in Motion Sensors
• Scale Error
• Non-orthogonality
• Bias
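Motion Sensor Calibration
Scale Error:
$$S = \begin{bmatrix} S_x & 0 & 0 \\ 0 & S_y & 0 \\ 0 & 0 & S_z \end{bmatrix}$$
Non-orthogonality:
$$N = \begin{bmatrix} N_{xx} & N_{xy} & N_{xz} \\ N_{yx} & N_{yy} & N_{yz} \\ N_{zx} & N_{zy} & N_{zz} \end{bmatrix}$$
Bias:
$$B = \begin{bmatrix} B_x \\ B_y \\ B_z \end{bmatrix}$$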
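Sensor Output = Scale * Non-orthogonality * ADC output + Bias
$$\begin{bmatrix} O_x \\ O_y \\ O_z \end{bmatrix} = \begin{bmatrix} S_x & 0 & 0 \\ 0 & S_y & 0 \\ 0 & 0 & S_z \end{bmatrix} \begin{bmatrix} N_{xx} & N_{xy} & N_{xz} \\ N_{yx} & N_{yy} & N_{yz} \\ N_{zx} & N_{zy} & N_{zz} \end{bmatrix} \begin{bmatrix} A_x \\ A_y \\ A_z \end{bmatrix} + \begin{bmatrix} B_x \\ B_y \\ B_z \end{bmatrix}$$
Or
$$O = GA + B$$
A = ADC output, O = sensor output, G = gain matrix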
Sensor Calibration Fingerprinting
$$O_1 = G A_1 + B$$
$$O_2 = G A_2 + B$$
$$O_2 - O_1 = G (A_2 - A_1)$$
$$[O_2 - O_1, \cdots, O_n - O_{n-1}] = G\,[A_2 - A_1, \cdots, A_n - A_{n-1}]$$
$$\Delta O = G\,\Delta A$$
$\Delta A$: all values are integers
[Figure: gyroscope output (deg/s) against sequence number, axes x, y and z; panels: Samsung Galaxy S8, iPhone X]
[Figure: difference between gyroscope outputs (deg/s) against sequence number, axes x, y and z; panels: Samsung Galaxy S8, iPhone X]
[Figure: difference between gyroscope outputs (deg/s) against sequence number, axes x, y and z; panels: Samsung Galaxy S8, iPhone X; annotations: ΔA_i = 1, ΔA_i = −1, nominal gain]
Generation of the Calibration Fingerprint
[Flowchart; labels: ΔA, G, Update G̃, Pass, Failed, Not Complete; legend: Both Approaches, Improved Approach]
Calibration Fingerprint for Magnetometer
[Figure: difference between magnetometer outputs (µT) against sequence number, axes x, y and z; panels: iPhone 5S, iPhone 6S, iPhone 8, iPhone XS Max]
Definition of the SensorID
We refer to the collection of distinctive sensor calibration fingerprints as the SensorID.
For iOS devices, the SensorID includes:
• GyroID (Gyroscope Fingerprint)
• MagID (Magnetometer Fingerprint)
For Google Pixel 2/3, the SensorID includes:
• AccID (Accelerometer Fingerprint)
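Example
GyroID of an iPhone XS:
$$\text{GyroID} = \begin{bmatrix} 14 & -36 & -11 \\ 11 & 33 & 22 \\ -4 & -25 & 18 \end{bmatrix}$$
MagID of an iPhone XS:
$$\text{MagID} = \begin{bmatrix} 7 & 2 & -47 \\ -6 & 30 & 61 \\ 69 & 29 & 75 \end{bmatrix}$$
AccID of a Pixel 3:
$$\text{AccID} = \begin{bmatrix} 0.994785 & 0 & 0 \\ 0 & 1.004922 & 0 \\ 0 & 0 & 0.995183 \end{bmatrix}$$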
SensorID Uniqueness Analysis
We collected motion sensor data from 870 iOS devices via crowdsourcing and estimated their SensorID. We found there is a strong correlation between some values in the SensorID. For the same device model, values in the SensorID follow a normal distribution.
[Fig: Scatter plot matrix of elements in the GyroID, G[1,1] to G[3,3] (693 iOS devices)]
$$\text{GyroID} = \begin{bmatrix} G_{11} & G_{12} & G_{13} \\ G_{21} & G_{22} & G_{23} \\ G_{31} & G_{32} & G_{33} \end{bmatrix}$$
For iPhone 6S, we estimate the GyroID has 42 bits of entropy and the MagID has 25 bits of entropy. For 131M iPhone 6S devices, the chance of two iPhone 6S devices having the same SensorID is around 0.0058%.
Countermeasures
Option 1 - Adding noise:
$$O = G(A + \epsilon) + B, \qquad \epsilon_i \sim U(-0.5, 0.5)$$
Option 2 - Rounding the sensor outputs: Manufacturers could round the factory calibrated sensor output to the nearest multiple of the nominal gain to prevent recovering the gain matrix.
Option 3 - Remove access to motion sensors
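Because ΔO = GΔA with integer ΔA, differences between consecutive outputs of an unmitigated sensor sit on a grid whose spacing is the device's own gain; Options 1 and 2 above are meant to remove that grid. The simulation below is an added example, not code from the authors: on a single axis it measures how closely ΔO fits a grid at the device gain and at the nominal gain under each option. The nominal gain of 0.061, the bias, the ADC trace generator and all function names are constructed assumptions.

```python
import random

NOMINAL = 0.061  # constructed nominal gain, deg/s per ADC count (assumption)

def adc_trace(n, seed):
    """Constructed integer ADC readings A for a device at rest (small random walk)."""
    rng = random.Random(seed)
    a, trace = 0, []
    for _ in range(n):
        a += rng.choice((-1, 0, 1))
        trace.append(a)
    return trace

def sensor_output(adc, gain, bias, mitigation=None, seed=1):
    """One axis of O = G*A + B, optionally with a countermeasure from the slides."""
    rng = random.Random(seed)
    out = []
    for a in adc:
        if mitigation == "noise":   # Option 1: O = G(A + eps) + B, eps ~ U(-0.5, 0.5)
            a = a + rng.uniform(-0.5, 0.5)
        o = gain * a + bias
        if mitigation == "round":   # Option 2: nearest multiple of the nominal gain
            o = round(o / NOMINAL) * NOMINAL
        out.append(o)
    return out

def lattice_residual(outputs, step):
    """Mean distance of dO/step from an integer; ~0 means dO sits on a grid of `step`."""
    diffs = [b - a for a, b in zip(outputs, outputs[1:])]
    return sum(abs(d / step - round(d / step)) for d in diffs) / len(diffs)

def audit(gain, bias=0.0123, n=2000):
    """Residuals against the device gain and the nominal gain for each mitigation."""
    adc = adc_trace(n, seed=7)
    report = {}
    for m in (None, "noise", "round"):
        out = sensor_output(adc, gain, bias, m)
        report[m] = (lattice_residual(out, gain), lattice_residual(out, NOMINAL))
    return report

if __name__ == "__main__":
    for m, (dev, nom) in audit(NOMINAL * 1.004922).items():
        print(f"{m or 'none':5s} device-gain residual={dev:.4f} nominal residual={nom:.4f}")
```

A residual near zero at the device gain means the calibration value is exposed in ΔO; with rounding, the grid moves to the nominal gain, which is the same on every device.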
Results
• The calibration fingerprinting attack is easy to conduct by a website or an app in under 1 second, requires no special permissions, and does not require user interaction.
• We collected motion sensor data from 870 iOS devices and show that our approach can generate a globally unique fingerprint (67 bits of entropy for the iPhone 6S).
• Apple adopted our suggestion of adding noise and removed sensor access by default in Mobile Safari on iOS 12.2 (CVE-2019-8541).
For more details, visit: https://sensorid.cl.cam.ac.uk
Stan Zhang, jz448@cl.cam.ac.uk