Do Smartphone Sensors Present Security Risk? - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Mobile

Do Smartphone Sensors Present Security Risk?

Variations in how different smartphone accelerometers record data raise concerns that advertisers, intelligence agencies or others could use this information to identify individual devices.

Privacy alert: Every smartphone's sensors record data in slightly different ways, and those differences are substantial enough to be measured and used to identify the device.

That warning comes via security researcher Hristo Bojinov, a computer science Ph.D. candidate at Stanford University who's been working with a team of researchers to test whether the sensors inside smartphones might pose a privacy risk, the San Francisco Chronicle first reported.

To date, the Stanford researchers have discovered that the accelerometers built into smartphones, which measure device acceleration and orientation -- used, for example, by the operating system to rotate displays -- don't all record reality in quite the same way.

[ Is the mobile malware threat overblown? Read Google: Don't Fear Android Malware. ]

For example, when a smartphone is resting flat on a tabletop, the reading generated by the accelerometer -- which measures acceleration along the Z-axis, which in this example would be a line rising perpendicularly from the smartphone -- should be -1 when it's lying face up, or +1 when lying face down. But in reality, a face-down device generates a Z-axis measurement that's more akin to 1.00281308281.

That result was generated via the Stanford Sensor ID Experiment website, which the researchers wrote in JavaScript to see the Z-axis measurements being returned by any given smartphone. (Anyone can use the website to test a device.) Their finding, which will be detailed in a forthcoming research paper, is that the measurements returned by any given device are unique enough to fingerprint -- or uniquely identify -- that device.

Who might want to track smartphones in this manner? As The Verge reported, such fingerprinting could serve as yet another tool for advertisers to identify unique devices, and by extension the identity of the person using them.

"People need to consider the whole system when they think about privacy," Stanford researcher Bojinov told the San Francisco Chronicle, noting that he wouldn't be surprised if advertisers had already discovered some of these tracking techniques themselves. By highlighting the fact that smartphone sensors produce data in unique ways, Bojinov said he hoped that smartphone manufacturers and software developers might be able to find ways of safeguarding such data gathering against improper use.

Furthermore, accelerometers aren't the only way that smartphones can be fingerprinted. For example, Sara M. Watson, a fellow at the Berkman Center for Internet and Society at Harvard University, recently wrote in a Wired opinion piece that the new M7 motion processor in the Apple 5s smartphones has been designed to continually record data from the device's accelerometer, compass and gyroscope sensors, which could be used by so-called quantified self apps that serve as personal activity trackers. But the sensor data could easily be collected by apps -- or even third parties -- without the owner's knowledge.

Of course, advertisers aren't the only potential organizations that might have their eye on this type of data, and fears over government tracking have been growing since former NSA contractor Edward Snowden began sharing confidential agency documents with select journalists this past summer. So what's the likelihood that the NSA isn't already tracking smartphones using these types of obscure -- if not hitherto unknown -- techniques?

In fact, sensor data might not even be required to create fingerprint phones. For example, one 2009 document recently released by the NSA detailed an "analytical tool" -- the name of which was redacted -- for identifying the date and time that a phone first went online, as well as the date and time that a phone last went offline. It also gets the total number of calls, and the ratio of unique contacts to calls, but not the specific numbers contacted, according Cato Institute research fellow Julian Sanchez's reading of the document.

What's the use of this type of information? "One possibility that jumps out at me -- and perhaps anyone else who's a fan of The Wire -- is that this is the kind of information you would want if you were trying to identify disposable prepaid 'burner' phones being used by a target who routinely cycles through cell phones as a counter-surveillance tactic," Sanchez said on the Just Security forum. "The number of unique contacts and call/contact ratio would act as a kind of rough fingerprint -- you'd assume a phone being used for dedicated clandestine purposes to be fairly consistent on that score -- while the first/last call dates help build a timeline: You're looking for a series of phones that are used for a standard amount of time, and then go dead just as the next phone goes online."

In that example, the pattern of usage -- rather than the device itself -- could be used to fingerprint a device. From a privacy and tracking standpoint, in other words, sometimes being unique has its downsides.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Nathan Golia
50%
50%
Nathan Golia,
User Rank: Apprentice
10/14/2013 | 9:29:38 PM
re: Do Smartphone Sensors Present Security Risk?
I'm bullish on the potential for the internet of things to change the way a lot of industries operate, but if that's to come, people are going to have to understand that exposing more data means potential vectors for compromising that data. I guess the best thing we can hope for is that the amount of data outstrips the ability of negative actors to abuse it.
Commentary
Gartner Forecast Sees 7.3% Shrinkage in IT Spending for 2020
Joao-Pierre S. Ruth, Senior Writer,  7/15/2020
Slideshows
10 Ways AI Is Transforming Enterprise Software
Cynthia Harvey, Freelance Journalist, InformationWeek,  7/13/2020
Commentary
IT Career Paths You May Not Have Considered
Lisa Morgan, Freelance Writer,  6/30/2020
White Papers
Register for InformationWeek Newsletters
The State of IT & Cybersecurity Operations 2020
The State of IT & Cybersecurity Operations 2020
Download this report from InformationWeek, in partnership with Dark Reading, to learn more about how today's IT operations teams work with cybersecurity operations, what technologies they are using, and how they communicate and share responsibility--or create risk by failing to do so. Get it now!
Video
Current Issue
Key to Cloud Success: The Right Management
This IT Trend highlights some of the steps IT teams can take to keep their cloud environments running in a safe, efficient manner.
Slideshows
Flash Poll