SIMonline online service will help maintain your privacy, it’s very simple to buy a virtual number for SMS and not think about spam on your phone.
Confirming the concept of a new type of privacy attack called “fingerprint calibration”, it uses data from Apple iPhone sensors to create a unique fingerprint in the world for any particular mobile user. Researchers said it provides an unusually effective means of tracking people as they browse the mobile network and move between applications on their phones.
In addition, this approach also affects Google’s Pixel phones that run on Android.
A research team from Cambridge University in the UK released their results this week, showing that data collected from accelerometer, gyroscope and magnetometer sensors found on smartphones can be used to generate a calibration fingerprint in less than a second - and that it never changes , even after resetting.
An attack can also be launched by any website that a person visits through a mobile browser or any application, without the need for explicit confirmation or consent from the target.
In the case of Apple, the problem is related to the lack of iOS 12.1 and earlier versions, so iPhone users should upgrade to the latest version of the OS as soon as possible. Google has not yet solved this problem, researchers say.
Next-Generation Fingerprinting
The device’s fingerprint allows websites to detect repeat visits or track users, and in its innocuous form can be used to protect against identity theft or credit card fraud; advertisers often also rely on this to create a user profile for targeted ads.
Fingerprints are usually composed with fairly simple information: the name and version of your browser, screen size, installed fonts, and so on. And browsers are increasingly using blocking mechanisms to thwart such efforts in the name of privacy: for example, on Apple iOS for iPhone, Mobile Safari uses smart prevention tracking to restrict the use of cookies, restrict access to unique device settings and eliminate cross-domain tracking.
However, on any iOS device with a version lower than 12.2, including the latest versions of the iPhone XS, iPhone XS Max and iPhone XR, you can circumvent these protections by taking advantage of the fact that the motion sensors used in modern smartphones use what is called microprocessing. to mimic the mechanical parts found in traditional touch devices, according to the article.
“MEMS sensors are usually less accurate than their optical counterparts due to various types of errors,” the team said. “In general, these errors can be classified as deterministic and random. Sensor calibration is the process of identifying and eliminating deterministic sensor errors. ”
Websites and applications can access data from sensors without special permission from users. Analyzing this freely available information, the researchers found that it was possible to display factory calibration data for each device that manufacturers embed in the smartphone’s firmware to compensate for these systematic manufacturing errors. This calibration data can then be used as a fingerprint, because, despite the apparent uniformity, each Apple iPhone is slightly different - even if two devices belong to the same batch.
“We found that the gyroscope and magnetometer on iOS devices were factory calibrated, and the calibration data is different from device to device,” the researchers said. “Retrieving calibration data usually takes less than one second and is independent of the position or orientation of the device.”
To create a globally unique calibration footprint, you need to add a little more information, for example, from traditional sources of fingerprinting.
“We have demonstrated that our approach can produce globally unique fingerprints for iOS devices from the installed application - about 67 bits of entropy for the iPhone 6S,” they said. "The calibration fingerprints generated by the website are less unique (~ 42 bits of entropy for the iPhone 6S), but they are orthogonal to existing fingerprinting methods, and together they are likely to form a globally unique fingerprint for iOS devices."
A longitudinal study also showed that the fingerprint of the calibration fingerprint, which the researchers called “SensorID,” does not change over time and does not depend on conditions.
“We have not observed any changes in the SensorID of our test devices over the past six months,” they wrote. “Our data set includes devices running iOS 9/10/11/12. We tested compass calibration, resetting and updating iOS (to iOS 12.1); SensorID always remains unchanged. We also tried to measure the sensor data in different places and at different temperatures; we confirm that these factors also do not change the SensorID. ”
Widely exploited
In terms of the applicability of the SensorID approach, the research team found that both major browsers (Safari, Chrome, Firefox and Opera), as well as browsers with increased privacy (Brave and Firefox Focus) are vulnerable to attack, even in fingerprint protection mode.
In addition, according to the study, 2,653 of the 100,000 most popular Alexa websites access traffic data, including more than 100 sites that filter motion data on remote servers.
"This is troublesome, since it is likely that SensorID can be calculated using filtered data, which allows you to retrospectively take fingerprints from the device," the researchers write.
However, you can mitigate the vendor-side calibration fingerprint attack by adding evenly distributed random noise to the sensor outputs before applying factory-level calibration — something that Apple has been doing since iOS 12.2.
“Alternatively, suppliers can round off the sensor outputs to the nearest multiple of the nominal gain,” the document says.
In the meantime, privacy-oriented mobile browsers can add an option that disables access to motion sensors via JavaScript.
“This can help protect Android devices and iOS devices that no longer receive updates from Apple,” the document says.
Google pixel devices
Although much of the research has focused on the iPhone, Apple is not the only vendor affected: the team found that the Google Pixel 2 and Pixel 3 accelerometer can also be fingerprinted using this approach.
However, the fingerprint has less individual entropy and is unlikely to be globally unique - this means that for other types of fingerprints to be fully tracked for a particular device, it is also necessary to collect other types of fingerprint data.
In addition, the document notes that other Android devices that are also factory calibrated may be vulnerable, but are beyond the scope of testing.
While Apple was solving the problem, Google, which was notified in December of the attack vector, is still in the process of "investigating this problem."
