A team of US researchers has revealed that attackers can use smartphone and tablet 'tilt' and 'swipe' motion sensors - which cannot be blocked - to secretly track users.
Their findings have been backed by other industry experts, who agree this opens up a new attack technique against mobile device users.
The University of Illinois-led team tested more than 100 'accelerometer' motion detector chips, including 80 individual chips used in the latest smartphones and tablets such as the Samsung Galaxy S III and Kindle Fire, along with 25 Android phones across five ranges - the Nexus One, Nexus S, Samsung Galaxy Nexus, Samsung Galaxy S3 and HTC Incredible Two - and two tablets, the HTC MyTouch and Samsung Galaxy Tab 2.
They found that tiny manufacturing imperfections in the chips - which are used for screen rotation, recognising user gestures, and apps like motion-enabled games or fitness monitoring - produce different responses to the same motion. This provided a near-unique 'fingerprint' for each device even in “real, uncontrolled environments”.
The researchers examined more than 5,000 sensor traces and recorded a 96 percent success rate in identifying the chips and devices.
“As standard components inside smartphones and tablets, accelerometers' fingerprints create new threats in mobile apps — tracking users without cookies or device IDs,” they concluded.
The researchers said the main threat comes from advertisers. With more than 700,000 apps available in the Google Play and App Store, and most of them offered for free with ads, advertisers are seeking to track users and their online habits, posing a threat to privacy.
“An accelerometer fingerprint can serve as an electronic cookie, empowering an adversary to consolidate data per user, and track them over space and time. Alarmingly, such a cookie is hard to erase, unless the accelerometer wears out to the degree that its fingerprint becomes inconsistent. We have not noticed any evidence of this in the nine months of experimentation with 107 accelerometers.”
“Our attempts to scrub off the fingerprint (without affecting the high level functions such as step-count) did not meet immediate success.”
Analysing their findings, smartphone expert Rob Miller, a security consultant at MWR InfoSecurity, agreed that blocking such attacks would be difficult.
He told SCMagazineUK.com via email that “a user preventing the attack basically has to not install apps, especially those with advertising libraries as it wouldn't be obvious from the Google Play store that an app has this behaviour.
“It would need to be prevented at the operating system level, which would be difficult for Google/Apple/Microsoft to do well.”
He added that a user may be able to prevent this through advanced behaviour such as rooting their device and using custom software “but this is advanced behaviour and there probably isn't a great deal of benefit”.
Paco Hope, principal consultant with software security consulting firm Cigital, said the research “looks legitimate and interesting”.
“There are lots of different ways to uniquely identify a device. The motion sensors are especially interesting because, at the moment, they don't require special permissions. We saw the same thing with IMEI numbers a few years back. Apple's response was to prevent apps from accessing that value entirely.
“The right answer in this case is probably similar: apply counter-measures to anonymise the signature of the sensors. We could ask the user for permission, but users rarely understand the implications of choices like that.
“From the user's perspective, asking permission becomes a binary question: allow this app to violate your privacy and you get to play with the dancing pigs, or don't allow it and you can't. People will choose dancing pigs every time. We have to make a secure choice for the user without impairing the valuable use of the sensors.”
The researchers focused on the threat from advertisers. Asked if the flaw could also be used by cyber criminals or spies, Miller said he couldn't see an immediate cybercriminal angle to it.