WORLD
Smartphones Leave Identifiable 'Fingerprints'
Baku, April 30 (AZERTAC). The signals produced by smartphones turn out to be so identifiable that it may never be possible to use one anonymously. Even basic privacy may be difficult to achieve.
Despite all the standardization and quality control that go into accelerometers and other sensors built into smartphones, each sensor contains enough tiny, unique imperfections to identify, not only the physical component, but also the data it records, researchers from the University of Illinois, the University of South Carolina, and Zhejiang University report.
"Even if you erase the app in the phone, or even erase and reinstall all software the fingerprint still stays inherent," Romit Roy Choudhury, the UI associate professor of electrical engineering and computer science who led the team, said in a press release. "That's a serious threat."
By analyzing data from the accelerometers from more than 100 devices, the team was able to determine that tiny differences in the data recorded by the accelerometers were unique to the sensor itself, rather than reflecting flaws or differences in materials or environment from a particular plant of production line.
The differences are enough to identify a particular accelerometer with 96% accuracy, Sanorita Dey, a University of Illinois graduate student and member of the research team, said in the release. "We do not need to know any other information about the phone -- no phone number or SIM card number. Just by looking at the data, we can tell you which device it's coming from. It's almost like another identifier."
The team presented its findings at the Network and Distributed System Security Symposium in February in San Diego.
Though the team looked only at accelerometers, the results suggest that data from gyroscopes, magnetometers, microphones, cameras, and other devices could also contain markers that would identify them uniquely as having been recorded with a specific device. The implication is that even consumers trying to protect their identities by refusing to share their location data, name, or other personal information might still be identified and tracked individually by apps that collect sensor data and use cloud-based applications for part of their functions.
Even a pedometer app that counts a user's steps with accelerometer data (and calculates distance travelled or calories burned by sending the data to a cloud service) not only could identify the device itself, but also could get a rough idea of its location from the cellphone towers that provide the network connection.
The team's findings confirm what a Virginia Tech team reported in September (subscription required). That team found that the unique response of an accelerometer or other MEMS sensor to an electric charge is idiosyncratic enough to identify the device from which it came. The paper suggested that sensor-data fingerprints might be useful for identifying and authenticating devices attached to the Internet of Things.
Hristo Bojinov, a Ph.D. candidate at Stanford University, has found that signals from microphones and speakers are as identifiable as accelerometers, and that all three are accessible enough that JavaScript apps downloaded in a mobile browser can collect the data and upload it to a website for identification.
Right now, Dey said, there are no regulations on app vendors collecting that data or limiting its use.
Google did build a set of controls into a beta version of Android 4.4.2 that would have allowed users to decide which apps should have access to data from sensors, address books, or other onboard resources. But company called the inclusion of the controls was "accidental," and it removed them just one day after the digital-privacy guru Peter Eckersley posted an article describing the controls, telling consumers how to use them, and praising Google for offering them.