Forgot your password?
typodupeerror
Cellphones Handhelds Privacy

Sensor Characteristics Uniquely Identify Individual Phones 69

Posted by Soulskill
from the your-accelerometer-has-betrayed-you dept.
An anonymous reader writes "SFGate reports that Stanford researchers have figured out a way to generate a unique fingerprint from a cell phone's suite of built-in sensors. The tiny accelerometers, gyroscopes, microphones, and speakers in cell phones have characteristics that vary slightly from handset to handset, and these variations may contain enough information to uniquely identify a given handset. How that information might get from the phone to a third party varies (the article describes a JavaScript snippet reading the Z-axis accelerometer, though it says little about how the user might block such information from being read), but the possibility for abuse is certainly troubling."
This discussion has been archived. No new comments can be posted.

Sensor Characteristics Uniquely Identify Individual Phones

Comments Filter:
  • Great! (Score:4, Funny)

    by nospam007 (722110) * on Friday October 11, 2013 @09:37AM (#45100721)

    Now I have to drop my phone from time to time to fool the NSA.

    • Shoot... I already drop my phone enough as it is. There is no way the NSA spy tools on it will work properly, unless they have a compensation for that...
  • ... nothing new. (Score:5, Interesting)

    by nbvb (32836) on Friday October 11, 2013 @09:44AM (#45100775) Journal

    Cell phones have been identifiable by RF fingerprinting for many, many years.

    Was a common anti-fraud technique in the analog cellular days.

  • Uh, so what? (Score:4, Insightful)

    by Anonymous Coward on Friday October 11, 2013 @09:45AM (#45100781)

    The possibility for abuse is troubling. Really?

    Android: android.telephony.TelephonyManager.getDeviceId()
    iOS: NSString* uniqueID = [UIDevice currentDevice].uniqueIdentifier;
    WindPhone: Dunno don't do anything for it, I assume it's part of the API as well.

    So yes, tell me more about this "troubling" ability to build a fingerprint of questionable accuracy on a device to uniquely ID it even when you can just READ THE UNIQUE DEVICE ID right from it to start with.

    • by Rosyna (80334)

      The iOS version no longer works.

    • by P-niiice (1703362)
      As bad as letting the big data companies have your whole life is the fact that Americans are becoming paranoid.
      • Re: (Score:2, Interesting)

        by Anonymous Coward

        Paranoid Americans is a GOOD thing! A few more people are actually waking up to the $hit that is happening.

  • How long ... (Score:5, Insightful)

    by gstoddart (321705) on Friday October 11, 2013 @09:46AM (#45100783) Homepage

    How long before we have Minority Report type crimes?

    "Sir, you're going to have to have to come with us. Our metadata surveillance indicates you are likely to commit a crime, and our tracking of your phone indicates you were recently at a hardware store. We need to take you to the internment camp."

    Some days I just want to turn into Reg the Blank and hide.

    When they can know everything about you even when you've done nothing wrong, you're not so much free anymore as you are being allowed to pretend you are until such time as they decide to cart you off.

    • Why would you carry your phone when attempting to commit a crime in the first place? (Or why would anyone want to carry any phone anywhere in the zeroth place...)
      • Because people look at me weird when I break out my Handheld Ham Radio when I am in the store to talk to my wife... Also, people seem to think because I have a radio that I must know where to find size 20 for their kid and get pissed when I say I dont work there. "Then why do you have a radio!"
      • Absolutely, so that I can tweet about it while I'm there and upload pictures to Facebook.

      • by lxs (131946)

        I don't want to be identified as one of those phoneless criminals I read about on Slashdot.

        • I don't want to be identified as one of those phoneless criminals I read about on Slashdot.

          It's better to be a phoney criminal, then? ;-)

      • Re: (Score:2, Insightful)

        by Dr. Zim (21278)

        Because we're not all judgmental pricks that think our way is the only way to live. When my 81 year old mother needs a ride to the store, I want her to call me. When my daughter misses the bus home and I'm at a client site, I want her to call me. Just because you're happy to be incommunicado, doesn't make that an option for people with responsibilities. Go pat yourself on the back for being a Ludite and crawl back in your hole.

        • I'm not a Luddite, it's just that in line with RMS, I simply think that even nowadays, many a person can still have a normal life without exposing himself to constant tracking. Also please rescind from talking about "judgmental pricks" while at the same time using the words "incommunicado", "people with responsibilities", "Luddite" and "crawl back in your hole" in the very same post. It sort of smells of hypocrisy.
  • "Code running on the website in the device’s mobile browser"

    So what I'd like to know is this (for all you people out there who write web code for mobile devices): what are the differences between what access different platforms give to those sensors? Obviously Android provides all the access that's needed; the example in the article refers to it working on a Galaxy Nexus. But what about Windows Mobile/IOS/Blackberry? Do they all have APIs to expose that functionality to something running in a brows

  • by dryriver (1010635) on Friday October 11, 2013 @10:13AM (#45101029)
    A statistical analysis of your online writing-style identifies you. CCTV cameras identify you from your gait (the "way you walk"). And now your smartphone sensors give away what smartphone you are using (... useful to "backdoor" the device, I presume?). My question to these scientist: Why do you create this tech? Do you not care about the privacy of the common man, or indeed the technological future your children will be forced to live in? My 2 Cents on this, and similar efforts to "ID people"....
    • by rasmusbr (2186518) on Friday October 11, 2013 @10:28AM (#45101155)

      Because there are lots of people who want PhD:s, but not a lot of creativity to go around and even less funding to go around for creative and truly novel projects

      You can bet that this has already been done in the industry so it's not like they're inventing anything that doesn't already exist.

      By the way, it ought to be reasonably straightforward to get a fingerprint out of the totality of sensor data that a phone generates during the course of a week or so even if the sensors were flawless. After all, we all have different habits, different gaits, etc. Odds are someone is already doing that.

    • 99% of us agree with you.
    • Re: (Score:2, Interesting)

      by Anonymous Coward

      IAMA scientist who creates such things. So here's my answer to your question: we create this kind of tech to allow law enforcement to identify individuals (in a very broad sense of all these terms), so we can lock them in (this is supposed to be very unsurprising).

      If the tech in question is "fingerprint" (real ones, with your fingers), law enforcement is "police" (and not military/counter-terrorism/political) and individual is "criminal", I think pretty much everybody agrees that it is a good thing (you mig

    • by Aaden42 (198257)

      Why do you create this tech?

      The same reason that white hat security researchers look for holes in software. Sure, finding those holes and eventually releasing patches can help hackers identify exploits that might still be unpatched on some machines, but *not* finding those holes doesn’t mean they automatically go unfound. If a white hat didn’t find & announce it, there’s still a pretty good chance a black hat (or the NSA...) found it and is exploiting it in the wild. I’d hones

    • by Kjella (173770)

      Businesses want to track you because there's money in data mining and profiling. Governments want to track you for surveillance and control. You think you'd be one iota less tracked if nobody in academia did? No, you'd just not realize it but I guess ignorance is bliss...

    • by Anonymous Coward

      Yeah, let's blame it on the scientists who publish it. Like we scapegoat the whitehats that report vulnerabilities in software. I cannot tell if you're kidding or not. Hopefully you can tell, now, that reporting these results means that people need to sanitize this information, and/or demand that manufacturers help sanitize/restrict access to this data.

      If you didn't know it, the "bad guys" would still know it, and be using it without your knowledge.

  • by Anonymous Coward

    It isn't sufficient anymore to block apps from getting some information (besides, some apps play miffed if they don't get this or that). What the OS should do is empower the user to tell "controlled lies".

    For example: fuzz geo data by some controllable amount (or "I'm always in Trondheim, Norway"). Fuzz accelerometer, voice, and so on.

    By default apply some sensible random fuzzing (just a tad above the instrument's accuracy, for example). Make the "lying strategies" configurable per-app.

  • by Rambo Tribble (1273454) on Friday October 11, 2013 @10:20AM (#45101071)
    I was of the impression that anything that accesses the cell network already has a unique IMEI adddress and that devices that access networks have a unique MAC address. What does this provide that they don't? It would seem this information could be spoofed at least as easily as such hardware addresses.
  • Every mobile phone, GSM modem or device with a built-in phone / modem has a unique 15 digit IMEI number.

  • I recall reading something earlier in the year that researchers (maybe it was our friends at NS*) are able to uniquely identify cell phones based on some type of timing difference in gsm trasmissions. Bottom line, if you use a phone someone can figure out its you.

  • Does this scale? (Score:4, Informative)

    by mbone (558574) on Friday October 11, 2013 @10:33AM (#45101211)

    If you look at the graph in the article (which talks about flipping the phone, but seems to actually be measurements of flat vs standing vertical), the variations are constrained to be (in the Sz axis) from 0.994 to 1.004, or a variation of 0.008, and the Sz repeatability is worse than 0.00025. So, this would work if the number of phones was ~ 30, but would be "confusion limited" for a larger number. Likewise, in the Oz axis the (different ?!?) units run from -0.2 to 0.4, a variation of 0.6, and the uncertainty is > 0.02, so the number of phones that could be distinguished is ~ 30. Combine these two axes, and no more than ~ 30^2 or 900 phones could be distinguished. There are obviously more than 900 phones in the world.

    Even if all 3 sensors are independent and equally sensitive, that only gets you the ability to track 900^3 or ~ 700 million devices, which is a lot, but still likely not enough, as the distribution of errors is not likely to be uniform, but gaussian or some other distribution, and that will lower the effective sensitivity, as would any correlation between the sensor errors.

    Note also that quartz crystals (I believe that these are piezoelectric sensors) are notorious not only for being individually imperfect, but also for drifting with time and (especially) temperature, which might also substantially reduce repeatability.

    So, I suspect this is not likely to work well in practice.

    What this could do is make the rare phone (one with by chance a particularly bad sensor) easily identifiable...

  • Pity their research was so slow. Steve Gibson of grc.com and the "Security Now!" podcast is in talks with the W3C about his new SQRL authentication protocol. Uniquely individual, completely anonymous.

  • The tricky bit is remembering to change the speed setting every morning...
  • The nice thing about a person's actual fingerprints is that they don't change over time. As one poster pointed out, oscillators do drift over time. I can't help but think that the components they're trying to measure also will change in the tested characteristics as they age. If a digital fingerprint doesn't stay constant over the life of the device, is it really of any value?

  • This paper [sersc.org] explains how these principles can be used for key-generation.

    Interesting how this provides potential for both security and privacy invasion.

The Universe is populated by stable things. -- Richard Dawkins

Working...