Sensor Characteristics Uniquely Identify Individual Phones 69
An anonymous reader writes "SFGate reports that Stanford researchers have figured out a way to generate a unique fingerprint from a cell phone's suite of built-in sensors. The tiny accelerometers, gyroscopes, microphones, and speakers in cell phones have characteristics that vary slightly from handset to handset, and these variations may contain enough information to uniquely identify a given handset. How that information might get from the phone to a third party varies (the article describes a JavaScript snippet reading the Z-axis accelerometer, though it says little about how the user might block such information from being read), but the possibility for abuse is certainly troubling."
Re:Yawn.... (Score:3, Informative)
Does the MAC ever leave the local network? (Honest question; from my understanding it is only needed in the local network, so propagating it further makes no sense, but then, I'm no networking expert)
It does if an app running on the phone sends it outside the network.
Does this scale? (Score:4, Informative)
If you look at the graph in the article (which talks about flipping the phone, but seems to actually be measurements of flat vs standing vertical), the variations are constrained to be (in the Sz axis) from 0.994 to 1.004, or a variation of 0.008, and the Sz repeatability is worse than 0.00025. So, this would work if the number of phones was ~ 30, but would be "confusion limited" for a larger number. Likewise, in the Oz axis the (different ?!?) units run from -0.2 to 0.4, a variation of 0.6, and the uncertainty is > 0.02, so the number of phones that could be distinguished is ~ 30. Combine these two axes, and no more than ~ 30^2 or 900 phones could be distinguished. There are obviously more than 900 phones in the world.
Even if all 3 sensors are independent and equally sensitive, that only gets you the ability to track 900^3 or ~ 700 million devices, which is a lot, but still likely not enough, as the distribution of errors is not likely to be uniform, but gaussian or some other distribution, and that will lower the effective sensitivity, as would any correlation between the sensor errors.
Note also that quartz crystals (I believe that these are piezoelectric sensors) are notorious not only for being individually imperfect, but also for drifting with time and (especially) temperature, which might also substantially reduce repeatability.
So, I suspect this is not likely to work well in practice.
What this could do is make the rare phone (one with by chance a particularly bad sensor) easily identifiable...