Hackers Can Track Subway Riders' Movements By Smartphone Accelerometer

Patrick O'Neill writes: Tens of millions of daily subway riders around the world can be tracked through their smartphones by a new attack, according to research from China's Nanjing University. The new attack even works underground and doesn't utilize GPS or cell networks. Instead, the attacker steals data from a phone's accelerometer. Because each subway in the world has a unique movement fingerprint, the phone's motion sensor can give away a person's daily movements with up to 92% accuracy.

Yay

[bobstreo]

Now if there were any subways anywhere near where I lived.

If the accelerometer has such poor security, what other components/sensors are vulnerable?

Re:

[Dr_Barnowl]

The flashbang is designed to release it quickly.

The phone isn't. You'd have to physically modify the battery, you can't just make them explode from software.

Re:Yay

[Imagix]

Read the article closer. Nowhere does it say that a stock phone is susceptible to this sort of attack. The story is presuming that malware has been installed onto the phone. Then, shockingly, software that has been granted access to the hardware can read the hardware. Inertial navigation systems have been in use since at least WW II. And if you have software on the phone that has purloined access to the accelerometer... it would like also have access to the wifi, cell and GPS stuff too.

Re:

[msauve]

Yep, and since when is someone who writes such an app a "hacker?" They may be a reprobate, but they haven't hacked anything.

Re:

[AK Marc]

Yeah, wouldn't it make sense to see where the GPS signal dies, and when it comes back, and persume they took transport from one position to the other? No inertia guessing needed. The Yellow to the Red line is the only way to connect those dots without looping or doubling back. So why do you need to have the accelerometer to confirm?

Re:Yay

[tlhIngan]

Yeah, wouldn't it make sense to see where the GPS signal dies, and when it comes back, and persume they took transport from one position to the other? No inertia guessing needed. The Yellow to the Red line is the only way to connect those dots without looping or doubling back. So why do you need to have the accelerometer to confirm?

Because the accelerometer is often free to use. Accessing GPS requires permission and often has an indicator.

With this, an app can use the accelerometer surreptitiously while leaving no indication that movement is being tracked - so many apps use it that no one gives a second thought. Using GPS often brings up an alert so the user knows they're being tracked. If your app uses the accelerometer anyways, you can sell that information for tracking. Whereas If you app suddenly popped up "MyCoolApp needs to use the GPS - Allow/Deny?" then people get suspicious.

At least it does on iOS. I don't know - do apps have free reign over the GPS on Android or do you get alerts when they attempt to use it?

Re:

[viperidaenz]

On Android you need to grant the permission and an icon is shown at the top of the screen when the high-accuracy (GPS) location service is active.

I don't believe there is a notification when low accuracy location is active (the one that uses cell towers and wifi signals) but the permission still needs to be granted

Re:

[AK Marc]

I don't know - do apps have free reign over the GPS on Android or do you get alerts when they attempt to use it?

They aren't nagware. If you give permission to install, and it requires GPS access, it can turn it on and off without "notification" (though, dependent on phone, there will be an icon in the display that will turn on, but I'm not sure if that's required). "Location services" doesn't turn on the GPS icon unless using GPS, and location services rarely use GPS because of the unreliability and power drain.

Obvious solution

[transporter_ii]

Everyone just needs to pool their phones and then everyone use a random phone for the day. Sort of a TOR operating at the physical level. An app that made encrypted VoIP calls could probably allow you to even use the same phone number by just logging in through the random phone of the day.

Re:

[Anonymous Coward]

Socially, it may be nice to call random people every day from a random phone, but from a business point of view I don't know how well that will work - unless you are a telemarketer.

Re:

[Daniel Matthews]

Except you can still be identified by your gait pattern "Identifying users of portable devices from gait pattern with accelerometers" http://ieeexplore.ieee.org/xpl... [ieee.org]

Re:

[thegarbz]

That's an obvious solution until you try to call someone, though I fondly remember my highschool days of prank dialling random numbers and having conversation with some interesting characters.

Pay phones!

[swb]

In the late 1970s in junior high we would ride the bus and get off at random stops and write down pay phone numbers. Then when we got home we would call the numbers and do all sorts of gags.

The one that inexplicably worked well was telling people that had won money from a radio station. Why they believed that an 8th grader sounded like a disk jockey is still beyond me.

It's almost kind of sad that kids of today can't get that experience. There's very few pay phones left and I bet none of them accept incoming calls. It was also pretty safe from a get in trouble perspective. Call logging and tracing would have been a huge endeavor and we never called any one pay phone more than a few times or suggested anything violent or even all that ribald.

One more hacker tool among many

[Tablizer]

If a hacker has access to accelerometer data, he/she probably has access to lots of OTHER personal info also.

Re:

[thegarbz]

What makes you say that? A typical app that exposes this data for the user will demand access to accelerometer and the internet (for ads). It logically does not follow that they'd have access to any other data unless the user gave them such access.

Re:

[Dog-Cow]

Apparently you enjoy speaking from ignorance. Perhaps you should use an iOS or Android device more more than 3.2 femtoseconds. You might learn that apps don't require a user's explicit permission to access the accelerometer, but do for accessing any private data.

Re:

[Athanasius]

Unless it's a rooted Android phone running Xposed/Xprivacy, and thus supplying false sensor data (optionally per app).

Horrible Summary

[Anonymous Coward]

The very premise, prior to the attack, is that the user has opted to run the "hacker"'s malware.

All they're saying, is that if run malware which watches the accelerometer, the malware can infer your location. And then it still has to transmit this information from your computer to another (unless the malware itself, is what make decisions based on your position).

Re:

[Em Adespoton]

The very premise, prior to the attack, is that the user has opted to run the "hacker"'s malware.

All they're saying, is that if run malware which watches the accelerometer, the malware can infer your location. And then it still has to transmit this information from your computer to another (unless the malware itself, is what make decisions based on your position).

Oh Wow! So the hacker has installed something like MotionX -- commercial software for iOS that's been around forever and does pretty much this (although I don't think it contains subway lines in its accelerometer fingerprint list).

Re:

[account_deleted]

Comment removed based on user account deletion

Add to the list of paranoid gear

[Anonymous Coward]

Tin foil hat, now tin foil pocket.

Re:

[turkeydance]

isn't tin-foil pocket old news? you know, those lined wallets which will block proximity readers.

Re:

[Em Adespoton]

They don't tend to block acceleration, nor do they block data exfiltration when you remove your phone from them to make/receive calls.

Re:

[plover]

But you could make a whole lot of money if you could develop a "tin-foil accelerometer blocker". Every starship a hundred years from now is going to need inertial dampeners!

Re:

[weilawei]

A sufficiently massive or energetic object works just fine as an inertial dampener. That mosquito flying back and forth? Critically damped by the nearest hardcover book.

Progress!

[Livius]

The privacy concerns are troubling, but I can't help thinking that's pretty cool.

"Up To"

[Dwedit]

Because 0% accuracy is also "Up To 92%" accuracy.

Re:

[thegarbz]

Given the limited number of possible start / stop cycles a subway will experience along with curves in the track and a standard response expected from coming into and leaving a station (I'm guessing 5Gs would be a bit much for anything other than hitting another train), I'm going to say the answer is probably far closer to 92% than it is to 0%.

Re:

[adolf]

Add the error and difficulty of subtracting rider movement (remember, a phone's accelerometer is not something that is fixed to the chassis of the vehicle, but instead is something loosely carried by a squishy human being) and I'm going to say the answer is probably far closer to 0% than it is 92%.

Re:

[thegarbz]

Except for the bit where I said "standard response". I'm going to assume you're not an expert in signal processing. Actually I don't need to assume it, you've pretty much stated it.

I'm not sure where you get your cynical view of the world from, but in cases where anyone has every described "up to 92%" I've never seen anything close to 0% as the true result.

Re:

[Neil Boekend]

Rider movement is eliminated by calculating the second integral from the acceleration. That gives you the difference in location. You then average the position over a couple of seconds (as an filter for the user movement) and then you compare it with different possible tracks. The track that has the highest match score wins.
If you have multiple possible tracks you use the average data of multiple days to get a better accuracy for daily commutes. The right track will next to always increase in score.

To me th

Re:

[viperidaenz]

Why would law enforcement want to do this?
They can just get your location from your cell carrier.

Re:

[Dog-Cow]

The second whoosh is not transmitting accelerometer data, so he doesn't know where it is.

Good Luck

[dohzer]

Here in Melbourne, Australia our train system has a unique movement footprint.
Accellerating and breaking for no reason, trains that skip stations or terminate at random ones; this baby's got it all. Good luck decoding the position from that.

Re:

[CrimsonAvenger]

Accellerating and breaking for no reason

They're breaking for no reason? You should be able to fix that....

Re:

[Dragonslicer]

Accellerating and breaking for no reason

They're breaking for no reason?

Clearly you've never been to Boston.

Re:

[sd4f]

Sydney is similar. But the thing is dead reckoning, while not perfect due to cumulative error, will generally be able to resolve changes such as a train accelerating and braking. It would also be relatively straight forward to see that a person is moving along a train corridor, so they could make fairly easy assumptions.

What could potentially break tracking through accelerometer dead reckoning is by moving the phone around in the pocket and changing its orientation. But even that, could be potentially resol

Well on some platforms its a feature...

[Anonymous Coward]

iOS and presumably other platforms use the accellerometer & gyroscopes for purposes like this and to provide inertial navigation. Its quite accurate at locating you in a subway. I catch the train home a few times a week and its really quite remarkable.

To do signature matching of accelleration/decelleration patterns at specific stations would require low level access to the accelerometer data, or to bypass user consent on location services (on iOS)

I'm not sure on Android, but on WinMo and iOS you'd need

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Anonymous Coward]

Nah, you're missing the point. Starts and stops will have 'fingerprints', spacing between stops will show up, things like that. Kinda cool research.

using WiFi IDs is much simpler

[YesIAmAScript]

Who cares about this? Simply tracking which WiFi station IDs the phone sees is a lot better way of tracking where the person is.

If you can hack into their phone, you can find them. No need for fancy long-term acceleration tracking either.

Re:

[plover]

Mind you I would have thought that on a train you could triangulate with mobile repeaters and such much more easily,

Not underground, where cell service is blocked by a hundred feet of rock and dirt.

The actual interesting bit

[Prune]

As soon as I saw the summary, I wondered how they're able to do decent dead reckoning using the mediocre quality cell phone accelerometers; in the general case, the integration would give drift pretty quickly. We're not dealing with ICBM-quality accelerometers here. So the interesting bit is how they're able to make use of information that specializes the problem (the location of subway stations) together with machine learning to do much better than the general case. The paper is worth a read.

Unique movement fingerprint??

[Viol8]

Sorry, but who comes up with this shit? Apart from not knowing the start location and orientation of the phone, electric trains are all pretty similar these days and besides which how will they take account of non station stops at reds, bad riding suspension on certain trains, fast/slow drivers etc etc?

What a crock of ....

Apart from that the accelerometers on your average consumer device arn't even that accurate. After a few minutes it'll be hopelessly lost.

Re:

[Viol8]

"I wager I can distinguish between each train, the train operator, as well as the tracks its running on based on accelerometer data."

Yeah. right.

Am I the only one thinking how useful this is

[sabbede]

For a municipal transportation chief?