[sensors] Access to magnetometer and potential security & privacy issues (#394)

MTuner has just created a new issue for https://github.com/w3c/sensors:

== Access to magnetometer and potential security & privacy issues ==
I would like to share potential privacy issues regarding magnetometer sensors, in addition to those listed in the current [Working Draft](https://w3c.github.io/magnetometer/#security-and-privacy).

- Magnetometer measurements can be used to identify running apps or webpages, as the sensor is disturbed by the device's CPU activity [[Matyunin et al.]](https://arxiv.org/pdf/1906.11117.pdf). I am a co-author of this paper.
- Magnetometer measurements can be used to fingerprint the device [[J.Zhang et al.](https://www.ieee-security.org/TC/SP2019/papers/405.pdf), [B.Perez et al.](https://seclab.bu.edu/papers/magnetometer-wisec2019.pdf)].

As we discuss in the paper, the Secure context and Limited sampling frequency do limit the attack vectors, but do not prevent the side channel completely. Therefore, we think it is better to ask the user for permission (rather than granting it by default) and/or further decrease the sampling frequency.

Do you know if there are any plans to release the Magnetometer interface in Chrome or other browsers (without the #enable-generic-sensor-extra-classes flag)?

Please view or discuss this issue at https://github.com/w3c/sensors/issues/394 using your GitHub account

Received on Friday, 11 October 2019 14:25:25 UTC