- From: Nick Doty via GitHub <sysbot+gh@w3.org>
- Date: Thu, 13 Feb 2020 23:24:35 +0000
- To: public-device-apis-log@w3.org
npdoty has just created a new issue for https://github.com/w3c/accelerometer: == device calibration of accelerometers may reveal precise hardware fingerprint == This paper focuses on orientation sensors, but also notes a similar risk in accelerometer sensors for at least some devices: Zhang, Jiexin, Alastair R. Beresford, and Ian Sheret. “[SensorID: Sensor Calibration Fingerprinting for Smartphones](https://www.ieee-security.org/TC/SP2019/papers/405.pdf ).” In 2019 IEEE Symposium on Security and Privacy (SP), 638–55. San Francisco, CA, USA: IEEE, 2019. https://doi.org/10.1109/SP.2019.00072. High-resolution reporting of accelerometer values may provide an attacker access to the factory-set calibration of the sensor, which is a persistent, cross-origin identifier allowing for device fingerprinting. This is a serious privacy concern. Based on related concerns noted in device orientation, specifying a particular rounding threshold for this API may mitigate the threat for all (or almost all) devices. Paul Jensen [recommends rounding to 0.1 m/s^2](https://lists.w3.org/Archives/Public/public-privacy/2020JanMar/0023.html). Currently the spec doesn't speak to precision, except through use of the double datatype. This is a separate attack from the AccelPrint work that's already been cited in the Generic Sensor API, but it's possible the attack and potential mitigations are related. (The AccelPrint paper doesn't seem to quite get into what all the sources of the fingerprint are or what methods are sufficient mitigation.) Please view or discuss this issue at https://github.com/w3c/accelerometer/issues/54 using your GitHub account
Received on Thursday, 13 February 2020 23:24:37 UTC