On 21. Oct 2019, at 22.40, Pete Snyder <psnyder@brave.com> wrote: In the meantime though, was wondering if your group was familiar with this work [1] on using sensor APIs for permission less fingerprinting, if the standard has been updated to fix / prevent these attacks, and if not, how the standard should be adopted to fix. (TL;DR; you can derive devices w/ ~67 bit identifiers if they have accelerometers installed, using the sensor APIs). Thanks for the pointer. This paper published after the specs reached CR has not been discussed in the group. Other similar fingerprinting vectors brought to the group’s attention have been considered, however: https://w3c.github.io/sensors/#device-fingerprinting We could add this paper to the list of references for completeness. Mitigations are discussed in: https://w3c.github.io/sensors/#mitigation-strategies We could consider adding the other proposed mitigation (add uniformly distributed random noise to ADC outputs before calibration is applied) to the mitigations section. Permissions is already covered and the specs define hooks for prompting. As a general comment, it *seems* this particular attack was fixed in more recent iOS versions and on most or all(?) Android devices tested there was less entropy, so no global uniqueness. Suggestions (and PRs) from PING welcome. Thanks, -Anssi Refs: 1: https://www.repository.cam.ac.uk/bitstream/handle/1810/294227/405.pdf?sequence=3
Received on Monday, 21 October 2019 21:09:45 UTC