Risks in current privacy/security policies for access to the mobile orientation and motion sensors via JavaScript code

Dear Sir/Madam,

I am writing to you on behalf of a team of researchers in mobile security from Newcastle University, UK. Based on our recent work, we have identified vulnerabilities in the current privacy/security policies for accessing mobile orientation and motion sensors via JavaScript code, as specified here (http://www.w3.org/TR/orientation-event/).

The results of our work show that it is possible to infer a user's touch actions such as click, scroll, and zoom, as well as his PINs, based on the sensor streams accessible through different mainstream mobile browsers. These browsers have implemented this feature according to the W3C device orientation event specification.

A preliminary version of our work has already been published here (http://dl.acm.org/citation.cfm?id=2714650). The detailed version of the paper, including attacks on users' PINs, will be published soon.

We would be very happy to provide you with more information with regard to this problem.


Best Regards,
Maryam Mehrnezhad
PhD Student in Computing Science
Centre of Software Reliability (CSR), Claremont tower
School of Computing Science, Newcastle University
http://www.ncl.ac.uk/csr/people/student/m.mehrnezhad
Newcastle Upon Tyne, UK
NE1 7RU
Email: m.mehrnezhad@ncl.ac.uk
Telephone: +44 191 208 5153
Fax: +44 191 208 8232

Received on Tuesday, 11 August 2015 09:00:24 UTC