W3C home > Mailing lists > Public > public-geolocation@w3.org > August 2015

Re: Risks in current privacy/security policies of accessing to the mobile orientation and motion sensors via JavaScript codes

From: Michael[tm] Smith <mike@w3.org>
Date: Tue, 11 Aug 2015 18:20:08 +0900
To: "Maryam Mehrnezhad (PGR)" <m.mehrnezhad@newcastle.ac.uk>
Cc: "public-geolocation@w3.org" <public-geolocation@w3.org>
Message-ID: <20150811092008.GK963@sideshowbarker.net>
"Maryam Mehrnezhad (PGR)" <m.mehrnezhad@newcastle.ac.uk>, 2015-08-10 13:08 +0000:
> Archived-At: <http://www.w3.org/mid/DB5PR07MB09498349940B81103B562379DB700@DB5PR07MB0949.eurprd07.prod.outlook.com>
> 
> Dear Sir/ Madam,
> 
> I am writing to you on behalf of a team of researchers in mobile security from Newcastle University, UK. Based on our recent work, we have identified vulnerabilities in the current privacy/security policies of accessing to mobile orientation and motion sensors via JavaScript codes specified here (http://www.w3.org/TR/orientation-event/).
> 
> The results of our work show that it is possible to infer user's touch actions such as click, scroll, and zoom, as well as his PINs based on the sensor streams accessible through different mainstream mobile browsers. These browsers have implemented this feature according to the W3C device orientation event specification.
> 
> A preliminary version of our work is already published here (http://dl.acm.org/citation.cfm?id=2714650). The detailed version of the paper including attacks on user's PINs will be published soon.
> 
> We would be very happy to provide you with more information in regards to this problem.

Is the full text of the paper publicly available somewhere so that we can
read it and analyze the claims?

-- 
Michael[tm] Smith https://people.w3.org/mike

Received on Tuesday, 11 August 2015 09:20:34 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 11 August 2015 09:20:34 UTC