Re: Risks in current privacy/security policies of accessing to the mobile orientation and motion sensors via JavaScript codes

Thanks for the info, Maryam. Have you also followed up with the affected browser vendors directly?

Based on the poster, the "other tab" instances sound the most concerning to me. We have discussed for other specifications adding a normative requirement about limiting sensor readings to the active tab or active browsing context, because of a number of different privacy leakages. (For example, events triggered by sensor activity that are triggered for background tabs can help an attacker identify that two different browsing contexts are the same user/device.) This would be an issue to address for any future iterations on this document; or, as I understand to be more likely, for the generic sensor API specification.

I'd be interested in hearing more about the intra-tab attacks (an iframe that gets notification into user activity on the embedding page) and what kinds of privacy issues might arise in those cases.

Accelerometer data is also the kind of data that can be used for cross-device leakage. For example, there are papers on inferring the content typed on one device based on the vibrations felt by another device; e.g. http://dl.acm.org/citation.cfm?id=2046771
That may be a harder problem to solve with a specification change alone, but would be worth describing in a privacy considerations section.

—Nick

> On Aug 10, 2015, at 6:08 AM, Maryam Mehrnezhad (PGR) <m.mehrnezhad@newcastle.ac.uk> wrote:
> 
> Dear Sir/ Madam,
> 
> I am writing to you on behalf of a team of researchers in mobile security from Newcastle University, UK. Based on our recent work, we have identified vulnerabilities in the current privacy/security policies for accessing mobile orientation and motion sensors via JavaScript code specified here (http://www.w3.org/TR/orientation-event/).
> 
> The results of our work show that it is possible to infer a user’s touch actions such as click, scroll, and zoom, as well as his PINs based on the sensor streams accessible through different mainstream mobile browsers. These browsers have implemented this feature according to the W3C device orientation event specification.
> 
> A preliminary version of our work is already published here (http://dl.acm.org/citation.cfm?id=2714650). The detailed version of the paper including attacks on user’s PINs will be published soon.
> 
> We would be very happy to provide you with more information in regards to this problem.
> 
> 
> Best Regards,
> Maryam Mehrnezhad
> PhD Student in Computing Science
> Centre of Software Reliability (CSR), Claremont tower
> School of Computing Science, Newcastle University
> http://www.ncl.ac.uk/csr/people/student/m.mehrnezhad
> Newcastle Upon Tyne, UK
> NE1 7RU
> Email: m.mehrnezhad@ncl.ac.uk
> Telephone: +44 191 208 5153
> Fax: +44 191 208 8232

Received on Tuesday, 11 August 2015 22:34:54 UTC