Re: Sensor-based Mobile Web Fingerprinting and Cross-site Input Inference Attacks

Nick, thank you for sharing this, this is incredibly useful work. CDT has
heard reports that some tracking providers may abuse sensors that have a
legitimate use. To give a hypothetical example, a game that utilizes the
accellerometer to n to move the player's character around the map might
also utilize this data for fingerprinting purposes as well. This is
especially troubling to me because accelerometer inputs, unlike input from
other sensors like cameras and microphones, does not require special
permission.

The paper also speculated that such permissions could go beyond merely
identifying users, and start doing things like inferring keystrokes.
Previous literature has in fact shown that accelerometer data can be used
to infer passwords[1], and that these attacks are not merely
theoretical[2], so I hope now that we've seen that these sensors can be
used to de-anonymize and phish users, mobile browser makers will consider
whether the benefits of asking for permission to access the slight
usability costs of additional dialogs.

The paper expresses concern that users will merely "click through"
accelerometer permission requests. I don't have data to prove or refute
that specific claim. But if anyone were to obtain some, I suspect the FTC's
Privacycon[3] would welcome studies testing that theory any findings on
such matters. (And the CFP explicitly states that works submitted to
academic conferences may also be presented there)

[1] ACCessory: Password Inference using Accelerometers on Smartphones
http://www.hotmobile.org/2012/papers/HotMobile12-final42.pdf

[2] Practicality of Accelerometer Side Channels on Smartphones
https://www.cs.swarthmore.edu/~aviv/papers/aviv-acsac12-accel.pdf

[3] https://www.ftc.gov/privacycon-call-for-presentations



/********************************************/
Greg Norcie (norcie@cdt.org)
Staff Technologist
Center for Democracy & Technology
District of Columbia office
(p) 202-637-9800
PGP: http://norcie.com/pgp.txt

/*******************************************/

On Thu, Jun 23, 2016 at 5:41 PM, Nick Doty <npdoty@ischool.berkeley.edu>
wrote:

> Hi public-privacy,
>
> Attached is a workshop paper from the Mobile Security Technologies (MoST)
> 2016 workshop at IEEE Security & Privacy last month. It may be of interest
> to our community, as it's suggesting that: 1) motion and orientation data
> can be used for cross-origin fingerprinting and, perhaps more novel for us,
> 2) motion and orientation sensors could potentially be used to gather the
> content typed into a soft-keyboard for a different iframe.
>
> I think perhaps the general risk to be aware of here is that sensor data
> is inherently cross-origin and so if those APIs are accessible to different
> origins, they can allow correlation or inference of data in ways that are
> unexpected.
>
> Thanks,
> Nick
>
>

Received on Friday, 1 July 2016 19:03:43 UTC