Re: Sensor-based Mobile Web Fingerprinting and Cross-site Input Inference Attacks

Hello,

Thanks a lot. This is informative and it's in line with our current focus
on sensors privacy assessments. Readout of same or similar values by
different origins (e.g. [1]), even browsers is one thing we need to keep an
eye on.
We definitely need to assess this from a broad point of view.

Best regards
Lukasz

[1] https://github.com/w3c/sensors/issues/100

2016-07-01 20:02 GMT+01:00 Greg Norcie <gnorcie@cdt.org>:

> Nick, thank you for sharing this, this is incredibly useful work. CDT has
> heard reports that some tracking providers may abuse sensors that have a
> legitimate use. To give a hypothetical example, a game that utilizes the
> accellerometer to n to move the player's character around the map might
> also utilize this data for fingerprinting purposes as well. This is
> especially troubling to me because accelerometer inputs, unlike input from
> other sensors like cameras and microphones, does not require special
> permission.
>
> The paper also speculated that such permissions could go beyond merely
> identifying users, and start doing things like inferring keystrokes.
> Previous literature has in fact shown that accelerometer data can be used
> to infer passwords[1], and that these attacks are not merely
> theoretical[2], so I hope now that we've seen that these sensors can be
> used to de-anonymize and phish users, mobile browser makers will consider
> whether the benefits of asking for permission to access the slight
> usability costs of additional dialogs.
>
> The paper expresses concern that users will merely "click through"
> accelerometer permission requests. I don't have data to prove or refute
> that specific claim. But if anyone were to obtain some, I suspect the FTC's
> Privacycon[3] would welcome studies testing that theory any findings on
> such matters. (And the CFP explicitly states that works submitted to
> academic conferences may also be presented there)
>
> [1] ACCessory: Password Inference using Accelerometers on Smartphones
> http://www.hotmobile.org/2012/papers/HotMobile12-final42.pdf
>
> [2] Practicality of Accelerometer Side Channels on Smartphones
> https://www.cs.swarthmore.edu/~aviv/papers/aviv-acsac12-accel.pdf
>
> [3] https://www.ftc.gov/privacycon-call-for-presentations
>
>
>
> /********************************************/
> Greg Norcie (norcie@cdt.org)
> Staff Technologist
> Center for Democracy & Technology
> District of Columbia office
> (p) 202-637-9800
> PGP: http://norcie.com/pgp.txt
>
> /*******************************************/
>
> On Thu, Jun 23, 2016 at 5:41 PM, Nick Doty <npdoty@ischool.berkeley.edu>
> wrote:
>
>> Hi public-privacy,
>>
>> Attached is a workshop paper from the Mobile Security Technologies (MoST)
>> 2016 workshop at IEEE Security & Privacy last month. It may be of interest
>> to our community, as it's suggesting that: 1) motion and orientation data
>> can be used for cross-origin fingerprinting and, perhaps more novel for us,
>> 2) motion and orientation sensors could potentially be used to gather the
>> content typed into a soft-keyboard for a different iframe.
>>
>> I think perhaps the general risk to be aware of here is that sensor data
>> is inherently cross-origin and so if those APIs are accessible to different
>> origins, they can allow correlation or inference of data in ways that are
>> unexpected.
>>
>> Thanks,
>> Nick
>>
>>
>

Received on Monday, 4 July 2016 20:18:31 UTC