Re: Sensor-based Mobile Web Fingerprinting and Cross-site Input Inference Attacks


Thanks a lot. This is informative and it's in line with our current focus
on sensors privacy assessments. Readout of same or similar values by
different origins (e.g. [1]), even browsers is one thing we need to keep an
eye on.
We definitely need to assess this from a broad point of view.

Best regards


2016-07-01 20:02 GMT+01:00 Greg Norcie:

> Nick, thank you for sharing this, this is incredibly useful work. CDT has
> heard reports that some tracking providers may abuse sensors that have a
> legitimate use. To give a hypothetical example, a game that utilizes the
> accelerometer to move the player's character around the map might
> also utilize this data for fingerprinting purposes as well. This is
> especially troubling to me because accelerometer inputs, unlike input from
> other sensors like cameras and microphones, do not require special
> permission.
> The paper also speculated that such permissions could go beyond merely
> identifying users, and start doing things like inferring keystrokes.
> Previous literature has in fact shown that accelerometer data can be used
> to infer passwords[1], and that these attacks are not merely
> theoretical[2], so I hope now that we've seen that these sensors can be
> used to de-anonymize and phish users, mobile browser makers will consider
> whether the benefits of asking for permission to access the slight
> usability costs of additional dialogs.
> The paper expresses concern that users will merely "click through"
> accelerometer permission requests. I don't have data to prove or refute
> that specific claim. But if anyone were to obtain some, I suspect the FTC's
> Privacycon[3] would welcome studies testing that theory any findings on
> such matters. (And the CFP explicitly states that works submitted to
> academic conferences may also be presented there.)
> [1] ACCessory: Password Inference using Accelerometers on Smartphones
> [2] Practicality of Accelerometer Side Channels on Smartphones
> [3]
> /********************************************/
> Greg Norcie
> Staff Technologist
> Center for Democracy & Technology
> District of Columbia office
> (p) 202-637-9800
> /*******************************************/
> On Thu, Jun 23, 2016 at 5:41 PM, Nick Doty wrote:
>> Hi public-privacy,
>> Attached is a workshop paper from the Mobile Security Technologies (MoST)
>> 2016 workshop at IEEE Security & Privacy last month. It may be of interest
>> to our community, as it's suggesting that: 1) motion and orientation data
>> can be used for cross-origin fingerprinting and, perhaps more novel for us,
>> 2) motion and orientation sensors could potentially be used to gather the
>> content typed into a soft-keyboard for a different iframe.
>> I think perhaps the general risk to be aware of here is that sensor data
>> is inherently cross-origin and so if those APIs are accessible to different
>> origins, they can allow correlation or inference of data in ways that are
>> unexpected.
>> Thanks,
>> Nick

Received on Monday, 4 July 2016 20:18:31 UTC