
Re: Sensor-based Mobile Web Fingerprinting and Cross-site Input Inference Attacks

From: Lukasz Olejnik (W3C) <lukasz.w3c@gmail.com>
Date: Mon, 4 Jul 2016 21:17:59 +0100
Message-ID: <CAC1M5qoG+et1sg1POiRAj3XuFd6DCmk-ijdbMJURcjUy91JWXw@mail.gmail.com>
To: Greg Norcie <norcie@cdt.org>
Cc: Nick Doty <npdoty@ischool.berkeley.edu>, "public-privacy (W3C mailing list)" <public-privacy@w3.org>

Thanks a lot. This is informative and it's in line with our current focus
on sensors privacy assessments. Readout of same or similar values by
different origins (e.g. [1]), even browsers, is one thing we need to keep an
eye on.
We definitely need to assess this from a broad point of view.

Best regards

[1] https://github.com/w3c/sensors/issues/100

2016-07-01 20:02 GMT+01:00 Greg Norcie <gnorcie@cdt.org>:

> Nick, thank you for sharing this, this is incredibly useful work. CDT has
> heard reports that some tracking providers may abuse sensors that have a
> legitimate use. To give a hypothetical example, a game that utilizes the
> accelerometer to move the player's character around the map might
> also utilize this data for fingerprinting purposes as well. This is
> especially troubling to me because accelerometer inputs, unlike input from
> other sensors like cameras and microphones, do not require special
> permission.
> The paper also speculated that such permissions could go beyond merely
> identifying users, and start doing things like inferring keystrokes.
> Previous literature has in fact shown that accelerometer data can be used
> to infer passwords[1], and that these attacks are not merely
> theoretical[2], so I hope now that we've seen that these sensors can be
> used to de-anonymize and phish users, mobile browser makers will consider
> whether the benefits of asking for permission to access the slight
> usability costs of additional dialogs.
> The paper expresses concern that users will merely "click through"
> accelerometer permission requests. I don't have data to prove or refute
> that specific claim. But if anyone were to obtain some, I suspect the FTC's
> Privacycon[3] would welcome studies testing that theory any findings on
> such matters. (And the CFP explicitly states that works submitted to
> academic conferences may also be presented there.)
> [1] ACCessory: Password Inference using Accelerometers on Smartphones
> http://www.hotmobile.org/2012/papers/HotMobile12-final42.pdf
> [2] Practicality of Accelerometer Side Channels on Smartphones
> https://www.cs.swarthmore.edu/~aviv/papers/aviv-acsac12-accel.pdf
> [3] https://www.ftc.gov/privacycon-call-for-presentations
> /********************************************/
> Greg Norcie (norcie@cdt.org)
> Staff Technologist
> Center for Democracy & Technology
> District of Columbia office
> (p) 202-637-9800
> PGP: http://norcie.com/pgp.txt
> /*******************************************/
> On Thu, Jun 23, 2016 at 5:41 PM, Nick Doty <npdoty@ischool.berkeley.edu>
> wrote:
>> Hi public-privacy,
>> Attached is a workshop paper from the Mobile Security Technologies (MoST)
>> 2016 workshop at IEEE Security & Privacy last month. It may be of interest
>> to our community, as it's suggesting that: 1) motion and orientation data
>> can be used for cross-origin fingerprinting and, perhaps more novel for us,
>> 2) motion and orientation sensors could potentially be used to gather the
>> content typed into a soft-keyboard for a different iframe.
>> I think perhaps the general risk to be aware of here is that sensor data
>> is inherently cross-origin and so if those APIs are accessible to different
>> origins, they can allow correlation or inference of data in ways that are
>> unexpected.
>> Thanks,
>> Nick
Received on Monday, 4 July 2016 20:18:31 UTC
