The accelerometers in smartphones are great things — they change the orientation of the screen and let you play all kinds of cool games. But they’re also big privacy risks. A researcher at Stanford has found that an accelerometer can help identify a smartphone — and its user.
Every accelerometer has defects. Usually the flaws are too small to notice, and they don’t matter to the device’s functioning. Each defect, though, is unique. That means every phone’s accelerometer will generate slightly different numbers when the phone is standing still or when it moves.
Hristo Bojinov, a security researcher at Stanford, found that a relatively simple program running on a website in the device’s mobile browser can measure those defects, and come up with a “fingerprint” for the phone. He discovered the vulnerability while he was looking for ways to identify devices via their sensors, and his results will be published in the coming months.
Bojinov ran an experiment in which users visited a website with their mobile devices, so they were willing participants. The site directed them to move the phone in a certain way (you can visit the site at http://sensor-id.com/). The code on the site records the responses of the accelerometers.
In this case the phone owners are working with the researchers, but the same code could be built into a website invisibly. The scary bit is that you wouldn’t ever know your device was “tagged.” Unlike cookies, which can be deleted, or even some kinds of spyware or malware, this kind of identifier is built into the very architecture of the phone. Every time the web browser visits a site, a program on the site can query the accelerometers and match the numbers it gets to a database.
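To make the matching step concrete, here is an added simulation (not code from the article or from Bojinov's research) showing why at-rest readings are identifying. It assumes the defect can be modeled as a constant per-axis offset plus random noise; the phone names, bias values and the `max_dist` threshold are constructed for illustration.

```python
import math
import random

G = 9.81  # m/s^2: gravity on the z axis when the phone lies flat

def at_rest_samples(bias, n, rng, noise=0.02):
    """Simulate n (x, y, z) readings from a motionless phone with a fixed bias."""
    return [(bias[0] + rng.gauss(0, noise),
             bias[1] + rng.gauss(0, noise),
             G + bias[2] + rng.gauss(0, noise)) for _ in range(n)]

def fingerprint(samples):
    """Average away the random noise; what is left is the constant offset."""
    n = len(samples)
    mx, my, mz = (sum(s[i] for s in samples) / n for i in range(3))
    return (mx, my, mz - G)

def match(fp, database, max_dist=0.01):
    """Return the enrolled id nearest to fp, or None if none is within max_dist."""
    best_id, best_d = None, max_dist
    for dev_id, known in database.items():
        d = math.dist(fp, known)
        if d < best_d:
            best_id, best_d = dev_id, d
    return best_id

# Constructed per-axis biases (m/s^2) for three hypothetical phones.
BIASES = {"phone-A": (0.031, -0.012, 0.054),
          "phone-B": (-0.020, 0.044, -0.017),
          "phone-C": (0.008, 0.019, 0.090)}

def demo(seed=1):
    rng = random.Random(seed)
    # First visit: only phones A and B end up in the site's database.
    db = {d: fingerprint(at_rest_samples(BIASES[d], 500, rng))
          for d in ("phone-A", "phone-B")}
    # Later visit: fresh readings from all three phones are matched against it.
    return {d: match(fingerprint(at_rest_samples(BIASES[d], 500, rng)), db)
            for d in BIASES}

if __name__ == "__main__":
    for phone, hit in demo().items():
        print(phone, "->", hit)
```

Although each individual reading is noisier than the differences between phones, averaging 500 readings recovers the offset precisely enough to re-identify the two enrolled phones and to reject the third as unknown, with no cookie or stored state on the device.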
Accelerometers aren’t the only sensors that can work as identifiers. Bojinov also found that the frequency response of the phone’s microphone can work in a similar way. Microphones also respond a tad differently on each device, and by looking at several frequencies it’s possible to identify an individual phone. That process is a bit different and requires that the user download an app, but the principle is similar — small differences in hardware that end up being unique.
The experiment highlights the fact that even if you take precautions with what software you put on your smartphone, there are still security holes, and that makes privacy advocates nervous. Law enforcement agencies have already made use of microphones to eavesdrop on suspects. And there are rumors the NSA can even track cell phones when they are turned off.