Their findings have been backed by other industry experts, who agree this opens up a new attack technique against mobile device users.
The University of Illinois-led team tested more than 100 'accelerometer' motion detector chips, including 80 individual chips used in the latest smartphones and tablets such as the Samsung Galaxy S III and Kindle Fire, along with 25 Android phones across five ranges – the Nexus One, Nexus S, Samsung Galaxy Nexus, Samsung Galaxy S3 and HTC Incredible Two – and two tablets, the HTC MyTouch and Samsung Galaxy Tab 2.
They found that tiny manufacturing imperfections in the chips – which are used for screen rotation, recognising user gestures, and apps like motion-enabled games or fitness monitoring – produce different responses to the same motion. This provided a near-unique 'fingerprint' for each device even in “real, uncontrolled environments”.
The researchers examined more than 5,000 sensor traces and recorded a 96 percent success rate in identifying the chips and devices, concluding: “Smartphone/tablet accelerometers possess unique fingerprints, which can be exploited for tracking users. As standard components inside smartphones and tablets, accelerometers' fingerprints create new threats in mobile apps — tracking users without cookies or device IDs.”
The researchers say the main threat is from advertisers. With more than 700,000 apps available in Google Play and the App Store, most of them offered for free with ads, advertisers are seeking to track users and their online habits, posing a threat to privacy.
They say: “An accelerometer fingerprint can serve as an electronic cookie, empowering an adversary to consolidate data per user, and track them over space and time. Alarmingly, such a cookie is hard to erase, unless the accelerometer wears out to the degree that its fingerprint becomes inconsistent. We have not noticed any evidence of this in the nine months of experimentation with 107 accelerometers.”
They added: “Our attempts to scrub off the fingerprint (without affecting the high level functions such as step-count) did not meet immediate success.”
Analysing their findings, smartphone expert Rob Miller, a security consultant at MWR InfoSecurity, agreed that blocking such attacks would be difficult.
He told SCMagazineUK.com via email: “A user preventing the attack basically has to not install apps, especially those with advertising libraries as it wouldn't be obvious from the Google Play store that an app has this behaviour. It would need to be prevented at the operating system level, which would be difficult for Google/Apple/Microsoft to do well.”
Miller added: “A user *may* be able to prevent this through advanced behaviour such as rooting their device and using custom software but this is advanced behaviour and there probably isn't a great deal of benefit.”
Paco Hope, principal consultant with software security consulting firm Cigital, said the research “looks legit and interesting”.
He told SC: “There are lots of different ways to uniquely identify a device. The motion sensors are especially interesting because, at the moment, they don't require special permissions. We saw the same thing with IMEI numbers a few years back. Apple's response was to prevent apps from accessing that value entirely.
“The right answer in this case is probably similar: apply counter-measures to anonymise the signature of the sensors. We could ask the user for permission, but users rarely understand the implications of choices like that.
“From the user's perspective, asking permission becomes a binary question: allow this app to violate your privacy and you get to play with the dancing pigs, or don't allow it and you can't. People will choose dancing pigs every time. We have to make a secure choice for the user without impairing the valuable use of the sensors.”
The researchers focused on the threat from advertisers. Asked if the flaw could also be used by cyber criminals or spies, Miller said: “Anyone who can get you to install an app onto the device could do it. But if the user suddenly started using a new phone or a friend's phone, the technique wouldn't tell you that. It's probably therefore of less use. I can't see an immediate cybercriminal angle to it and I'm sure espionage teams have far better techniques available.”
The researchers believe the technique can scale up to allow large numbers of different 'fingerprints' and users to be detected, but have not yet tested this. They added: “To the best of our knowledge, this is the first work to attempt device identification based on fingerprints of accelerometers.”
The paper, 'AccelPrint: Imperfections of Accelerometers Make Smartphones Trackable', was produced by Sanorita Dey, Nirupam Roy and Romit Roy Choudhury of the University of Illinois, and Wenyuan Xu and Srihari Nelakuditi from the University of South Carolina.