Researchers at Cambridge University’s Computer Laboratory have developed a fingerprinting attack that allows iOS and Android devices to be tracked across the internet.

When you visit a website, your web browser provides a range of information to the website, including the name and version of your browser, screen size, fonts installed, and so on. This information can be used to track you by generating generate a distinctive signature, or device fingerprint, to identify you.

A device fingerprint allows websites to detect your return visits or track you as you browse from one website to the next across the Internet. Such techniques can be used to protect against identity theft or credit card fraud, but also allow advertisers to monitor your activities and build a user profile of the websites you visit (and therefore a view on your personal interests). Browser vendors have long worried about the potential privacy invasion from device fingerprinting and have included measures to prevent such tracking. For example, on iOS, the Mobile Safari browser uses Intelligent Tracking Prevention to restrict the use of cookies, prevent access to unique device settings, and eliminate cross-domain tracking.

In a paper presented on 21st May at IEEE Symposium on Security and Privacy 2019 (IEEE S&P'19), security researchers described how they developed a new type of fingerprinting attack, the calibration fingerprinting attack. Their attack uses data gathered from the accelerometer, gyroscope and magnetometer sensors found in smartphones to construct a globally unique fingerprint.

Their attack can be launched by any website you visit or any app you use on a vulnerable device without requiring any explicit confirmation or consent from you. It takes less than one second to generate a fingerprint, and can generate a globally unique fingerprint for iOS devices. In addition, the calibration fingerprint never changes, even after a factory reset. This means that such a potential attack provides an effective means to track you as you browse across the web and move between apps on your phone.

The researchers took advantage of the per-device factory calibration data which manufacturers embed into the firmware of the smartphone to compensate for systematic manufacturing errors. This calibration data when used as the fingerprint. They found that the gyroscope and magnetometer on iOS devices are factory calibrated and the calibration data differs from device to device. In addition, they also found that the accelerometer of Google Pixel 2 and Pixel 3 can also be fingerprinted by their approach.

The exploitation of this vulnerability requires no special permission from the user.

The researchers determined that Safari, Chrome, Firefox, Opera, Brave and Firefox Focus are all vulnerable to their attack.

Following our disclosure, Apple has patched this vulnerability in iOS 12.2. If you have an iPhone and have not updated to 12.2, it would be a good idea to do so now.

They also informed Google in December 2018 and Google is currently “investigating the issue”. Thus far, Google hasn’t released a patch.

Android phones are generally less susceptible to attack because many of them are lower level phones that do not have calibrated sensors. The researchers were only able to test a small number of Android phones and, with a notable exception, were unable to create a fingerprint from the phones they tested.

To prevent this fingerprinting attack, the researchers recommend the addition of uniformly distributed random noise to the output of the sensor before any calibration is applied or round the calibrated sensor output to the nearest multiple of nominal gain.

The researchers know of no cases where the attack they’ve demonstrated has been exploited in the wild. However, they also point out that the sensor data that’s the basis for the attack is easily accessed and is known to be gathered by at least 2,653 of Alexa’s top 100,000 websites.