When you visit a website, your web browser provides a range of information to the site, including the name and version of the browser, the fonts installed, and so on. Website authors can use this information to improve the service they provide, but it can also be used to track you by generating a distinctive signature, or device fingerprint, that identifies you.
A device fingerprint allows websites to detect your return visits or track you as you browse from one website to the next across the Internet. Such techniques can be used to protect against identity theft or credit card fraud, but also allow advertisers to monitor your activities and build a user profile of the websites you visit (and therefore a view into your personal interests). Browser vendors have long worried about the potential privacy invasion from device fingerprinting and have included measures to prevent such tracking. For example, on iOS, the Mobile Safari browser uses Intelligent Tracking Prevention to restrict the use of cookies, prevent access to unique device settings, and eliminate cross-domain tracking.
We have developed a new type of fingerprinting attack, the calibration fingerprinting attack. Our attack uses data gathered from the accelerometer, gyroscope and magnetometer sensors found in smartphones to construct a globally unique fingerprint. Overall, our attack has the following advantages:
The attack can be launched by any website you visit or any app you use on a vulnerable device without requiring any explicit confirmation or consent from you.
The attack takes less than one second to generate a fingerprint.
The attack can generate a globally unique fingerprint for iOS devices.
The calibration fingerprint never changes, even after a factory reset.
The attack provides an effective means to track you as you browse across the web and move between apps on your phone.
By Jiexin Zhang, Alastair R. Beresford and Ian Sheret