device calibration of accelerometers may reveal precise hardware fingerprint #54

Closed
npdoty opened this issue Feb 13, 2020 · 1 comment · Fixed by #82
Labels
privacy-needs-resolution Issue the Privacy Group has raised and looks for a response on.


npdoty commented Feb 13, 2020

This paper focuses on orientation sensors, but also notes a similar risk in accelerometer sensors for at least some devices:
Zhang, Jiexin, Alastair R. Beresford, and Ian Sheret. “SensorID: Sensor Calibration Fingerprinting for Smartphones.” In 2019 IEEE Symposium on Security and Privacy (SP), 638–55. San Francisco, CA, USA: IEEE, 2019. https://doi.org/10.1109/SP.2019.00072.

High-resolution reporting of accelerometer values may provide an attacker access to the factory-set calibration of the sensor, which is a persistent, cross-origin identifier allowing for device fingerprinting. This is a serious privacy concern.

Based on related concerns noted in device orientation, specifying a particular rounding threshold for this API may mitigate the threat for all (or almost all) devices. Paul Jensen recommends rounding to 0.1 m/s^2. Currently the spec doesn't speak to precision, except through use of the double datatype.

This is a separate attack from the AccelPrint work that's already been cited in the Generic Sensor API, but it's possible the attack and potential mitigations are related. (The AccelPrint paper doesn't seem to quite get into what all the sources of the fingerprint are or what methods are sufficient mitigation.)
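
The rounding mitigation proposed in the comment above, as an added example that is not part of the original issue or of the spec: a quantizer for the 0.1 m/s^2 threshold and a check that its output grid no longer depends on the device. The function names, the two gain values, the ADC count range and the one-axis "count times gain" model are assumptions constructed for illustration.

```javascript
// Added illustration; gains, counts and the sensor model are constructed, not measured.
const STEPS_PER_UNIT = 10; // 1 / 0.1 m/s^2, the rounding threshold proposed in the issue

// Round one axis to the nearest 0.1 m/s^2. Scaling by an integer avoids
// results such as 0.30000000000000004, and "+ 0" normalizes -0 to 0.
function quantize(value) {
  if (!Number.isFinite(value)) return value; // null / NaN axes pass through unchanged
  return Math.round(value * STEPS_PER_UNIT) / STEPS_PER_UNIT + 0;
}

// Apply the rounding to an {x, y, z} reading before it is exposed to script.
function quantizeReading({ x, y, z }) {
  return { x: quantize(x), y: quantize(y), z: quantize(z) };
}

// Simplified one-axis model (assumption): reported value = integer ADC count * per-device gain.
function simulateAxis(gain, firstCount, lastCount) {
  const out = [];
  for (let c = firstCount; c <= lastCount; c++) out.push(c * gain);
  return out;
}

// Smallest gap between distinct reported values. In the model above this gap
// equals the per-device gain, so it serves as the leak metric for the check.
function minStep(values) {
  const sorted = [...new Set(values)].sort((a, b) => a - b);
  let min = Infinity;
  for (let i = 1; i < sorted.length; i++) min = Math.min(min, sorted[i] - sorted[i - 1]);
  return Number(min.toFixed(7));
}

// Two constructed devices whose factory gains differ in the sixth decimal place.
const DEVICE_A_GAIN = 0.0023942;
const DEVICE_B_GAIN = 0.0024017;

// Compare the output grid of each device before and after rounding.
function compareDevices() {
  const a = simulateAxis(DEVICE_A_GAIN, 4000, 4100);
  const b = simulateAxis(DEVICE_B_GAIN, 4000, 4100);
  return {
    rawA: minStep(a),                    // device-specific
    rawB: minStep(b),                    // device-specific
    roundedA: minStep(a.map(quantize)),  // fixed 0.1 grid
    roundedB: minStep(b.map(quantize)),  // fixed 0.1 grid
  };
}
```

With full double precision the two devices report on visibly different grids, while the rounded readings of both fall on the same 0.1 grid.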

@reillyeon
Member

Discussed at the TPAC 2024 F2F. We think this and #57 are the same issue. @anssiko will be resolving that issue by adding a normative requirement similar to the mitigation in [DEVICE-ORIENTATION].

anssiko added a commit that referenced this issue Oct 8, 2024
This mitigates sensor calibration fingerprinting [SENSORID] and
other similar attacks per W3C Privacy Interest Group's recommendation.

Fix #54
Fix #57
anssiko added a commit that referenced this issue Oct 8, 2024
This mitigates sensor calibration fingerprinting [SENSORID] and
attacks that rely on high precision sensor readings per
W3C Privacy Interest Group's recommendation.

Fix #54
Fix #57
anssiko added a commit that referenced this issue Oct 9, 2024
This mitigates sensor calibration fingerprinting [SENSORID] and
attacks that rely on high precision sensor readings per
W3C Privacy Interest Group's recommendation.

Fix #54
Fix #57