Tracking Mobile Web Users Through Motion Sensors: Attacks and Defenses

Modern smartphones contain motion sensors, such as accelerometers and gyroscopes. These sensors have many useful applications; however, they can also be used to uniquely identify a phone by measuring anomalies in the signals, which are a result of manufacturing imperfections. Such measurements can be conducted surreptitiously by web page publishers or advertisers and can thus be used to track users across applications, websites, and visits. We analyze how well sensor fingerprinting works under realworld constraints. We first develop a highly accurate fingerprinting mechanism that combines multiple motion sensors and makes use of inaudible audio stimulation to improve detection. We evaluate this mechanism using measurements from a large collection of smartphones, in both lab and public conditions. We then analyze techniques to mitigate sensor fingerprinting either by calibrating the sensors to eliminate the signal anomalies, or by adding noise that obfuscates the anomalies. We evaluate the impact of calibration and obfuscation techniques on the classifier accuracy; we also look at how such mitigation techniques impact the utility of the motion sensors.

[1]  Hovav Shacham,et al.  Fingerprinting Information in JavaScript Implementations , 2011 .

[2]  S. Nasiri,et al.  DEVELOPMENT OF HIGH-PERFORMANCE, HIGH-VOLUME CONSUMER MEMS GYROSCOPES , 2010 .

[3]  Nikita Borisov,et al.  Do You Hear What I Hear?: Fingerprinting Smart Devices Through Embedded Acoustic Components , 2014, CCS.

[4]  Marco Gruteser,et al.  Wireless device identification with radiometric signatures , 2008, MobiCom '08.

[5]  Arun Ross,et al.  Information fusion in biometrics , 2003, Pattern Recognit. Lett..

[6]  Gabi Nakibly,et al.  Mobile Device Identification via Sensor Fingerprinting , 2014, ArXiv.

[7]  Urs Hengartner,et al.  Two Novel Defenses against Motion-Based Keystroke Inference Attacks , 2014, ArXiv.

[8]  Xiangyu Liu,et al.  Acoustic Fingerprinting Revisited: Generate Stable Device ID Stealthily with Inaudible Sound , 2014, CCS.

[9]  L. E. Langley,et al.  Specific emitter identification (SEI) and classical parameter fusion technology , 1993, Proceedings of WESCON '93.

[10]  Cynthia Dwork,et al.  Differential Privacy , 2006, ICALP.

[11]  Mani Mina,et al.  Device Identification via Analog Signal Fingerprinting: A Matched Filter Approach , 2006, NDSS.

[12]  Guy Lapalme,et al.  A systematic analysis of performance measures for classification tasks , 2009, Inf. Process. Manag..

[13]  Wouter Joosen,et al.  PriVaricator: Deceiving Fingerprinters with Little White Lies , 2015, WWW.

[14]  Sneha Kumar Kasera,et al.  Robust location distinction using temporal link signatures , 2007, MobiCom '07.

[15]  M. Riezenman Cellular security: better, but foes still lurk , 2000 .

[16]  Wouter Joosen,et al.  You are what you include: large-scale evaluation of remote javascript inclusions , 2012, CCS.

[17]  Gabi Nakibly,et al.  Gyrophone: Recognizing Speech from Gyroscope Signals , 2014, USENIX Security Symposium.

[18]  Frank Piessens,et al.  FPDetective: dusting the web for fingerprinters , 2013, CCS.

[19]  Claude Castelluccia,et al.  On the uniqueness of Web browsing history patterns , 2014, Ann. des Télécommunications.

[20]  Tzi-cker Chiueh,et al.  Sequence Number-Based MAC Address Spoof Detection , 2005, RAID.

[21]  Hovav Shacham,et al.  Pixel Perfect : Fingerprinting Canvas in HTML 5 , 2012 .

[22]  Rong Zheng,et al.  Device fingerprinting to enhance wireless security using nonparametric Bayesian method , 2011, 2011 Proceedings IEEE INFOCOM.

[23]  Peter Eckersley,et al.  How Unique Is Your Web Browser? , 2010, Privacy Enhancing Technologies.

[24]  Wenyuan Xu,et al.  AccelPrint: Imperfections of Accelerometers Make Smartphones Trackable , 2014, NDSS.

[25]  Gavin Brown,et al.  Conditional Likelihood Maximisation: A Unifying Framework for Information Theoretic Feature Selection , 2012, J. Mach. Learn. Res..

[26]  Simon A. Cole,et al.  Suspect Identities , 2001 .

[27]  Nikita Borisov,et al.  Exploring Ways To Mitigate Sensor-Based Smartphone Fingerprinting , 2015, ArXiv.

[28]  Donald F. Towsley,et al.  Estimation and removal of clock skew from network delay measurements , 1999, IEEE INFOCOM '99. Conference on Computer Communications. Proceedings. Eighteenth Annual Joint Conference of the IEEE Computer and Communications Societies. The Future is Now (Cat. No.99CH36320).

[29]  김정민,et al.  Cubic Spline Interpolation을 이용한 얼굴 영상의 단순화 , 2010 .

[30]  Desmond Loh Chin Choong,et al.  Identifying unique devices through wireless fingerprinting , 2008, WiSec '08.

[31]  T. Kohno,et al.  Remote physical device fingerprinting , 2005, 2005 IEEE Symposium on Security and Privacy (S&P'05).

[32]  Arvind Narayanan,et al.  The Web Never Forgets: Persistent Tracking Mechanisms in the Wild , 2014, CCS.

[33]  Damon McCoy,et al.  Passive Data Link Layer 802.11 Wireless Device Driver Fingerprinting , 2006, USENIX Security Symposium.

[34]  Wenyuan Xu,et al.  Securing wireless systems via lower layer enforcements , 2006, WiSe '06.