Researchers at Cambridge University have found an ingenious way to uniquely identify iPhones and iPads by examining data gathered from a device’s accelerometer, gyroscope and magnetometer sensors.
Rather like the already known issue of browser fingerprinting, distinctive signatures derived from a smartphone’s sensors could be gathered in what the boffins are calling a “calibration fingerprinting attack”.
In research presented this week at the IEEE Symposium on Security and Privacy 2019, the researchers claim:
- The attack can be launched by any website you visit or any app you use on a vulnerable device without requiring any explicit confirmation or consent from you.
- The attack takes less than one second to generate a fingerprint.
- The attack can generate a globally unique fingerprint for iOS devices.
- The calibration fingerprint never changes, even after a factory reset.
- The attack provides an effective means to track you as you browse across the web and move between apps on your phone.
In short, as you surf the web you could be tracked without your knowledge. Even a factory reset of your smartphone won’t change its fingerprint.
One of the researchers, Dr Alastair Beresford, told The Register that Apple devices were, ironically, more at risk than most Android devices because of the iPhone and iPad’s greater accuracy.
The researchers informed Apple of the problem, and iOS users are advised that they can mitigate the attacks by updating their devices to iOS 12.2, which by default removes access to motion sensors from Mobile Safari.