Fingerprinting iPhones with the built-in gyroscope

Graham Cluley


Researchers at Cambridge University have found an ingenious way to uniquely identify iPhones and iPads by examining data gathered from a device’s accelerometer, gyroscope and magnetometer sensors.

Rather like the already known issue of browser fingerprinting, distinctive signatures derived from a smartphone’s sensors could be gathered in what the boffins are calling a “calibration fingerprinting attack”.

In research presented this week at the IEEE Symposium on Security and Privacy 2019, the researchers claim:

  • The attack can be launched by any website you visit or any app you use on a vulnerable device without requiring any explicit confirmation or consent from you.
  • The attack takes less than one second to generate a fingerprint.
  • The attack can generate a globally unique fingerprint for iOS devices.
  • The calibration fingerprint never changes, even after a factory reset.
  • The attack provides an effective means to track you as you browse across the web and move between apps on your phone.

In short, as you surf the web you could be tracked without your knowledge. Even a factory reset of your smartphone won’t change its fingerprint.

One of the researchers, Dr Alastair Beresford, told The Register that Apple devices were, ironically, more at risk than most Android devices because of the iPhone and iPad’s greater accuracy.

The researchers informed Apple of the problem, and iOS users are advised that they can mitigate the attack by updating their devices to iOS 12.2, which by default removes access to motion sensors from Mobile Safari.

Graham Cluley is a veteran of the anti-virus industry, having worked for a number of security companies since the early 1990s, when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.
