Sensors in your phone that collect seemingly harmless data could leave you vulnerable to cyber attack, according to new research. And saying no to apps that ask for your location is not enough to prevent the tracking of your device.
A new study has found evidence that accelerometers—which sense motion in your smartphone and are used for applications from pedometers to gaming—leave “unique, trackable fingerprints” that can be used to identify you and monitor your phone. Here’s how it works, according to University of Illinois electrical and computer engineering professor Romit Roy Choudhury and his team: Tiny imperfections during the manufacturing process make a unique fingerprint on your accelerometer data. The researchers compared it to cutting out sugar cookies with a cookie cutter—they may look the same, but each one is slightly, imperceptibly different.
When that data is sent to the cloud for processing, your phone’s particular signal can be used to identify you. In other words, the same data that helps you control Flappy Bird can be used to pinpoint your location. Choudhury’s team was able to identify individual phones with 96% accuracy. “Even if you erase the app in the phone, or even erase and reinstall all software,” Choudhury said in a press release, “the fingerprint still stays inherent. That’s a serious threat.”
Moreover, Choudhury suggested that other sensors might be just as vulnerable: Cameras, microphones, and gyroscopes could be leaving their smudgy prints all over the cloud as well, making it even easier for crooks to identify a phone. “Imagine that your right hand fingerprint, by some chance, matches with mine,” Choudhury said. “But your left-hand fingerprint also matching with mine is extremely unlikely. So even if accelerometers don’t have unique fingerprints across millions of devices, we believe that by combining with other sensors such as the gyroscope, it might still be possible to track a particular device over time and space.”
There’s not much that can be done to address this issue at this point, Choudhury said. It’s basically impossible to manufacture millions of cellphone components without each one being the tiniest bit unique, and there’s no good way to mask these signals to attackers. One way of maintaining privacy would be to cut off the flow of data from smartphones to the cloud—so, giving apps processed information instead of raw data to send to the cloud for processing would do the trick. But today’s mobile devices lack the processing power (and battery capacity) to do so.
So for now, this just serves as yet another reminder that even innocuous, seemingly anonymous data is information that can be exploited.