The signals produced by smartphones turn out to be so identifiable that it may never be possible to use one anonymously. Even basic privacy may be difficult to achieve.
Despite all the standardization and quality control that go into accelerometers and other sensors built into smartphones, each sensor contains enough tiny, unique imperfections to identify not only the physical component but also the data it records, researchers from the University of Illinois, the University of South Carolina, and Zhejiang University report.
"Even if you erase the app in the phone, or even erase and reinstall all software, the fingerprint still stays inherent," Romit Roy Choudhury, the UI associate professor of electrical engineering and computer science who led the team, said in a press release. "That's a serious threat."
By analyzing data from the accelerometers of more than 100 devices, the team was able to determine that tiny differences in the recorded data were unique to the sensor itself, rather than reflecting flaws or differences in materials or environment from a particular plant or production line.
The differences are enough to identify a particular accelerometer with 96% accuracy, Sanorita Dey, a University of Illinois graduate student and member of the research team, said in the release. "We do not need to know any other information about the phone -- no phone number or SIM card number. Just by looking at the data, we can tell you which device it's coming from. It's almost like another identifier."
The team presented its findings at the Network and Distributed System Security Symposium in February in San Diego.
Though the team looked only at accelerometers, the results suggest that data from gyroscopes, magnetometers, microphones, cameras, and other devices could also contain markers that would identify them uniquely as having been recorded with a specific device. The implication is that even consumers trying to protect their identities by refusing to share their location data, name, or other personal information might still be identified and tracked individually by apps that collect sensor data and use cloud-based applications for part of their functions.
Even a pedometer app that counts a user's steps with accelerometer data (and calculates distance travelled or calories burned by sending the data to a cloud service) not only could identify the device itself, but also could get a rough idea of its location from the cellphone towers that provide the network connection.
The team's findings confirm what a Virginia Tech team reported in September. That team found that the unique response of an accelerometer or other MEMS sensor to an electric charge is idiosyncratic enough to identify the device from which it came. The paper suggested that sensor-data fingerprints might be useful for identifying and authenticating devices attached to the Internet of Things.
Right now, Dey said, there are no regulations on app vendors collecting that data or limiting its use.
Google did build a set of controls into a beta version of Android 4.4.2 that would have allowed users to decide which apps should have access to data from sensors, address books, or other onboard resources. But the company called the inclusion of the controls "accidental," and it removed them just one day after the digital-privacy guru Peter Eckersley posted an article describing the controls, telling consumers how to use them, and praising Google for offering them.
Choudhury said that, even if broader analysis shows that the markers from an individual sensor aren't 100% unique, they are unusual enough that it would be possible to identify the device from which the data came by analyzing data from more than one sensor.
Even without access to sensor data, it's actually pretty easy to identify most smartphones. Most ship with WiFi configurations designed to make connecting to a wireless network as easy as possible for nontechnical users. That means the phones constantly probe their immediate area for wireless network access points to which they have connected before, or they connect automatically to unsecured WLANs as their owners pass by.
The volume of metadata is so rich and so potentially useful to attackers -- even without access to data from applications on the phone -- that researchers at SensePost Labs try to warn consumers about it with stunts like flying a quadcopter drone with a WiFi access point over crowds of London commuters to collect MAC addresses, network SSIDs, and geolocation data from hundreds of smartphones at a time. This data would make it relatively simple to conduct man-in-the-middle attacks or just to identify an individual smartphone by its network and location history.
It's not even necessary to get that specific or interact that much with one smartphone to identify it as unique. In June 2013, researchers at the Technical University of Dresden published a paper that said variations in the performance of the power amplifiers, oscillators, signal mixers, and other components of a cellphone radio transmitter leave patterns in the analog radio signal that become a uniquely identifiable pattern of errors after the signal is converted from analog to digital.
That makes it possible to identify and track individual phones passively by their radio "fingerprints" without doing anything but listening to them, and to identify a specific phone even if the SIM card has been replaced or its unique identifying numbers have been altered, according to Jakob Hasse, lead researcher for the paper, which was presented at an ACM Workshop.
"Our method does not send anything to the mobile phones. It works completely passively and just listens to the ongoing transmissions of a mobile phone -- it cannot be detected," Hasse told New Scientist.