Minute manufacturing imperfections in popular accelerometers cause that hardware to emit uniquely identifiable data that could give third parties the ability to single out specific mobile devices, regardless of any privacy protections deployed on them.

In a paper published by the University of South Carolina and the University of Illinois’ systems network research group, researchers say that each accelerometer has its own fingerprint. Thus, when presented with the same stimuli, each sensor chip responds in a slightly different way.

“The differences in responses are subtle enough that they do not affect most of the higher-level functions computed on them,” the group claims. “Nonetheless, upon close inspection, these fingerprints emerge with consistency, and can even be somewhat independent of the stimulus that generates them.”

If this research were to stand outside the lab, it would have enormous implications in the ever-growing mobile advertising industry. That industry is largely supported by the sale of information collected about specific users to third-party ad firms that then use the information to generate tailored advertisements.

One of the researchers involved in this work, Romit Roy Choudhury, told MIT Technology Review editor David Talbot that applications can measure accelerometer data without permission – even if they are not permitted to access personal information or location data.

In their study – which examined 80 stand-alone accelerometer chips, 25 Android devices, and two tablets – the researchers were able to discern the correct device or chip 96 percent of the time simply by examining the data it output.

These fingerprints along with a crowd-sourced, cloud-based application, the paper asserts, could segregate any accelerometer-containing device from any other similarly outfitted device. This, in turn, would enable the possibility of tracking specific user-devices – and thus specific users – over space and time. Whether for malicious or commercial purposes, the researchers claim that such tracking would be trivial to perform and almost impossible to counteract.

An accelerometer is a device that measures acceleration. In this context though, an accelerometer refers to the hardware built into mobile and other devices that determines device orientation and displays the user interface accordingly.

As noted in their conclusion, the reason manufacturing imperfections exist in accelerometer chips has to do with the central component of this hardware: an electro-mechanical moving part built into every accelerometer that is the key to its functioning. These moving parts are susceptible to manufacturing imperfections that cause them to display diverse behaviors, though this diversity is not particularly conspicuous.

“However, when the properties of these imperfections are deliberately extracted, they lead to a sensor fingerprint, adequate to identify a device, and even an user,” the researchers concluded. “Our results on 80 standalone accelerometer chips, 25 Android phones, and 2 tablets offer confidence that such fingerprints exist, and are visible even in real, uncontrolled environments.”

The research group next plans to test their experiment further in a commercial-grade evaluation before seeking out ways to scrub accelerometer hardware of these fingerprints.
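To make the idea concrete, the simulation below is an added example, not code from the paper or its authors. It assumes a simple per-chip bias-and-gain error model with constructed values and a hypothetical "scrub" step (per-session random gain and offset); the paper's actual features and any real mitigation are not described on this page.

```python
import math
import random
import statistics

# Constructed chips: (bias in m/s^2, gain). Assumed error model, not from the paper.
CHIPS = {"chip_a": (0.050, 1.020), "chip_b": (0.020, 0.990),
         "chip_c": (-0.010, 1.000), "chip_d": (-0.040, 1.010),
         "chip_e": (0.080, 0.980)}
NOISE_SD = 0.01   # per-sample measurement noise (constructed)
SAMPLES = 500     # samples per trace

def stimulus():
    """Identical vibration applied to every chip: 10 whole sine periods."""
    return [math.sin(2 * math.pi * 10 * i / SAMPLES) for i in range(SAMPLES)]

def read_trace(chip, rng, scrub=False):
    """What an app observes; scrub=True adds per-session random gain/offset."""
    bias, gain = CHIPS[chip]
    s_gain, s_off = ((rng.uniform(0.9, 1.1), rng.uniform(-0.5, 0.5))
                     if scrub else (1.0, 0.0))
    return [s_gain * (gain * x + bias + rng.gauss(0, NOISE_SD)) + s_off
            for x in stimulus()]

def features(trace):
    """Fingerprint: mean tracks the bias, standard deviation tracks the gain."""
    return (statistics.fmean(trace), statistics.pstdev(trace))

def identify(trace, enrolled):
    """Return the enrolled chip whose fingerprint is nearest to this trace."""
    f = features(trace)
    return min(enrolled, key=lambda c: math.dist(f, enrolled[c]))

def accuracy(scrub, trials=20, seed=1):
    """Enroll each chip once, then measure how often fresh traces are matched."""
    rng = random.Random(seed)
    enrolled = {c: features(read_trace(c, rng, scrub)) for c in CHIPS}
    hits = sum(identify(read_trace(c, rng, scrub), enrolled) == c
               for c in CHIPS for _ in range(trials))
    return hits / (len(CHIPS) * trials)

if __name__ == "__main__":
    print("raw sensor output:     ", accuracy(scrub=False))
    print("randomised per session:", accuracy(scrub=True))
```

With raw output every trace is matched to its chip, because the imperfections are far larger than the averaged noise; once the randomisation exceeds the spread between chips, matching falls to roughly chance.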

You can find the full (and mathematically dense) research paper here [PDF] along with some slides here [PDF].

Categories: Mobile Security, Privacy
