Researchers at the University of Cambridge can spy on users by hacking embedded sensors on iPhones and Pixel smartphones made by Google. For Apple, it took several months to correct the flaw. At Android, we have not reacted yet.
A team of researchers from the University of Cambridge in the United Kingdom has discovered a technique that tracks users’ activity on their smartphone or tablet, both on the web and through applications. This technique, called SensorID, does not require any special authorization and is based on the factory calibration of the sensors of the device.
Some manufacturers calibrate sensors on their mobile devices in the plant to improve accuracy. This concerns the gyroscope and the magnetometer on Apple mobile devices and Android devices, plus the accelerometer on them. The researchers discovered that it was possible to access calibration information on all these devices to create a unique identifier without any special authorization, as soon as the method uses an application or visits a website.
A unique fingerprint that can not be reset
This identifier, an exact imprint of the device, could be used by advertisers to target their ads. There are already some techniques that create ids to track users, but SensorID has the distinction of being freely accessible both from an application and via a website, and of being impossible to change. Even a complete reset of the smartphone does not affect the factory calibration.
Currently, researchers are not aware of using the SensorID to track users. However, the calibration information is freely accessible and is collected by at least 2,653 sites among the top 100,000 most visited websites in the Alexa rankings.
An update for iOS, Android still exposed
Apple systematically calibrating the sensors of iPhone, iPad and iPod Touch, all recent iOS devices are concerned, namely the iPhone models from the iPhone 5s, the iPad Air and newer, and the iPod Touch 6 e generation or more. Android side, this practice is much less common and mainly concerns more high-end devices.
Researchers only had access to a small number of Android smartphones, and most were not compatible with this technique. They were able, however, to create a unique identifier with Google’s Pixel 2 and 3, and did not indicate which other models were tested. It is therefore impossible to know for the moment which Android devices are concerned apart from the two pixels.
The researchers warned, as early as August 2018, that Apple released a fix in March with the update of iOS 12.2. So make sure you have updated your device to be protected. Google was notified in December 2018 and, for now, says lead the investigation, but has not yet released a fix. Therefore, it is currently impossible for Android users to know if they are affected or how to fix this vulnerability.