SensorID, the calibration fingerprinting attack

    Over the years, app security has improved enough that developers must request permission for the areas of your smartphone that their applications need to access. Now we have some control over which apps have access to things such as your camera or extended storage. But did you know that there are still parts of your phone that require no permissions whatsoever? The average smartphone can have over a dozen sensors in it, from accelerometers and gyroscopes to proximity sensors and GPS. When these sensors are calibrated at the factory, each one comes off the line with tiny imperfections. This results in each phone having its own unique fingerprint baked right into the firmware and accessible from any application or website.

    SensorID, the calibration fingerprinting attack, uses the calibration data from iOS magnetometers and gyroscopes and Android accelerometers, magnetometers, and gyroscopes to create a unique profile of a phone. Because this type of fingerprint doesn’t change, a user could potentially be tracked across any application and on any website without ever knowing about it. The calibration data can be pulled from a device nearly instantly and requires little more than an app download or some JavaScript.

    Apple devices are disproportionately impacted by SensorID due to the more rigorous calibration processes they go through at the factory, but the good news is that Apple addressed the issue in their March release of iOS 12.2. Junk data is now added to the calibration data to eliminate the fingerprint.

    On the other hand, Google has yet to address the vulnerability, leaving some Android devices still open to this attack. It’s mainly the higher-end Android devices that are vulnerable, as the less expensive devices often skip the sensor calibration step to save on cost, so there is no calibration data on the device to exploit. Google researchers are supposedly looking into the issue.

    Even if your device is open to a calibration fingerprinting attack, there are still plenty of simpler attacks that cyber criminals (or advertisers) are more likely to leverage before one like SensorID.

    While that’s not exactly comforting, hopefully SensorID has been cut off at the pass before it could become a bigger problem.

Sources

https://nakedsecurity.sophos.com/2019/06/03/your-phones-sensors-could-be-used-as-a-cookie-you-cant-delete/

https://www.zdnet.com/article/android-and-ios-devices-impacted-by-newsensor-calibration-attack/

https://www.ieee-security.org/TC/SP2019/papers/405.pdf