Every Move You Make: Exploring Practical Issues in Smartphone Motion Sensor Fingerprinting and Countermeasures

Open access

Abstract

The ability to track users’ activities across different websites and visits is a key tool in advertising and surveillance. The HTML5 DeviceMotion interface creates a new opportunity for such tracking via fingerprinting of smartphone motion sensors. We study the feasibility of carrying out such fingerprinting under real-world constraints and on a large scale. In particular, we collect measurements from several hundred users under realistic scenarios and show that the state-of-the-art techniques provide very low accuracy in these settings. We then improve fingerprinting accuracy by changing the classifier as well as incorporating auxiliary information. We also show how to perform fingerprinting in an open-world scenario where one must distinguish between known and previously unseen users.

We next consider the problem of developing fingerprinting countermeasures; we evaluate the usability of a previously proposed obfuscation technique and a newly developed quantization technique via a large-scale user study. We find that both techniques are able to drastically reduce fingerprinting accuracy without significantly impacting the utility of the sensors in web applications.

