Web application security course specialists have published a proof of concept for a new attack variant known as “calibration fingerprinting”, which uses sensor data from Apple devices to generate a fingerprint that is unique to each mobile device user in the world. According to the experts, this gives threat actors a highly effective way to collect data on and track smartphone users.
In their proof of concept, the experts showed that data collected from a smartphone's accelerometer, gyroscope, and magnetometer can be used to generate a fingerprint in less than a second. This fingerprint will always be the same; not even resetting the smartphone to its factory settings would affect it.
Experts say that the attack can be launched from any malicious website through a web browser, as well as through any mobile application, without the need for the user to grant any permission.
This attack is possible on Apple devices because of a security flaw in the iOS 12.1 operating system and earlier versions. Web application security course experts recommend that users upgrade to the latest version of the OS available for their devices. According to the experts, it is also possible to deploy this attack against Google’s Pixel smartphones, although the company has not commented on it.
A device fingerprint allows the websites a user visits to detect subsequent visits by the same user. It also supports some tracking functions and helps protect users against some variants of identity fraud or payment card theft. Some companies use this function for targeted advertising campaigns.
Web application security course experts found that it is possible to bypass these protection mechanisms on any iOS device running version 12.2 and earlier, thanks to the “micro fabrication” method of building motion sensors in modern smartphones.
According to the specialists from the International Institute of Cyber Security (IICS), a first measure of protection against this attack variant is to use privacy-focused mobile browsers, where access to the device’s motion sensors can be disabled.