Any kind of ability to sample data from a device should be thoroughly analyzed for fingerprinting side-channels as part of the underlying specification as a mandatory section. Is this not actually done?
Is there any kind of similar calibration that is done on the camera sensor (e.g. for color correction) that can be teased out of the resultant image files? What about in RAW mode?
How about a sound recording? Does the microphone have any kind of correction factors you might be able to observe somehow?
Similarly for color temperature of the screen. Maybe there is an unexpected side-channel to get at those correction values as well, although this one seems trickier because how would you sample the screen output remotely?
Apparently, prior to iOS 12.2, Apple did not require the user to grant a website permission to access motion & orientation sensor data. They have since introduced an off-by-default toggle to globally enable access to this sensor data. Unfortunately, it seems to be all-or-nothing - if you want to allow any site access to this data, you need to allow every site access to this data. Hopefully this is a temporary band-aid fix and Apple will introduce per-site permission a la camera/microphone/location permission prompts.
I wonder if any other data sources exist which don’t require user permission.
There really should not. Apple should know better than this and give these sensors the same permission requirements as direct GPS location, i.e. per app / per website.
To be fair, Apple had a 129-day head start, and took 234 days to issue a fix:
> How did vendors respond to this attack?
> We followed a coordinated disclosure procedure and reported this vulnerability to Apple on 3rd August 2018. On iOS 12.2, Apple adopted our suggestion and added random noise to the ADC outputs (CVE-2019-8541). Apple also removed access to motion sensors from Mobile Safari by default. This vulnerability was disclosed to Google on 10th December 2018. Google has contacted us and is investigating this issue.
> In the case of iOS devices, the SensorID includes both the calibration fingerprint of the gyroscope (GyroID) and magnetometer (MagID). In the case of Google Pixel 2 and 3, the SensorID includes the calibration fingerprint of the accelerometer (AccelID).
You can also stop websites from doing this by turning off JS in browsers like Firefox Focus or using something like NoScript.
> We only have access to a few Pixel devices, and therefore we are unable to perform the same analysis as we have done on iOS devices to determine whether the fingerprint we obtain for Pixel devices is globally unique or not. The IMU in other Android devices is also likely factory calibrated but the calibration is typically restricted to offsets (i.e., bias compensation). Our approach targets the gain matrix and cannot recover bias compensation.
If you want "to be fair", why not mention all these details too?
Hopefully the random value isn’t being changed for each sample, but every minute or hour or such.
They can only add so much noise before impacting the actual results, right?
Recall that our approach to recover the gain matrix is based on the fact that the values in the ADC output, A, are all integers. This property allows us to recover the values of ΔA using Equation 6. However, if we add random noise ε ∈ R^(3×1), drawn from the uniform distribution in the range [−0.5, 0.5], to each ADC output A, then we have:

O = G(A + ε) + B (12)
Alternatively, we could round the factory calibrated sensor output to the nearest multiple of the nominal gain to prevent recovering the gain matrix. This approach is more practical to apply and it does not require knowing the gain matrix in advance. Therefore, mobile browsers can adopt this approach to protect user privacy.
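A single-axis simulation of the two mitigations quoted above, added here as an illustration and not taken from the paper or any vendor's code: the factory calibration O = G·A + B on integer ADC counts, then either uniform noise on A (Equation 12) or rounding O to a multiple of the nominal gain. All values (nominal LSB size, device gains, bias, ADC samples) are constructed.

```python
import random

# Constructed datasheet LSB size; a power of two so multiples are exact in float.
NOMINAL_GAIN = 1 / 16384
# Two constructed devices whose factory-measured gains differ from nominal by ~1%.
GAIN_A, GAIN_B = 1.013 * NOMINAL_GAIN, 0.991 * NOMINAL_GAIN
BIAS = 0.3 * NOMINAL_GAIN
# Constructed raw integer ADC readings from one axis (includes a +1 step).
ADC_SAMPLES = [16380, 16381, 16383, 16383, 16379, 16386, 16385, 16385, 16382, 16381]

def calibrated(samples, gain, bias, noise=None, round_to=None):
    """Apply O = gain*A + bias to integer ADC samples.
    noise:    random.Random used to add eps ~ U[-0.5, 0.5] to each A first
              (the Equation 12 mitigation).
    round_to: snap O to the nearest multiple of this value (the nominal-gain
              rounding mitigation)."""
    out = []
    for a in samples:
        a_eff = a + (noise.uniform(-0.5, 0.5) if noise else 0.0)
        o = gain * a_eff + bias
        if round_to is not None:
            o = round(o / round_to) * round_to
        out.append(o)
    return out

def smallest_step(outputs):
    """Smallest positive difference between consecutive outputs. Because A is
    integer, on unprotected output this equals the device-specific gain, which
    is exactly the quantity the calibration fingerprint is built from."""
    steps = sorted(abs(y - x) for x, y in zip(outputs, outputs[1:]) if y != x)
    return steps[0] if steps else None

def leaks_gain(outputs, true_gain, rel_tol=1e-6):
    """True if the smallest step reveals the device's actual gain."""
    step = smallest_step(outputs)
    return step is not None and abs(step - true_gain) <= rel_tol * true_gain

def compare_mitigations(seed=7):
    """For each device, report whether raw, noisy and rounded outputs leak the gain."""
    report = {}
    for name, gain in (("A", GAIN_A), ("B", GAIN_B)):
        raw = calibrated(ADC_SAMPLES, gain, BIAS)
        noisy = calibrated(ADC_SAMPLES, gain, BIAS, noise=random.Random(seed))
        rounded = calibrated(ADC_SAMPLES, gain, BIAS, round_to=NOMINAL_GAIN)
        report[name] = {"raw": leaks_gain(raw, gain), "noisy": leaks_gain(noisy, gain),
                        "rounded": leaks_gain(rounded, gain),
                        "rounded_step": smallest_step(rounded)}
    return report
```

After rounding, both devices show the same smallest step (the nominal gain), so their outputs are no longer distinguishable by this property; the noise variant removes the integer structure instead.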
It will not stop Kalman filter
Just axe it away Apple
I don't understand why it wouldn't be happening in practice.
This is scary.
I do not like when a company like Facebook would use this data, but it is a tradeoff for allowing other companies to use it.
Not sure if someone from CloudFlare, Akamai, or another company (Coinbase?) can publicly comment on what they do.
Would be nice if the browsers would at least notify of its use.
Feel free to enlighten me if someone has a better solution for all of this.
However, considering contactless was pretty rare even in the US until recently, it’s wise to have other solutions - and cover other use cases like online banking, loan applications etc etc.
2-factor authentication doesn't necessarily imply SMS. TOTP apps like Google Authenticator are reasonably secure.
Finally auth doesn't have to be 100% bulletproof (in fact, fingerprinting isn't either), it just has to solve the majority of problems. There's always someone that's going to be stupid enough to get compromised despite all the security solutions, but as long as the majority of users is safe then all is good.
I can. During a short stint in an ad tech company in Shanghai in 2016 (my second time in ad tech after running an ad farm myself in my teen years), I noticed that Samsung Internet (a browser) does not require permission for sensor data. Then, just a few months later, the Chrome team put sensors live without them too.
I remembered reading about Kalman techniques used in radionav in high school, and it instantly came into my head that you can as easily reverse the process to subtract the clean, Kalman-filtered signal from the noisy one to get an "anti-pattern."
And with it you can easily do whatever you want, from FFT, to reverse Manchester coding, to more esoteric techniques to quantise it.
Everybody in the collective got quite fired up with it, thinking about it being a "that's it" moment for us to do some sweet arbitrage on ad exchanges with it. We were a few weeks from filing a patent, but it was decided to keep it hidden after all with the logic that: 1. big ads will shoot us down, 2. botters will get a whiff of it, 3. patents don't work for "small" companies.
I got a symbolic premium; arbitrage results were far from as good as originally expected. At that point we found a silly thing: 20 to 30% of MoPub traffic had accelerometers and gyros playing the same data in a 5 second loop!
Later, after I left the company, I learned of our sales people finally managing to sell it under wraps to "somebody big", whose identity I was not told.
I do remember right around that time flaming on Bugzilla with either Google or Mozilla employees who claimed that you can't extract a fingerprint from 60 Hz data, and me claiming otherwise to no avail.
My point was to put mandatory permission prompt on it, and I remember being turned down.
I’m still surprised this wasn’t caught sooner as many techniques have been used over the years to effectively fingerprint devices.
Unfortunately I am having trouble finding the name of it now.
Of course irrationality will prevail when it comes to any comments about ads on HN though.
Elucidation would be appreciated: How does irrationality prevail?
The ignorance that advertising itself is a fine model that subsidizes 99% of the content on the internet and allows for fast, easy, and egalitarian access for billions of people, as well as increased opportunity for creators of all kinds.
And finally the obliviousness to the technical and business solutions that already exist to make the experience better instead of going down an endless arms race where nobody wins.
I think wording it as "tremendous value" is a stretch but that's just me. Also, businesses are fully able to grow without the likes of the two biggest companies. So, not every business has those companies as a key ingredient. It's not a "too big to fail", doomsday scenario, where the (business) world is entirely dependent on the two companies to exist, yeah?
> The ignorance that advertising itself is a fine model that subsidizes 99% of the content on the internet and allows for fast, easy, and egalitarian access for billions of people, as well as increased opportunity for creators of all kinds.
You're delineating in your own retort and creating double-speak. Advertising, as a whole, can be fine but the two aforementioned companies can be total shit. That doesn't create a dichotomy or ignorance.
You're already speaking about your audience as unwilling to view your arguments but you treat them as ignorant, which means you're unwilling to be malleable in your own view and see it from their perspective. Isn't that ignorance, in and of itself? :)
> And finally the(y are) obliviousness to the technical and business solutions that already exist to make the experience better instead of going down an endless arms race where nobody wins.
I don't think taking a stance that your solutions are the only ones that work and because no one will accept them, it's an arms race to the bottom is conducive to anything. If anything, that leads directly to your aforementioned arms race to the bottom.
To spin it a different way and benefit your supposed enemy in discourse: Advertising markets worked fine before the two big companies, yeah? The internet still existed? Pages were able to be reached in a fast, easy, egalitarian, and free way, yeah?
Aside from that model being "dead", simply because it's no longer used, why do you believe that this is such an implicitly binary situation of the two companies must exist and be allowed free rampant growth or nothing at all?
I hope that you take this as constructive criticism but it would seem to me, from this exchange, that it's you who's coming to these conversations not willing to listen.
Advertising is a core part of the marketing necessary to grow a business and thus a core part of the overall economy. It will always exist and be served by major companies from the sheer size of the total spend, whether it's Google and Facebook or someone else. And advertising is the only model that has paid for the vast majority of commercial content online today, and is incomparable to some time in the past where that didn't exist.
You can search my name if you want the background, because I'm not what you assume I am. Regulation and privacy are not the problem, it's the lack of any cooperation and workable solutions. Adtech looks for efficiency, not more workarounds to battle giant corporations like Apple which ignore industry concerns while being contradictory in their own actions.
Does this mean anything?
The system was built with security as a first principle, not something added after the fact.
Since humans are not perfect, you could say the statement is effectively ‘Security as a Primary Design [Goal]’.