Phones Are Giving Away Your Location, Regardless of Your Privacy Settings

Oleksiy Mark/Shutterstock.com

Sensors in your phone that collect seemingly harmless data could leave you vulnerable to cyber attack, according to new research. And saying no to apps that ask for your location is not enough to prevent the tracking of your device.

A new study has found evidence that accelerometers—which sense motion in your smartphone and are used for applications from pedometers to gaming—leave “unique, trackable fingerprints” that can be used to identify you and monitor your phone. Here’s how it works, according to University of Illinois electrical and computer engineering professor Romit Roy Choudhury and his team: Tiny imperfections during the manufacturing process make a unique fingerprint on your accelerometer data. The researchers compared it to cutting out sugar cookies with a cookie cutter—they may look the same, but each one is slightly, imperceptibly different.

When that data is sent to the cloud for processing, your phone’s particular signal can be used to identify you. In other words, the same data that helps you control Flappy Bird can be used to pinpoint your location. Choudhury’s team was able to identify individual phones with 96% accuracy. “Even if you erase the app in the phone, or even erase and reinstall all software,” Choudhury said in a press release, “the fingerprint still stays inherent. That’s a serious threat.”

Moreover, Choudhury suggested that other sensors might be just as vulnerable: Cameras, microphones, and gyroscopes could be leaving their smudgy prints all over the cloud as well, making it even easier for crooks to identify a phone. “Imagine that your right hand fingerprint, by some chance, matches with mine,” Choudhury said. “But your left-hand fingerprint also matching with mine is extremely unlikely. So even if accelerometers don’t have unique fingerprints across millions of devices, we believe that by combining with other sensors such as the gyroscope, it might still be possible to track a particular device over time and space.”

There’s not much that can be done to address this issue at this point, Choudhury said. It’s basically impossible to manufacture millions of cellphone components without each one being the tiniest bit unique, and there’s no good way to mask these signals from attackers. One way of maintaining privacy would be to cut off the flow of data from smartphones to the cloud: giving apps processed information, instead of raw data to send to the cloud for processing, would do the trick. But today’s mobile devices lack the processing power (and battery capacity) to do so.

So for now, this just serves as yet another reminder that even innocuous, seemingly anonymous data is information that can be exploited.

Reprinted with permission from Quartz.
