Fingerprinting iPhones with the built-in gyroscope

Holding iphone

Researchers at Cambridge University have found an ingenious way to uniquely identify iPhones and iPads by examining data gathered from a device’s accelerometer, gyroscope and magnetometer sensors.

Rather like the already known issue of browser fingerprinting, distinctive signatures derived from a smartphone’s sensors could be gathered in what the boffins are calling a “callibration fingerprinting attack”.

Presented this week at the IEEE Symposium on Security and Privacy 2019, the researchers claim:

Sign up to our free newsletter.
Security news, advice, and tips.
  • The attack can be launched by any website you visit or any app you use on a vulnerable device without requiring any explicit confirmation or consent from you.
  • The attack takes less than one second to generate a fingerprint.
  • The attack can generate a globally unique fingerprint for iOS devices.
  • The calibration fingerprint never changes, even after a factory reset.
  • The attack provides an effective means to track you as you browse across the web and move between apps on your phone.

In short, as you surf the web you could be tracked without your knowledge. Even a factory reset of your smartphone won’t change its fingerprint.

One of the researchers, Dr Alastair Beresford, told The Register that Apple devices were ironically at risk more than most Android devices because of the iPhone and iPad’s greater accuracy.

The researchers informed Apple of the problem, and iOS users are advised that they can mitigate against the attacks by updating their devices to iOS 12.2 which by default removes access to motion sensors from Mobile Safari.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.