Every Move You Make
Exploring Practical Issues in Smartphone Motion Sensor Fingerprinting and Countermeasures
Presenter: Wenqing Fan
Authors: Anupam Das, Nikita Borisov, Edward Chou
Intro
User tracking
Browser Fingerprinting (without cookies)
Mobile browsers give web pages access to internal motion sensors
Smartphones Fingerprinting
Questions
Data Collection
Samples and data streams
- 300 participants
- 45 brands
- accelerometer and gyroscope
- \(\vec{a_g}=(a_{gx},a_{gy},a_{gz})\) acceleration including gravity
- \(\vec{a}=(a_x,a_y,a_z)\) acceleration without gravity
- \(\vec{\omega}=(\omega_x,\omega_y,\omega_z)\) rotational rate
- \(\psi_g,\psi\) azimuth with(out) gravity
- \(\theta_g,\theta\) inclination with(out) gravity
- ...400 features
Features
Classifier and metrics
- Python scikit-learn lib
- Accuracy = Samples correctly classified / Total test samples
Fingerprinting in Practice
- Sensor characteristics are affected by phone position
- Require phone to be repositioned between 2 sessions
- Previous work overestimated accuracy
Overfitting
- More data streams [figure residue: values 4 and 400]
Combining classifiers - Library
- Hard (weighted) voting classifiers
- Soft (weighted) voting classifiers
- Weight: Accuracy
Combining classifiers - New approach
- Eliminate redundant classifiers, e.g. GNB
- Find a consensus set by top prediction
- Pick a class from the consensus set based on Borda count
*Borda count: # of classes ranked below
Combining auxiliary info
- e.g. User-Agent ?
- \(\log_2 k\) bits of entropy ➡️ distinguish \(k\) devices
- New approach (Voting) outperforms RF and ExTree classifiers
Defenses
Countermeasures
Quantization
Obfuscation
Obfuscation
- add noise with affine transformation
- \(s^M\) original signal
- \(g^O\) random obfuscation param: gain
- \(o^O\) random obfuscation param: offset
Obfuscation - Problem
- Visit 2 websites without re-randomization
  - Link the 2 visits' fingerprints
- Visit 2 websites with re-randomization
  - Link the 2 visits in other ways
  - Signal processing to reduce the noise
Quantization
- Convert accelerometer data into polar vector \(\langle r,\theta,\psi\rangle\)
function quantization(val, bin_size) {
  // val: raw value
  // bin_size: quantization size
  // snap val to the nearest multiple of bin_size
  return Math.round(val / bin_size) * bin_size;
}
- bin_size
  - \(\theta,\psi\): \(6^\circ\)
  - \(r\): \(1\ \mathrm{m\,s^{-2}}\)
- \(\langle r,\theta,\psi\rangle \Rightarrow \langle\hat{r},\hat{\theta},\hat{\psi}\rangle \Rightarrow\) Cartesian coordinate system
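The whole quantization pipeline described above, as an added example that is not code from the slides or the paper: a raw accelerometer sample is converted to polar form, each component is snapped to its bin (6° for the angles, 1 m/s² for r), and the result is converted back to Cartesian. The axis convention (theta as inclination from +z, psi as azimuth in the x-y plane), the function names and the two sample readings are assumptions constructed for the example.

```javascript
// Added example; axis convention and sample readings are assumptions.
const DEG = Math.PI / 180;

function quantization(val, binSize) {
  // Snap val to the nearest multiple of binSize.
  return Math.round(val / binSize) * binSize;
}

function toPolar([x, y, z]) {
  const r = Math.hypot(x, y, z);
  const theta = r === 0 ? 0 : Math.acos(z / r); // inclination, [0, pi]
  const psi = Math.atan2(y, x);                  // azimuth, (-pi, pi]
  return { r, theta, psi };
}

function toCartesian({ r, theta, psi }) {
  return [
    r * Math.sin(theta) * Math.cos(psi),
    r * Math.sin(theta) * Math.sin(psi),
    r * Math.cos(theta),
  ];
}

// Quantize one accelerometer sample; returns the coarsened [x, y, z].
// Defaults follow the slides: r in 1 m/s^2 bins, angles in 6-degree bins.
function quantizeAccel(sample, rBin = 1, angleBinDeg = 6) {
  const p = toPolar(sample);
  return toCartesian({
    r: quantization(p.r, rBin),
    theta: quantization(p.theta, angleBinDeg * DEG),
    psi: quantization(p.psi, angleBinDeg * DEG),
  });
}

// True when two raw samples land in the same quantized bin, i.e. the
// quantizer has erased whatever distinguished them.
function sameBin(a, b, eps = 1e-9) {
  const qa = quantizeAccel(a), qb = quantizeAccel(b);
  return qa.every((v, i) => Math.abs(v - qb[i]) < eps);
}

// Constructed readings: two phones lying flat whose small calibration
// offsets differ, plus one phone tilted about 30 degrees.
const deviceA = [0.031, -0.042, 9.806];
const deviceB = [0.058, -0.019, 9.791];
const tilted  = [5.0, 0.0, 8.5];
```

After quantization both flat readings become [0, 0, 10], so a fingerprint built from their offsets can no longer tell them apart, while the tilted reading keeps a distinct orientation.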
Quantization - Bin size
Effectiveness
Usability
Usage Scenarios
Detect orientation change to adjust page layout
Sensor-sensitive apps
Tilt-based video games that read sensor data
Survey
- 5 Levels
- 3 mitigations applied: baseline, obfuscation, quantization
- Objective metrics: time spent, restarts
- Subjective ratings
Survey results
- Level difficulty greatly impacts both objective and subjective metrics...
- But mitigations do not
Survey results - problem
- Training effect
- Game with longer duration
- Single user's performance
Extra topics
- Accelerometer: No need for permission request
- Webview / PWA ?
- Accelerometer ➡️ Leak speech patterns without microphone
- Loud audio impacts accelerometer
- Use sensors to detect running environment
- Sandboxes usually don't have valid sensor readings
- Only runs in real devices
Conclusions
Conclusions
- Mobile sensor fingerprinting
- Need extra info to work well
- Combined classifiers => Better accuracy
- Realistic threat
- Mitigations
- Unlikely to affect most apps
- No significant impact on sensor-sensitive apps
Every Move You Make
By Mercury