Every Move You Make

Exploring Pratical Issues in Smartphone Motion Sensor Fingerprinting and Countermeasures

Presenter: Wenqing Fan

Authors: Anupam Das, Nikita Borisov, Edward Chou

Intro

User tracking

Browser Fingerprinting (without cookies)

Mobile browsers give web pages access to internal motion sensors

 

Smartphones Fingerprinting

Questions

How effective ?

Defense without losing usability ?

Data Collection

Samples and data streams

  • 300 participants
  • 45 brands
  • accelerometer and gyroscope

 

  • \(\vec{a_g}=(a_{gx},a_{gy},a_{gz})\)   acceleration including gravity
  • \(\vec{a}=(a_x,a_y,a_z)\)          acceleration without gravity
  • \(\vec{\omega}=(\omega_x,\omega_y,\omega_z)\)        rotational rate
  • \(\psi_g,\psi\)                            azimuth with(out) gravity
  • \(\theta_g,\theta\)                              inclination with(out) gravity

 

  • ...400 features

Features

Features

Classifier and metrics

  • Python scikit-learn lib

 

  • Accuracy = Samples correctly classified / Total test samples

Fingerprinting

in Practise

  • Sensor characteristic affected by phone position

 

  • Require phone to be repositioned between 2 sessions

 

  • Previous work overestimated accuracy

Overfitting

More data streams

4

400

Combining classifiers - Library

  • Hard (weighted) voting classifiers
  • Soft (weighted) voting classifiers

 

  • Weight: Accuracy

Combining classifiers - New approach

  • Eliminate redundant classifiers, e.g. GNB
  • Find a consensus set by top prediction
  • Pick a class from the consensus set based on Borda count

*Borda count: # of classes ranked below

Combining auxiliary info

  • e.g. User-Agent ?

 

  • \(log_2k\) bits of entropy

 ➡️ distinguish k devices

 

  • New approach (Voting) outperforms RF and ExTree classifiers

Defenses

Countermeasures

Quantization

Obfuscation

Obfuscation

  • add noise with affine transformation
s^O=s^M\cdot g^O + o^O
  • \(s^M\)  original signal
  • \(g^O\)   random obfuscation param: gain
  • \(o^O\)   random obfuscation param: offset

Obfuscation - Problem

  • Visit 2 websites without re-randomization
    • Link 2 visits' fingerprints

 

  • Visit 2 websites with re-randomization
    • Link 2 visits in other ways
    • Signal processing to reduce the noise

Quantization

  • Convert accelerometer data into polar vector \(<r,\theta,\psi>\)
function quantization(val, bin_size) {
    // val: raw value
    // bin_size: quantization size
    return round(val / bin_size) * bin_size;
}
  • bin_size
    • \(\theta,\psi\):   \(6\degree\)
    • \(r\):        \(1\ ms^{-2}\)
  • \(<r,\theta,\psi> \Rightarrow <\hat{r},\hat{\theta},\hat{\psi}> \Rightarrow\) Cartesian coordinate system

Quantization - Bin size

Effectiveness

Usability

Usage Scenarios

Detect orientation change to adjust page layout

Sensor-sensitive apps

Tilt-based video games that read sensor data

Survey

  • 5 Levels
  • 3 mitigations applied: baseline, obfuscation, quantization
  • Objective metrics: time spent, restarts
  • Subjective ratings

Survey results

  • Level difficulty greatly impacts both objective and subjective metrics...
  • But mitigations does not

Survey results - problem

  • Training effect

 

  • Game with longer duration
  • Single user's performance

Extra topics

  • Accelerometer: No need for permission request
    • ​Webview / PWA ?

 

  • Accelerometer ➡️ Leak speech patterns without microphone
    • ​Loud audio impacts accelerometer

 

  • Use sensors to detect running environment
    • Sandboxes usually don't have valid sensor readings
    • Only runs in real devices

Conclusions

Conclusions

  • Mobile sensor fingerprinting
    • Need extra info to work well
    • Combined classifiers => Better accuracy
    • Realistic threat

 

  • Mitigations
    • Unlikely to affect most apps
    • No significant impact on sensor-sensitive apps
Made with Slides.com