Factory Calibration Fingerprinting of Sensors
Device fingerprinting aims to generate a distinctive signature, or fingerprint, that uniquely identifies individual computing devices. Fingerprints may be a privacy concern since apps and websites can use them to track user activity online. To protect user privacy, both Android and iOS have included a variety of measures to prevent such tracking. In this paper, we present a new type of fingerprinting, factory calibration fingerprinting, that bypasses existing tracking protection. Our attack recovers embedded per-device factory calibration data from the accelerometer, gyroscope, and magnetometer sensors that are pervasive in modern smartphones by careful analysis of the sensor output alone. We discuss the factory calibration behaviour of each sensor and show that the calibration fingerprint is fast to generate, does not change over time or after a factory reset, and can be used to track users across apps and websites without any special permission from the user. We find the calibration fingerprint is very likely to be globally unique for iOS devices, with an estimated 67 bits of entropy for the iPhone 6S. In addition, we have analysed 146 Android device models from 11 vendors and found the attack also works on recent Google Pixel devices. For Pixel 4/4 XL, we estimate the calibration fingerprint provides about 57 bits of entropy. Following our disclosures, Apple deployed a mitigation in iOS 12.2 and Google in Android 11. We analyse Apple's fix and show that the mitigation is imperfect, although it is likely to be sufficient in most threat models.