

Android and iOS devices impacted by new sensor calibration attack



A new device fingerprinting technique can track Android and iOS devices across the Internet by using factory-set sensor calibration details that any app or website can obtain without special permissions.

This new technique, called a calibration fingerprinting attack or SensorID, uses calibration details from the gyroscope and magnetometer sensors on iOS, and from the accelerometer, gyroscope, and magnetometer sensors on Android devices.

According to a team of academics from the University of Cambridge in the UK, SensorID impacts iOS devices more than Android smartphones. The reason is that Apple likes to calibrate iPhone and iPad sensors on its factory line, a process that only a few Android vendors are using to improve the accuracy of their smartphones’ sensors.

How does this technique work?

“Our approach works by carefully analysing the data from sensors which are accessible without any special permissions to both websites and apps,” the research team said in a research paper published yesterday.

“Our analysis infers the per-device factory calibration data which manufacturers embed into the firmware of the smartphone to compensate for systematic manufacturing errors [in their devices’ sensors],” researchers said.

This calibration data can then be used as a fingerprint, producing a unique identifier that advertising or analytics firms can use to track a user as they navigate across the internet.

Furthermore, because the calibration sensor fingerprint is the same when extracted using an app or via a website, this technique can also be used to track users as they switch between browsers and third-party apps, allowing analytics firms to get a full view of what users are doing on their devices.

The technique also poses no technical difficulties for the entity doing the tracking.

“Extracting the calibration data typically takes less than one second and does not depend on the position or orientation of the device,” researchers said.

“We have also tried measuring the sensor data at different locations and under different temperatures; we confirm that these factors do not change the SensorID either,” they added.

The sensor calibration fingerprint also never changes, even after a factory reset, allowing tracking entities access to an identifier as unique and persistent as an IMEI code.

Further, this type of tracking is also silent and invisible to users. This is because apps or websites accessing sensor calibration details to compute a device’s fingerprint don’t need any special permission to do so.

Patched in iOS, but not Android

The three-person research team that discovered this new tracking vector said they notified Apple and Google in August 2018 and December 2018, respectively.

Apple patched this issue (CVE-2019-8541) with the release of iOS 12.2 in March this year by adding random noise to the sensor calibration output. This means that starting with iOS 12.2, iPhones and iPads will generate a new fingerprint with every sensor calibration query, making this type of user tracking useless.
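
A one-axis simulation of why added noise makes the estimate useless, included here as an illustration and not taken from the research paper or from Apple's implementation. The sensor model (integer raw readings multiplied by a per-device gain), `NOMINAL_GAIN`, the two device gains and the point where noise is injected are all constructed assumptions.

```python
import random

NOMINAL_GAIN = 0.061  # assumed publicly known nominal scale factor (constructed value)

def capture(device_gain, n, rng, mitigated):
    """Simulate n one-axis readings: firmware output = gain * raw reading."""
    readings = []
    for _ in range(n):
        raw = rng.randint(-20, 20)          # constructed integer raw value
        if mitigated:
            raw += rng.uniform(-0.5, 0.5)   # assumed fix: noise added before the gain
        readings.append(device_gain * raw)
    return readings

def estimate_gain(readings):
    """Estimate the per-device gain from differences between outputs only.

    Without noise every difference is gain * k for an integer k, so rounding
    difference / NOMINAL_GAIN recovers k and sum|diff| / sum|k| recovers gain.
    With noise the differences no longer sit on that grid, and the same ratio
    drifts towards NOMINAL_GAIN whatever the device's real gain is.
    """
    num = den = 0.0
    for a, b in zip(readings, readings[1:]):
        diff = abs(b - a)
        num += diff
        den += round(diff / NOMINAL_GAIN)
    return num / den

def relative_offset(device_gain, seed, mitigated, n=20000):
    """Estimated gain expressed as a relative offset from NOMINAL_GAIN."""
    rng = random.Random(seed)
    return estimate_gain(capture(device_gain, n, rng, mitigated)) / NOMINAL_GAIN - 1

# Two constructed devices whose factory gains differ slightly from nominal.
DEVICE_A = NOMINAL_GAIN * (1 + 0.009)
DEVICE_B = NOMINAL_GAIN * (1 - 0.008)

if __name__ == "__main__":
    for name, gain in (("A", DEVICE_A), ("B", DEVICE_B)):
        for mitigated in (False, True):
            offsets = [relative_offset(gain, s, mitigated) for s in (1, 2)]
            print(name, "mitigated" if mitigated else "unmitigated",
                  ["%+.6f" % o for o in offsets])
```

Without the noise, separate capture sessions return each device's own offset; with it, both devices produce estimates close to the nominal value that no longer distinguish them.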

Furthermore, to remove any other potential headaches, Apple also removed websites’ ability to access motion sensor data from Mobile Safari.

But while Apple was more prompt to fix this issue, Google was not, and only told researchers they would investigate.

This is most likely because iOS devices are more exposed to this type of tracking than Android smartphones, where a large chunk of the ecosystem is made up of low-cost devices that use uncalibrated motion sensors.

According to the research team, the tracking method they discovered was, indeed, more dangerous to Apple devices, mainly because of device homogeneity and Apple’s tendency to ship higher-quality handsets with very precise (calibrated) motion sensors.

However, similar top-range Android smartphones were also vulnerable. During their tests, researchers said their technique successfully generated sensor calibration fingerprints for Pixel 2 and Pixel 3 devices.

More details about this research are available in a whitepaper titled “SensorID: Sensor Calibration Fingerprinting for Smartphones,” which was presented yesterday at the IEEE Symposium on Security and Privacy 2019 (IEEE S&P’19).

A demo page where users can see if their device is vulnerable and generate a sensor calibration fingerprint is also available.


Instagram tests ditching video posts in favor of Reels – TechCrunch



Instagram is testing a change that turns video posts into Reels, the company confirmed to TechCrunch. The company says the change, which is currently being tested with select users around the world, is part of Instagram’s plan to simplify video on the app.

“We’re testing this feature as part of our efforts to simplify and improve the video experience on Instagram,” a spokesperson from Meta said in an email.

A screenshot posted on Twitter by social media consultant Matt Navarra shows that people who are part of the test will see an in-app message that says “video posts are now shared as Reels.”

The message indicates that if your account is public and you post a video that ends up being turned into a Reel, anyone can discover your Reel and use your original audio to create their own Reel. If your account is set to private, your Reel will only be visible to your followers. The message also notes that once you post a Reel, anyone can create a remix with your Reel if your account is public. However, you can prevent people from remixing your Reels in your account settings.

As with any other test, it’s unknown when or if Instagram plans to roll out the change more widely. If the change does become permanent, it may pose some challenges. For example, it could be difficult to post a horizontal video if it gets uploaded in a vertical Reels format. In addition, Instagram did not say how this change will affect current videos on Instagram.

The test comes as Meta has been betting big on Reels. As part of its Q1 2022 earnings, the company revealed that Reels now make up more than 20% of the time that people spend on Instagram. It’s not surprising that Instagram is looking to expand Reels even more by replacing video posts altogether. If the company does end up making this change permanent, it could boast about people spending even more time viewing Reels. 

Last year, Instagram head Adam Mosseri said the app was “no longer a photo-sharing app,” noting the company was prioritizing a shift into video amid significant competition from TikTok and YouTube. The company then took a step toward its larger goal of making video a more central part of the Instagram experience by combining IGTV’s long-form video and Instagram Feed videos into a new format simply called “Instagram Video.”

If Instagram decides to turn all video uploads into Reels, it would consolidate the company’s video elements even further. Last year, when Mosseri laid out Instagram’s priorities for 2022, he said the company would double down on video and focus on Reels. He even hinted that Instagram would consolidate all of its video products around Reels and continue to grow the short-form product, which indicates that this change may have always been the plan.



Crypto wants its own iPhone – TechCrunch




Apple’s relative hostility to the desires of crypto developers hasn’t gone unnoticed, and as the industry buckles down for a bear market, some of its proponents are pushing forward plans to rebuild the iPhone with their own industry’s best interests at heart.

Hello and welcome back to the Chain Reaction podcast, where we unpack and explain the latest crypto news, drama and trends, breaking it down block by block for the crypto curious.

This week, my co-host Anita was off, so I was joined by TC+ Senior Crypto Reporter Jacquie Melinek, who discussed some of the wild happenings in crypto, including FTX’s flirtations with Robinhood and the latest drama at Celsius.

We also talked about the big surprise announcement of the week: the Solana-backed Saga smartphone. The new device will operate with crypto capabilities baked into its silicon while serving as a regular Android-based smartphone as well. The device doesn’t ship until next year, allegedly, and Jacquie and I had plenty of thoughts, so listen along above!

Our guest: Doodles CEO Julian Holguin

This week, I chatted with Julian Holguin, who is the CEO of the NFT project Doodles. The collection of 10,000 NFT profile pictures is one of the most popular crypto projects on the web and Holguin just banked funding from Alexis Ohanian to push the startup behind the art even further.

Chain Reaction podcast episodes come out every Thursday at 12:00 p.m. PDT. Subscribe to us on Apple, Spotify or your alternative podcast platform of choice to keep up with us every week.



Visby Medical tests positive for a Series E extension at $1B+ valuation – TechCrunch



Medical diagnostics company Visby Medical raised $100 million in a Series E round earlier this year. Today, the company told me it extended that round by an additional $35 million at the same valuation as the rest of the round. This financing will enable Visby Medical to scale production capacity from tens to hundreds of thousands of monthly tests. It will also further expand its product lineup to include COVID + influenza A/B combination testing, antimicrobial resistance panels, and deliver at-home PCR diagnostics to consumers.

“The valuation is just over $1B post-money,” a spokesperson for the company told TechCrunch over email. “The extension is at the same valuation as the rest of the round, which we think demonstrates that these are long-term investors, not influenced by short-term fluctuations in the public markets.”

The company told me it consciously sought out investors that would be eager to continue to invest long-term. The original $100 million was led by Ping An Voyager Partners and joined by the Healthcare of Ontario Pension Plan (HOOPP). The round also included participation by existing investors including John Doerr, Cedars Sinai Medical Center, ND Capital, Artiman Ventures, Pitango Venture Capital, Blue Water Life Science Advisors and Nissim Capital.

The extension round of an additional $35 million was led by Lightrock, who joined existing Series E investors including John Doerr, Cedars Sinai Medical Center, ND Capital, Artiman Ventures, Pitango Venture Capital, Blue Water Life Science Advisors and J Ventures.

“At Visby Medical, we are revolutionizing patient care by developing diagnostics that healthcare providers can use to test for any infection at anytime, anywhere,” said Visby Medical Founder and CEO Adam de la Zerda, PhD in a statement to TechCrunch. “Especially during these times of market slowdown, our investors have shown significant confidence in Visby’s innovative technology and mission. This funding will enable us to further our goal to provide the world’s first instrument-free handheld PCR platform to accurately and rapidly test for a variety of serious infections to anyone who needs it.”

Visby’s PCR diagnostic technology is being developed in multiple therapeutic areas and is aimed to address a critical and growing global need: to combat the significant rise in infectious diseases, including on-the-spot STI rapid testing solutions.

The financing goes to show that there’s still money out there, and it’s encouraging to see that companies are more forthcoming about announcing both round extensions — which traditionally have been frowned upon by the investment community — and valuations as part of their funding journey.
