Fingerprinting Smartphones with PUFs (and RTLSDR, NSA)

Random question. Why do American national security insiders always refer to them as “NSA” or “CIA” instead of “the NSA” or “the CIA”?

Anyway.

New research points out that any app with accelerometer access can fingerprint your smartphone, producing a unique ID that won’t change no matter how much IMSI and IMEI and cookie-wiping fudgery you do.

You can also fingerprint phones by sweeping a tone into the earpiece and looking at the microphone’s response… the resulting frequency response curve of the analog output – speaker – cell phone case – microphone – analog input chain is quite unique.

Going even further, an old technique that was apparently popular for fighting cloned *analog* cell fraud — fingerprinting the RF output stage — works great for finding digital phones too.

Ultimately the problem here is identical to the “feature” that physically unclonable functions (PUFs, covered here several times) take advantage of.

While digital technology abstracts away all the messy analog stuff, ultimately the systems are still imperfect and subject to the laws of physics… laws that the digital system designers usually don’t understand. (And which even the physicists are still figuring out…!)

No, PUF fingerprinting isn’t a problem if you keep the phone operating environment clean… and the adversary doesn’t have a sensitive enough radio intercept system to spot your particular transmitter in a sea of thousands.

But still… the best defense here is to get ahead of the game, and see your smartphone is properly fingerprinted before being led to a “cell” and introduced to its new anger-management-challenged (or…) roommate named Bubba.

Firing up an RTLSDR? Build yourself a planar disc UWB antenna with two pizza pans and hear everything from 2M to the top end of what your rig can do — with no antenna changing. The fun part about planar disc antennas is they’re dead easy to make and the bigger the discs, the lower the frequency response. http://www.wa5vjb.com/references/PlanarDiskAntennas.pdf

The NSA spies on the Mexicans. http://www.spiegel.de/international/world/nsa-hacked-email-account-of-mexican-president-a-928817.html
and http://www.rtoz.org/2013/10/20/nsa-hacked-email-account-of-mexican-president/

http://yro.slashdot.org/comments.pl?sid=4327039&cid=45100775

“Cell phones have been identifiable by RF fingerprinting for many, many years.

Was a common anti-fraud technique in the analog cellular days.”

http://yro.slashdot.org/story/13/10/11/1231240/sensor-characteristics-uniquely-identify-individual-phones
http://www.metafilter.com/132752/Leveraging-Imperfections-of-Sensors-for-Fingerprinting-Smartphones
http://blog.sfgate.com/techchron/2013/10/10/stanford-researchers-discover-alarming-method-for-phone-tracking-fingerprinting-through-sensor-flaws/

“One afternoon late last month, security researcher Hristo Bojinov placed his Galaxy Nexus phone face up on the table in a cramped Palo Alto conference room. Then he flipped it over and waited another beat.

And that was it. In a matter of seconds, the device had given up its “fingerprints.”

Code running on the website in the device’s mobile browser measured the tiniest defects in the device’s accelerometer — the sensor that detects movement — producing a unique set of numbers that advertisers could exploit to identify and track most smartphones.

It turns out every accelerometer is predictably imperfect, and slight differences in the readings can be used to produce a fingerprint (see below for a further explanation). Marketers could use the ID the same way they use cookies — the small files that download from websites to desktops — to identify a particular user, monitor their online actions and target ads accordingly.

It’s a novel approach that raises a new set of privacy concerns: Users couldn’t delete the ID like browser cookies, couldn’t mask it by adjusting app privacy preferences — and wouldn’t even know their device had been tagged.[…]

Indeed, accelerometers aren’t the only thing to worry about. The Stanford research team, which plans to publish its results in the months ahead, was also able to identify phones using the microphone and speaker. They found they could produce a unique “frequency response curve,” based on how devices play and record a common set of frequencies (see the explanation below).

Meanwhile, a team at the Technical University of Dresden in Germany recently developed a tracking method that exploited variations in the radio signal of cell phones, according to a story in New Scientist. The “collection of components like power amplifiers, oscillators and signal mixers … can all introduce radio signal inaccuracies,” researcher Jakob Hasse explained.
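To make the face-up/face-down measurement quoted above concrete, here is an added JavaScript example (not code from the Stanford team or the quoted article) that recovers a z-axis gain and offset from two resting positions and shows how coarsening the sensor output on the platform side makes two devices indistinguishable. The linear error model, the helper names, the two simulated devices and the 0.1 m/s² step are all assumptions made for illustration.

```javascript
// Added illustration: constructed data, hypothetical helper names.
const G = 9.80665; // standard gravity in m/s^2

const mean = xs => xs.reduce((a, b) => a + b, 0) / xs.length;

// Assumed linear error model for one axis: reading = gain * true + offset.
// Face up the true z acceleration is +G, face down it is -G, so the two
// averages give two equations in the two unknowns.
function estimateZCalibration(faceUp, faceDown) {
  const up = mean(faceUp);
  const down = mean(faceDown);
  return { gain: (up - down) / (2 * G), offset: (up + down) / 2 };
}

// Collapse the estimate into a comparable identifier string.
function fingerprint(cal) {
  return cal.gain.toFixed(3) + ":" + cal.offset.toFixed(2);
}

// Mitigation on the platform side: coarsen readings before a page sees them.
function quantize(samples, step) {
  return samples.map(v => Math.round(v / step) * step);
}

// Constructed sensor: fixed manufacturing error plus small deterministic jitter.
function simulate(gain, offset, trueAccel, n = 50) {
  return Array.from({ length: n }, (_, i) =>
    gain * trueAccel + offset + 0.002 * Math.sin(i * 1.7));
}

// Identifier a page would derive for one device, with optional quantization.
function idFor(gain, offset, step) {
  let up = simulate(gain, offset, +G);
  let down = simulate(gain, offset, -G);
  if (step) { up = quantize(up, step); down = quantize(down, step); }
  return fingerprint(estimateZCalibration(up, down));
}

// Two constructed devices with slightly different z-axis errors.
console.log("raw:      ", idFor(1.002, 0.02), idFor(0.999, -0.01));
console.log("quantized:", idFor(1.002, 0.02, 0.1), idFor(0.999, -0.01, 0.1));
```

Rounding costs legitimate apps precision, and it is weaker when sensor noise straddles a rounding boundary, since averaging many samples recovers part of the lost resolution.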
