Mobile Device Identification via Sensor Fingerprinting

TL;DR

This paper shows how various sensors on smartphones can be used to create unique hardware fingerprints, enabling device identification and de-anonymization without user permission.

Contribution

It introduces two novel sensor fingerprinting methods, including a browser-accessible accelerometer fingerprint, and provides extensive experimental validation on over 10,000 devices.

Findings

Sensor fingerprints can uniquely identify devices

Accelerometer-based fingerprinting works without user permissions

High entropy allows distinguishing among thousands of devices

Abstract

We demonstrate how the multitude of sensors on a smartphone can be used to construct a reliable hardware fingerprint of the phone. Such a fingerprint can be used to de-anonymize mobile devices as they connect to web sites, and as a second factor in identifying legitimate users to a remote server. We present two implementations: one based on analyzing the frequency response of the speakerphone-microphone system, and another based on analyzing device-specific accelerometer calibration errors. Our accelerometer-based fingerprint is especially interesting because the accelerometer is accessible via JavaScript running in a mobile web browser without requesting any permissions or notifying the user. We present the results of the most extensive sensor fingerprinting experiment done to date, which measured sensor properties from over 10,000 mobile devices. We show that the entropy from sensor fingerprinting is sufficient to uniquely identify a device among thousands of devices, with low probability of collision.