Wednesday, August 20, 2014

Recent Stanford Security Research

A couple of interesting research papers from Stanford University.  I may decide to cover these in more detail in the future but for now I provide the links.

Mobile Device Identification via Sensor Fingerprinting
This research is significant because your mobile device can be uniquely fingerprinted, much like the HTML5 canvas attack.  As with the canvas attack, it bypasses any cookie policies or device hardware policies for reading mobile IMEI numbers, etc.  Users can be tracked without their knowledge or consent.

Gyrophone: Recognizing Speech From Gyroscope Signals
This research describes using the gyroscope on mobile devices as a microphone to listen to sounds or conversations in the vicinity of the phone.  This is interesting since any privileges assigned to the microphone are not applicable to the gyroscope.

With canvas fingerprinting and the new weaknesses discovered by Stanford, there is a trend of device sensors being used in ways outside their design parameters.  If you're a hardware manufacturer, threat modeling your hardware devices with your engineering teams is probably a great exercise.

A few ideas to stimulate some thought: it may be possible to determine whether a mobile device is being held from the effect of the human body's capacitive properties on microwave transmitter power.  Exfiltrating data from mobile devices by modulating GSM, Wi-Fi, or Bluetooth to transmit over other harmonics.  Listening to conversations by picking up background IR modulated on reflected glass in the room over mobile IR sensors.  Using the capacitive touch-sensitive keypads in new and creative ways?  We have already seen ad hoc audio computer mesh networks transmitting ultrasonics over PC mic/speakers.  It's likely this can be done using mobile as well.  Imagine bots running on your mobile devices transmitting data to other bots over ad hoc audio mesh networks - creepy.  Even more creepy, many of these device hacks are not detectable by carrier network security controls.  The value of this research is not so much in the research itself but in the new approaches it stimulates.  Guaranteed we will see more research using device sensors in new and creative ways we previously didn't imagine possible.

--Milton
