Stanford researchers demonstrate how smartphone fingerprint sensors can be used to spy on you


Security researcher Hristo Bojinov placed his Galaxy Nexus phone face up on the table in a cramped Palo Alto conference room. Then he flipped it over and waited another beat.

And that was it. In a matter of seconds, the device had given up its “fingerprints.”

Code running on the website in the device’s mobile browser measured the tiniest defects in the device’s accelerometer — the sensor that detects movement — producing a unique set of numbers that advertisers could exploit to identify and track most smartphones.  

It turns out every accelerometer is predictably imperfect, and slight differences in the readings can be used to produce a fingerprint (see below for a further explanation). Marketers could use the ID the same way they use cookies — the small files that download from websites to desktops — to identify a particular user, monitor their online actions and target ads accordingly.

It’s a novel approach that raises a new set of privacy concerns: Users couldn’t delete the ID like browser cookies, couldn’t mask it by adjusting app privacy preferences — and wouldn’t even know their device had been tagged.

“I don’t know if it’s been thought of before,” said Dan Auerbach, staff technologist at the Electronic Frontier Foundation. “It’s very alarming.”

Bojinov, a Ph.D. candidate in computer science at Stanford originally from Bulgaria, set out about a year ago with several collaborators at the Stanford Security Lab to test whether it was technically feasible to identify devices using various sensors. Bojinov wanted to make device manufacturers, software designers, policymakers and advocates aware of this potential avenue for tracking, in the hope that the industry would take steps to guard against it.

“People need to consider the whole system when they think about privacy,” Bojinov said.

The Stanford research team, which plans to publish its results in the months ahead, was also able to identify phones using the microphone and speaker. They found they could produce a unique “frequency response curve,” based on how devices play and record a common set of frequencies (see the explanation below).

Meanwhile, a team at the Technical University of Dresden in Germany recently developed a tracking method that exploited variations in the radio signal of cell phones, according to a story in New Scientist. The “collection of components like power amplifiers, oscillators and signal mixers … can all introduce radio signal inaccuracies,” researcher Jakob Hasse explained.

A Wired Opinion article today raises the possibility that the M7 coprocessor in Apple’s new iPhone could create another avenue for data collection.

Asked if this sort of work risks putting ideas into the heads of online advertisers, Bojinov said he’d be surprised if someone in the industry wasn’t already exploring these approaches.

The private sector and U.S. government have repeatedly demonstrated a willingness to make use of mobile phones’ hardware in ways users wouldn’t expect. Apps like Color, Shopkick and IntoNow activated smartphone microphones to detect when people were in the same room, entered a particular store or watched a specific TV show, as Computerworld reported.

Likewise, the FBI has famously flipped on the microphones of investigation targets to eavesdrop on conversations. 

145 of the internet’s top websites secretly track your device fingerprint:

A new study by KU Leuven-iMinds researchers has uncovered that 145 of the Internet’s 10,000 top websites use hidden scripts to extract a device fingerprint from users’ browsers. Device fingerprinting circumvents legal restrictions imposed on the use of cookies and ignores the Do Not Track HTTP header. The findings suggest that secret tracking is more widespread than previously thought.  

Device fingerprinting, also known as browser fingerprinting, is the practice of collecting properties of PCs, smartphones and tablets to identify and track users. These properties include the screen size, the versions of installed software and plugins, and the list of installed fonts. A 2010 study by the Electronic Frontier Foundation (EFF) showed that, for the vast majority of browsers, the combination of these properties is unique, and thus functions as a ‘fingerprint’ that can be used to track users without relying on cookies. Device fingerprinting targets either Flash, the ubiquitous browser plugin for playing animations, videos and sound files, or JavaScript, a common programming language for web applications.

This is the first comprehensive effort to measure the prevalence of device fingerprinting on the Internet. The team of KU Leuven-iMinds researchers analysed the Internet’s top 10,000 websites and discovered that 145 of them (almost 1.5%) use Flash-based fingerprinting. Some Flash objects included questionable techniques such as revealing a user’s original IP address when visiting a website through a third party (a so-called proxy).

The study also found that 404 of the top 1 million sites use JavaScript-based fingerprinting, which allows sites to track non-Flash mobile phones and devices. The fingerprinting scripts were found to be probing a long list of fonts – sometimes up to 500 – by measuring the width and the height of secretly-printed strings on the page.

The researchers identified a total of 16 new providers of device fingerprinting, only one of which had been identified in prior research. In another surprising finding, the researchers found that users are tracked by these device fingerprinting technologies even if they explicitly request not to be tracked by enabling the Do Not Track (DNT) HTTP header.

The researchers also evaluated Tor Browser and Firegloves, two privacy-enhancing tools offering fingerprinting resistance. New vulnerabilities – some of which give access to users’ identity – were identified.

Device fingerprinting can be used for various security-related tasks, including fraud detection, protection against account hijacking and anti-bot and anti-scraping services. But it is also being used for analytics and marketing purposes via fingerprinting scripts hidden in advertising banners and web widgets.

To detect websites using device fingerprinting technologies, the researchers developed a tool called FPDetective. The tool crawls and analyses websites for suspicious scripts. This tool will be freely available at for other researchers to use and build upon.
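The font-probing behaviour described above (many candidate fonts, each followed by a width or height measurement) leaves a recognisable access pattern that a crawler can flag. The sketch below is an added example, not FPDetective's code: the event shape, the threshold of 30 fonts and the script URLs are assumptions, and the log is constructed.

```javascript
// Added example: flag scripts whose DOM access pattern matches font probing.
// The event shape {script, op, prop, value} is hypothetical, standing in for
// whatever an instrumented browser would log.
const DIM_PROPS = new Set(['offsetWidth', 'offsetHeight']);
const FONT_THRESHOLD = 30; // assumed cut-off; tune against known-benign pages

// "'Foo Bar', monospace" -> "foo bar": the first family is the probe candidate
function candidateFont(value) {
  return value.split(',')[0].trim().replace(/^['"]|['"]$/g, '').toLowerCase();
}

function detectFontProbing(events, threshold = FONT_THRESHOLD) {
  const perScript = new Map();
  for (const ev of events) {
    if (!perScript.has(ev.script)) {
      perScript.set(ev.script, { pending: null, measured: new Set() });
    }
    const state = perScript.get(ev.script);
    if (ev.op === 'set' && ev.prop === 'fontFamily') {
      state.pending = candidateFont(ev.value);
    } else if (ev.op === 'read' && DIM_PROPS.has(ev.prop) && state.pending !== null) {
      // Dimension read after a font change: one font has been measured
      state.measured.add(state.pending);
    }
  }
  return [...perScript]
    .filter(([, s]) => s.measured.size >= threshold)
    .map(([script, s]) => ({ script, fontsMeasured: s.measured.size }));
}

// Constructed sample log: one prober, one page script using three fonts,
// one layout script that reads dimensions but never changes fonts.
function buildSampleLog() {
  const log = [];
  const fp = 'https://tracker.example/fp.js';
  for (let i = 0; i < 120; i++) {
    log.push({ script: fp, op: 'set', prop: 'fontFamily', value: `'Font ${i}', monospace` });
    log.push({ script: fp, op: 'read', prop: 'offsetWidth' });
    log.push({ script: fp, op: 'read', prop: 'offsetHeight' });
  }
  const ui = 'https://site.example/ui.js';
  for (const f of ['Arial', 'Georgia', 'Verdana']) {
    log.push({ script: ui, op: 'set', prop: 'fontFamily', value: f });
    log.push({ script: ui, op: 'read', prop: 'offsetWidth' });
  }
  for (let i = 0; i < 200; i++) {
    log.push({ script: 'https://site.example/layout.js', op: 'read', prop: 'offsetWidth' });
  }
  return log;
}

console.log(detectFontProbing(buildSampleLog()));
```

Counting distinct fonts that were actually measured, rather than dimension reads alone, keeps ordinary layout code from being flagged.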

The findings will be presented at the 20th ACM Conference on Computer and Communications Security this November in Berlin.

One thought on “Stanford researchers demonstrate how smartphone fingerprint sensors can be used to spy on you”

  1. Well if you own a cellphone, you’re volunteering to be spied upon, and agreeing to share the details of your every move with the government.

    Another way of putting that would be: “If you own a cell phone, you’re an idiot.”

    Do you really have to be reachable at all times? My land line and answering machine handle all my communication needs, and I’ll never “need” a cell phone because I’ve never grown accustomed to having one.
