Scientists track smartphone users in cities with sensor data
Scientists at Northeastern University were able to track smartphone users without using location or Wi-Fi permissions. They did this with an app that collected data from sensors such as the gyroscope.
Using data from the gyroscope, accelerometer and magnetometer, the scientists were able to determine a route that the user of the app had traveled by car. This data was collected by an app masquerading as an app with a different function. According to the researchers, no special permission is required to access the data from the sensors, making it accessible for any app without this being clear to the users. Normally, users can be tracked via the location services or Wi-Fi connection of a smartphone, but these do require the necessary permissions.
To reach this conclusion, the scientists conducted a number of experiments in their research. They simulated routes in eleven different cities, including Berlin, London, Madrid and Paris. Based on data from OpenStreetMap, an algorithm was then able to identify a certain number of possible routes. It turned out that with a probability of more than 50 percent, the algorithm was able to generate a list of ten routes, one of which was the actual route. This was possible, for example, by comparing the data from the smartphone sensors with the bends in the road.
They also conducted experiments in which test subjects actually took to the road in the cities of Boston and Waltham and covered a total of more than 980 km. A list of ten routes with a probability of thirty percent and sixty percent, respectively, could be drawn up. As soon as a test person started driving, the data collection by the app also started. The experiment was set up in such a way that the smartphone had to be present in the car at a fixed location. The researchers state that it is also possible to have the app distinguish the difference between the movements of the user and that of the car. It is also possible to determine the user’s location on the basis of an IP address, which makes it clear in advance in which city he is located.
While the researchers’ findings don’t seem exceptionally accurate at this point, the study does indicate the potential of these types of side channel attacks. The scientists therefore recommend making access to data from sensors dependent on permissions. Also, the user should be made aware of the fact that sensor data is being accessed, as is the case with location data and Wi-Fi.