Criminals have devised a new malware tactic which is known as the SensorID attack and it is capable of overcoming the security of Android and iOS devices. It is designed to track users by abusing the sensors of these devices. The implications of this vulnerability are very serious as this allows hackers to easily penetrate these devices. It is tracked in the CVE-2019-8541 advisory.
CVE-2019-8541: The SensorID Attack Is Used To Spy Android and iOS Devices
Security researchers have uncovered a new novel malware attack technique which relies on acquiring sensors data by hackers from victim devices — as it turns out this includes both Android and iOS owners. It is called SensorsID and it can be used to track owners across the Internet. This is caused by a weakness in the factory-set calibration details — they can be accessed freely by applications without asking for specific permissions. It is described as harvesting of data from the following components:
- Gyroscope
- Magnetometer
- Accelerometer
The SensorID attack is carried out by analyzing the data which is accessible both by websites and apps. This means that hackers can easily create such data capture elements in order to track the users across the Internet. Once they acquire a unique signature it can be used to fingerprint the victim device which is valid across the whole Internet. What’s more worrying about this particular attack is that it impacts iOS devices more than Android. The reason for this is that by default the sensors are calibrated on the assembly line wherein most Android devices calibrate themselves upon certain events such as initial setup and etc. The reason why this attack is deemed so dangerous is that each set of extracted fingerprints can be used as a unique identifier. This sensor calibration fingerprint will never change even when making a factory reset.
Apple released a patch for iOS which has corrected the issue back in March addressing the issue. The solution was to add random noise in the calibration output. The associated vulnerability is tracked in CVE-2019-8541 which describes the abuse of this technique in web browsers. Its description reads the following:
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka “Chakra Scripting Engine Memory Corruption Vulnerability.” This affects Microsoft Edge, ChakraCore
The full security report can be accessed here. Worried users can see if their device is affected by navigating to this demo page.