CYBER NEWS

CVE-2019-8541: SensorID Attack Technique Overcomes Android and iOS Security

Criminals have devised a new malware tactic which is known as the SensorID attack and it is capable of overcoming the security of Android and iOS devices. It is designed to track users by abusing the sensors of these devices. The implications of this vulnerability are very serious as this allows hackers to easily penetrate these devices. It is tracked in the CVE-2019-8541 advisory.




CVE-2019-8541: The SensorID Attack Is Used To Spy Android and iOS Devices

Security researchers have uncovered a new novel malware attack technique which relies on acquiring sensors data by hackers from victim devices — as it turns out this includes both Android and iOS owners. It is called SensorsID and it can be used to track owners across the Internet. This is caused by a weakness in the factory-set calibration details — they can be accessed freely by applications without asking for specific permissions. It is described as harvesting of data from the following components:

  • Gyroscope
  • Magnetometer
  • Accelerometer

The SensorID attack is carried out by analyzing the data which is accessible both by websites and apps. This means that hackers can easily create such data capture elements in order to track the users across the Internet. Once they acquire a unique signature it can be used to fingerprint the victim device which is valid across the whole Internet. What’s more worrying about this particular attack is that it impacts iOS devices more than Android. The reason for this is that by default the sensors are calibrated on the assembly line wherein most Android devices calibrate themselves upon certain events such as initial setup and etc. The reason why this attack is deemed so dangerous is that each set of extracted fingerprints can be used as a unique identifier. This sensor calibration fingerprint will never change even when making a factory reset.

Apple released a patch for iOS which has corrected the issue back in March addressing the issue. The solution was to add random noise in the calibration output. The associated vulnerability is tracked in CVE-2019-8541 which describes the abuse of this technique in web browsers. Its description reads the following:

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka “Chakra Scripting Engine Memory Corruption Vulnerability.” This affects Microsoft Edge, ChakraCore

The full security report can be accessed here. Worried users can see if their device is affected by navigating to this demo page.

Avatar

Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

More Posts - Website

Follow Me:
TwitterGoogle Plus

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...