Hackers Can Track Subway Riders' Movements By Smartphone Accelerometer

Patrick O'Neill writes: Tens of millions of daily subway riders around the world can be tracked through their smartphones by a new attack, according to research from China's Nanjing University. The new attack even works underground and doesn't utilize GPS or cell networks. Instead, the attacker steals data from a phone's accelerometer. Because each subway in the world has a unique movement fingerprint, the phone's motion sensor can give away a person's daily movements with up to 92% accuracy.

Yay

[bobstreo]

Now if there were any subways anywhere near where I lived.

If the accelerometer has such poor security, what other components/sensors are vulnerable?

Re:Yay

[Imagix]

Read the article closer. Nowhere does it say that a stock phone is susceptible to this sort of attack. The story is presuming that malware has been installed onto the phone. Then, shockingly, software that has been granted access to the hardware can read the hardware. Inertial navigation systems have been in use since at least WW II. And if you have software on the phone that has purloined access to the accelerometer... it would like also have access to the wifi, cell and GPS stuff too.

Re:Yay

[msauve]

Yep, and since when is someone who writes such an app a "hacker?" They may be a reprobate, but they haven't hacked anything.

Re:Yay

[AK+Marc]

Yeah, wouldn't it make sense to see where the GPS signal dies, and when it comes back, and persume they took transport from one position to the other? No inertia guessing needed. The Yellow to the Red line is the only way to connect those dots without looping or doubling back. So why do you need to have the accelerometer to confirm?

Re:Yay

[tlhIngan]

Yeah, wouldn't it make sense to see where the GPS signal dies, and when it comes back, and persume they took transport from one position to the other? No inertia guessing needed. The Yellow to the Red line is the only way to connect those dots without looping or doubling back. So why do you need to have the accelerometer to confirm?

Because the accelerometer is often free to use. Accessing GPS requires permission and often has an indicator.

With this, an app can use the accelerometer surreptitiously while leaving no indication that movement is being tracked - so many apps use it that no one gives a second thought. Using GPS often brings up an alert so the user knows they're being tracked. If your app uses the accelerometer anyways, you can sell that information for tracking. Whereas If you app suddenly popped up "MyCoolApp needs to use the GPS - Allow/Deny?" then people get suspicious.

At least it does on iOS. I don't know - do apps have free reign over the GPS on Android or do you get alerts when they attempt to use it?

Re:Yay

That "malware" could be any app. Accelerometer access is not guarded by a permission in Android. An app that needs no permissions at all could still do this (or count your steps, or read your passwords as you tap them on the screen, or read what you type into your keyboard on the same desk...).

Re:Yay

[viperidaenz]

On Android you need to grant the permission and an icon is shown at the top of the screen when the high-accuracy (GPS) location service is active.

I don't believe there is a notification when low accuracy location is active (the one that uses cell towers and wifi signals) but the permission still needs to be granted

Re:Yay

On my phone, all web pages have access to the accelerometer data without needing to ask for permission. This is the usual case, since it is a standard web feature to provide orientation data. This means that advertisers can target ads to people in the context of their likely destinations.

Re:Yay

[AK+Marc]

I don't know - do apps have free reign over the GPS on Android or do you get alerts when they attempt to use it?

They aren't nagware. If you give permission to install, and it requires GPS access, it can turn it on and off without "notification" (though, dependent on phone, there will be an icon in the display that will turn on, but I'm not sure if that's required). "Location services" doesn't turn on the GPS icon unless using GPS, and location services rarely use GPS because of the unreliability and power drain.

Re:Yay

If the accelerometer has such poor security

Yes, each individual component in the phone should be by default inaccesible to all apps, and permission granted on a case by case basis. That would be the most secure phone ever, because it wouldn't be long before the user smashed it against a wall.

Re:Yay

[Dr_Barnowl]

The flashbang is designed to release it quickly.

The phone isn't. You'd have to physically modify the battery, you can't just make them explode from software.

Re:Yay

A web page do not need permission:
http://www.albertosarullo.com/demos/accelerometer/
So if you read the news on the way to work, the news site (and the advertisers) know where you are.

And?

If you can get malware on the phone to read the accelerator then the game is over anyway. At that point you can steal text messages, email, passwords, etc. Who cares if they went from subway station A to B? They can get that info when they pop up above ground.

Obvious solution

[transporter_ii]

Everyone just needs to pool their phones and then everyone use a random phone for the day. Sort of a TOR operating at the physical level. An app that made encrypted VoIP calls could probably allow you to even use the same phone number by just logging in through the random phone of the day.

Re:Obvious solution

Socially, it may be nice to call random people every day from a random phone, but from a business point of view I don't know how well that will work - unless you are a telemarketer.

Re:Obvious solution

[dsmatthews9379]

Except you can still be identified by your gait pattern "Identifying users of portable devices from gait pattern with accelerometers" http://ieeexplore.ieee.org/xpl...

Re:Obvious solution

[thegarbz]

That's an obvious solution until you try to call someone, though I fondly remember my highschool days of prank dialling random numbers and having conversation with some interesting characters.

Re:Obvious solution

And they all laughed that the Ministry of Silly Walks would never serve any practical purpose.

Re:Obvious solution

No, what really needs to happen it that people actually turn their phone off at least once in their lives. Seriously, you really don't need to always leave on or use your phone every 5 minutes, every day.

One more hacker tool among many

[Tablizer]

If a hacker has access to accelerometer data, he/she probably has access to lots of OTHER personal info also.

Re:One more hacker tool among many

[thegarbz]

What makes you say that? A typical app that exposes this data for the user will demand access to accelerometer and the internet (for ads). It logically does not follow that they'd have access to any other data unless the user gave them such access.

Re:One more hacker tool among many

[Dog-Cow]

Apparently you enjoy speaking from ignorance. Perhaps you should use an iOS or Android device more more than 3.2 femtoseconds. You might learn that apps don't require a user's explicit permission to access the accelerometer, but do for accessing any private data.

Re:One more hacker tool among many

[Athanasius]

Unless it's a rooted Android phone running Xposed/Xprivacy, and thus supplying false sensor data (optionally per app).

Horrible Summary

The very premise, prior to the attack, is that the user has opted to run the "hacker"'s malware.

All they're saying, is that if run malware which watches the accelerometer, the malware can infer your location. And then it still has to transmit this information from your computer to another (unless the malware itself, is what make decisions based on your position).

Re:Horrible Summary

[Em+Adespoton]

The very premise, prior to the attack, is that the user has opted to run the "hacker"'s malware.

All they're saying, is that if run malware which watches the accelerometer, the malware can infer your location. And then it still has to transmit this information from your computer to another (unless the malware itself, is what make decisions based on your position).

Oh Wow! So the hacker has installed something like MotionX -- commercial software for iOS that's been around forever and does pretty much this (although I don't think it contains subway lines in its accelerometer fingerprint list).

Add to the list of paranoid gear

Tin foil hat, now tin foil pocket.

Re:Add to the list of paranoid gear

[turkeydance]

isn't tin-foil pocket old news? you know, those lined wallets which will block proximity readers.

Re:Add to the list of paranoid gear

[Em+Adespoton]

They don't tend to block acceleration, nor do they block data exfiltration when you remove your phone from them to make/receive calls.

Re:Add to the list of paranoid gear

[plover]

But you could make a whole lot of money if you could develop a "tin-foil accelerometer blocker". Every starship a hundred years from now is going to need inertial dampeners!

Re:Add to the list of paranoid gear

[weilawei]

A sufficiently massive or energetic object works just fine as an inertial dampener. That mosquito flying back and forth? Critically damped by the nearest hardcover book.

Progress!

[Livius]

The privacy concerns are troubling, but I can't help thinking that's pretty cool.

Re:Progress!

yep, it's a trippy dichotomy. nuclear explosions are stunningly beautiful, very creepy.

Inertial Navigation System = Hacking!?!

I find myself in the position asking, what's the news!?
And Hacker ??!?! .. Where is the hacking?

Ohh they needed a bad guy with a bad reputation.

Also hackers most likely beat you up the moment you engage in demonstrations (walking arround in circles = constant acceleration) and spray tear gas at you from 100m away because they have a GPS-enabled sniper rifle?

Ohh my fault that would be the chinese police and not a hacker.

"Summing" up the story:
Chinese Computer Scientists just found a copy of Newtons physics book. And were supprised to find that when you integrate accelerometer readings you first get the velocity and after another integration step you get the distance traveled in 3 dimensions +3 angles?

"accel (dt) -> velocity(dt) -> distance"

Some GPS-Navs have also accelerometers, to cover the dead zones for example when you are driving through a tunnel.

Also that unique movement character .. ohh please that's not research that's obvious, it goes for streets & walk ways too.

And the second best way to track peoples movement would be their cell data information, every cell tower can be uniquely identified, and a cell phone connects to three .. and when you keep track of these ..

The first best way is to access the gps data.

You and your government know where you were - also the "hacker" with the intent to kill, rape, rob or stalk you.

These malicous hackers must be known to be do-badders that try to know where you are, aren't hey?

"Up To"

[Dwedit]

Because 0% accuracy is also "Up To 92%" accuracy.

Re:"Up To"

[thegarbz]

Given the limited number of possible start / stop cycles a subway will experience along with curves in the track and a standard response expected from coming into and leaving a station (I'm guessing 5Gs would be a bit much for anything other than hitting another train), I'm going to say the answer is probably far closer to 92% than it is to 0%.

Re:"Up To"

[adolf]

Add the error and difficulty of subtracting rider movement (remember, a phone's accelerometer is not something that is fixed to the chassis of the vehicle, but instead is something loosely carried by a squishy human being) and I'm going to say the answer is probably far closer to 0% than it is 92%.

Re:"Up To"

[thegarbz]

Except for the bit where I said "standard response". I'm going to assume you're not an expert in signal processing. Actually I don't need to assume it, you've pretty much stated it.

I'm not sure where you get your cynical view of the world from, but in cases where anyone has every described "up to 92%" I've never seen anything close to 0% as the true result.

Re:"Up To"

[Neil+Boekend]

Rider movement is eliminated by calculating the second integral from the acceleration. That gives you the difference in location. You then average the position over a couple of seconds (as an filter for the user movement) and then you compare it with different possible tracks. The track that has the highest match score wins.
If you have multiple possible tracks you use the average data of multiple days to get a better accuracy for daily commutes. The right track will next to always increase in score.

To me the hardest part would be the comparison of the track and the relative position data, and that is only hard to me because right now I don't feel like spending an hour of googling on how to do it because it is a solved problem.

Re:Do you like RIDING LONG THIN TUBES? Join GayWAD

The title made me laugh. For once, this troll is on topic.

deres haxx0rz in ur fone tracking ur subway

because only hackers could possibly do that, or have the interest to do it. Not other people. ESPECIALLY NOT the law-abiding people in law enforcement. They would never do that even if they could, which they can't, because they're not HACKERS.

because only HACKERS can HACK like HACKERS being HACKERS do, that's why.

Please, stuff it with the breathless bullshit. The truth is bad enough without meaningless embellishments for doubleplus extra scare value.

Re:deres haxx0rz in ur fone tracking ur subway

[viperidaenz]

Why would law enforcement want to do this?
They can just get your location from your cell carrier.

Re:deres haxx0rz in ur fone tracking ur subway

You can make the exact same argument for this "stingray" or "IMSI catcher" device, or for government-malware certain governments install wholesale, or a bunch of other things various governments across the world do, in fact. Think about it and perchance you'll spot the second whoosh without help.

Re:deres haxx0rz in ur fone tracking ur subway

[Dog-Cow]

The second whoosh is not transmitting accelerometer data, so he doesn't know where it is.

Good Luck

[dohzer]

Here in Melbourne, Australia our train system has a unique movement footprint.
Accellerating and breaking for no reason, trains that skip stations or terminate at random ones; this baby's got it all. Good luck decoding the position from that.

Re:Good Luck

[CrimsonAvenger]

Accellerating and breaking for no reason

They're breaking for no reason? You should be able to fix that....

Re:Good Luck

[sd4f]

Sydney is similar. But the thing is dead reckoning, while not perfect due to cumulative error, will generally be able to resolve changes such as a train accelerating and braking. It would also be relatively straight forward to see that a person is moving along a train corridor, so they could make fairly easy assumptions.

What could potentially break tracking through accelerometer dead reckoning is by moving the phone around in the pocket and changing its orientation. But even that, could be potentially resolved, as I believe all phone accelerometers these days are six axis devices, so they can measure static rotation.

Re:Good Luck

See, it's a feature. The train operators were smart enough to foresee this type of malware and have been trying to protect their riders.

Re:Good Luck

[Dragonslicer]

Accellerating and breaking for no reason

They're breaking for no reason?

Clearly you've never been to Boston.

Well on some platforms its a feature...

iOS and presumably other platforms use the accellerometer & gyroscopes for purposes like this and to provide inertial navigation. Its quite accurate at locating you in a subway. I catch the train home a few times a week and its really quite remarkable.

To do signature matching of accelleration/decelleration patterns at specific stations would require low level access to the accelerometer data, or to bypass user consent on location services (on iOS)

I'm not sure on Android, but on WinMo and iOS you'd need to be jailbroken for this attack to work. (there is no low level API available unless you are in a rooted/jailbroken state).

Its a cool hack, but the preconditions for it being used as a surveillance mechanism are very significant compromises.

Example "threat" from TFA

"Another interesting example is that if the attacker finds Alice and Bob often visit the same stations at similar non-working times, he may infer that Bob is dating Alice."

Man, that is scary! Good thing megacorps can't do that sort of...oh wait.

Make Accelerometer Access Restricted

This isn't the first exploit which uses the accelerometers: Both reading taps on the display to snoop passwords and reading the vibrations of key presses on a nearby keyboard to reconstruct typed sentences have already been demonstrated. Yet access to the full raw accelerometer data is still not guarded by a permission in Android. Not only should this data only be available to apps if the user explicitly allows it, there should also be less intrusive filtered access, where the app only receives events like "display down", "falling", "double tap", etc., so that most apps won't need full accelerometer access for benign functions. And of course there should be a way to "allow" access, but withhold actual data from the app. That should be added for most existing permissions actually, not just accelerometer access.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:No, this is not how phones work,

Nah, you're missing the point. Starts and stops will have 'fingerprints', spacing between stops will show up, things like that. Kinda cool research.

They should ride the MBTA Red Line

That particular subway system sways left to right, forward and backward. And drivers - there are two types. There are the cowboys who when they KNOW they have a packed train will come to sudden stops. Then there are the good ones, mostly the female drivers who gradually slow the trains.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Cryptonomicon

With a little more hacking, they could use the flashing light on Android phones to transmit the data.

Analog hole, bitches!

using WiFi IDs is much simpler

[YesIAmAScript]

Who cares about this? Simply tracking which WiFi station IDs the phone sees is a lot better way of tracking where the person is.

If you can hack into their phone, you can find them. No need for fancy long-term acceleration tracking either.

Pay phones!

[swb]

In the late 1970s in junior high we would ride the bus and get off at random stops and write down pay phone numbers. Then when we got home we would call the numbers and do all sorts of gags.

The one that inexplicably worked well was telling people that had won money from a radio station. Why they believed that an 8th grader sounded like a disk jockey is still beyond me.

It's almost kind of sad that kids of today can't get that experience. There's very few pay phones left and I bet none of them accept incoming calls. It was also pretty safe from a get in trouble perspective. Call logging and tracing would have been a huge endeavor and we never called any one pay phone more than a few times or suggested anything violent or even all that ribald.

Hackers not the ones who will use this

The method should work, but I somehow doubt that "hackers" will be the ones bothering to use it. Much more likely to be used by police and intelligence agencies IMHO.

Mind you I would have thought that on a train you could triangulate with mobile repeaters and such much more easily,

Re:Hackers not the ones who will use this

[plover]

Mind you I would have thought that on a train you could triangulate with mobile repeaters and such much more easily,

Not underground, where cell service is blocked by a hundred feet of rock and dirt.

Re: No, this is not how phones work,

Plus heuristics like the fingerprint of a train coming to a stop (and being stationary - no jagged movements and train like swaying). Train is stopped and person walking? Probably just got to a station nearest where dead reckoning says you should be.

The actual interesting bit

[Prune]

As soon as I saw the summary, I wondered how they're able to do decent dead reckoning using the mediocre quality cell phone accelerometers; in the general case, the integration would give drift pretty quickly. We're not dealing with ICBM-quality accelerometers here. So the interesting bit is how they're able to make use of information that specializes the problem (the location of subway stations) together with machine learning to do much better than the general case. The paper is worth a read.

Unique movement fingerprint??

[Viol8]

Sorry, but who comes up with this shit? Apart from not knowing the start location and orientation of the phone, electric trains are all pretty similar these days and besides which how will they take account of non station stops at reds, bad riding suspension on certain trains, fast/slow drivers etc etc?

What a crock of ....

Apart from that the accelerometers on your average consumer device arn't even that accurate. After a few minutes it'll be hopelessly lost.

Re:Unique movement fingerprint??

the wonders of modern instrumentation. this seems patently trivial. apparently you've never heard of inertial navigation. This is easier than that just inertial signal processing. I'll start logging data tonight on the train. We have technically 3 trains models running (but basically) on our LRT. I wager I can distinguish between each train, the train operator, as well as the tracks its running on based on accelerometer data. The real key will be how much track is required to lock into low uncertainty. I know of one particular feature on my 12 minute, 4.67 mile track that must be sufficiently unique. Alternatively accessing timetable of the initial guess could further corroborate the tracking.

Re:Unique movement fingerprint??

[Viol8]

"I wager I can distinguish between each train, the train operator, as well as the tracks its running on based on accelerometer data."

Yeah. right.

Am I the only one thinking how useful this is

[sabbede]

For a municipal transportation chief?