Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hackers Can Track Subway Riders' Movements By Smartphone Accelerometer

Posted by samzenpus on from the all-the-better-to-follow-you-with dept.

Patrick O'Neill writes: Tens of millions of daily subway riders around the world can be tracked through their smartphones by a new attack, according to research from China's Nanjing University. The new attack even works underground and doesn't utilize GPS or cell networks. Instead, the attacker steals data from a phone's accelerometer. Because each subway in the world has a unique movement fingerprint, the phone's motion sensor can give away a person's daily movements with up to 92% accuracy.

45 of 69 comments (clear)

  1. Yay by bobstreo · · Score: 3, Insightful

    Now if there were any subways anywhere near where I lived.

    If the accelerometer has such poor security, what other components/sensors are vulnerable?

    1. Re:Yay by Imagix · · Score: 5, Informative

      Read the article closer. Nowhere does it say that a stock phone is susceptible to this sort of attack. The story is presuming that malware has been installed onto the phone. Then, shockingly, software that has been granted access to the hardware can read the hardware. Inertial navigation systems have been in use since at least WW II. And if you have software on the phone that has purloined access to the accelerometer... it would like also have access to the wifi, cell and GPS stuff too.

    2. Re:Yay by msauve · · Score: 1

      Yep, and since when is someone who writes such an app a "hacker?" They may be a reprobate, but they haven't hacked anything.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    3. Re:Yay by AK+Marc · · Score: 1

      Yeah, wouldn't it make sense to see where the GPS signal dies, and when it comes back, and persume they took transport from one position to the other? No inertia guessing needed. The Yellow to the Red line is the only way to connect those dots without looping or doubling back. So why do you need to have the accelerometer to confirm?

      --
      Learn to love Alaska
    4. Re:Yay by tlhIngan · · Score: 4, Insightful

      Yeah, wouldn't it make sense to see where the GPS signal dies, and when it comes back, and persume they took transport from one position to the other? No inertia guessing needed. The Yellow to the Red line is the only way to connect those dots without looping or doubling back. So why do you need to have the accelerometer to confirm?

      Because the accelerometer is often free to use. Accessing GPS requires permission and often has an indicator.

      With this, an app can use the accelerometer surreptitiously while leaving no indication that movement is being tracked - so many apps use it that no one gives a second thought. Using GPS often brings up an alert so the user knows they're being tracked. If your app uses the accelerometer anyways, you can sell that information for tracking. Whereas If you app suddenly popped up "MyCoolApp needs to use the GPS - Allow/Deny?" then people get suspicious.

      At least it does on iOS. I don't know - do apps have free reign over the GPS on Android or do you get alerts when they attempt to use it?

    5. Re:Yay by viperidaenz · · Score: 1

      On Android you need to grant the permission and an icon is shown at the top of the screen when the high-accuracy (GPS) location service is active.

      I don't believe there is a notification when low accuracy location is active (the one that uses cell towers and wifi signals) but the permission still needs to be granted

    6. Re:Yay by AK+Marc · · Score: 1

      I don't know - do apps have free reign over the GPS on Android or do you get alerts when they attempt to use it?

      They aren't nagware. If you give permission to install, and it requires GPS access, it can turn it on and off without "notification" (though, dependent on phone, there will be an icon in the display that will turn on, but I'm not sure if that's required). "Location services" doesn't turn on the GPS icon unless using GPS, and location services rarely use GPS because of the unreliability and power drain.

      --
      Learn to love Alaska
    7. Re:Yay by Dr_Barnowl · · Score: 1

      The flashbang is designed to release it quickly.

      The phone isn't. You'd have to physically modify the battery, you can't just make them explode from software.

  2. Obvious solution by transporter_ii · · Score: 2, Interesting

    Everyone just needs to pool their phones and then everyone use a random phone for the day. Sort of a TOR operating at the physical level. An app that made encrypted VoIP calls could probably allow you to even use the same phone number by just logging in through the random phone of the day.

    --
    Doctors destroy health, lawyers destroy justice, universities destroy knowledge, religion destroys spirituality
    1. Re:Obvious solution by Anonymous Coward · · Score: 1

      Socially, it may be nice to call random people every day from a random phone, but from a business point of view I don't know how well that will work - unless you are a telemarketer.

    2. Re:Obvious solution by dsmatthews9379 · · Score: 1

      Except you can still be identified by your gait pattern "Identifying users of portable devices from gait pattern with accelerometers" http://ieeexplore.ieee.org/xpl...

    3. Re:Obvious solution by thegarbz · · Score: 1

      That's an obvious solution until you try to call someone, though I fondly remember my highschool days of prank dialling random numbers and having conversation with some interesting characters.

  3. One more hacker tool among many by Tablizer · · Score: 3, Insightful

    If a hacker has access to accelerometer data, he/she probably has access to lots of OTHER personal info also.

    --
    Table-ized A.I.
    1. Re:One more hacker tool among many by thegarbz · · Score: 2

      What makes you say that? A typical app that exposes this data for the user will demand access to accelerometer and the internet (for ads). It logically does not follow that they'd have access to any other data unless the user gave them such access.

    2. Re:One more hacker tool among many by Dog-Cow · · Score: 1

      Apparently you enjoy speaking from ignorance. Perhaps you should use an iOS or Android device more more than 3.2 femtoseconds. You might learn that apps don't require a user's explicit permission to access the accelerometer, but do for accessing any private data.

    3. Re:One more hacker tool among many by Athanasius · · Score: 2

      Unless it's a rooted Android phone running Xposed/Xprivacy, and thus supplying false sensor data (optionally per app).

  4. Horrible Summary by Anonymous Coward · · Score: 1

    The very premise, prior to the attack, is that the user has opted to run the "hacker"'s malware.

    All they're saying, is that if run malware which watches the accelerometer, the malware can infer your location. And then it still has to transmit this information from your computer to another (unless the malware itself, is what make decisions based on your position).

    1. Re:Horrible Summary by Em+Adespoton · · Score: 1

      The very premise, prior to the attack, is that the user has opted to run the "hacker"'s malware.

      All they're saying, is that if run malware which watches the accelerometer, the malware can infer your location. And then it still has to transmit this information from your computer to another (unless the malware itself, is what make decisions based on your position).

      Oh Wow! So the hacker has installed something like MotionX -- commercial software for iOS that's been around forever and does pretty much this (although I don't think it contains subway lines in its accelerometer fingerprint list).

  5. Add to the list of paranoid gear by Anonymous Coward · · Score: 1

    Tin foil hat, now tin foil pocket.

    1. Re:Add to the list of paranoid gear by turkeydance · · Score: 1

      isn't tin-foil pocket old news? you know, those lined wallets which will block proximity readers.

    2. Re:Add to the list of paranoid gear by Em+Adespoton · · Score: 3, Insightful

      They don't tend to block acceleration, nor do they block data exfiltration when you remove your phone from them to make/receive calls.

    3. Re:Add to the list of paranoid gear by plover · · Score: 1

      But you could make a whole lot of money if you could develop a "tin-foil accelerometer blocker". Every starship a hundred years from now is going to need inertial dampeners!

      --
      John
    4. Re:Add to the list of paranoid gear by weilawei · · Score: 1

      A sufficiently massive or energetic object works just fine as an inertial dampener. That mosquito flying back and forth? Critically damped by the nearest hardcover book.

  6. Progress! by Livius · · Score: 5, Insightful

    The privacy concerns are troubling, but I can't help thinking that's pretty cool.

  7. "Up To" by Dwedit · · Score: 3, Insightful

    Because 0% accuracy is also "Up To 92%" accuracy.

    1. Re:"Up To" by thegarbz · · Score: 1

      Given the limited number of possible start / stop cycles a subway will experience along with curves in the track and a standard response expected from coming into and leaving a station (I'm guessing 5Gs would be a bit much for anything other than hitting another train), I'm going to say the answer is probably far closer to 92% than it is to 0%.

    2. Re:"Up To" by adolf · · Score: 1

      Add the error and difficulty of subtracting rider movement (remember, a phone's accelerometer is not something that is fixed to the chassis of the vehicle, but instead is something loosely carried by a squishy human being) and I'm going to say the answer is probably far closer to 0% than it is 92%.

      --
      Kid-proof tablet..
    3. Re:"Up To" by thegarbz · · Score: 1

      Except for the bit where I said "standard response". I'm going to assume you're not an expert in signal processing. Actually I don't need to assume it, you've pretty much stated it.

      I'm not sure where you get your cynical view of the world from, but in cases where anyone has every described "up to 92%" I've never seen anything close to 0% as the true result.

    4. Re:"Up To" by Neil+Boekend · · Score: 1

      Rider movement is eliminated by calculating the second integral from the acceleration. That gives you the difference in location. You then average the position over a couple of seconds (as an filter for the user movement) and then you compare it with different possible tracks. The track that has the highest match score wins.
      If you have multiple possible tracks you use the average data of multiple days to get a better accuracy for daily commutes. The right track will next to always increase in score.

      To me the hardest part would be the comparison of the track and the relative position data, and that is only hard to me because right now I don't feel like spending an hour of googling on how to do it because it is a solved problem.

      --
      Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
  8. Good Luck by dohzer · · Score: 5, Funny

    Here in Melbourne, Australia our train system has a unique movement footprint.
    Accellerating and breaking for no reason, trains that skip stations or terminate at random ones; this baby's got it all. Good luck decoding the position from that.

    1. Re:Good Luck by CrimsonAvenger · · Score: 1

      Accellerating and breaking for no reason

      They're breaking for no reason? You should be able to fix that....

      --

      "I do not agree with what you say, but I will defend to the death your right to say it"
    2. Re:Good Luck by sd4f · · Score: 1

      Sydney is similar. But the thing is dead reckoning, while not perfect due to cumulative error, will generally be able to resolve changes such as a train accelerating and braking. It would also be relatively straight forward to see that a person is moving along a train corridor, so they could make fairly easy assumptions.

      What could potentially break tracking through accelerometer dead reckoning is by moving the phone around in the pocket and changing its orientation. But even that, could be potentially resolved, as I believe all phone accelerometers these days are six axis devices, so they can measure static rotation.

    3. Re:Good Luck by Dragonslicer · · Score: 2

      Accellerating and breaking for no reason

      They're breaking for no reason?

      Clearly you've never been to Boston.

  9. Well on some platforms its a feature... by Anonymous Coward · · Score: 1

    iOS and presumably other platforms use the accellerometer & gyroscopes for purposes like this and to provide inertial navigation. Its quite accurate at locating you in a subway. I catch the train home a few times a week and its really quite remarkable.

    To do signature matching of accelleration/decelleration patterns at specific stations would require low level access to the accelerometer data, or to bypass user consent on location services (on iOS)

    I'm not sure on Android, but on WinMo and iOS you'd need to be jailbroken for this attack to work. (there is no low level API available unless you are in a rooted/jailbroken state).

    Its a cool hack, but the preconditions for it being used as a surveillance mechanism are very significant compromises.

  10. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  11. Re:deres haxx0rz in ur fone tracking ur subway by viperidaenz · · Score: 1

    Why would law enforcement want to do this?
    They can just get your location from your cell carrier.

  12. Re:No, this is not how phones work, by Anonymous Coward · · Score: 1

    Nah, you're missing the point. Starts and stops will have 'fingerprints', spacing between stops will show up, things like that. Kinda cool research.

  13. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  14. using WiFi IDs is much simpler by YesIAmAScript · · Score: 1

    Who cares about this? Simply tracking which WiFi station IDs the phone sees is a lot better way of tracking where the person is.

    If you can hack into their phone, you can find them. No need for fancy long-term acceleration tracking either.

    --
    http://lkml.org/lkml/2005/8/20/95
  15. Pay phones! by swb · · Score: 3, Interesting

    In the late 1970s in junior high we would ride the bus and get off at random stops and write down pay phone numbers. Then when we got home we would call the numbers and do all sorts of gags.

    The one that inexplicably worked well was telling people that had won money from a radio station. Why they believed that an 8th grader sounded like a disk jockey is still beyond me.

    It's almost kind of sad that kids of today can't get that experience. There's very few pay phones left and I bet none of them accept incoming calls. It was also pretty safe from a get in trouble perspective. Call logging and tracing would have been a huge endeavor and we never called any one pay phone more than a few times or suggested anything violent or even all that ribald.

  16. Re:Hackers not the ones who will use this by plover · · Score: 1

    Mind you I would have thought that on a train you could triangulate with mobile repeaters and such much more easily,

    Not underground, where cell service is blocked by a hundred feet of rock and dirt.

    --
    John
  17. Re:deres haxx0rz in ur fone tracking ur subway by Dog-Cow · · Score: 1

    The second whoosh is not transmitting accelerometer data, so he doesn't know where it is.

  18. The actual interesting bit by Prune · · Score: 1

    As soon as I saw the summary, I wondered how they're able to do decent dead reckoning using the mediocre quality cell phone accelerometers; in the general case, the integration would give drift pretty quickly. We're not dealing with ICBM-quality accelerometers here. So the interesting bit is how they're able to make use of information that specializes the problem (the location of subway stations) together with machine learning to do much better than the general case. The paper is worth a read.

    --
    "Politicians and diapers must be changed often, and for the same reason."
  19. Unique movement fingerprint?? by Viol8 · · Score: 1

    Sorry, but who comes up with this shit? Apart from not knowing the start location and orientation of the phone, electric trains are all pretty similar these days and besides which how will they take account of non station stops at reds, bad riding suspension on certain trains, fast/slow drivers etc etc?

    What a crock of ....

    Apart from that the accelerometers on your average consumer device arn't even that accurate. After a few minutes it'll be hopelessly lost.

  20. Am I the only one thinking how useful this is by sabbede · · Score: 1

    For a municipal transportation chief?