Slashdot Mirror


Hackers Can Track Subway Riders' Movements By Smartphone Accelerometer

Patrick O'Neill writes: Tens of millions of daily subway riders around the world can be tracked through their smartphones by a new attack, according to research from China's Nanjing University. The new attack even works underground and doesn't utilize GPS or cell networks. Instead, the attacker steals data from a phone's accelerometer. Because each subway in the world has a unique movement fingerprint, the phone's motion sensor can give away a person's daily movements with up to 92% accuracy.


  1. Yay by bobstreo · · Score: 3, Insightful

    Now if there were any subways anywhere near where I lived.

    If the accelerometer has such poor security, what other components/sensors are vulnerable?

    1. Re:Yay by Imagix · · Score: 5, Informative

      Read the article closer. Nowhere does it say that a stock phone is susceptible to this sort of attack. The story is presuming that malware has been installed onto the phone. Then, shockingly, software that has been granted access to the hardware can read the hardware. Inertial navigation systems have been in use since at least WW II. And if you have software on the phone that has purloined access to the accelerometer... it would likely also have access to the wifi, cell and GPS stuff too.

    2. Re:Yay by tlhIngan · · Score: 4, Insightful

      Yeah, wouldn't it make sense to see where the GPS signal dies, and when it comes back, and presume they took transport from one position to the other? No inertia guessing needed. The Yellow to the Red line is the only way to connect those dots without looping or doubling back. So why do you need to have the accelerometer to confirm?

      Because the accelerometer is often free to use. Accessing GPS requires permission and often has an indicator.

      With this, an app can use the accelerometer surreptitiously while leaving no indication that movement is being tracked - so many apps use it that no one gives a second thought. Using GPS often brings up an alert so the user knows they're being tracked. If your app uses the accelerometer anyways, you can sell that information for tracking. Whereas if your app suddenly popped up "MyCoolApp needs to use the GPS - Allow/Deny?" then people get suspicious.

      At least it does on iOS. I don't know - do apps have free rein over the GPS on Android or do you get alerts when they attempt to use it?

  2. Obvious solution by transporter_ii · · Score: 2, Interesting

    Everyone just needs to pool their phones and then everyone use a random phone for the day. Sort of a TOR operating at the physical level. An app that made encrypted VoIP calls could probably allow you to even use the same phone number by just logging in through the random phone of the day.

    --
    Doctors destroy health, lawyers destroy justice, universities destroy knowledge, religion destroys spirituality

  3. One more hacker tool among many by Tablizer · · Score: 3, Insightful

    If a hacker has access to accelerometer data, he/she probably has access to lots of OTHER personal info also.

    1. Re:One more hacker tool among many by thegarbz · · Score: 2

      What makes you say that? A typical app that exposes this data for the user will demand access to accelerometer and the internet (for ads). It logically does not follow that they'd have access to any other data unless the user gave them such access.

    2. Re:One more hacker tool among many by Athanasius · · Score: 2

      Unless it's a rooted Android phone running Xposed/Xprivacy, and thus supplying false sensor data (optionally per app).

  4. Progress! by Livius · · Score: 5, Insightful

    The privacy concerns are troubling, but I can't help thinking that's pretty cool.

  5. Re:Add to the list of paranoid gear by Em Adespoton · · Score: 3, Insightful

    They don't tend to block acceleration, nor do they block data exfiltration when you remove your phone from them to make/receive calls.

  6. "Up To" by Dwedit · · Score: 3, Insightful

    Because 0% accuracy is also "Up To 92%" accuracy.

  7. Good Luck by dohzer · · Score: 5, Funny

    Here in Melbourne, Australia our train system has a unique movement footprint.
    Accellerating and breaking for no reason, trains that skip stations or terminate at random ones; this baby's got it all. Good luck decoding the position from that.

    1. Re:Good Luck by Dragonslicer · · Score: 2

      Accellerating and breaking for no reason

      They're breaking for no reason?

      Clearly you've never been to Boston.

  8. Pay phones! by swb · · Score: 3, Interesting

    In the late 1970s in junior high we would ride the bus and get off at random stops and write down pay phone numbers. Then when we got home we would call the numbers and do all sorts of gags.

    The one that inexplicably worked well was telling people that they had won money from a radio station. Why they believed that an 8th grader sounded like a disk jockey is still beyond me.

    It's almost kind of sad that kids of today can't get that experience. There's very few pay phones left and I bet none of them accept incoming calls. It was also pretty safe from a get in trouble perspective. Call logging and tracing would have been a huge endeavor and we never called any one pay phone more than a few times or suggested anything violent or even all that ribald.