Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Malicious use of the phone's Gyroscope #30

Closed
Yossioren opened this issue May 28, 2016 · 4 comments
Closed

Malicious use of the phone's Gyroscope #30

Yossioren opened this issue May 28, 2016 · 4 comments
Milestone
VNext

Comments

@Yossioren
Copy link

Dear Sirs/Madams,

Our team at Ben Gurion University has discovered an attack which takes advantage of a mobile device's gyroscope (either directly or through the Javascript DeviceOrientation API) to exfiltrate data. The attack requires that the adversary place a simple hardware device (basically a high-frequency speaker) next to the device under attack.
In contrast to the "Gyrophone" attack from 2014 [1], reducing the sampling rate of the gyroscope does not prevent our attack.
To mitigate this attack, we think it's a good idea to limit access to the orientation API. One way to achieve this is to ask the user's permission before enabling this API. Another way is to limit access to web pages delivered from insecure origins, as Chrome does for the Location API [2].

I'd be glad to attach a draft of our technical report to this issue, if there's some way to (temporarily) restrict access to it. Of course I'll be glad to mail the report to anybody on the standards team.

Sincerely,
Yossi Oren.

[1] Yan Michalevsky, Dan Boneh and Gabi Nakibly
Gyrophone: Recognizing Speech from Gyroscope Signals
https://crypto.stanford.edu/gyrophone/
[2] Chromium Security Team, "Deprecating Powerful Features on Insecure Origins",
https://www.chromium.org/Home/chromium-security/deprecating-powerful-features-on-insecure-origins

Cross-references:

Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=1276177
Chrome: https://bugs.chromium.org/p/chromium/issues/detail?id=615348
Safari: 641640531
IE: 33653
@Yossioren Yossioren mentioned this issue May 28, 2016
Closed
@lknik
Copy link

lknik commented May 31, 2016
edited

Hello and thank you very much for reaching out. I would be happy to learn about this work. If you feel you are prepared to share it, please send it to lukasz.w3c@gmail.com

DeviceOrientation spec already suggests that "implementations may consider permissions or visual indicators to signify the use of sensors by the page". I'm wondering if there is a need to tweak it a bit?
For example the entry with "limit the frequency of events (typically 60Hz seems to be sufficient)"

@Yossioren
Copy link
Author

@lknik OK, Sent to you privately.

@gmandyam gmandyam added this to the VNext milestone Jun 21, 2016
@gmandyam
Copy link

Will keep this issue open, but cannot fix in current version of spec beyond what is currently in specification. Added label of VNext.

@gmandyam gmandyam mentioned this issue Apr 19, 2017
Closed
@anssiko anssiko mentioned this issue Jun 17, 2019
Closed
@anssiko
Copy link
Member

anssiko commented Feb 25, 2024

Closing per https://www.w3.org/2024/02/12-dap-minutes.html#t03

@anssiko anssiko closed this as completed Feb 25, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
VNext
Development

No branches or pull requests
4 participants
@anssiko @gmandyam @Yossioren @lknik