New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Malicious use of the phone's Gyroscope #30
Comments
Hello and thank you very much for reaching out. I would be happy to learn about this work. If you feel you are prepared to share it, please send it to lukasz.w3c@gmail.com DeviceOrientation spec already suggests that "implementations may consider permissions or visual indicators to signify the use of sensors by the page". I'm wondering if there is a need to tweak it a bit? |
@lknik OK, Sent to you privately. |
Will keep this issue open, but cannot fix in current version of spec beyond what is currently in specification. Added label of VNext. |
Dear Sirs/Madams,
Our team at Ben Gurion University has discovered an attack which takes advantage of a mobile device's gyroscope (either directly or through the Javascript DeviceOrientation API) to exfiltrate data. The attack requires that the adversary place a simple hardware device (basically a high-frequency speaker) next to the device under attack.
In contrast to the "Gyrophone" attack from 2014 [1], reducing the sampling rate of the gyroscope does not prevent our attack.
To mitigate this attack, we think it's a good idea to limit access to the orientation API. One way to achieve this is to ask the user's permission before enabling this API. Another way is to limit access to web pages delivered from insecure origins, as Chrome does for the Location API [2].
I'd be glad to attach a draft of our technical report to this issue, if there's some way to (temporarily) restrict access to it. Of course I'll be glad to mail the report to anybody on the standards team.
Sincerely,
Yossi Oren.
[1] Yan Michalevsky, Dan Boneh and Gabi Nakibly
Gyrophone: Recognizing Speech from Gyroscope Signals
https://crypto.stanford.edu/gyrophone/
[2] Chromium Security Team, "Deprecating Powerful Features on Insecure Origins",
https://www.chromium.org/Home/chromium-security/deprecating-powerful-features-on-insecure-origins
Cross-references:
Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=1276177
Chrome: https://bugs.chromium.org/p/chromium/issues/detail?id=615348
Safari: 641640531
IE: 33653
The text was updated successfully, but these errors were encountered: