- From: Yossi Oren via GitHub <sysbot+gh@w3.org>
- Date: Sat, 28 May 2016 21:47:01 +0000
- To: public-device-apis@w3.org
Yossioren has just created a new issue for https://github.com/w3c/sensors: == Malicious use of the phone's Gyroscope == (I originally opened this as https://github.com/w3c/deviceorientation/issues/30 , but it looks like all the cool kids are hanging out here now...) Dear Sirs/Madams, Our team at Ben Gurion University has discovered an attack which takes advantage of a mobile device's gyroscope (either directly or through the Javascript DeviceOrientation API) to exfiltrate data. The attack requires that the adversary place a simple hardware device (basically a high-frequency speaker) next to the device under attack. In contrast to the "Gyrophone" attack from 2014 [1], reducing the sampling rate of the gyroscope does not prevent our attack. To mitigate this attack, we think it's a good idea to limit access to the orientation API. One way to achieve this is to ask the user's permission before enabling this API. Another way is to limit access to web pages delivered from insecure origins, as Chrome does for the Location API [2]. I'd be glad to attach a draft of our technical report to this issue, if there's some way to (temporarily) restrict access to it. Of course I'll be glad to mail the report to anybody on the standards team. Sincerely, Yossi Oren. [1] Yan Michalevsky, Dan Boneh and Gabi Nakibly Gyrophone: Recognizing Speech from Gyroscope Signals https://crypto.stanford.edu/gyrophone/ [2] Chromium Security Team, "Deprecating Powerful Features on Insecure Origins", https://www.chromium.org/Home/chromium-security/deprecating-powerful-features-on-insecure-origins Cross-references: Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=1276177 Chrome: https://bugs.chromium.org/p/chromium/issues/detail?id=615348 Safari: 641640531 IE: 33653 Please view or discuss this issue at https://github.com/w3c/sensors/issues/112 using your GitHub account
Received on Saturday, 28 May 2016 21:47:03 UTC