In less than one second, a malicious web-page can uniquely fingerprint an Iphone, Pixel 2 or Pixel 3 without any explicit user interaction

In a new paper for IEEE Security, a trio of researchers (two from Cambridge, one from private industry) identify a de-anonymizing attack on Iphones that exploits minute differences in sensor calibration: an Iphone user who visits a webpage running the attack code can have their phone uniquely identified in less than a second, through queries to the sensors made through automated background processes running on the page.

The researchers reported their attack to Apple in advance of their disclosure and Apple has patched the vulnerability.

The researchers were subsequently able to run this attack successfully against Google's flagship Pixel 2 and Pixel 3 phones (Google is "investigating the issue").

The researchers advise that manufacturers could prevent this class of attacks by rounding off sensor measurements, or by injecting random noise into their reported values.

Sensors are an essential component of many computer systems today. Mobile devices are a good example, containing a vast array of sensors from accelerometers and GPS units, to cameras and microphones. Data from these sensors are accessible to application programmers who can use this data to build context-aware applications. Good sensor accuracy is often crucial, and therefore manufacturers often use per-device factory calibration to compensate for systematic errors introduced during manufacture. In this paper we explore anew type of fingerprinting attack on sensor data: calibration fingerprinting. A calibration fingerprinting attack infers the per-device factory calibration data from a device by careful analysisof the sensor output alone. Such an attack does not require direct access to any calibration parameters since these are often embedded inside the firmware of the device and are not directly accessible by application developers.