Open
Bug 1276177
Opened 8 years ago
Updated 2 years ago
Security Disclosure: Malicious use of the phone's Gyroscope
Categories
(Core :: DOM: Device Interfaces, defect, P4)
Core
DOM: Device Interfaces
Tracking
()
NEW
People
(Reporter: bugzilla, Unassigned)
References
(Depends on 1 open bug, )
Details
(Keywords: csectype-disclosure, privacy, sec-low)
Attachments
(1 file)
|
2.22 MB,
application/pdf
|
Details |
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36 Steps to reproduce: Dear Security@Mozilla, We would like to let you know about an attack we discovered which takes advantage of a mobile device's gyroscope (either directly or through the Javascript DeviceOrientation API) to exfiltrate data. The attack requires that the adversary place a simple hardware device (basically a high-frequency speaker) next to the device under attack. We reproduced this attack both on Windows and on Android versions of Firefox. In contrast to the "Gyrophone" attack from 2014 [1], reducing the sampling rate of the gyroscope does not prevent our attack. To mitigate this attack, we think it's a good idea to limit access to the orientation API. One way to achieve this is to ask the user's permission before enabling this API. Another way is to limit access to web pages delivered from insecure origins, as Chrome does for the Location API [2]. Together with my co-authors, I look forward to hearing your thoughts on this security issue. A draft of our technical report is attached. Sincerely, Yossi Oren. [1] Yan Michalevsky, Dan Boneh and Gabi Nakibly Gyrophone: Recognizing Speech from Gyroscope Signals https://crypto.stanford.edu/gyrophone/ [2] Chromium Security Team, "Deprecating Powerful Features on Insecure Origins", https://www.chromium.org/Home/chromium-security/deprecating-powerful-features-on-insecure-origins
|
||
Updated•8 years ago
|
Group: firefox-core-security → dom-core-security
Component: Untriaged → DOM: Device Interfaces
Product: Firefox → Core
|
||
Comment 1•8 years ago
|
||
Limiting this API to secure origins doesn't ameliorate the security problem all that much if that's all we do.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Version: 49 Branch → unspecified
|
|
||
Updated•8 years ago
|
Keywords: privacy,
sec-moderate
|
||
Updated•8 years ago
|
|
|
||
Updated•8 years ago
|
Summary: Security Disclosure: Malicious use of the phone's Gyroscope → Security Disclosure: Malicious use of the phone's Gyroscope
|
||
Comment 2•8 years ago
|
||
It seems to me that if you had a mode which only reported gross orientation (useful enough to determine landscape versus portrait) that you would still have useful functionality that you wouldn't be able to recover speech from. How much would you need to degrade the output so that speech can't be recovered but the orientation API might still be useful to play games?
|
|
||
Updated•8 years ago
|
Summary: Security Disclosure: Malicious use of the phone's Gyroscope → Security Disclosure: Malicious use of the phone's Gyroscope
|
||
Updated•6 years ago
|
Priority: -- → P4
|
||
Comment 3•3 years ago
|
||
Dan, should this be unhidden and/or lower the rating on this?
Flags: needinfo?(dveditz)
|
|
||
Comment 4•3 years ago
|
||
I can certainly be unhidden given the paper has been presented already and is public: https://www.usenix.org/system/files/conference/woot16/woot16-paper-farshteindiker.pdf
It's still a valid security issue so I don't want to remove the keyword, though it better fits our sec-low rating
|
||
Updated•2 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•