Access to magnetometer and potential security & privacy issues

[MTuner]

I would like to share potential privacy issues regarding magnetometer sensors, as an addition to the listed in the current Working Draft.

• Magnetometer measurements can be used to identify running apps or webpages, as the sensor is disturbed by the device's CPU activity [Matyunin et al.]. I am a co-author of this paper.
• Magnetometer measurements can be used to fingerprint the device [J.Zhang et al., B.Perez et al.].

As we discuss in the paper, the Secure context and Limited sampling frequency do limit the attack vectors, but do not prevent the side channel completely. Therefore, we think it is better to ask a user for a permission (to not grant it by default) and/or further decrease the sampling frequency.

Do you know if there are any plans to release the Magnetometer interface in Chrome or other browsers (without the #enable-generic-sensor-extra-classes flag)?

[reillyeon]

A couple questions about this work:

• Have you published the code necessary to reproduce this work?
• Have you published a proof of concept web page which implements this attack?
• Have you examined whether the AbsoluteOrientationSensor (which utilizes magnetometer data) can also be used for this attack?

[MTuner]

I have created a proof of concept page at https://mtuner.github.io/sc-magnetic-poc. It intentionally produces a very distinct CPU activity pattern while measuring magnetometer using the Sensor API, and shows the recorded values. We have not published the code from the paper yet, it is planned but may take some time.

Regarding the AbsoluteOrientationSensor, we have not investigated it in detail, a quick test similar to the PoC page does not show visually noticeable influence. I would assume that disturbance caused by the CPU is not strong enough to significantly affect a sensor fusion.