On paper, smartphone specifications have been getting closer and closer, year by year, but under the hood is a different story. Every device is unique, leading to new technology that can identify the individual smartphone just by a single picture it has taken.
The new form of technology has been created by University at Buffalo researchers, who liken the identification process to the forensic process of ‘barrel matching’ used to determine which gun fired which bullet.
“Like snowflakes, no two smartphones are the same. Each device, regardless of the manufacturer or make, can be identified through a pattern of microscopic imaging flaws that are present in every picture they take,” says the study’s lead author, Kui Ren. “It’s kind of like matching bullets to a gun, only we’re matching photos to a smartphone camera.”
The new technique has not yet been made available to the public and is expected to debut at 2018’s Network and Distributed Systems Security Conference in California. It could be utilised as an authentication system in place of PIN numbers and passwords, and can similarly be used to prevent identity theft.
The process recognises flaws in the manufacturing process of each camera that create tiny variations in the individual sensor. These include differences in the brightness of its millions of pixels, which cause a systematic distortion in the photo that has been dubbed pattern noise. Special filters then extract this noise to identify which camera produced which image.
This method is called PRNU (photo-response non-uniformity) and is fairly common in the digital camera world for settling copyright disputes. However, this is the first time that the method has been utilised in cybersecurity, as it previously required over 50 photos to attain a degree of accuracy instead of its current single image.
It’s already incredibly accurate, boasting a 99.5 percent accuracy rate over 16,000 images and 40 different smartphones across two models from both Android and iOS.
Ren explained that, under the proposed method, official bodies such as banks or retailers would be supplied with a reference image through a registry process. Once this is complete, applications and webpages could prompt the user to take photos of two QR codes displayed on the screen of an ATM, cash register or even the user’s personal monitor for online transactions. The smartphone’s PRNU is then measured from these photos and matched against the original image.
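The enrol-then-match flow described above, written out with textbook PRNU correlation on simulated sensors. This is an added example, not the researchers' code or protocol: the 32x32 sensors, scenes, noise levels, the 3x3 mean filter, the function names and any decision threshold are constructed assumptions, and the QR-code capture step is left out.

```python
import math
import random

SIZE = 32  # constructed sensor of 32x32 pixels (assumption, real sensors have millions)

def make_sensor(seed):
    """Constructed per-pixel gain flaws (the PRNU factor), about 2% spread."""
    rng = random.Random(seed)
    return [[rng.gauss(0.0, 0.02) for _ in range(SIZE)] for _ in range(SIZE)]

def take_photo(sensor, scene, seed):
    """Pixel = scene * (1 + PRNU) + random per-shot noise."""
    rng = random.Random(seed)
    return [[scene(x, y) * (1.0 + sensor[y][x]) + rng.gauss(0.0, 1.0)
             for x in range(SIZE)] for y in range(SIZE)]

def residual(img):
    """Noise residual: image minus its 3x3 mean-filtered version (interior pixels)."""
    out = {}
    for y in range(1, SIZE - 1):
        for x in range(1, SIZE - 1):
            mean = sum(img[y + dy][x + dx] for dy in (-1, 0, 1) for dx in (-1, 0, 1)) / 9.0
            out[(x, y)] = img[y][x] - mean
    return out

def enroll(img):
    """Fingerprint estimate from one reference photo: residual divided by intensity."""
    return {(x, y): w / img[y][x] for (x, y), w in residual(img).items()}

def match_score(fingerprint, img):
    """Normalised correlation between the photo's residual and image * fingerprint."""
    res = residual(img)
    a = [res[p] for p in res]
    b = [img[p[1]][p[0]] * fingerprint[p] for p in res]
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    num = sum((u - ma) * (v - mb) for u, v in zip(a, b))
    den = math.sqrt(sum((u - ma) ** 2 for u in a) * sum((v - mb) ** 2 for v in b))
    return num / den

def demo():
    phone_a, phone_b = make_sensor(1), make_sensor(2)
    ref = take_photo(phone_a, lambda x, y: 120 + 2 * x, seed=10)   # enrolment shot
    same = take_photo(phone_a, lambda x, y: 90 + 3 * y, seed=11)   # later shot, same phone
    other = take_photo(phone_b, lambda x, y: 90 + 3 * y, seed=12)  # different phone
    fp = enroll(ref)
    return match_score(fp, same), match_score(fp, other)

if __name__ == "__main__":
    print("same phone: %.3f, other phone: %.3f" % demo())
```

The score for the enrolled phone stays high even though the scene changed, while the second phone scores near zero because its per-pixel flaws are independent of the fingerprint.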
The new method even has a protocol to stop cybercriminals removing the PRNU from their device, as QR codes will include an embedded probe that will weaken if the removal process has taken place.
KitGuru Says: This sounds like a great method, however it will pose a bit of a difficulty when people decide to upgrade or perhaps worse, buy second hand. Still, it’ll likely be much more secure than any method we currently have in place. What do you think about the PRNU process?