The Security Ledger

Single Photo uniquely identifies Smartphone that took it

Technology developed by researchers at the State University of New York can create a smartphone “fingerprint” from a single photo captured by the device. The technology may clear the way for a new identity verification system that can secure online transactions or protect smartphone owners from identity theft.

The technology, developed by researchers at State University of New York (SUNY) University at Buffalo, can uniquely identify a phone by examining just one photo taken by the device. It exploits a known but obscure flaw in the smartphone’s digital imaging features, which acts as a “fingerprint”for each device, he told Security Ledger.

The unique smartphone identifier, when used like a PIN number, could help protect people from identity theft according to Professor Kui Ren, who led a team that developed the new method.

Technology developed by researchers at SUNY Buffalo can uniquely identify a smartphone by analyzing just a single photo captured by the device.

Ren told the Security Ledger that manufacturing imperfections in digital cameras create tiny variations in each camera’s sensors. Those imperfections cause some of the sensors’ millions of pixels to project colors that are slightly brighter or darker than they should be. Unnoticeable to viewers, these flaws are detectable on the captured digital images produced by the camera and form a systemic distortion in the photo, dubbed “photo-response non-uniformity” (PRNU), that is unique to each camera.

A smartphone’s image sensor is often tens of times smaller than the image sensor of a conventional digital camera, Ren told Security Ledger. This increases the likelihood that the unique pattern of a smartphone camera in a captured image is more pronounced.

“We suspected that … small pixels will exhibit stronger non-uniformity, and hence introduce a stronger fingerprint in a captured image,” said Ren, a SUNY Empire Innovation Professor in the Department of Computer Science and Engineering in the university’s School of Engineering and Applied Sciences. “We then tested this guess experimentally and observed that one image alone can uniquely identify a smartphone.”

Smartphone ‘fingerprint’ from a single photo

Though a naked eye can’t see the unique pattern on images created by the imperfections, researchers can use special filters to extract them. Digital forensic experts already do this; however, the cybersecurity field has yet to catch on to the usefulness of PRNU for a couple of reasons, researchers said.

Prior to the SUNY Buffalo research, experts needed about 50 photos taken a camera to identify the unique pattern and its corresponding device – a practical impediment to implementation. Another is that more sophisticated cybercriminals can fake the pattern by analyzing images taken with a smartphone that victims post on unsecured websites.

Based on their findings, Ren and his team proposed “a real-time smartphone authentication protocol that can provide reliable authentication and defeat various attacks,” according to a study that researchers published about the technology.

The protocol could recognize a specific smartphone based on evidence from only one photo with a total error rate of less than 0.47 percent, they said. And the authentication method would be easy for anyone with a smartphone to use because it leverages something they use every day.

Still, the net impact of smartphones may be more damaging to our online security. Research has proven that the use of smartphones has actually increased a person’s chances of having their identity stolen rather than protecting against it. People are often careless with the data stored on their phones, and the passwords and other security used to protect it, making mobile devices an easy target for hackers.

Security applications – but a privacy risk

Ren— also an Institute of Electrical and Electronics Engineers fellow and distinguished scientist at the Association for Computing Machinery—acknowledged that the proposed technology does include privacy risks.

“Since every image captured by a smartphone will inevitably carry the fingerprint of that device, this technique may cause privacy concerns,” he said. However, if users are concerned, the camera fingerprint is removable, Ren said. “We can develop a smartphone application to help users remove their camera fingerprints,” he told us.

Researchers also took into account the problem of forging images carrying the fingerprint of a legitimate device, an identity-theft method that could be used by criminals. “To address this issue, we proposed a forgery-detection mechanism that can reliably detect fingerprint forgery attacks in real-time,” Ren said.

[Check out our latest Podcast Episode 86: Unraveling the Cuban Embassy’s Acoustic Mystery.]

The technique also can be expanded to include other Internet of Things (IoT) devices that are equipped with built-in cameras, such as drones and wireless security cameras, he added.

While the technology isn’t yet ready for prime time, Ren and the team plan to continue to develop it and are currently seeking commercialization partners.

Other firms are looking at ways to harness the bounty of data and measurements that are passively collected by smartphones to provide a reliable and transparent form of strong identity. At the 2017 RSA Conference, the top honors in the Conference’s “Sandbox” competition for start up firms went to UnifyID, a venture-funded start-up that offers what it calls “implicit identity” services that combine biometrics like gait and fingerprint scanning with other unique identifiers, such as patterns of movement and unique device identifiers.