Researchers Give Smartphones a "Song" to Sing to Detect Malicious Modifications
Secure devices tampered en-route to their user could soon be detected remotely, using a new database of device "fingerprints."
Researchers from the University of Colorado Boulder and the National Institute of Standards and Technology (NIST) have developed a method of "fingerprinting" smartphones — something they say could help to ensure that a device hasn't been modified since leaving the factory, reducing the risk of espionage.
"This work demonstrates a foundational approach to obtaining a high-definition, reliable, and stable fingerprint of a commercially available smartphone device to verify that it has not been tampered with or compromised prior to deployment," claims co-author Améya Ramadurgakar of the team's work. "I see this being utilized to validate mobile hardware before it is issued to high-security users, such as the military chain of command or senior government leadership."
The idea that a device could be captured en-route to an end user and modified for nefarious purposes isn't theoretical, and it can leave both users and providers open to attack. Physical countermeasures like tamper-evident seals on packaging can only go so far, which is why Ramadurgakar and colleagues developed something a little more high-tech: specialized SIM cards and a customizable cellular base station to transmit a specific set of signals in order to build a database of the minuscule differences between handsets.
"Think of it like giving every phone the exact same song to sing," Ramadurgakar explains. "Even though they are singing the same notes, every phone model has tiny, microscopic differences in its internal hardware. Our system is sensitive enough to hear those subtle 'vocal' differences."
In testing with current-generation smartphones from all major manufacturers selling into the US the team was able to identify handsets with 95 percent accuracy — and can extend beyond current 4G and 5G networks to 6G and beyond, the team claims. The next step: expanding the database's coverage, developing standardized test conditions, and automating the process in order to deliver a formal testing framework.
The team's work has been published today in the journal AIP Advances under open-access terms.