Something that always amazes me about the so-called “big data revolution” is how businesses have managed to find hidden value in mundane, seemingly unimportant data. Not surprisingly, this same concept can also be applied to security.
In security, it isn’t necessarily the volume of data that matters (as it does in big data analytics) but rather the creative ways in which that data is put to work -- both by security professionals and by attackers. Perhaps nowhere is this trend more apparent than in the study of accelerometer data.
What Does an Accelerometer Do?
Accelerometers are solid-state devices that are built into smartphones and other electronic devices. At their most basic, accelerometers detect motion, but they can in fact do a lot more than that. Accelerometers can determine a device’s orientation, measure G forces, and detect changes in the direction of movement. On the surface, accelerometer data would seem to be of interest only to engineers. However, accelerometer data is being put to work in creative ways.
Creative Uses of Accelerometer Data
I recently heard someone talk about how an unnamed social media application company has used accelerometer data to get around device-level security policies (I wish I could remember where I heard this so that I could give proper credit).
Here is how it works. Mobile device vendors build controls into their devices that can prevent applications from accessing various pieces of hardware. For example, a user might prevent a particular application from accessing a device’s camera or its GPS position. So, with that in mind, imagine that a rather unscrupulous social media application company wanted to spy on every detail of their subscribers’ lives. But let’s also imagine that a privacy-conscious user has taken steps to prevent the company’s app from accessing the hardware devices that it would normally use to track the user’s whereabouts. The way that such a company might get around those restrictions is to use accelerometer data.
To date, device manufacturers have viewed accelerometer data as being not all that interesting. As such, they never bothered to build much in terms of security policies to stop an application from accessing a device’s accelerometers.
With that said, imagine that our privacy-conscious user decides to get on a bus and go somewhere. Because the user has prevented the social media company from accessing GPS data, the company doesn’t know the user’s current whereabouts. However, this company has lots and lots of subscribers, and so there just happens to be another subscriber on the bus who hasn’t put any restrictions on what the social media application can do. Because both subscribers are riding the same bus, their accelerometer data will be largely the same. There might be some minor differences in device orientation and body movement, but the signals are similar enough that the social media company can figure out that both users are on the same vehicle. Since one of the two subscribers has GPS enabled for the social media application, the application knows that user’s location. And since both subscribers have the same accelerometer data, the social media company can infer the privacy-conscious user’s location.
It isn’t just social media companies that are interested in accelerometer data. Security companies have also started to show an interest.
Consider this: Many years ago, Las Vegas casinos realized that the best way to catch card cheats was to make dealers deal card games in an extremely uniform manner. That way, anything that is out of the ordinary stands out. Over time, IT security adopted a somewhat similar philosophy in the form of behavior-based analytics.
The idea behind behavior-based analytics is that a user’s permissions are no longer the only thing that matters when a system is trying to decide if it should give a user access to a resource. Context also matters. Suppose that a user opens the same application every morning at 9:00 AM. Such activity might constitute a well-documented and predictable pattern of behavior. But now suppose that the same user opens the same application at 3:00 AM from another country. The action falls squarely outside of the user’s normal behavior patterns and signals that the user’s credentials may have been stolen. In this situation, it is clearly in an organization’s best interest to block the user account from accessing the application.
As you can see, behavior-based analytics can be used to paint a picture of a user’s habits. It can recognize patterns that might signal that a user really is who they claim to be.
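The 9:00 AM versus 3:00 AM scenario above can be sketched as a small contextual access check. This is an added example, not code from any product the article mentions; the function names, the two-hour tolerance, the intermediate "step-up" outcome and the login history are all constructed assumptions.

```python
import math
from datetime import datetime

# Constructed sample history: (local-time ISO timestamp, country code).
HISTORY = [
    ("2024-03-04T09:02:00", "US"),
    ("2024-03-05T08:57:00", "US"),
    ("2024-03-06T09:05:00", "US"),
    ("2024-03-07T09:01:00", "US"),
    ("2024-03-08T08:55:00", "US"),
]

def _hour(ts):
    t = datetime.fromisoformat(ts)
    return t.hour + t.minute / 60

def build_baseline(history):
    """Usual access hour (circular mean, so 23:30 and 00:30 average to
    midnight rather than noon) plus the set of countries seen so far."""
    angles = [2 * math.pi * _hour(ts) / 24 for ts, _ in history]
    mean = math.atan2(sum(map(math.sin, angles)), sum(map(math.cos, angles)))
    return {
        "usual_hour": (mean % (2 * math.pi)) * 24 / (2 * math.pi),
        "countries": {country for _, country in history},
    }

def hours_off(baseline, ts):
    """Distance in hours from the usual access time, wrapping at midnight."""
    d = abs(_hour(ts) - baseline["usual_hour"]) % 24
    return min(d, 24 - d)

def decide(baseline, ts, country, max_hours=2.0):
    """Assumed policy: one anomaly asks for step-up auth, two block."""
    odd_time = hours_off(baseline, ts) > max_hours
    new_country = country not in baseline["countries"]
    if odd_time and new_country:
        return "block"
    return "step-up" if odd_time or new_country else "allow"

if __name__ == "__main__":
    base = build_baseline(HISTORY)
    print(decide(base, "2024-03-11T09:10:00", "US"))  # usual time and place
    print(decide(base, "2024-03-12T03:00:00", "RO"))  # 3:00 AM, new country
```

Timestamps are assumed to be in the user's usual local time; a real deployment would normalize time zones before building the baseline.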
The Future of Accelerometer Data
So far, behavior-based analytics has found simple applications: it’s used to examine geographic location, time of day, and other basic information. However, I recently read about a security startup that aims to develop much more detailed user profiles that would include information like how a user tends to hold their devices (based on device accelerometer data). The company is even looking at how a user might hold their device when performing different types of activities, at different times of the day, or even in different weather conditions (e.g., tilting a device differently on a rainy day or to reduce glare).
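To make the idea of a hold-posture profile concrete, here is an added example that is not the startup's method or any code from the original article. It derives tilt angles from accelerometer readings and compares a new reading with an enrolled baseline; the axis convention (x across the screen, y toward the top, z out of the screen), the thresholds and all readings are constructed assumptions.

```python
import math
from statistics import mean, stdev

G = 9.81  # standard gravity, m/s^2

# Constructed enrolment readings (x, y, z in m/s^2): device held in
# portrait, tilted back about 40 degrees, hand roughly steady.
ENROLMENT = [
    (0.3, 6.306, 7.515),
    (-0.2, 6.040, 7.730),
    (0.1, 6.564, 7.290),
    (0.0, 6.436, 7.404),
    (-0.2, 6.174, 7.624),
]

def tilt(x, y, z):
    """Pitch and roll in degrees from one gravity-dominated reading."""
    pitch = math.degrees(math.atan2(-x, math.hypot(y, z)))
    roll = math.degrees(math.atan2(y, z))
    return pitch, roll

def build_profile(readings):
    """Mean and standard deviation of pitch and roll during enrolment."""
    pitches, rolls = zip(*(tilt(*r) for r in readings))
    return {"pitch": (mean(pitches), stdev(pitches)),
            "roll": (mean(rolls), stdev(rolls))}

def check(profile, reading, limit=3.0, motion_tol=1.5):
    """Compare one reading with the profile.

    Returns "skip" when the device is accelerating (magnitude far from
    1 g, so tilt is unreliable), otherwise "consistent" or "unusual".
    """
    if abs(math.hypot(*reading) - G) > motion_tol:
        return "skip"
    pitch, roll = tilt(*reading)
    z_scores = [abs(pitch - profile["pitch"][0]) / profile["pitch"][1],
                abs(roll - profile["roll"][0]) / profile["roll"][1]]
    return "unusual" if max(z_scores) > limit else "consistent"

if __name__ == "__main__":
    profile = build_profile(ENROLMENT)
    print(check(profile, (0.1, 6.25, 7.56)))   # same hold as enrolment
    print(check(profile, (0.0, 0.2, 9.80)))    # lying flat on a desk
    print(check(profile, (3.0, 9.0, 12.0)))    # device being moved
```

A single posture signal like this is weak on its own; it would be one input among several to the kind of behavior model the article describes.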
All of this is to say that accelerometer data can reveal a lot more about a user than most people realize. Furthermore, accelerometer data can potentially be used to improve security, or it can be used for nefarious purposes. Only time will tell how else accelerometer data might eventually be incorporated into behavior modeling.