Though already patched on iPhones and iPads, University of Cambridge researchers say they've developed a hacking technique that can "fingerprint" a person by way of motion sensors.
The method uses JavaScript to collect accelerometer, gyroscope, and magnetometer data from smartphones when they visit an infected website, the researchers explain. This works in under 1 second, without requiring any consent, and creates a "globally unique fingerprint" for any impacted iOS device -- even after a factory reset.
If successful the attack makes it possible to track someone across both apps and the Web, so long as they use the compromised device. There are no known instances of it being used in the real world, but at least 2,653 websites are collecting motion data, and it's believed the Cambridge technique can be applied retroactively.
Apple was notified about the problem in August and fixed it in March's iOS 12.2, using a suggestion to add random noise to ADC outputs. Credited researchers include Cambridge's Jiexin Zhang and Alastair Beresford, as well as Polymath Insight Limited's Ian Sheret.
Google's Pixel 2 and 3 phones are said to remain vulnerable. No other tested Android phones have the problem, but some other factory-calibrated Android products could theoretically be exposed.