Taking a cue from tiny variations in the smartphone camera’s sensors, a team of researchers has discovered how to identify smartphones by examining just one photo taken by the device. The advancement opens the possibility of using smartphones — instead of body parts — as a form of identification to deter cybercrime, said the researchers from the University at Buffalo.
“Like snowflakes, no two smartphones are the same. Each device, regardless of the manufacturer or make, can be identified through a pattern of microscopic imaging flaws that are present in every picture they take,” said Kui Ren, the study’s lead author. “It’s kind of like matching bullets to a gun, only we’re matching photos to a smartphone camera,” Ren added.
The new technology could become part of the authentication process — like PIN numbers and passwords — that customers complete at cash registers, ATMs and during online transactions.
“For people who’ve had their personal identification stolen, it could also help prevent cybercriminals from using that information to make purchases in their name,” said Ren.
The study focuses on an obscure flaw in digital imaging called photo-response non-uniformity (PRNU). Manufacturing imperfections create tiny variations in each camera’s sensors. These variations can cause some of sensors’ millions of pixels to project colors that are slightly brighter or darker than they should be.
Not visible to the naked eye, this lack of uniformity forms a systemic distortion in the photo called pattern noise. Extracted by special filters, the pattern is unique for each camera. Compared to a conventional digital camera, the image sensor of a smartphone is much smaller.
“The reduction amplifies the pixels’ dimensional non-uniformity and generates a much stronger PRNU. As a result, it’s possible to match a photo to a smartphone camera using one photo instead of the 50 normally required for digital forensics. “I think most people assumed you would need 50 images to identify a smartphone camera. But our research shows that’s not the case,” Ren added.
To prevent forgeries, Ren designed a protocol — it is part of the authentication process described below — which detects and stops two types of attacks. More savvy cybercriminals could potentially remove the PRNU from their device. But Ren’s protocol can spot this because the QR codes include an embedded probe signal that will be weakened by the removal process.
The new technology is scheduled to be presented in February at the 2018 Network and Distributed Systems Security Conference in California.