Opened 3 years ago

Closed 3 years ago

#21609 closed defect (fixed)

Investigate device sensor code for possible information leaks

Reported by: gk Owned by: tbb-team
Priority: High Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: ff52-esr, tbb-fingerprinting, TorBrowserTeam201705R, tbb-7.0-must
Cc: mcs, brade, arthuredelstein Actual Points:
Parent ID: Points:
Reviewer: Sponsor: Sponsor4

Description

Device orientation relative events got changed. We should make sure this does not introduce new fingerprinting vectors:

https://bugzilla.mozilla.org/show_bug.cgi?id=1205649

Child Tickets

Change History (13)

comment:1 Changed 3 years ago by mcs

Keywords: ff52-esr added; ff52-sr removed

comment:2 Changed 3 years ago by gk

Summary: Investigate updated device orientation codeI for possible information leaksInvestigate updated device orientation code for possible information leaks

comment:3 Changed 3 years ago by gk

Keywords: tbb-7.0-must added

Adding tickets to our 7.0 ticket list

comment:4 Changed 3 years ago by gk

Keywords: tbb-7.0-must-alpha added; tbb-7.0-must removed

Getting more tickets on our alpha radar.

comment:5 Changed 3 years ago by gk

Priority: MediumHigh

Moving the investigation tickets to higher priority.

comment:6 Changed 3 years ago by arthuredelstein

Keywords: tbb-fingerprinting added

comment:7 Changed 3 years ago by gk

Keywords: TorBrowserTeam201705 added

Moving more tickets on our May 2015 radar.

comment:8 Changed 3 years ago by arthuredelstein

Cc: arthuredelstein added
Summary: Investigate updated device orientation code for possible information leaksInvestigate device sensor code for possible information leaks

We do have fingerprinting protection for "screen orientation" and related events, but in fact we never introduced specific protection for "device orientation" events. We did, however, disable device sensor readings in general in #15758 by setting "device.sensors.enabled" to false. These sensors may include:

    TYPE_ORIENTATION = 0U,
    TYPE_ACCELERATION = 1U,
    TYPE_PROXIMITY = 2U,
    TYPE_LINEAR_ACCELERATION = 3U,
    TYPE_GYROSCOPE = 4U,
    TYPE_LIGHT = 5U,
    TYPE_ROTATION_VECTOR = 6U,
    TYPE_GAME_ROTATION_VECTOR = 7U

In TBB 7.0a3's JS console, I see four relevant APIs:

  • DeviceLightEvent
  • DeviceMotionEvent
  • DeviceOrientationEvent
  • DeviceProximityEvent

Despite the presence of these interfaces, the Mozilla code appears to suggest that disabling "device.sensors.enabled" should result in no such events being generated from sensor hardware, because sensor observers are never registered. Unfortunately I don't currently have a laptop with such sensors (do these exist?) so I can't do a manual test. Maybe we can find a hook for simulating sensor data.

Also, this should be a particularly useful thing to examine on Orfox. Ideally these sensors would be behind a permission that is requested if a content script calls, for example, addEventListener("deviceorientation", ...).

I have changed the title to cover all device sensor code.

comment:9 Changed 3 years ago by gk

#21786 is related.

comment:10 Changed 3 years ago by mcs

I did some experimentation using the following JS snippets within the developer console:

window.addEventListener("deviceorientation", aEvent => console.log(aEvent));
window.addEventListener('devicelight', aEvent => console.log(aEvent)); 

On a MacBook Pro, devicelight events are generated but only after I changed device.sensors.enabled to true and restarted the browser. deviceorientation events are not generated; I think those require an accelerometer.

There is a Boolean pref device.sensors.test.events that you can set to true to cause a fake sensor event to be generated (that happens the first time a sensor-related event listener is registered). This also has no effect if device.sensors.enabled = false.

On a Lenovo convertible laptop running Windows 10 (which supports rotation to all four screen orientations) I could not generate either event, even when in tablet mode. In Chrome I see one deviceorientation event but it does not contain useful data.

I am confident that all of these events are disabled by device.sensors.enabled = false. Search for mEnabled within dom/system/nsDeviceSensors.cpp.

comment:11 Changed 3 years ago by gk

Keywords: tbb-7.0-must added; tbb-7.0-must-alpha removed

We are beyond the alpha testing. Moving tickets for tbb-7.0-must.

comment:12 Changed 3 years ago by arthuredelstein

Keywords: TorBrowserTeam201705R added; TorBrowserTeam201705 removed
Status: newneeds_review

I looked at the code in dom/system/nsDeviceSensors.cpp agree with mcs that these events are disabled by device.sensors.enabled = false. So I think we can close this ticket without any additional patch.

comment:13 Changed 3 years ago by gk

Resolution: fixed
Status: needs_reviewclosed
Note: See TracTickets for help on using tickets.