Your camera phone's unique fingerprint can be obfuscated

In response to "Your camera phone has a unique fingerprint" by /u/Lucid_Enemy, which brings up a very good point, I have written a small proof-of-concept pixel randomizer, intended to obfuscate the fingerprint in question.

The problem is real, but, as mentioned in the thread, not something the average Joe will have problems with. However, vendors should probably at least consider the possibility of this being problematic.

In the other thread, two solutions were outlined:

  1. Get a dedicated camera for the purpose of images, and ditch all tools after the job's done.
  2. Manipulate the images some.

Either works, but I can't stand having to buy extra equipment when the problem can be solved with code. So, here's a POC pixel randomizer:

Code

#!/usr/bin/env python

import sys
from argparse import ArgumentParser
from io import BytesIO
from PIL import Image
from random import randint

# set up argument parsing
parser = ArgumentParser(description="Obscures camera sensor fingerprint of an image by randomizing each pixel with a small variation.")
parser.add_argument("image", metavar="IMAGE", type=str, help="Path to image.")
parser.add_argument("-v", "--variation", metavar="N", type=int, default=2, help="Maximum variation for each color channel per pixel. (default = 2)")
args = parser.parse_args()

# open image and get size; convert to RGB so getpixel() always returns (r, g, b)
im = Image.open(args.image).convert("RGB")
(width, height) = im.size

# function for randomizing colors: shift by up to +/- variation, clamp to 0..255
def randomize(value):
    value = value + randint(-args.variation, args.variation)
    return max(0, min(255, value))

# iterate rows and cols
for y in range(height):
    for x in range(width):
        # get rgb
        (r, g, b) = im.getpixel((x, y))

        # randomize each color channel
        r = randomize(r)
        g = randomize(g)
        b = randomize(b)

        # update pixel
        im.putpixel((x, y), (r, g, b))

# write image data to stdout as raw bytes (works on Python 2 and Python 3)
io = BytesIO()
im.save(io, format="jpeg")
getattr(sys.stdout, "buffer", sys.stdout).write(io.getvalue())

It's written in Python, and it depends on Pillow (PIL).

Usage

Since all vendors should be using Tails anyway, I am going to assume Python to be installed and a terminal to be available.

  1. You'll have to start Tails with an admin password set
  2. Save the code above in a file named randomize-pixels.py somewhere
  3. Open a terminal
  4. Install PIP (Python package manager)
    1. wget https://bootstrap.pypa.io/get-pip.py
    2. sudo python get-pip.py (enter password)
  5. Install Pillow
    1. sudo pip install Pillow (enter password)
  6. Navigate to the directory with the script
    • cd /home/amnesia/Desktop if you saved it to the desktop
    • cd /home/amnesia/Persistent if you saved it to the persistent folder
  7. Run script
    1. python randomize-pixels.py /path/to/image.jpg > /path/to/new/image.jpg

Options

Result

See here: https://imgur.com/a/HWbgw

Caveats

Todo
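
A forensic examiner's view of the randomizer above, as an added example that is not part of the original post: it measures how much of a sensor pattern survives the same +/- N per-pixel noise. Everything here is a constructed, simplified flat-field model; the pattern strength, the read noise and the plain correlation detector are assumptions (real sensor-pattern matching works on denoising residuals of real photos).

```python
import random
from math import sqrt

N = 200 * 200   # pixels in the constructed test frame
SCENE = 128     # assumption: a flat grey scene (flat-field shot)

def make_fingerprint(rng, strength=0.01):
    """Per-pixel gain deviation of one sensor (constructed, about 1%)."""
    return [rng.gauss(0.0, strength) for _ in range(N)]

def shoot(fingerprint, rng):
    """One exposure: scene scaled by the sensor's gain pattern, plus read noise."""
    return [min(255, max(0, round(SCENE * (1 + k) + rng.gauss(0, 1))))
            for k in fingerprint]

def randomize(pixels, variation, rng):
    """Same operation as the posted script: +/- variation per value, clamped."""
    return [min(255, max(0, p + rng.randint(-variation, variation)))
            for p in pixels]

def correlation(pixels, fingerprint):
    """Normalized correlation between the image residual and a fingerprint."""
    mp = sum(pixels) / len(pixels)
    mk = sum(fingerprint) / len(fingerprint)
    num = sum((p - mp) * (k - mk) for p, k in zip(pixels, fingerprint))
    den = sqrt(sum((p - mp) ** 2 for p in pixels) *
               sum((k - mk) ** 2 for k in fingerprint))
    return num / den

def demo(variation=2, seed=1):
    rng = random.Random(seed)          # fixed seed so the run is repeatable
    camera_a = make_fingerprint(rng)
    camera_b = make_fingerprint(rng)   # unrelated sensor, used as the baseline
    photo = shoot(camera_a, rng)
    scrubbed = randomize(photo, variation, rng)
    return {
        "original_vs_a": correlation(photo, camera_a),
        "scrubbed_vs_a": correlation(scrubbed, camera_a),
        "scrubbed_vs_b": correlation(scrubbed, camera_b),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:.3f}")
```

In this model the randomized image still correlates with its own sensor pattern far above the unrelated-sensor baseline, because independent zero-mean noise averages out over many pixels while the fixed pattern does not.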


Comments


[7 Points] None:

I see multiple possible ways of attacking this.

  1. The random number generator is not seeded with a CSPRNG, therefore the enemy could check the file's modification date and roughly estimate the seed, thus reducing the brute force space greatly. Greatly enough for somebody like a three letter agency.
  2. The pixels are "randomized", but the data used comes from a sequence of numbers outputted by the same generator. There are known attacks against random number generators, although they require a relatively big sample size... But any image big enough has more than enough data for that (200px x 200px is already 40000 sequence items, which is FAR more than enough to find out the seed)
  3. The pixel values themselves don't matter, what matters is how random they are. And as described above, these are NOT random enough. If you're searching for a pattern like "1 2 2 2 1 2 1", but find a pattern like "3 9 9 9 3 9 3", wouldn't that be exactly the same FINGERPRINT, just with different numbers?

TL;DR don't use this for security. It does nothing.

A different approach I propose: (please try to break it!)

  1. Represent the x/y data on a frequency domain
  2. Mask out some values. Perhaps define the range with a --switch like the variation thing.
  3. Transform back to x/y coordinates
  4. Review the process from start to end and make sure you used a CSPRNG if you needed a random number generator, and that you neither 1) leaked entropy nor 2) used predictable variables.


[3 Points] Rjfizzle21:

Couldn't you just upload your image, then just screenshot it to remove the data?


[3 Points] Lucid_Enemy:

Wow, this is kinda cool. If you make this into a GitHub, you could post a response to the thread where I originally found this app and explanation of the issue

https://www.reddit.com/r/androidapps/comments/5eh24d/dev_your_phone_camera_has_a_unique_pattern/


[3 Points] StonedMozart:

Thank you for this thread OP, good contribution to the community.


[2 Points] young_k:

You can also check out this wiki tutorial I wrote up - it includes an application that obfuscates your EXIF data...

Alternatively, PNG conversion is always fine - as it doesn't support EXIF.


[1 Points] DooshNozzzle:

I wonder if you could print the picture and then scan it


[1 Points] beetzbygray:

Alright this had always been my idea on how to post anon pics, please poke any holes if any are presented.

So all you would have to do would be get a disposable camera, one that doesn't use film (I'm pretty sure most disposable cameras don't use film any more) then buy a cable online that hooks that camera to your computer.

Take pics download to computer, dispose of camera, wash and repeat.

Now obviously this would be for like a wholesale bar vendor or something, not for the average Joe, but still I think it's a cool way to stay anonymous!


[1 Points] ILIKEDRUGSTUFF:

Your butt hole's unique fingerprint can be obfuscated.


[1 Points] None:

So take the picture with a disposable camera, print that picture out, take a picture of that picture, screenshot that picture and print it out, then photocopy it and post it??

