Researchers at the University at Buffalo have discovered a way to identify smartphones by analyzing just a single photo taken by the device. The researchers centered on a flaw in digital imaging called photo-response non-uniformity (PRNU) to do so.

PRNU happens when the imperfections in the manufacturing process of each camera’s sensors create tiny variations. Those variations can cause the millions of pixels in the camera’s sensor to project colors that are slightly brighter or darker than normal, which creates a systemic distortion in the photo called pattern noise. This is invisible to the naked eye, and is extracted by special filters — where each pattern is unique for each camera. This process to analyze images usually requires 50 photos taken by a camera, but the study found that only one photo is needed for smartphones, as the image sensor inside phones are tens of times smaller.

“Like snowflakes, no two smartphones are the same. Each device, regardless of the manufacturer or make, can be identified through a pattern of microscopic imaging flaws that are present in every picture they take,” said Kui Ren, the study’s lead author, in a statement. “It’s kind of like matching bullets to a gun, only we’re matching photos to a smartphone camera.” The research was conducted using 16,000 images and 30 different iPhone 6s smartphones and 10 Samsung Galaxy Note 5 devices. The ID tests resulted in 99.5 percent accuracy.

The QR code verification concept

Credit: Douglas Levere

The researchers say the identification process may one day be used for authentication when withdrawing cash, or buying something. The study found that the photo analysis could stop potential attacks in this way: A customer could supply a business with a photo taken from their smartphone that’s used as a reference — a PRNU fingerprint. Whenever that customer buys something, the retailer can ask the customer to photograph two QR codes that are presented on an ATM or screen. Through an app, the customer can then send the photo back to the retailer who can then check the picture and the PRNU, which will verify the device making the purchase. The researchers do note that cybercriminals could potentially remove the PRNU, but said the QR codes include an embedded probe signal that would be weakened if removed. “Our user study suggests that the PRNU-based authentication is a promising approach for security,” the researchers wrote in the paper.

The new technology will be presented in February at the 2018 Network and Distributed Systems Security Conference in California, and the researchers will study dual-camera smartphones next.