Can your phone batteries keep you secret on the internet?
The security issue centres around afeature of the HTML5 specification that allows websites to find out how much battery power a visitor has left on their laptop or
smartphone. The security researchers, Lukasz Olejnik and Claude Castelluccia from INRIA Privatics with Gunes Acar and Claudia Diaz of KU Leuven, ESAT/COSIC and iMinds warn n their paper entitled ‘The leaking battery: A privacy analysis of the HTML5 Battery Status API’ that the information can be used to track browsers online.
The battery status API is currently supported in the Firefox, Opera and Chrome browsers, and was introduced by the World Wide Web Consortium (W3C) in 2012 to help websites conserve users’ energy.
The energy saving feature enables a website or web-app to check when the phone user has little battery power left to allow the phone to switch to a low-power mode by
disabling extraneous features to eke out the battery’s energy. The same information can be used to identify phones as they move around the internet, allowing people
to be tracked.
Websites and the scripts that run on them do not have to ask users’ permission to see how much charge is left. Phones set up to respond to the request to say how much charge they have and how long it will take them to power back up. The information can then be used as a way of identifying the phones themselves, without their users’ knowledge.
A website could put those two numbers together and watch for a phone with an identical or similar profile appearing on other pages, for instance. Malicious people
could then put those two events together and work out that the same phone had accessed both websites, which can usually be hidden.
Technology such as VPNs (which routes internet traffic through another place, to anonymise it) and private browsing (which stops websites from reading tracking cookies that have previously been saved) are designed to keep people from following a user around the internet. However, the security features identified by the research team show that a phone’s software could be used to sidestep the precautions.
The researchers point out that the information a website receives is specific and contains the estimated time in seconds that the battery will take to fully discharge, as well the remaining battery capacity expressed as a percentage. These two numbers, used together, can be captured in any one of around 14 million
combinations, which makes them potential ID number. The values only update around every 30 seconds and means that for a half a minute, the battery status API can be used to identify users across websites.
The researchers point out: “Users who try to revisit a website with a new identity may use browsers’ private mode or clear cookies and other client side identifiers. When consecutive visits are made within a short interval, the website can link users’ new and old identities by exploiting battery level and charge/discharge times. The website can then reinstantiate users’ cookies and other client side identifiers, a method known as respawning.”
The researchers discovered that on some platforms it is also possible to determine the maximum battery capacity of the device with enough queries, creating a
semi-permanent metric to compare devices.
The researchers reported that "Our study shows that websites can discover the capacity of users’ batteries by exploiting the high precision readouts provided by Firefox on Linux. The capacity of the battery, as well as its level, expose a fingerprintable surface that can be used to track web users in short time intervals. Our analysis shows that the risk is much higher for old or used batteries with reduced capacities, as the battery capacity may potentially serve as a tracking identifier".
The API is implemented in Firefox, Chrome, and Opera at the moment, and not Internet Explorer and Safari. The researchers reported the privacy issue to Firefox-maker Mozilla in January 2015, and a fix was released in June for the web browser.
Related articles and links: