Let’s face it: despite the fact that we all trust our phones with a great deal of sensitive personal information, mobile devices are one of the least secure communications technologies out there. While it’s well-documented that certain intelligence agencies or hackers can monitor your cell phone’s mobile data use and GPS services, a new report out of Princeton University has privacy watchdogs worried. According to this recently published research, mobile phone users’ battery indicator systems are now being used to spy on them.
This newest privacy exploit stems from the 2015 release of an HTML5 application programming interface (API) that gave web developers the ability to monitor the battery status of visitors to web sites and users of web-based apps. While this API was intended to give web developers the option to create a ‘low-battery’ version of their pages to aid users with dying phones, researchers have since discovered how this code could be used to gather personal information from mobile device users.
The API exposes readings the phone already keeps about its battery. Every mobile phone can report three separate metrics about its remaining battery life: the percentage of charge remaining, the seconds remaining on the battery, and the seconds until a full charge if a charger is connected. Together these figures yield over 14 million unique combinations, so a phone’s battery status can serve as a near-unique identifier.
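To make the identifier concrete, the following added JavaScript (not code from the article or the Princeton study) builds the key a tracker would form from the three BatteryManager readings, then shows the defensive counterpart: coarsening the level and time estimates so that many devices collapse onto the same key. The sample readings, the 0.05 level step and the 600-second time bucket are constructed assumptions for illustration, not figures from the article.

```javascript
// Added example: the three Battery Status readings combined into one key,
// and a coarsening step that shrinks the key space. Sample readings and the
// granularity parameters below are constructed assumptions.

// The key a tracker would combine with other signals (canvas, local IP, ...).
function batteryKey(reading) {
  return `${reading.level}|${reading.chargingTime}|${reading.dischargingTime}`;
}

// Mitigation: round the level to coarse steps and bucket the time estimates
// (seconds) so that devices in a similar state share one key.
function coarsen(reading, levelStep = 0.05, timeBucketSeconds = 600) {
  const round = (x, step) => Math.round(x / step) * step;
  // Infinity means "not applicable" (e.g. dischargingTime while charging); keep it.
  const bucket = (t) =>
    Number.isFinite(t) ? Math.floor(t / timeBucketSeconds) * timeBucketSeconds : t;
  return {
    level: Number(round(reading.level, levelStep).toFixed(2)),
    chargingTime: bucket(reading.chargingTime),
    dischargingTime: bucket(reading.dischargingTime),
  };
}

// How many distinct keys a set of readings yields, optionally after a transform.
function distinctKeys(readings, transform = (r) => r) {
  return new Set(readings.map((r) => batteryKey(transform(r)))).size;
}

// Constructed sample: six devices, raw level in 0.01 steps, times in seconds.
const SAMPLE_READINGS = [
  { level: 0.41, chargingTime: Infinity, dischargingTime: 7312 },
  { level: 0.42, chargingTime: Infinity, dischargingTime: 7330 },
  { level: 0.42, chargingTime: Infinity, dischargingTime: 7401 },
  { level: 0.41, chargingTime: Infinity, dischargingTime: 7399 },
  { level: 0.89, chargingTime: 1210, dischargingTime: Infinity },
  { level: 0.90, chargingTime: 1250, dischargingTime: Infinity },
];

// Raw readings: every device is distinguishable; coarsened: only two groups remain.
console.log('raw distinct keys:', distinctKeys(SAMPLE_READINGS));
console.log('coarsened distinct keys:', distinctKeys(SAMPLE_READINGS, (r) => coarsen(r)));
```

The point of `coarsen` is the trade-off a browser vendor faces: a page that only wants to serve a lighter layout to a dying phone needs nothing finer than "about 40%, a couple of hours left", while the raw readings separate every device in the sample.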
The researchers behind the Princeton study visited various web sites while using a special web browser that allowed them to detect and monitor any sites or apps that were tracking their data. They found two specific scripts “in the wild” that were using the battery life indicator to monitor their personal mobile data and assign their device a unique “fingerprint”:
One script, https://go.lynxbroker.de/eat_heartbeat.js, retrieves the current charge level of the host device and combines it with several other identifying features. These features include the canvas fingerprint and the user’s local IP address [...] The second script, http://js.ad-score.com/score.min.js, queries all properties of the BatteryManager interface, retrieving the current charging status, the charge level, and the time remaining to discharge or recharge. As with the previous script, these features are combined with other identifying features used to fingerprint a device.
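The study's instrumented browser recorded which BatteryManager properties each script read; the added example below (not the researchers' tooling, and not the scripts named above) reproduces that idea in Node. Since Node has no `navigator.getBattery()`, a constructed stand-in object with the real interface's property names (`charging`, `chargingTime`, `dischargingTime`, `level`) is wrapped in a Proxy that logs reads, and two constructed scripts modelled on the two behaviours described are audited against it.

```javascript
// Added example: an instrumented BatteryManager stand-in that records which
// properties a script reads, in the spirit of the study's monitoring browser.
// The battery state, the audited scripts and the verdict thresholds are
// constructed assumptions.

// Wrap a plain state object so every property read is appended to accessLog.
function makeInstrumentedBattery(state, accessLog) {
  return new Proxy(state, {
    get(target, prop) {
      if (typeof prop === 'string' && prop in target) {
        accessLog.push(prop);
      }
      return target[prop];
    },
  });
}

// Run one script against the instrumented object and summarise what it read.
function auditScript(name, script) {
  const accessLog = [];
  const battery = makeInstrumentedBattery(
    { charging: false, chargingTime: Infinity, dischargingTime: 7312, level: 0.41 }, // constructed
    accessLog,
  );
  script(battery);
  const propertiesRead = [...new Set(accessLog)].sort();
  let verdict;
  if (propertiesRead.length === 0) {
    verdict = 'no battery access';
  } else if (propertiesRead.length >= 3) {
    // Reading the whole interface is the pattern the study associated with fingerprinting.
    verdict = 'full BatteryManager query';
  } else {
    verdict = 'partial battery read';
  }
  return { script: name, propertiesRead, verdict };
}

// Two constructed scripts: one reads only the charge level, the other
// queries every property of the interface.
const SAMPLE_SCRIPTS = {
  levelOnly: (b) => ({ lvl: b.level }),
  allProps: (b) => ({ c: b.charging, ct: b.chargingTime, dt: b.dischargingTime, lvl: b.level }),
};

function auditAll() {
  return Object.entries(SAMPLE_SCRIPTS).map(([name, script]) => auditScript(name, script));
}

for (const result of auditAll()) {
  console.log(`${result.script}: read [${result.propertiesRead.join(', ')}] -> ${result.verdict}`);
}
```

In a real browser the same Proxy trick can be applied to the object returned by `navigator.getBattery()` from an extension or devtools snippet; the useful signal is not a single read of `level` but a script that drains every property and then mixes the values with other identifiers.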
Once a device’s “fingerprint” has been taken, its traffic can be monitored across a number of different platforms. According to information security consultant Lukasz Olejnik, the battery indicator might even be a source of profit for web sites in the future:
Additionally, some companies may be analyzing the possibility of monetizing the access to battery levels. When the battery is running low, people might be prone to some - otherwise different - decisions. In such circumstances, users will agree to pay more for a service.
If intrusions and exploits like the battery life indicator trackers continue to become more commonplace, measures like Edward Snowden’s anti-surveillance phone case might be adopted by more phone users. While most people assure themselves that they have nothing to hide, history has shown time and again that all it takes is one shift in the political landscape for otherwise normal people to suddenly find themselves labelled criminals. Good thing we don’t have anything like that going on in the West at the moment...