Mobile Battery Tracks You Online

Uploaded on 2016-08-09 in TECHNOLOGY--Resilience, NEWS-Cybersecurity News, FREE TO VIEW

A little-known web standard that lets site owners tell how much battery life a mobile device has left has been found to enable tracking online, a year after privacy researchers warned that it had the potential to do just that.

The battery status API was introduced in HTML5, the fifth version of the code used to lay out the majority of the web, and had already shipped in Firefox, Opera and Chrome by August 2015. It allows site owners to see the percentage of battery life left in a device, as well as the time it will take to discharge or the time it will take to charge, if connected to a power source.

Intended to allow site owners to serve low-power versions of sites and web apps to users with little battery capacity left, soon after it was introduced, privacy researchers pointed out that it could also be used to spy on users. The combination of battery life as a percentage and battery life in seconds provides offers 14m combinations, providing a pseudo-unique identifier for each device.

Suppose a user loaded their church website in their version of Firefox, and then opened up the website for a satanic cult using a Chrome browser in private browsing mode piped through a secure VPN. Ordinarily, the two connections should be very difficult to associate with one another, but an advert that was loaded on both pages at once would be able to tell that the two devices were almost certainly the same, with the certainty increasing the longer they stayed connected.

Now, two security researchers from Princeton University have shown that the battery status indicator really is being used in the wild to track users. By running a specially modified browser, Steve Engelhard and Arvind Narayanan found two tracking scripts that used the API to “fingerprint” a specific device, allowing them to continuously identify it across multiple contexts.

The research was highlighted by Lukasz Olejnik, one of the four researchers who first called attention to the potential issues with the battery status API in 2015. Although Olejnik achieved some success following his warning, with the body in charge of the web’s standards thanking his group for the privacy analysis, the API still has the potential for misuse. And while it is only tracking scripts using it now, Olejnik warns that unscrupulous actors could do more.

“Some companies may be analysing the possibility of monetising the access to battery levels,” he writes. “When battery is running low, people might be prone to some – otherwise different – decisions. In such circumstances, users will agree to pay more for a service.”

Guardian

« Brexit Leading To Rising Tide Of Cyber Scams
Insider Trading: Ukrainian Hackers Accomplice Pleads Guilty »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Serena

Serena

Serena Software helps increase speed of the software development lifecycle while enhancing security, compliance, and performance.

CERT-FR

CERT-FR

CERT-FR is the French national government computer security incident response team.

FAMOC

FAMOC

FAMOC is an enterprise mobile management solution that delivers comprehensive security and management for applications, documents, email, and mobile devices.

Finnish Information Security Cluster (FISC)

Finnish Information Security Cluster (FISC)

FISC is an organization established by major Finnish information security companies to promote their activities nationally and internationally.

Positive Technologies

Positive Technologies

Positive Technologies is a leading global provider of enterprise security solutions for vulnerability and compliance management, incident and threat analysis, and application protection.

Ritz

Ritz

Ritz is the largest holistic pure-play cyber security solutions provider in Myanmar.

Uppsala Security

Uppsala Security

Uppsala Security built the first crowdsourced Threat Intelligence platform known as the Sentinel Protocol, which is powered by blockchain technology.

Beyond Identity

Beyond Identity

Beyond Identity employs an elegantly simple concept, the personal certificate authority and self signed certificates, to replace passwords.

ProofID

ProofID

ProofID is a specialist provider of Identity Access Management (IAM) solutions. We focus on the solving the complex needs of the modern enterprise.

blueAllianceIT

blueAllianceIT

blueAlliance IT is an investment and growth platform that unites local MSP and IT companies around the nation, helping them to grow and operate competitively.

Condition Zebra

Condition Zebra

Condition Zebra has wide experience in providing IT Security Services, Training, and Certification in the field of cybersecurity.

Privacy Compliance Hub

Privacy Compliance Hub

Privacy Compliance Hub provide an easy to use platform with a comprehensive data protection compliance programme including training, information, templates and reporting.

Anchor Technologies Inc (ATI)

Anchor Technologies Inc (ATI)

Anchor provides a full spectrum of cybersecurity services assisting our clients with all aspects of cybersecurity risk planning, identification, management, and monitoring.

Lenze

Lenze

Lenze are an experienced partner for automation systems, digitalization and cyber security.

Cyber Security Unity (CSU)

Cyber Security Unity (CSU)

Cyber Security Unity (formerly the UK Cyber Security Association) is a new global community which has been set up to help unite the industry and combat the growing cyber threat.

Arms Cyber

Arms Cyber

Arms Cyber is redefining ransomware defense with advanced solutions that stop attacks before they start.