Mobile Battery Tracks You Online

Uploaded on 2016-08-09 in TECHNOLOGY--Resilience, NEWS-Cybersecurity News, FREE TO VIEW

A little-known web standard that lets site owners tell how much battery life a mobile device has left has been found to enable tracking online, a year after privacy researchers warned that it had the potential to do just that.

The battery status API was introduced in HTML5, the fifth version of the code used to lay out the majority of the web, and had already shipped in Firefox, Opera and Chrome by August 2015. It allows site owners to see the percentage of battery life left in a device, as well as the time it will take to discharge or the time it will take to charge, if connected to a power source.

Intended to allow site owners to serve low-power versions of sites and web apps to users with little battery capacity left, soon after it was introduced, privacy researchers pointed out that it could also be used to spy on users. The combination of battery life as a percentage and battery life in seconds provides offers 14m combinations, providing a pseudo-unique identifier for each device.

Suppose a user loaded their church website in their version of Firefox, and then opened up the website for a satanic cult using a Chrome browser in private browsing mode piped through a secure VPN. Ordinarily, the two connections should be very difficult to associate with one another, but an advert that was loaded on both pages at once would be able to tell that the two devices were almost certainly the same, with the certainty increasing the longer they stayed connected.

Now, two security researchers from Princeton University have shown that the battery status indicator really is being used in the wild to track users. By running a specially modified browser, Steve Engelhard and Arvind Narayanan found two tracking scripts that used the API to “fingerprint” a specific device, allowing them to continuously identify it across multiple contexts.

The research was highlighted by Lukasz Olejnik, one of the four researchers who first called attention to the potential issues with the battery status API in 2015. Although Olejnik achieved some success following his warning, with the body in charge of the web’s standards thanking his group for the privacy analysis, the API still has the potential for misuse. And while it is only tracking scripts using it now, Olejnik warns that unscrupulous actors could do more.

“Some companies may be analysing the possibility of monetising the access to battery levels,” he writes. “When battery is running low, people might be prone to some – otherwise different – decisions. In such circumstances, users will agree to pay more for a service.”

Guardian

« Brexit Leading To Rising Tide Of Cyber Scams
Insider Trading: Ukrainian Hackers Accomplice Pleads Guilty »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Security Magazine

Security Magazine

Security, the business magazine for security executives, focuses on management issues facing top security professionals and effective solutions being employed, both physical and cyber.

SecureNow Insurance Broker

SecureNow Insurance Broker

SecureNow is a commercial insurance broker based in India. Services offered include Cyber Risk insurance.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Dutch Accreditation Council (RvA)

Dutch Accreditation Council (RvA)

RvA is the national accreditation body for the Netherlands. The directory of members provides details of organisations offering certification services for ISO 27001.

Critical Insight

Critical Insight

Critical Insight provide Managed Detection and Response, Vulnerability Detection, and Consulting Services to help you secure your mission-critical systems.

Business Hive Vilnius (BHV)

Business Hive Vilnius (BHV)

BHV is one of the oldest startup incubator and technology hubs in the Baltics, primarily focused on hardware, security, blockchain, AI, fintech and enterprise software.

Q6 Cyber

Q6 Cyber

Q6 Cyber is an innovative threat intelligence company collecting targeted and actionable threat intelligence related to cyber attacks, fraud activity, and existing data breaches.

Ribbon Communications

Ribbon Communications

Ribbon Communications delivers global communications software and network solutions to service providers, enterprises, and critical infrastructure sectors.

PrivacySavvy

PrivacySavvy

PrivacySavvy's mission is to provide you with all the information that you need to ensure that your internet privacy is intact, your devices are secure, and that any time you step online, you’re safe.

Otorio

Otorio

OTORIO delivers industrial cybersecurity and digital risk-management solutions and services. We help our customers to keep their revenue-generating operations resilient, efficient, and safe.

Input Output (IOHK)

Input Output (IOHK)

IOHK is one of the world's pre-eminent blockchain infrastructure research and engineering companies.

Involta

Involta

Involta orchestrates IT transformation journeys using well-defined and rigorous processes to deliver hybrid cloud solutions, consulting and data center services tailored to our clients’ needs.

Gravitee

Gravitee

Gravitee helps organizations manage and secure their entire API lifecycle with solutions for API design, management, security, productization, real-time observability, and more.

VicOne

VicOne

With a vision to secure the vehicles of tomorrow, VicOne delivers a broad portfolio of cybersecurity software and services for the automotive industry.

Gleam Cloud Security Solutions (GCSS)

Gleam Cloud Security Solutions (GCSS)

GCSS Security is an information security firm providing cyber security protection with a highly skilled and experienced team focused on technology that creates best-in-class customer experiences.

Quotient

Quotient

Quotient builds digital experiences that empower and inspire the American people by understanding their needs, simplifying complex technical solutions and adapting to how they work, live and learn.