French researchers have found out a new way to invade any Internet user’s privacy, and the source is their battery.
In a research paper published this week, researchers Lukasz Olejnik, Gunes Acar, Claude Castelluccia and Claudia Diaz successfully demonstrated how the new HTML 5 specification being run on web browsers can potentially track any Internet user and hack their data.
The research paper mentioned specifically: “The capacity of the battery, as well as its level, expose a finger printable surface that can be used to track web users in short time intervals. Our analysis shows that the risk is much higher for old or used batteries with reduced capacities, as the battery capacity may potentially serve as a tracking identifier.”
The Foundation of This Vulnerability
World Wide Web Consortium or W3C, is the organization which oversees the development of the web’s standards. In 2012, W3C approved a specification called Battery Status API, which can help web developers to find out how much battery life is remaining on their devices (smartphones and laptops).
This API is supported by Chrome, Firefox and Opera browsers, and was recommended and approved by W3C because using this, the websites or applications can improve user’s experience. In case the battery life is low, then the website or app can automatically remove those features which consume battery, and thus elongate the device’s life.
W3C in their document explicitly mentions that no user permission is required by web developers to run this API on browsers, as “the information disclosed has minimal impact on privacy or fingerprinting, and therefore is exposed without permission grants”
However, W3C didn’t realize how specific this information can be.
The Modus Operandi
French researchers discovered that the data provided by this API approved by W3C contains a wealth of information such as estimated time required before the battery will shut down and the current battery capacity expressed in percentage points. The researchers used these two numbers, and made them as a unique ID out of 14 million possible combinations. This unique ID can be the fingerprint of the laptop/smartphone user to explore more about his browsing habits, device information and more.
Or in short, privacy breached.
However, this information about battery life updates itself every 30 seconds; which means that the Battery Status API opens a door for every half minute in case any hacker wants to spy on the Internet users.
Additionally, the users also found out that the API can be configured to find out the maximum battery capacity of the gadget, which in turn can be used as ‘semi-permanent’ metrics to perform further privacy hacks.
Even if the user clears all cookies, uses incognito mode or employs VPN, this Battery Status API can still find out the battery data. Worse, users cannot remove this API from browsers, and as W3C has recommended its usage, almost all the browsers have this API running right now.
The good news is that researchers conducted all their experiments on Firefox browser running on Linux OS, which gave them fairly precise data. However, Windows, Android or iOS operating systems may not give so much detailed inputs to this API, which makes it less risky as of now.
But, the danger from your battery isn’t over yet. Unless W3C removes this API from their specifications or make it mandatory for user’s permission, the threat is still on.