Smartphone and laptop batteries compromise web browser privacy, suggest
The Battery Status API pulls your phone’s battery information, such as its level and its charging and discharging times, which when combined are unique to nearly every phone. This allows hackers to create a digital fingerprint of your phone and track your movements online.
Sending battery stats to the websites you visit, so they can help you preserve battery on your mobile device, is a great idea.
A new study published by a group of French and Belgian security researchers reveals that the peeping Toms of the Internet can easily exploit the Battery Status API in HTML5, the language modern websites use so people can view their contents.
“The capacity of the battery, as well as its level, expose a fingerprintable surface that can be used to track web users in short time intervals.” “The website can then reinstantiate users’ cookies and other client side identifiers, a method known as respawning.”
The scientists, from INRIA Privatics in Grenoble and KU Leuven, write: “Our study shows that websites can discover the capacity of users’ batteries by exploiting the high precision readouts provided by Firefox on Linux.”
A little-known feature of the HTML5 specification means that websites can find out how much battery power a visitor has left on their laptop or smartphone – and now, security researchers have warned that that information can be used to track browsers online. Originally, the feature was introduced in order to help save the battery life of the user’s device.
By combining all of this information, it even becomes possible for websites to determine if a specific user is surfing in privacy mode. The API also does not require browsers to notify users when the battery information is accessed. The data provided by the API, particularly for old and used batteries, could “potentially serve as a tracking identifier”, according to the researchers.
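The effect of readout precision on that identifier can be measured directly. The sketch below is an added illustration, not code from the study or from any browser: the readings are constructed, the field names follow the Battery Status API's `BatteryManager` attributes, and the rounding policy in `coarsen` is an assumption of this example.

```javascript
// Constructed sample readouts, as four different visitors' browsers might
// report them at one moment. Values are made up for illustration.
const sampleReadings = [
  { charging: false, level: 0.9301929625425652, chargingTime: Infinity, dischargingTime: 8940 },
  { charging: false, level: 0.9266666666666666, chargingTime: Infinity, dischargingTime: 9127 },
  { charging: false, level: 0.93, chargingTime: Infinity, dischargingTime: 9003 },
  { charging: true, level: 0.4117647058823529, chargingTime: 3312, dischargingTime: Infinity },
];

// The tuple a page obtains when it reads all attributes together.
function readoutKey(r) {
  return [r.charging, r.level, r.chargingTime, r.dischargingTime].join("|");
}

// Hypothetical hardening policy (assumption): level rounded to two decimals,
// time estimates rounded to 15-minute steps, Infinity passed through.
function coarsen(r, stepSeconds = 900) {
  const roundTime = (t) =>
    Number.isFinite(t) ? Math.round(t / stepSeconds) * stepSeconds : t;
  return {
    charging: r.charging,
    level: Math.round(r.level * 100) / 100,
    chargingTime: roundTime(r.chargingTime),
    dischargingTime: roundTime(r.dischargingTime),
  };
}

// How many visitors the readouts alone can tell apart.
function distinctKeys(readings) {
  return new Set(readings.map(readoutKey)).size;
}

// Size of the largest group sharing one readout (a crude anonymity set).
function largestGroup(readings) {
  const counts = new Map();
  for (const r of readings) {
    const k = readoutKey(r);
    counts.set(k, (counts.get(k) || 0) + 1);
  }
  return Math.max(...counts.values());
}

const coarsened = sampleReadings.map((r) => coarsen(r));
console.log("raw:", distinctKeys(sampleReadings), "distinct readouts");
console.log("coarsened:", distinctKeys(coarsened), "distinct, largest group", largestGroup(coarsened));
```

With full-precision values every constructed visitor is distinguishable; after coarsening, the three discharging devices report the same tuple.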
A secret tool hidden in HTML5 lets a site identify your device by tracking your battery life.
“In theory it might be feasible to use it just basing on the standard Battery API – although admittedly with limited performance”, Lukasz Olejnik, one of the researchers, told the Telegraph. That information can then be used as a way of identifying the phones themselves, without their users ever knowing.
“Although the potential privacy problems of the Battery Status API were discussed by Mozilla and Tor Browser developers as early as in 2012, neither the API, nor the Firefox implementation, has undergone a major revision,” they wrote.