Your smartphone battery could be spying on you
An element of the language most websites are written in, HTML5, allows websites to track how much power a visiting device has left.
The Battery Status API was introduced by the World Wide Web Consortium (W3C, the organisation that oversees the development of the web’s standards) in 2012, with the aim of helping websites conserve users’ energy, and is now supported in the Firefox, Opera and Chrome browsers. That double precision value was then exposed to website scripts through the Battery Status API – providing a granular measure which they argued could be used to identify an individual mobile device, such as a smartphone or laptop.
The tracking would occur without the knowledge of the device user, as the Battery Status API doesn’t need user permission to function.
The researchers discovered that the battery information is updated at 30-second intervals with surprising accuracy, and that within this time frame it is possible to detect whether users are returning to a website.
But batteries? Batteries have always been our friends.
This happens because the Battery Status API can pull several pieces of information about your device’s battery – level, charging time and discharging time.
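A privacy reviewer can measure how much detail such a reading carries. The sketch below is an added example, not code from the researchers or from any browser: the readings are constructed, the function names are hypothetical, and the two-decimal rounding is an assumed coarsening chosen for illustration.

```javascript
// Added example. Field names follow the Battery Status API
// (level, chargingTime, dischargingTime); all readings are constructed.

// Number of decimal digits in a reported level (0.0 to 1.0).
function levelDecimals(level) {
  const [mantissa, exp = "0"] = String(level).split("e");
  const frac = (mantissa.split(".")[1] || "").length;
  return Math.max(0, frac - Number(exp));
}

// Flag the parts of one reading that carry fine-grained detail.
// maxDecimals = 2 is an assumed threshold, not a value from the article.
function auditReading(b, maxDecimals = 2) {
  const findings = [];
  const decimals = levelDecimals(b.level);
  if (decimals > maxDecimals) findings.push(`level has ${decimals} decimal digits`);
  for (const f of ["chargingTime", "dischargingTime"]) {
    // Infinity (unknown) and 0 carry no precise timing information.
    if (Number.isFinite(b[f]) && b[f] > 0) findings.push(`${f} = ${b[f]} s`);
  }
  return { decimals, findings, fineGrained: findings.length > 0 };
}

// How many readings stay distinguishable by level alone,
// at full precision (decimals omitted) or after rounding.
function distinctLevels(readings, decimals) {
  const key = (r) =>
    decimals === undefined ? String(r.level) : r.level.toFixed(decimals);
  return new Set(readings.map(key)).size;
}

// Constructed readings from four hypothetical devices, all near 93 % charge.
const SAMPLE = [
  { level: 0.9301929625425652, chargingTime: Infinity, dischargingTime: 11820 },
  { level: 0.9312345, chargingTime: Infinity, dischargingTime: 12540 },
  { level: 0.9349, chargingTime: Infinity, dischargingTime: 9000 },
  { level: 0.93, chargingTime: Infinity, dischargingTime: Infinity },
];

for (const r of SAMPLE) console.log(r.level, auditReading(r).findings);
console.log("distinct at full precision:", distinctLevels(SAMPLE));
console.log("distinct after rounding to 2 decimals:", distinctLevels(SAMPLE, 2));

// To audit your own browser, where the API is available:
//   navigator.getBattery().then((b) => console.log(auditReading(b)));
```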
On Linux, Firefox reads battery level info using a Linux tool called UPower – which was ultimately the source of this more comprehensive power-management data.
The researchers explain, “Users who try to revisit a website with a new identity may use browsers’ private mode or clear cookies and other client side identifiers. Moreover, in case the user leaves these sites but then, shortly afterwards, visits another site with the same third-party script, the readings would likely be utilised to help in linking the current visit with the preceding ones”. The risk is, however, higher for old or used batteries with reduced capacities. Again they note this method only worked for UPower and Firefox on Linux.
Interestingly, the same technique can be used to identify devices that are being used behind corporate infrastructure such as NATs and VPNs.
Security researchers have identified ways that browser activity could be tracked by an HTML5 feature that analyses the battery life of a device without user permission, leading to a number of privacy concerns. To do this, the researchers used data from the Battery Status API as a unique identifier.