Security researchers have found a way to track a user's smartphone Web usage through battery life.

Eric Zeman, Contributor

August 4, 2015

3 Min Read
<p align="left">(Image: AndrewScherbackov/iStockphoto)</p>

HTML5: 10 Tips That Will Change Your Life

HTML5: 10 Tips That Will Change Your Life


HTML5: 10 Tips That Will Change Your Life (Click image for larger view and slideshow.)

Your smartphone's battery is probably the last thing you'd guess is threatening your privacy, but a new research paper says that's exactly the case. Websites can make use of battery-life data given up by HTML5 to identify mobile devices.

The World Wide Web Consortium debuted the battery status API back in 2012 with the goal of helping websites maximize the battery life of mobile devices that visit them. The basic function allows websites to see how much battery life remains on any given device so the site can switch to a low-power mode if needed. For example, websites viewed in Chrome, Firefox, and Opera can suspend select power-sapping features if the site detects a device has limited power left.

There are a few problems with the battery status API, according to a new paper from Belgian and French security researchers. First, the W3C specification does not mandate user permission to query the device's battery life. The spec reads, in part, "[T]he information disclosed has minimal impact on privacy or fingerprinting, and therefore is exposed without permission grants."

The researchers disagree.

Websites are able to snag incredibly specific information about the devices that visit them. Recorded data includes the estimated time it will take the battery to discharge (specific to the second) and the remaining battery life as a percentage.

Combined, these numbers can form a potential identifier for devices.

This data is updated once every 30 seconds. The specificity of the data, and the frequency with which it is collected lead to a significant chance of identified users.

"In short time intervals, [the] battery status API can be used [to track] identifiers of users," explained the researchers. "Users who try to revisit a web site with a new identity may use browsers' private mode or clear cookies and other client side identifiers. When consecutive visits are made within a short interval, the web site can link users' new and old identities by exploiting battery level and charge/discharge times. The web site can then reinstantiate users' cookies and other client side identifiers, a method known as respawning."

[Read about how WiFi can power different devices.]

Think your corporate VPN will protect you? It won't, the researchers warn.

"In a corporate setting, where devices share similar characteristics and IP addresses, the battery information can be used to distinguish devices behind a [firewall]," according to the paper.

Devices that visit websites often give them enough data to attach a semi-permanent identifier to the smartphone. That's disconcerting to ponder.

The battery status API's privacy issues have been documented since 2012, but the API has yet to be revised. The researchers suggest it can be fixed by making the battery readings less precise. Rounding the values downward won't affect functionality and will protect users from being identified.

About the Author(s)

Eric Zeman

Contributor

Eric is a freelance writer for InformationWeek specializing in mobile technologies.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights