
Privacy alert: your laptop or phone battery could track you online


Batu69


Is the battery in your smartphone being used to track your online activities? It might seem unlikely, but it's not quite as farfetched as you might first think. This is not a case of malware or hacking, but a built-in component of the HTML5 specification.

Originally designed to help reduce power consumption, the Battery Status API makes it possible for websites and apps to monitor the battery level of laptops, tablets, and phones. A paper published by a team of security researchers suggests that this represents a huge privacy risk. Using little more than the amount of power remaining in your battery, it is possible for people to be identified and tracked online.

As reported by The Guardian, a paper entitled "The Leaking Battery" by Belgian and French privacy and security experts says that the API can be used in device fingerprinting. The API can be used to determine the capacity of a website visitor's battery, as well as its current charge level, and the length of time it will take to fully discharge. When combined, these pieces of information create a unique identifier which can be used like a supercookie.

Supported by Firefox, Opera, and Chrome (but not Internet Explorer or Microsoft Edge), Battery Status API has raised the security hackles of the researchers who say:

We hope to draw attention to this privacy issue by demonstrating the ways to abuse the API for fingerprinting and tracking.

At particular risk are older phones. The age of the battery reduces the battery life, making it easier to generate unique identifiers. What is especially concerning is the fact that users do not need to be warned when the Battery Status API is being used. This is because when drawing up the HTML5 standard, the W3C said:

The information disclosed has minimal impact on privacy or fingerprinting, and therefore is exposed without permission grants.

To overcome the security and privacy issues, the authors of the report suggest that the readings gathered by the API be rounded. They say this would not interfere with the functionality of the API, but would eliminate the problem of tracking. At the moment, nothing more than a simple script is needed to monitor someone's movement from one website to another. The creation of a unique identifier also opens up the possibility of a phenomenon known as respawning. Even if a user goes to the trouble of deleting locally stored cookies, they could instead be remotely stored and reinstated when a user is identified through Battery Status API data.

The researchers also suggest that permission to access the API should be sought from users rather than just allowing its use by default.

Source

Link to comment
Share on other sites
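
The rounding mitigation described in the article above, as an added example that is not part of the original post or the researchers' paper: it coarsens battery readings and counts how many distinct combined values remain. The function names, the step sizes and the sample readings are assumptions constructed for illustration.

```javascript
// Added illustration; step sizes are assumptions, not values from the paper or a browser.
const LEVEL_STEP = 0.05;   // report charge level in 5% steps
const TIME_STEP = 15 * 60; // report charge/discharge times in 15-minute steps (seconds)

// Round a BatteryManager-shaped reading into coarse buckets.
function coarsen(reading) {
  // chargingTime/dischargingTime are Infinity when not applicable; pass that through.
  const bucket = (t) => (Number.isFinite(t) ? Math.round(t / TIME_STEP) * TIME_STEP : t);
  const level = Math.round(reading.level / LEVEL_STEP) * LEVEL_STEP;
  return {
    charging: reading.charging,
    level: Number(level.toFixed(2)), // strip floating-point noise such as 0.45000000000000007
    chargingTime: bucket(reading.chargingTime),
    dischargingTime: bucket(reading.dischargingTime),
  };
}

// The combined value that distinguishes one visitor's reading from another's.
function readingKey(r) {
  return [r.charging, r.level, r.chargingTime, r.dischargingTime].join("|");
}

// Number of distinct combined values across a set of readings.
function distinctReadings(readings, transform = (r) => r) {
  return new Set(readings.map((r) => readingKey(transform(r)))).size;
}

// Constructed sample: five devices running on battery power.
const SAMPLE = [
  { charging: false, level: 0.4312, chargingTime: Infinity, dischargingTime: 8131 },
  { charging: false, level: 0.4287, chargingTime: Infinity, dischargingTime: 8202 },
  { charging: false, level: 0.4391, chargingTime: Infinity, dischargingTime: 7990 },
  { charging: false, level: 0.4455, chargingTime: Infinity, dischargingTime: 8400 },
  { charging: false, level: 0.8203, chargingTime: Infinity, dischargingTime: 15200 },
];

console.log("distinct at full precision:", distinctReadings(SAMPLE));
console.log("distinct after rounding:   ", distinctReadings(SAMPLE, coarsen));
```

At full precision every sample device is distinguishable; after rounding, the four devices in a similar state share one value and only the clearly different one stands apart.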



Nothing is Safe.

Meanwhile, someone right now, is probably writing code to return a random variable from 1-100, attempting to screw with the fingerprinting.

Endless arms race. Too bad we have so many companies who profit SOLELY on spying on us. There is the real cancer that needs purged.

Link to comment
Share on other sites


StealthyBoi

My two cents for a possible solution for laptops is removing the battery; that way the API can't get the capacity and current charge.

CODY is right though, many things we use without our knowledge could be used for fingerprinting. :s

Link to comment
Share on other sites


Do Consumers who use their Hard Earned Money to Buy these Gadgets have any right to Their Privacy??? Is this World so Messed Up that we Lost our Humanity to Making Money off Unsuspecting People at All Cost??? :s :s I Rest my Case for now ..... Cheers...

Link to comment
Share on other sites


StealthyBoi

A judicious use of the firewall is the key to sound sleep. ^_^

That's the problem: finding what to block with the firewall without compromising the usability. Otherwise, it's better to cease connecting to the interwebs.

Link to comment
Share on other sites


A judicious use of the firewall is the key to sound sleep. ^_^

That's the problem: finding what to block with the firewall without compromising the usability. Otherwise, it's better to cease connecting to the interwebs.

One can always mingle with folks at The Playground to gain a deeper insight into some firewall tricks. ;)

Link to comment
Share on other sites


StealthyBoi

A judicious use of the firewall is the key to sound sleep. ^_^

That's the problem: finding what to block with the firewall without compromising the usability. Otherwise, it's better to cease connecting to the interwebs.

One can always mingle with folks at The Playground to gain a deeper insight into some firewall tricks. ;)

It doesn't discuss how to disable leaks from the Battery Status API using a firewall :P

Link to comment
Share on other sites


A judicious use of the firewall is the key to sound sleep. ^_^

That's the problem: finding what to block with the firewall without compromising the usability. Otherwise, it's better to cease connecting to the interwebs.

One can always mingle with folks at The Playground to gain a deeper insight into some firewall tricks. ;)

It doesn't discuss how to disable leaks from the Battery Status API using a firewall :P

It doesn't stop you from discussing that, either — we believe in the principle "if you don't ask, you won't receive."

Link to comment
Share on other sites


StealthyBoi

It doesn't stop you from discussing that, either — we believe in the principle "if you don't ask, you won't receive."

Uh okay, I'll try asking *awkwardly heads to the playground and trips

Link to comment
Share on other sites


StealthyBoi

The API can be used to determine the capacity of a website visitor's battery, as well as its current charge level, and the length of time it will take to fully discharge. When combined, these pieces of information create a unique identifier which can be used like a supercookie.

Supported by Firefox, Opera, and Chrome (but not Internet Explorer or Microsoft Edge), Battery Status API has raised the security hackles of the researchers who say:

At particular risk are older phones. The age of the battery reduces the battery life, making it easier to generate unique identifiers. What is especially concerning is the fact that users do not need to be warned when the Battery Status API is being used. This is because when drawing up the HTML5 standard, the W3C said:

The researchers also suggest that permission to access the API should be sought from users rather than just allowing its use by default.

For Firefox users, you can disable the permission to access the Battery Status API by default and, when required, enable it by following:

Users of Firefox can set the following preference to disable the Battery Status API:—

("dom.battery.enabled", false)

Do this on your phone and laptop now ;)

Link to comment
Share on other sites


Archived

This topic is now archived and is closed to further replies.
