August 4, 2015 weblog
Privacy analysis shows battery status API as tracking tool
The same HTML5 battery status function that lets a web page see how much juice your device has left could also leave you vulnerable: A Mashable senior editor, Stan Schroeder, reported Tuesday on a paper that shows just how the battery status API can be used to track your Internet activity.
How can this be? James Titcomb in The Telegraph said, "The flaw resides in the battery status API - a set of protocols - for HTML5, the current version of the web's language. The API provides a web browser, such as Google Chrome or Firefox, with information about a smartphone, tablet or laptop's battery life, which allows it to activate power-saving modes when juice is running low."
Schroeder said the Battery Status API can pull several pieces of information about your device's battery—level, charging time and discharging time. "Combined, this data is nearly unique for each device, meaning it allows potential attackers to create a digital fingerprint of your device and track your activities on the web."
The two publications were referring to the paper by four researchers from France and Belgium. The paper is "The leaking battery: A privacy analysis of the HTML5 Battery Status API" by Lukasz Olejnik, Gunes Acar, Claude Castelluccia and Claudia Diaz.
The authors wrote, "Our analysis indicates that seemingly innocuous information provided by the Battery Status API can serve as a tracking identifier when implemented incorrectly."
They stated that the HTML5 Battery Status API lets websites read the battery state of a mobile device or a laptop and, what is more, that all the information the API exposes is available without the user being aware that anything unusual is going on: websites can check a user's battery status without having to ask for permission.
The authors' findings showed that the API as implemented by the Firefox browser on the GNU/Linux operating system enabled fingerprinting and tracking of devices with batteries over short time intervals. The authors said that Chrome and Opera, as well as Firefox, were browsers that support the Battery Status API.
"To the best of our knowledge," the authors said, "the only browser that has a strong defense against fingerprinting by the Battery Status API is Tor Browser. Tor Browser completely disables the API to thwart possible fingerprinting attempts."
Titcomb pointed out that people resorting to private browsing as a masking tool could still be followed using the battery data, according to the researchers. He said, "A script could use the battery status API to track an internet user who has cleared their browsing data, and then reinstate identifiers such as cookies, without the user's knowledge, a process known as respawning. This would allow it to keep tracking the user without their knowledge."
The researchers said they "hope to draw attention to this privacy issue by demonstrating the ways to abuse the API for fingerprinting and tracking." The authors said their bug report for Firefox was accepted and a fix was deployed.
In their paper, the authors also discussed possible defenses against exploitation of the Battery Status API. One such approach is for implementations to stop providing high-precision values, which limits the API's tracking and fingerprinting potential.
"By simply rounding the level value of the battery, the threat would be minimized, without losing any functionality of the API," they wrote. "This comment especially applies to platforms where the OS provides high-precision read-outs about the battery."
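As an added illustration (not code from the article or from the paper), the JavaScript below shows why the rounding defense matters: three constructed battery readings produce three distinct identifiers when the raw double-precision level is used, but collapse to a single one once the level and the time estimates are coarsened. The sample values, the two-decimal rounding and the 60-second time step are assumptions chosen for the demonstration.

```javascript
// Added example, not from the article or the paper. Readings below are
// constructed sample values, not measurements from real devices.

// A high-precision implementation (the article describes Firefox on
// GNU/Linux at the time) exposes the level as a full double; the API also
// exposes chargingTime / dischargingTime in seconds (Infinity = unknown).
const constructedReadings = [
  { level: 0.9331244513, chargingTime: Infinity, dischargingTime: 8231 },
  { level: 0.9331244519, chargingTime: Infinity, dischargingTime: 8231 },
  { level: 0.9302871104, chargingTime: Infinity, dischargingTime: 8240 },
];

// Identifier derivable from an unmitigated readout: every significant digit
// of the level and of the time estimates becomes part of the key.
function rawBatteryKey(b) {
  return `${b.level}|${b.chargingTime}|${b.dischargingTime}`;
}

// The defense the paper proposes: round the level so only coarse granularity
// (here two decimals, i.e. 1 %) is exposed. Coarsening the time estimates as
// well is an assumption here, since they are also high-resolution values.
function roundedBatteryStatus(b, levelDigits = 2, timeStepSeconds = 60) {
  const factor = 10 ** levelDigits;
  const coarsen = (t) =>
    Number.isFinite(t) ? Math.round(t / timeStepSeconds) * timeStepSeconds : t;
  return {
    level: Math.round(b.level * factor) / factor,
    chargingTime: coarsen(b.chargingTime),
    dischargingTime: coarsen(b.dischargingTime),
  };
}

function mitigatedBatteryKey(b) {
  return rawBatteryKey(roundedBatteryStatus(b));
}

// Number of distinct identifiers a set of readings yields under a policy:
// fewer distinct keys means less fingerprinting surface.
function distinctKeys(readings, keyFn) {
  return new Set(readings.map(keyFn)).size;
}

console.log(distinctKeys(constructedReadings, rawBatteryKey));       // 3
console.log(distinctKeys(constructedReadings, mitigatedBatteryKey)); // 1
```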
© 2015 Tech Xplore