Researchers reveal how battery status data provided to a web browser can be used to identify internet users
Your battery life could give snoopers a backdoor into tracking your internet activity.
That’s according to French and Belgian researchers, who claim to have discovered a security flaw that allows web browsers to follow an internet user, even if they are trying to mask their identity.
The flaw resides in the battery status API – a set of protocols – for HTML5, the current version of the web’s language. The API provides a web browser, such as Google Chrome or Firefox, with information about a smartphone, tablet or laptop’s battery life, which allows it to activate power-saving modes when juice is running low.
Users cannot opt out of the battery status API and the World Wide Web Consortium (W3C), which sets internet standards, had not flagged it as a security risk when introducing HTML5. “The information disclosed has minimal impact on privacy or fingerprinting, and therefore is exposed without permission grants,” W3C said in 2012.
This is not the case according to the researchers, who claim that the data can in theory be accurate enough to identify a user.
How battery life could give you away
The battery status API works by providing browser software with an indicator from 0 to 1 called “level”, as well as the expected number of seconds it would take to fully charge and fully discharge the battery.
Researchers, who tested the Firefox browser on the Linux operating system, found that there could be at least 14.2 million different combinations of this data, which was easily enough for internet users to be identified by their battery status. The status changes only every 30 seconds, meaning that for a short time the ID can act as a “static identifier”.
Most internet users leave much more obvious digital fingerprints when browsing the web, such as their IP address and cookies, but people who opt out of these by using masking tools such as private browsing could still be followed using their battery data, the researchers said.
A script could use the battery status API to track an internet user who has cleared their browsing data and then reinstate identifiers such as cookies, a process known as respawning. This would allow it to keep tracking the user without their knowledge.
Am I vulnerable?
The chances of being affected by this bug are relatively low. The researchers' test was conducted on Firefox on a Linux machine, which allowed particularly accurate battery status data – down to 16 decimal places.
The data gathered by other operating systems, such as Windows, OS X and Android, and by other browsers is rounded to a lower precision, so there are not as many possible combinations of data and it is more difficult to home in on a user.
“In theory it might be feasible to use it just basing on the standard Battery API – although admittedly with limited performance,” Lukasz Olejnik, one of the researchers, told the Telegraph.
The researchers also put the matter to Firefox, which fixed it in June 2015 – three years after the battery status API was first identified as a potential issue.
Similarly, very few internet users are likely to protect their identity so thoroughly that tracking battery data becomes a serious option for snoopers.
However, the researchers have recommended improving standards so there is no chance of users being unwillingly tracked. This includes limiting the precision of such battery readouts – a browser realistically does not need battery life statistics more accurate than the nearest per cent – or making browsers ask permission to access the battery status API.
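The effect of the recommended precision limit can be measured directly. The sketch below is an added example, not code from the researchers or from any browser: the readings are constructed, the function names are hypothetical, and the 15-minute bucket for the time estimates is an assumption (the recommendation above only specifies rounding the level to the nearest per cent).

```javascript
// Added example. Readings are constructed; function names are hypothetical.
// Each reading holds the three values the battery status API exposes:
// level (0 to 1), chargingTime and dischargingTime (seconds, Infinity if n/a).
const readings = [
  { level: 0.9301075268817204, chargingTime: Infinity, dischargingTime: 8940 },
  { level: 0.9342105263157895, chargingTime: Infinity, dischargingTime: 8874 },
  { level: 0.9270833333333334, chargingTime: Infinity, dischargingTime: 9120 },
  { level: 0.4716981132075472, chargingTime: 3561, dischargingTime: Infinity },
  { level: 0.4683544303797468, chargingTime: 3712, dischargingTime: Infinity },
];

// Combined state of one reading, exactly as reported.
function key(r) {
  return `${r.level}|${r.chargingTime}|${r.dischargingTime}`;
}

// Mitigation: level to the nearest per cent (as recommended in the article);
// time estimates to a 15-minute bucket (an assumption made for this example).
function coarsen(r, bucketSeconds = 900) {
  const bucket = (t) =>
    Number.isFinite(t) ? Math.round(t / bucketSeconds) * bucketSeconds : t;
  return {
    level: Math.round(r.level * 100) / 100,
    chargingTime: bucket(r.chargingTime),
    dischargingTime: bucket(r.dischargingTime),
  };
}

// Count how many devices share each combined state.
function groupSizes(list) {
  const groups = new Map();
  for (const r of list) groups.set(key(r), (groups.get(key(r)) || 0) + 1);
  return groups;
}

// distinct: number of distinguishable states in the sample.
// smallestGroup: the smallest crowd any single device hides in.
function summarize(list) {
  const sizes = [...groupSizes(list).values()];
  return { distinct: sizes.length, smallestGroup: Math.min(...sizes) };
}

const before = summarize(readings);
const after = summarize(readings.map((r) => coarsen(r)));
console.log("as reported:", before, "after rounding:", after);
```

With full-precision values every device in the sample is unique; after rounding, each one shares its state with at least one other device.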
Mr Olejnik said that W3C may be considering changing the HTML5 standards to reflect these concerns.