There are a lot of ways to track a device. You can track its physical address in the internet, but that can be obscured. You can track the profiles and logins used to access different services online, but those can be logged out and avoided. You can even install active hardware and software trackers, but those can be tricked or removed.
In the aggregate, however, the ability to track devices, service profiles, and targeted malware results in a near-perfect ability to track a target. The biggest issue is bridging small periods in which tracking went down — this IP address drops out at this time, then thatdevice logs in through the Tor Network at that time. How do you correlate the two, so they made a single, contiguous story? You use specialized identification techniques like the one unveiled this week by French and Belgian researchers.
The technique works by making use of a now-standard piece of low level software called the Battery Status API, an HTML5 feature supported by Chrome, Firefox, and Opera. This API can be used to precisely track the battery level on a smartphone, tablet, or laptop computer, and its charge and discharge times. Over short intervals (between chargings) this data can act as a sort of fingerprint to help identify the device and correlate the activity of one device with the activity of another, showing them to in fact be the same device using different connection methods.
Older batteries make better identifiers, since they have more unique charging levels — batteries fresh out of the factory tend to be much more similar, thus more difficult to distinguish based on their charge characteristics.
The World Wide Web Consortium (W3C) classifies battery data as not crucial to security, and has specifically opened it up to software developers without the need to ask user permission. That makes battery level data an attractive target for data miners, who don’t have to alert browsers to their interest. If it could be used to identify browsers to a specific site, it would make a powerful tool for cyber-sleuths.
The researchers did say that the API could be made much more secure simply by making it worse; lower the precision with which it tracks the battery’s various levels and the “fingerprint” will become blurred to the point of uselessness. Meanwhile, most of us don’t need Firefox to predict our battery’s trends down to the second, so there’s little functional loss to the user. They submitted a bug report to Firefox, and “a fix has been deployed.”
These sorts of privacy attacks are important because, while crude, they also supersede any attempt at hiding an online signature. Turning on the Tor Network doesn’t change your battery capacity, nor does using a VPN make you suddenly type and scroll differently. With biometric sensors becoming more and more common in consumer electronics, the ability to identify a person, as opposed to an electronic profile, has never been more profound.
As security measures available become more elaborate (and in the post-Snowden world, better at evading a known threat), attacks will have to get not just better, but more subtle. Burrowing a zero-day exploit into the foundational software of all modern computing is certainly a good start, but usage statistics have the capacity to ignore all addressing information and perhaps even help track users as they move between devices.