The post on The Guardian starts with “A group of researchers have demonstrated how to track users with nothing more than their remaining battery power, which could compromise privacy”. This sentence alone already gives me the creeps, but it gets really scary once you understand what kind of information is passed along without the user knowing.
The issue arises because HTML5 allows websites to detect when a smartphone is low on battery; once a site has detected this, it can switch between a high-power theme and a low-power theme.
Ideally, a website or web-app can notice when the visitor has little battery power left, and switch to a low-power mode by disabling extraneous features to eke out the most usage.
But the researchers were looking at a very different aspect. They found that this feature also lets the website operator retrieve specific timing information about the battery status:
The researchers point out that the information a website receives is surprisingly specific, containing the estimated time in seconds that the battery will take to fully discharge, as well as the remaining battery capacity expressed as a percentage.
The researchers explain that this vulnerability can be used in attacks to identify users and devices that are using VPNs or other types of encrypted communication.
For instance, if a user visits a website in Chrome’s private browsing mode using a VPN, the website should not be able to link them to a subsequent visit with private browsing and the VPN off. But the researchers warn that that may no longer work: “Users who try to revisit a website with a new identity may use browsers’ private mode or clear cookies and other client side identifiers. When consecutive visits are made within a short interval, the website can link users’ new and old identities by exploiting battery level and charge/discharge times. The website can then reinstantiate users’ cookies and other client side identifiers, a method known as respawning.”
Worse still, on some platforms, the researchers found that it is possible to determine the maximum battery capacity of the device with enough queries, creating a semi-permanent metric to compare devices.
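One way to keep the low-power use case while removing the precise values described above is to coarsen the reading before any page script sees it. This is an added example, not code from the original post or from the researchers; the property names are those of the browser's `BatteryManager` object, while `LEVEL_STEP`, the function names and the sample readings are assumptions made for illustration.

```javascript
// Added example: coarsen Battery Status API readings so they stay useful for a
// low-power mode but stop being a precise identifier.
// Property names match the browser's BatteryManager object; LEVEL_STEP, the
// function names and SAMPLE_READINGS are assumptions made for this example.
const LEVEL_STEP = 0.25; // expose only 0, 0.25, 0.5, 0.75 and 1

function coarsenBattery(b) {
  const bucket = Math.round(b.level / LEVEL_STEP) * LEVEL_STEP;
  return {
    charging: b.charging,
    level: Math.min(1, Math.max(0, bucket)),
    // The second-granularity estimates are the most identifying fields.
    // Infinity is the value the API uses when a time cannot be reported.
    chargingTime: Infinity,
    dischargingTime: Infinity,
  };
}

// The legitimate use case: decide whether to serve the low-power theme.
function wantsLowPowerMode(b) {
  return !b.charging && b.level <= LEVEL_STEP;
}

// Number of distinguishable states a site could observe across the readings.
function distinctStates(readings) {
  const key = (b) =>
    `${b.charging}|${b.level}|${b.chargingTime}|${b.dischargingTime}`;
  return new Set(readings.map(key)).size;
}

// Constructed readings, as six different devices might report at one moment.
const SAMPLE_READINGS = [
  { charging: false, level: 0.07, chargingTime: Infinity, dischargingTime: 1260 },
  { charging: false, level: 0.11, chargingTime: Infinity, dischargingTime: 2040 },
  { charging: false, level: 0.48, chargingTime: Infinity, dischargingTime: 9120 },
  { charging: false, level: 0.53, chargingTime: Infinity, dischargingTime: 10380 },
  { charging: false, level: 0.91, chargingTime: Infinity, dischargingTime: 17700 },
  { charging: true, level: 0.91, chargingTime: 840, dischargingTime: Infinity },
];

const coarse = SAMPLE_READINGS.map(coarsenBattery);
console.log('raw states:', distinctStates(SAMPLE_READINGS));
console.log('coarse states:', distinctStates(coarse));
console.log('low-power decisions:', coarse.map(wantsLowPowerMode));
```

With the raw values every sample device is distinguishable; after coarsening, several devices share each state, yet the low-power decision is still made for the two devices that are nearly empty.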
So always remember, even when you think that you are secure, someone is watching you. Stay safe and take care.