According to Security Researchers, Advertisers Are Tracking You via Your Phone's Battery Status

Two security researchers from Princeton University, Steven Englehardt and Arvind Narayanan, have published a paper describing how a phone's battery status has already been used to track users across different websites.

The issue is due to the Battery Status API (application programming interface).

The Battery Status API was first introduced in HTML5 and had already shipped in browsers including Firefox, Chrome, and Opera by August last year.

The API is intended to allow site owners to see the percentage of battery life left on a laptop, tablet, or smartphone in an effort to deliver an energy-efficient version of their sites.

However, researchers warned last year that the API could turn your battery level into a "fingerprintable" tracking identifier, potentially providing a pseudo-unique identifier for each device that can be used to pinpoint specific devices across the sites they visit.

One of those researchers, Lukasz Olejnik, published a blog post this week saying that companies are currently leveraging the potential of this battery status information.

"Some companies may be analyzing the possibility of monetising the access to battery levels," he writes. "When a battery is running low, people might be prone to some - otherwise different - decisions. In such circumstances, users will agree to pay more for a service."

For example, Uber's head of economic research, Keith Chen, said the company had been monitoring the battery life of its users, as it knows users are more likely to pay a much higher price to hire a cab when their phone's battery is close to dying.

Olejnik underlined the latest research by Englehardt and Narayanan, who discovered two shady tracking scripts running on the Internet at large scale that take advantage of the Battery Status API and are currently tracking users.

Battery readouts provide the following information:
  • the current level of battery (format: 0.00-1.0, for empty and full, respectively)
  • time to a full discharge of battery (in seconds)
  • time to a full charge of battery, if connected to a charger (in seconds)

Those values are updated whenever a new value is supplied by the operating system.
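As an added illustration (not code from the researchers or from the original post), the sketch below treats the three readouts as a lookup key over constructed sample visits and counts how many visits to a second site can be matched to a first site on those values alone. It then repeats the count with a coarsened readout and with fixed "no battery information" values. The device names, readout values and the 0.25 rounding step are assumptions.

```javascript
// Added example; every readout below is constructed sample data.
// Fields mirror the three values listed above (level, seconds to full, seconds to empty).
const siteA = [
  { device: "phone-1", level: 0.43, chargingTime: Infinity, dischargingTime: 8940 },
  { device: "laptop-2", level: 0.43, chargingTime: Infinity, dischargingTime: 5217 },
  { device: "tablet-3", level: 0.87, chargingTime: 2280, dischargingTime: Infinity },
];
// The same three devices on an unrelated site moments later, cookies cleared.
const siteB = [
  { device: "tablet-3", level: 0.87, chargingTime: 2280, dischargingTime: Infinity },
  { device: "phone-1", level: 0.43, chargingTime: Infinity, dischargingTime: 8940 },
  { device: "laptop-2", level: 0.43, chargingTime: Infinity, dischargingTime: 5217 },
];

// The three readout values joined into one comparable string.
function readoutKey(r) {
  return [r.level, r.chargingTime, r.dischargingTime].join("|");
}

// Count site-B visits whose readout matches exactly one site-A visit.
// `view` is the transformation applied to each readout before comparison.
function uniquelyLinked(a, b, view) {
  const seen = new Map();
  for (const r of a) {
    const k = readoutKey(view(r));
    seen.set(k, (seen.get(k) || 0) + 1);
  }
  return b.filter((r) => seen.get(readoutKey(view(r))) === 1).length;
}

// Readout exactly as the operating system supplied it.
const raw = (r) => r;

// Mitigation sketch 1: round the level to a coarse step (0.25 is an assumed value)
// and report both times as Infinity, the API's value for "cannot be reported".
function coarsen(r, step = 0.25) {
  const level = Math.min(1, Math.round(r.level / step) * step);
  return { level, chargingTime: Infinity, dischargingTime: Infinity };
}

// Mitigation sketch 2: always report the values the W3C specification assigns
// when battery state is unavailable, so every device looks the same.
const fixedDefaults = () => ({ level: 1.0, chargingTime: 0, dischargingTime: Infinity });

console.log("raw:", uniquelyLinked(siteA, siteB, raw));
console.log("coarsened:", uniquelyLinked(siteA, siteB, coarsen));
console.log("fixed defaults:", uniquelyLinked(siteA, siteB, fixedDefaults));
```

With so few visitors the coarsened level still singles out one device, which is why reporting fixed values is the only variant here that removes the signal entirely.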

The duo explains that they observed the behavior of two actual scripts and suggests that companies and other entities are perhaps leveraging this technique for their own purposes.

    "These features are combined with other identifying features used to fingerprint a device," the researchers write in their paper titled, "Online Tracking: A 1-million-site measurement and analysis."

There's hardly any way to mitigate this attack. Unlike tracking by Google, Facebook, or other social media, which relies only on your browsing history, nothing works here: deleting browser cookies or using VPNs and ad blockers will not solve your problem.
