Battery Attributes Can Be Used To Track Web Users

A team of European security researchers has published a paper analyzing how the battery life of mobile devices could be used to track web browsing habits of Firefox users on Linux, using the HTML5 Battery Status API (via The Guardian).

The specific method they expose in their paper has been fixed by Firefox as of June this year, after they filed a bug report pointing out inconsistencies in its implementation of battery level reporting across different platforms.

The paper, entitled The Leaking Battery: A Privacy Analysis of The HTML5 Battery Status API, also notes privacy concerns about an API that lets websites check the battery status of users without having to gain their permission to do so.

The researchers write:

The API does not require user permission to read the battery information, any website or third-party scripts included on them, can use the API. The API also does not require browsers to notify users when the battery information is accessed. That allows website and third-party scripts to access the battery information transparently – without users’ awareness.

The ostensible aim of the battery API is to allow websites to automatically switch from high power to energy-saving versions if they detect a user needs to conserve battery. However the researchers discovered that the way the API had been implemented by Firefox on GNU/Linux was problematic, allowing for “seemingly innocuous information” provided by the API to serve as a tracking identifier (aka a “new device fingerprinting vector”) — potentially allowing websites to track browsing activity across different sessions, such as private browsing modes or after clearing cookies.

The specific issue with Firefox focused on the precision with which it tracked battery life percentage on Linux — reading the value in “64 bit double precision floating point format and multipl[ying] it by 0.01 to obtain the battery level.” That double precision value was then exposed to website scripts through the Battery Status API — providing a granular measure which they argued could be used to identify an individual mobile device, such as a smartphone or laptop.

The problem was limited to Firefox browser on GNU/Linux, with the battery level being exposed by Firefox on Windows, Mac OS X and Android being far less precise, according to the researchers.

They note:

In our exploratory survey of the Battery Status API implementations, we observed that the battery level reported by the Firefox browser on GNU/Linux was presented to Web scripts with double precision. An example battery level value observed in our study was 0.9301929625425652. We found that on Windows, Mac OS X and Android, the battery level reported by Firefox has just two significant digits (e.g. 0.32).

On Linux, Firefox reads battery level info using a Linux tool called UPower — which was ultimately the source of this more comprehensive power-management data.

Sketching how a tracking script could make use of the battery info, they write:

A third-party script that is present across multiple websites can link users’ visits in a short time interval by exploiting the battery information provided to Web scripts. In order to do that, scripts can use the values of battery level, dischargingTime and chargingTime. The readings will be consistent on each of the sites, because of the fact that the update intervals (and their times) are identical. This could enable the third-party script to link these concurrent visits. Moreover, in case the user leaves these sites but then, shortly afterwards, visits another site with the same third-party script, the readings would likely be utilized to help in linking the current visit with the preceding ones.

In addition to fingerprinting devices based on battery level, the researchers suggest battery capacity could also be used as a tracking vector — noting that the Battery Status API can be used to “infer the current battery capacity (EnergyFull) of a device if it allows high precision level readouts.” Again they note this method only worked for UPower and Firefox on Linux.

Discussing ways to defend against these battery API-related tracking attacks, the researchers say the implementation of the API should avoid providing high-precision values — rounding the battery level value being one way to minimize exposing such identifying marks.

They conclude:

The analysis of Web standards, APIs and their implementations can reveal unexpected Web privacy problems by studying the information exposed to Web pages. The complex and sizable nature of the new Web APIs and their deeper integration with devices make it hard to defend against such threats. Privacy researchers and engineers can help addressing the risks imposed by these APIs by analysing the standards and their implementations for their effect on Web privacy and tracking. This may not only provide an actionable feedback to API designers and browser manufactureres, but can also improve the transparency around these new technologies.

In the paper, the researchers also point to related research on additional browser fingerprinting techniques — such as the Panopticlick study which demonstrated how browser properties (such as screen size, font lists and plugins) can be used to fingerprinter users; or researchers who have demonstrated tracking methods using other properties such as clock skew, font metrics, network protocol characteristics, JavaScript engine performance or WebGL and canvas rendering.

At the end of last month, security researchers also demoed how a technique that collects users keystrokes — and analyzes their typing style — could be used to profile and expose users of the anonymous Tor browser.