A team of researchers has uncovered the unsettling truth that your phone battery can be used to track your internet activity and provide additional information that would otherwise have been thought of as private. The data could be used to tell where you’ve been on the internet and to identify unique codes of the phones themselves.
The team of Lukasz Olejnik, Gunes Acar, Claude Castelluccia and Claudia Diaz has said that it managed to identify 14 million combinations of the battery API, with nearly 40,000 discharge time states and 90 possible battery states. The information can be leaked simply by using any browser on your phone.
The general understanding was that mobile browsers such as Chrome, Opera and Firefox had access to the state of your phone’s battery in order to ascertain how much of it would be used. They could switch from high-power to power-saving mode to help the gadget conserve the battery, all for the user’s sake.
However, the French and Belgian team of researchers has uncovered that websites using HTML5 code are peeking a little deeper than first thought. When a user repeatedly visits the same website, the data from the Battery Status API could be used to identify details of the phone or the version of the device.
Even if a new “identity” is achieved through the use of a virtual private network (VPN) or the browser’s private mode, websites will still be able to recognize your information and link you to previous visits. They will reinstate cookies and other identifiers, along with tracking the user’s web history.
Old batteries with higher capacities are at even greater risk, and the researchers have sent all this information to Firefox so that the proper modifications can be made. So far, nothing has been done, nor has any word come back.
It’s a worrying fact, considering that a device can be identified by a website and given a number. By monitoring the users visiting the site, anyone with admin permission can see when that particular number has visited and then track down the device.
Measures against the privacy invasions caused by the battery API are currently under discussion. The researchers have suggested that the API should provide lower-precision values: a rounded number instead of an exact one that may link the code to a specific device. This would minimize the risk of attacks and exposure to identifying marks.
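The rounding mitigation suggested above, sketched in JavaScript as an added example that is not code from the article or the researchers. It counts how many distinct battery states a set of readings exposes before and after rounding; the step sizes, helper names and sample readings are assumptions constructed for illustration.

```javascript
// Added example. Field names follow the Battery Status API's BatteryManager
// (level, dischargingTime); all helper names and values are hypothetical.

// Constructed sample readings, as a page could see them across six visits.
const SAMPLE_READINGS = [
  { level: 0.57, dischargingTime: 13202 },
  { level: 0.58, dischargingTime: 13417 },
  { level: 0.61, dischargingTime: 14105 },
  { level: 0.31, dischargingTime: 6120 },
  { level: 0.29, dischargingTime: 5890 },
  { level: 0.6, dischargingTime: Infinity }, // plugged in, no discharge estimate
];

// Lower-precision view of one reading: level rounded to the nearest
// levelStepPct percent, dischargingTime to the nearest timeStepSec seconds.
function coarsen(reading, levelStepPct = 10, timeStepSec = 3600) {
  // Work in whole percent so the buckets are not skewed by float error.
  const pct = Math.round((reading.level * 100) / levelStepPct) * levelStepPct;
  const time = Number.isFinite(reading.dischargingTime)
    ? Math.round(reading.dischargingTime / timeStepSec) * timeStepSec
    : Infinity; // the API reports Infinity when charging or unknown
  return { level: pct / 100, dischargingTime: time };
}

// The pair of values a page observes, flattened to one comparable string.
function stateKey(reading) {
  return `${reading.level}|${reading.dischargingTime}`;
}

// Number of distinct states in a set of readings, optionally after a
// transform such as coarsen(). Fewer states means less identifying detail.
function distinctStates(readings, transform = (r) => r) {
  return new Set(readings.map((r) => stateKey(transform(r)))).size;
}

console.log("exact values:  ", distinctStates(SAMPLE_READINGS), "distinct states");
console.log("rounded values:", distinctStates(SAMPLE_READINGS, coarsen), "distinct states");
```

With exact values every reading is its own state; after rounding, readings taken at nearby charge levels fall into the same bucket and can no longer be told apart.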