New research shows how your smartphone's or laptop's battery can be used to invade your privacy. In fact, your device's remaining battery charge alone is enough to compromise it.
The privacy vulnerability lies in a lesser-known HTML5 feature, the Battery Status API, which lets websites read your device's battery status with enough precision that it can be used to identify you across visits, even if you are using anonymizing software such as Tor.
Why Do Web Browsers Use the Battery Status API?
The Battery Status API, usually referred to simply as the Battery API, exposes information about your device's battery to web pages. The information provided includes the battery level, the charging time and the discharging time.
The Battery API is currently supported by the Firefox, Chrome and Opera web browsers. It was introduced in 2012 by the World Wide Web Consortium (W3C), the organisation that oversees the development of web standards.
The API also lets websites receive notification events that are sent automatically whenever your battery's status changes, i.e. when it starts charging or discharging.
According to browser developers, websites use this information to optimise content and resource usage, improving the performance of both the website and your device and, as a result, conserving your device's battery power.
For instance, if your device's battery is low, the Battery API lets the website know so it can reduce its resource usage and slow the drain; if the battery is about to run out, the website can save your changes to prevent possible data loss.
How Can the Battery Status API Be Used to Invade Your Privacy?
So far, everything the Battery Status API does seems good and beneficial for you, the user. The problem arises when the data it exposes is used to build a digital fingerprint of your device and to track your online activities.
Your online presence can be tracked because the battery in each device reports its own distinctive values.
In section 4, "Security and privacy considerations", of the Battery API specification published by the W3C, websites are explicitly exempted from having to ask permission before reading battery information, with the justification that
“The information disclosed has minimal impact on privacy or fingerprinting, and, therefore, is exposed without permission grants.”
A recent research paper by Belgian and French security researchers now calls the W3C's privacy statement about the Battery API into question.
The researchers point out that the information websites receive via the Battery API is very specific: it includes the estimated remaining battery capacity both in seconds and as a percentage.
Combined, these two figures can take one of about fourteen million values, which means the pair can act as a unique ID for each user. Furthermore, the battery status figures update roughly every half a minute, so they can be used to identify a user on a website within a 30-second window.
The researchers claim that a website can reconstruct your battery's identity within that 30-second window even if you visit it through a proxy and then revisit it without the proxy.
Research document states:
Users who try to re-visit a website with a new identity may use browsers’ private mode or clear cookies and other client side identifiers. When consecutive visits are made within a short interval, the website can link users’ new and old identities by exploiting battery level and charge/discharge times. The website can then reinstantiate users’ cookies and other client side identifiers, a method known as respawning.
Note that, although this method of exploiting battery data as a linking identifier would only work for short time intervals, it may be used against power users who can not only clear their cookies but can go to great lengths to clear their evercookies.
Escaping this sort of tracking would be next to impossible for any user, because every laptop and smartphone has a battery. The risk is higher still for users whose old batteries have diminished capacity, since their devices report more unusual values.
But don’t worry, we at HackRead.com respect your privacy and will help you out in disabling the Battery Status API feature of your web browser.
How to Disable the Battery Status API on Firefox
Mozilla Firefox users can disable the Battery API by following these four simple steps:
Step # 1: Open Firefox's advanced settings page by typing ‘about:config’ into the address bar and pressing Enter.
NOTE: You will see a warning page. Please take this warning seriously, as changing a setting you do not understand could cause serious problems.
Once you are past the warning page, move on to step # 2.
Step # 2: You will see a Search field at the top; search for ‘dom.battery.enabled’.
Step # 3: You will now see a setting named ‘dom.battery.enabled’, with its value set to ‘true’.
Step # 4: To change the value to ‘false’, right-click ‘dom.battery.enabled’ and then click ‘Toggle’.
Congratulations, the Battery Status API has been successfully disabled on your web browser.
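For browsers that offer no such preference, a user script or extension can wrap the API instead of switching it off, returning values too coarse to serve as the 30-second linking key described above. The shim below is an added example, not code from this article or from the researchers' paper; it assumes the W3C API shape (navigator.getBattery() returning a promise of an object with level, charging, chargingTime and dischargingTime), and installBatteryShim is a hypothetical helper name.

```javascript
// Added example: coarsen the Battery Status API so (level, charge/discharge time)
// no longer forms a fine-grained identifier. Assumes the W3C BatteryManager shape:
// level in 0..1, charging boolean, chargingTime/dischargingTime in seconds
// (Infinity when unknown).
const LEVEL_BUCKETS = 10;        // report level in tenths instead of fine-grained values
const TIME_STEP_SECONDS = 900;   // report remaining time in 15-minute buckets

// Round the battery level to the nearest tenth; malformed input maps to "full".
function coarsenLevel(level) {
  if (typeof level !== 'number' || !(level >= 0 && level <= 1)) return 1;
  return Math.round(level * LEVEL_BUCKETS) / LEVEL_BUCKETS;
}

// Round a charge/discharge time up to the next bucket; Infinity ("unknown") passes through.
function coarsenTime(seconds) {
  if (typeof seconds !== 'number' || !(seconds >= 0) || seconds === Infinity) return Infinity;
  return Math.ceil(seconds / TIME_STEP_SECONDS) * TIME_STEP_SECONDS;
}

// Build the frozen, event-free snapshot handed to page scripts.
function coarseSnapshot(real) {
  return Object.freeze({
    charging: real ? Boolean(real.charging) : true,
    level: real ? coarsenLevel(real.level) : 1,
    chargingTime: real ? coarsenTime(real.chargingTime) : 0,
    dischargingTime: real ? coarsenTime(real.dischargingTime) : Infinity,
    // No change events: a page cannot watch the discharge curve tick every ~30 s.
    addEventListener() {},
    removeEventListener() {},
  });
}

// Hypothetical helper: wrap nav.getBattery. The navigator object is passed in so the
// same code runs against a fake navigator here; in a user script call installBatteryShim(navigator).
function installBatteryShim(nav) {
  const original = typeof nav.getBattery === 'function' ? nav.getBattery.bind(nav) : null;
  nav.getBattery = async function getBattery() {
    const real = original ? await original() : null;
    return coarseSnapshot(real);
  };
  return nav;
}

// Constructed sample: a fake navigator reporting the fine-grained values a real one would.
const fakeNavigator = {
  getBattery: async () => ({ charging: false, level: 0.4367, chargingTime: Infinity, dischargingTime: 5241 }),
};
```

With the shim installed, the sample above is reported as level 0.4 and dischargingTime 5400 rather than 0.4367 and 5241, so two visits half a minute apart no longer yield a distinctive pair.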
If you are on Chrome or Opera web browser then stay tuned, we will update this article with steps to disable Battery Status API on Chrome and Opera.
Source: EPrint, http://eprint.iacr.org/2015/616.pdf