There are a myriad of ways you can be tracked online – from supercookies, to canvas fingerprinting and malware. Now you can add your device’s battery status to the list, according to research by Steve Engelhard and Arvind Narayanan – two academics from Stanford University.
The attack takes advantage of the HTML5 Battery Status API, which allows servers to determine when they need to send an energy-efficient version of a website. It lets them see how much charge a laptop, tablet, or smartphone has in terms of time remaining until discharge, and as an overall percentage.
The researchers have determined that these two figures can be combined to provide a semi-unique identifier which can be used to track devices between websites they visit. According to the researchers, there are 14 million different combinations of battery life as a percentage and remaining time.
From The Guardian:
“Suppose a user loaded their church website in their version of Firefox, and then opened up the website for a satanic cult using a Chrome browser in private browsing mode piped through a secure VPN. Ordinarily, the two connections should be very difficult to associate with one another, but an advert that was loaded on both pages at once would be able to tell that the two devices were almost certainly the same, with just a one in 14m chance of being mistaken.”
The worst part of this attack is that it’s hard to mitigate. You can’t deal with it as easily as you would wipe your browser cookies. VPNs and ad blockers won’t help either. The only option is to plug the device into the mains.
Although it’s unclear whether this sort of thing is being routinely used against users, for some time, many in the security community have held concerns about the Battery Status API. This May, Uber announced it had been monitoring the battery life of its users, and had observed that users were far more willing to pay for surge pricing when their phones were close to dying.
While there isn’t an easy way to disable the Battery Status feature right now (unless you use Firefox), there are rumors that browser vendors are looking to introduce features that will allow them to disable this, as they have with HTML5’s notifications and location features.
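To see why exact readings are so identifying and why coarser ones are not, here is an added example (not code from the researchers or from any browser) that counts how many distinct level-plus-time pairs a group of devices produces before and after a hypothetical browser-side rounding step. The device readings are constructed, and the `coarsen` function and its 10% step are assumptions made for illustration; the field names follow the API's `level` and `dischargingTime`.

```javascript
// Added example: constructed readings shaped like the Battery Status API's
// BatteryManager fields (level is 0..1, dischargingTime is seconds or Infinity).

// The pairing the article describes: charge level plus time remaining.
function readingKey(r) {
  return `${r.level}|${r.dischargingTime}`;
}

// Hypothetical mitigation (an assumption, not a shipped browser feature):
// round level to a coarse step and report the discharge time as Infinity,
// the value the API already returns while the device is charging.
function coarsen(r, step = 0.1) {
  const level = Math.round(r.level / step) * step;
  return { level: Number(level.toFixed(2)), dischargingTime: Infinity };
}

// Number of distinct keys a population of devices produces.
function distinctKeys(readings, transform = (r) => r) {
  return new Set(readings.map((r) => readingKey(transform(r)))).size;
}

// Constructed population: n devices, each in a different battery state.
function samplePopulation(n = 1000) {
  const out = [];
  for (let i = 0; i < n; i++) {
    out.push({
      level: ((i % 100) + 1) / 100,   // 0.01 .. 1.00
      dischargingTime: 600 + i * 37,  // seconds, different for every device
    });
  }
  return out;
}

const devices = samplePopulation();
console.log("distinct raw keys:      ", distinctKeys(devices));
console.log("distinct coarsened keys:", distinctKeys(devices, coarsen));
```

With the raw values every constructed device is distinguishable; after rounding, the whole group falls into a handful of shared buckets, which is also what happens to the time field when a device is plugged in.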
We’ve reached out to the researchers of this paper. We’ll update this article if we hear back from them.