W3C's bright idea turned your battery into a SNITCH for websites
Website owners keen on tracking netizens, but thwarted by AdBlock or similar, could instead look at the battery charge in people's devices to identify them.
How so? A feature the W3C added to HTML5 that lets a website interrogate the state of a visitor's battery.
According to security boffins writing for the International Association for Cryptologic Research, "all the information exposed by the Battery Status API is available without users' permission or awareness." In a paper, the team add:
Our study shows that websites can discover the capacity of users’ batteries by exploiting the high precision readouts provided by Firefox on Linux. The capacity of the battery, as well as its level, expose a fingerprintable surface that can be used to track web users in short time intervals. Our analysis shows that the risk is much higher for old or used batteries with reduced capacities, as the battery capacity may potentially serve as a tracking identifier.
The W3C's bright idea for the battery API was that if a server could detect a user's battery state, it could dish out a lighter, CPU-friendly version of a page for someone with a low charge remaining. Thus, only users with full batteries would be burdened with the endless pile of useless cruft that constitutes the Web 2.0.
"Although the potential privacy problems ... were discussed by Mozilla and Tor Browser developers as early as 2012 [when the API was introduced], neither the API nor the Firefox implementation has undergone a major revision," the paper [PDF] states.
The API is implemented in Firefox, Chrome, and Opera at the moment, and not Internet Explorer and Safari. The researchers reported the privacy issue to Firefox-maker Mozilla in January, and a fix was released in June for the web browser.
The researchers say they've identified about 14 million possible combinations of the battery API properties: nearly 40,000 possible discharge time states and 90 possible battery states.
Since they only update every 30 seconds, they're persistent enough to identify people across different sites, even if the user has gone full tinfoil-hat.
"When consecutive visits are made within a short interval, the website can link users' new and old identities by exploiting battery level and charge/discharge times. The website can then reinstantiate users' cookies and other client side identifiers, a method known as respawning," the paper continues.
"Note that, although this method of exploiting battery data as a linking identifier would only work for short time intervals, it may be used against power users who can not only clear their cookies but can go to great lengths to clear their evercookies."
It sounds like the W3C could do with a long consultation with the IETF, which last year decided that "pervasive monitoring is an attack." ®