
The Leaking Battery

A Privacy Analysis of the HTML5 Battery Status API
  • Łukasz Olejnik
  • Gunes Acar
  • Claude Castelluccia
  • Claudia Diaz
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9481)

Abstract

We highlight privacy risks associated with the HTML5 Battery Status API, with a special focus on its implementation in the Firefox browser. Our study shows that websites can discover the capacity of users’ batteries by exploiting the high-precision readouts provided by Firefox on Linux. The capacity of the battery, together with its level, exposes a fingerprintable surface that can be used to track web users in short time intervals.

Our analysis shows that the risk is much higher for old or used batteries with reduced capacities, as the battery capacity may potentially serve as a tracking identifier. The fingerprintable surface of the API could be drastically reduced without any loss in the API’s functionality by reducing the precision of the readings. We propose minor modifications to the Battery Status API and its implementation in the Firefox browser to address the privacy issues presented in the study. Our bug report for Firefox was accepted and a fix is deployed.

Keywords

Double Precision; Battery Capacity; Privacy Risk; Network Address Translation; Battery Status
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Łukasz Olejnik (1)
  • Gunes Acar (2)
  • Claude Castelluccia (1)
  • Claudia Diaz (2)

  1. INRIA Privatics, Grenoble, France
  2. KU Leuven, ESAT/COSIC and iMinds, Leuven, Belgium
