An application that checks the battery status of users' devices so Web sites can switch them to power-saving modes can also be used to provide identifiable "fingerprints" of users without their knowledge, according to European researchers. The research team focused on the application's use in Firefox, which has since deployed a fix for the bug.
The Battery Status application programming interface (API) in HTML5 provides information about the remaining power in laptops or mobile devices without users' permission, according to a study authored by researchers in France and Belgium. The data provided by the API, particularly for old and used batteries, could "potentially serve as a tracking identifier," according to the researchers.
After identifying the privacy flaw, the researchers developed a way to modify the API in Firefox on Linux to eliminate that concern. They submitted a bug report to Mozilla, which operates the Firefox browser, and Mozilla provided a fix for the problem.
Enabling Short-Term Fingerprinting, Tracking
The team undertook its research because co-author Lukasz Olejnik, a security and privacy research engineer formerly at France's INRIA, "noticed the high-precision battery level readouts provided by Firefox on Linux," Gunes Acar, one of the study's authors and a researcher at Katholieke Universiteit Leuven in Belgium, told us.
Acar said the researchers had serious concerns about the new HTML5 functionalities (APIs) added to the browser and their potential impacts on privacy and security.
Although the W3C specifications for the Battery Status API state that "the information disclosed has minimal impact on privacy or fingerprinting, and therefore is exposed without permission grants," the researchers discovered that was not the case. The accessible details about the status of the batteries could enable fingerprinting and tracking of devices in the short term.
Sensor-Related APIs a Concern
Acar said the team was surprised to find the vulnerability in Firefox "since Mozilla is known to be more cautious than other browser manufacturers in terms of privacy." He added that other browsers such as Chrome and Opera didn't provide battery data in as much detail as Firefox, but even there, such "low-precision readouts can be exploited for tracking in short-term intervals."
Other research has identified additional APIs with fingerprinting potential. Last month, for instance, independent security researchers Per Thorsheim and Paul Moore revealed how keystroke tracking -- monitoring how users type in information on Web sites -- could be used to identify people even on the anonymous Tor network. And in 2013, researchers at Stanford found that smartphone accelerometers, sensors that detect a device's movement, can generate unique data that could be used to identify an individual owner.
"I believe it's more scary than the battery since it's more identifying," Acar said of the accelerometer vulnerability. He added that, in general, sensor-related APIs such as those for detecting ambient light, ambient humidity and atmospheric pressure, "concern me."