STE WILLIAMS

W3C’s bright idea turned your battery into a SNITCH for websites

Website owners keen on tracking netizens, but thwarted by AdBlock or similar, could instead look at their battery charge information to identify them.

How so? A feature the W3C added to HTML5 that lets a website interrogate the state of a visitor’s battery.

According to security boffins writing for the International Association for Cryptologic Research, “all the information exposed by the Battery Status API is available without users’ permission or awareness.”

The W3C’s bright idea was that if a server could access a user’s battery state, it could dish up a lighter version of a page for someone with low battery remaining, thus only burdening users with full batteries the endless pile of useless cruft that constitutes modern user-tracking and “enhanced web experience.”

“Although the potential privacy problems … were discussed by Mozilla and Tor Browser developers as early as 2012 [when the API was introduced], neither the API nor the Firefox implementation has undergone a major revision,” the paper [PDF] states.

In a cruel twist, the API is only implemented in Firefox, Chrome, and Opera at the moment: Internet Explorer and Safari users can bask in a moment of smugness.

Websites obtain the battery's level, chargingTime, and dischargingTime properties by calling the navigator.getBattery() method in JavaScript.

The researchers say they’ve identified about 14 million possible combinations of the battery API properties: nearly 40,000 possible discharge time states and 90 possible battery states.

Since these values only update every 30 seconds, they're persistent enough to identify people across different sites, even if the user has gone full tinfoil-hat.

“When consecutive visits are made within a short interval, the website can link users’ new and old identities by exploiting battery level and charge/discharge times. The website can then reinstantiate users’ cookies and other client side identifiers, a method known as respawning,” the paper continues.

“Note that, although this method of exploiting battery data as a linking identifier would only work for short time intervals, it may be used against power users who can not only clear their cookies but can go to great lengths to clear their evercookies.”
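The linking trick works because a high-precision level and second-exact discharge time change on every sample yet match across two sites visited seconds apart; coarsening what the browser reports removes most of that identifier. As an added example, not code from the paper or from any browser, this Node-runnable JavaScript rounds the values a page can read and counts how many distinct identifiers survive on constructed readings. The 1% level step and 300-second time bucket are assumed values, and the `charging` flag is part of the API though the article does not name it.

```javascript
// Added example (not from the paper or any browser): coarsen the values a
// site can read through navigator.getBattery() so that readings taken a few
// seconds apart no longer form a near-unique linking identifier.

const LEVEL_STEP = 0.01;      // assumed: report level in 1% steps (about 100 states)
const TIME_BUCKET_S = 300;    // assumed: report times rounded to 5 minutes

// Round a raw BatteryManager-like reading to coarse buckets.
function coarsen(raw) {
  const roundTo = (x, step) =>
    Number.isFinite(x) ? Math.round(x / step) * step : x;  // Infinity stays Infinity
  return {
    charging: Boolean(raw.charging),
    level: Number(roundTo(raw.level, LEVEL_STEP).toFixed(2)),
    chargingTime: roundTo(raw.chargingTime, TIME_BUCKET_S),
    dischargingTime: roundTo(raw.dischargingTime, TIME_BUCKET_S),
  };
}

// Serialise a reading into the kind of key a tracker would compare across sites.
function stateKey(s) {
  return [s.charging, s.level, s.chargingTime, s.dischargingTime].join('|');
}

// Count how many distinct identifiers a set of readings yields, raw versus coarse.
function distinctStates(readings) {
  const raw = new Set(readings.map(stateKey));
  const coarse = new Set(readings.map((r) => stateKey(coarsen(r))));
  return { raw: raw.size, coarse: coarse.size };
}

// Constructed sample: one laptop sampled every few seconds while discharging.
// The high-precision level and second-exact time differ on every sample.
const SAMPLE_READINGS = [
  { charging: false, level: 0.4573212, chargingTime: Infinity, dischargingTime: 6543 },
  { charging: false, level: 0.4570918, chargingTime: Infinity, dischargingTime: 6539 },
  { charging: false, level: 0.4568624, chargingTime: Infinity, dischargingTime: 6535 },
  { charging: false, level: 0.4566330, chargingTime: Infinity, dischargingTime: 6531 },
];

console.log(distinctStates(SAMPLE_READINGS));   // { raw: 4, coarse: 1 }
```

Every raw sample is a different identifier, while all four coarsened samples collapse to the same state, which is the property a browser-side fix needs.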

It sounds like the W3C could do with a long consultation with the IETF, which last year decided that “pervasive monitoring is an attack.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/08/04/w3cs_turned_your_battery_into_a_snitch/
