The Leaking Battery

A Privacy Analysis of the HTML5 Battery Status API

  • Conference paper

Abstract

We highlight privacy risks associated with the HTML5 Battery Status API. We put special focus on its implementation in the Firefox browser. Our study shows that websites can discover the capacity of users’ batteries by exploiting the high-precision readouts provided by Firefox on Linux. The capacity of the battery, as well as its level, exposes a fingerprintable surface that can be used to track web users in short time intervals.

Our analysis shows that the risk is much higher for old or used batteries with reduced capacities, as the battery capacity may potentially serve as a tracking identifier. The fingerprintable surface of the API could be drastically reduced without any loss in the API’s functionality by reducing the precision of the readings. We propose minor modifications to the Battery Status API and its implementation in the Firefox browser to address the privacy issues presented in the study. Our bug report for Firefox was accepted and a fix is deployed.

Notes

  1. Firefox does not implement the navigator.getBattery() method; instead, it exposes a navigator.battery object.

  2. For instance, a dischargeTime of 355 s may be too short for a full battery, or a dischargeTime of 40277 s may be too long for a battery with level 0.1.

  3. See, for example, [8, 15] on the “floating-point determinism problem.”

  4. Observe that the possible capacities in these calculations include reduced battery capacities (that is, they are not limited to battery capacities on the market). Still, we could find the candidate capacities on an off-the-shelf computer without significant computational overhead. We believe an adversary with moderate storage resources can easily build a lookup table to further reduce the computation time.

References

  1. Proposal for a smaller battery API (2012). https://groups.google.com/forum/#!searchin/mozilla.dev.webapi/Why20is20the20battery20API20exposed20to20unprivileged20content3F/mozilla.dev.webapi/6gLD78z6ASI/Sz1DH2gWN9wJ. Accessed 24 June 2014

  2. Why is the battery API exposed to unprivileged content? (2012). https://groups.google.com/forum/#!topic/mozilla.dev.webapi/V361K7c0olQ/discussion. Accessed 26 March 2014

  3. Battery Status API - Can I use... Support tables for HTML5, CSS3, etc (2014). http://caniuse.com/#search=battery. Accessed 24 June 2014

  4. Acar, G., Eubank, C., Englehardt, S., Juarez, M., Narayanan, A., Diaz, C.: The web never forgets: persistent tracking mechanisms in the wild. In: 21st ACM Conference on Computer and Communications Security (CCS), pp. 674–689. ACM (2014)

  5. Acar, G., Juarez, M., Nikiforakis, N., Diaz, C., Gürses, S., Piessens, F., Preneel, B.: FPDetective: dusting the Web for fingerprinters. In: 20th ACM Conference on Computer and Communications Security (CCS), pp. 1129–1140. ACM (2013)

  6. Ayenson, M., Wambach, D.J., Soltani, A., Good, N., Hoofnagle, C.J.: Flash cookies and privacy II: now with HTML5 and ETag respawning. In: World Wide Web Internet and Web Information Systems (2011)

  7. Chen, Y.-C., Liao, Y., Baldi, M., Lee, S.-J., Qiu, L.: OS fingerprinting and tethering detection in mobile networks, pp. 173–179 (2014)

  8. Dawson, B.: FloatingPoint Determinism – Random ASCII (2013). https://randomascii.wordpress.com/2013/07/16/floating-point-determinism/. Accessed 31 August 2015

  9. Eckersley, P.: How unique is your web browser? In: Atallah, M.J., Hopper, N.J. (eds.) PETS 2010. LNCS, vol. 6205, pp. 1–18. Springer, Heidelberg (2010)

  10. Fifield, D., Egelman, S.: Fingerprinting web users through font metrics. In: Böhme, R., Okamoto, T. (eds.) FC 2015. LNCS, vol. 8975, pp. 107–124. Springer, Heidelberg (2015)

  11. Hughes, R.: UPower Reference Manual (2010). http://upower.freedesktop.org/docs/. Accessed 22 June 2014

  12. Kamkar, S.: Evercookie (2010). http://samy.pl/evercookie. Accessed 24 June 2014

  13. Kohno, T., Broido, A., Claffy, K.C.: Remote physical device fingerprinting. IEEE Trans. Dependable Secure Comput. 2(2), 93–108 (2005)

  14. Kostiainen, A., Lamouri, M.: Battery Status API (2012). https://bugzilla.mozilla.org/show_bug.cgi?id=1124127

  15. Monniaux, D.: The pitfalls of verifying floating-point computations. ACM Trans. Program. Lang. Syst. (TOPLAS) 30(3), 12 (2008)

  16. Mowery, K., Bogenreif, D., Yilek, S., Shacham, H.: Fingerprinting information in JavaScript implementations. In: Web 2.0 Workshop on Security and Privacy (W2SP), vol. 2. IEEE (2011)

  17. Mowery, K., Shacham, H.: Pixel perfect: fingerprinting canvas in HTML5. In: Web 2.0 Workshop on Security and Privacy (W2SP). IEEE (2012)

  18. Nakibly, G., Shelef, G., Yudilevich, S.: Hardware fingerprinting using HTML5 (2015). CoRR, arxiv.1503.01408

  19. Nikiforakis, N., Kapravelos, A., Joosen, W., Kruegel, C., Piessens, F., Vigna, G.: Cookieless monster: exploring the ecosystem of web-based device fingerprinting. In: IEEE Symposium on Security and Privacy (SP), pp. 541–555. IEEE (2013)

  20. Olejnik, L.: Bug 1124127 - Round Off Navigator Battery Level on Linux (2015). https://bugzilla.mozilla.org/show_bug.cgi?id=1124127. Accessed 30 February 2015

  21. Soltani, A., Canty, S., Mayo, Q., Thomas, L., Hoofnagle, C.J.: Flash cookies and privacy. In: Intelligent Information Privacy Management, AAAI Spring Symposium (2010)

  22. Tor Bugs: TorBrowser Bundle. #5293 Hook charging+discharching rates in Battery API (2012). https://trac.torproject.org/projects/tor/ticket/5293. Accessed 24 June 2014

Author information

Authors and Affiliations

  1. INRIA Privatics, Grenoble, France

    Łukasz Olejnik & Claude Castelluccia

  2. KU Leuven, ESAT/COSIC and iMinds, Leuven, Belgium

    Gunes Acar & Claudia Diaz

Corresponding author

Correspondence to Łukasz Olejnik.

Editor information

Editors and Affiliations

  1. Telecom SudParis, Evry, France

    Joaquin Garcia-Alfaro

  2. Universitat Autònoma de Barcelona, Bellaterra, Spain

    Guillermo Navarro-Arribas

  3. University of Urbino, Urbino, Italy

    Alessandro Aldini

  4. National Research Council - C.N.R., Pisa, Italy

    Fabio Martinelli

  5. Department of Computer Science, TU Darmstadt, Darmstadt, Germany

    Neeraj Suri

About this paper

Cite this paper

Olejnik, Ł., Acar, G., Castelluccia, C., Diaz, C. (2016). The Leaking Battery. In: Garcia-Alfaro, J., Navarro-Arribas, G., Aldini, A., Martinelli, F., Suri, N. (eds) Data Privacy Management, and Security Assurance. DPM QASA 2015 2015. Lecture Notes in Computer Science, vol 9481. Springer, Cham. https://doi.org/10.1007/978-3-319-29883-2_18
