Websites can look at phones’ batteries to try to give them special versions of the sites, but that same feature is being used to spy on users, tracking them around the internet and ripping them off.
Websites are prying into users’ phone batteries and using them to track them around the web.
Phones send how much of their battery is left, and how long it will take to charge, to websites that ask for it. It was intended as a way for those sites to decide not to tax their visitors’ batteries if they seemed to be running low, by presenting low-energy versions of themselves.
But that same feature can be used by malicious people to track phones as they move around the web, researchers have found. It is being used to spy on people as they go to different websites, allowing their browsing to be tracked, and potentially to steal from them, blackmail them or rip them off.
The problem comes because the information that phones innocently hand over can be used to accurately identify any particular phone. There are 18 million different combinations of phone battery and time left that a phone could possibly send over – so watching for that same information appearing on various sites can let people be tracked.
Theoretically, if someone visits one website, clears their phone’s memory and uses a VPN to disguise their location, and then heads to another, it shouldn’t be possible to connect those two activities. But whatever a person does, they can’t hide their battery, so snooping on how much charge each visitor has can be a useful way of finding out what people are up to.
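The linkage described above can be shown on a few constructed visit records. This is an added illustration, not code from the researchers or from any site: the `level`, `chargingTime` and `dischargingTime` fields mirror the attributes of the browser's battery interface, while `site`, `ip`, `t` and the `coarsen` mitigation are assumptions made for the example.

```javascript
// Constructed sample data: four visits, from different IPs and with no cookies.
// site, ip and t (milliseconds) are hypothetical log fields.
const visits = [
  { site: "a.example", ip: "198.51.100.7", t: 0,     level: 0.43, chargingTime: Infinity, dischargingTime: 8940 },
  { site: "b.example", ip: "203.0.113.20", t: 20000, level: 0.43, chargingTime: Infinity, dischargingTime: 8940 },
  { site: "b.example", ip: "203.0.113.55", t: 21000, level: 0.44, chargingTime: Infinity, dischargingTime: 9120 }, // another phone
  { site: "a.example", ip: "192.0.2.14",   t: 5000,  level: 0.81, chargingTime: 2400,     dischargingTime: Infinity },
];

// Key built only from battery state: survives cleared storage and a changed IP.
function batteryKey(v) {
  return [v.level, v.chargingTime, v.dischargingTime].join("|");
}

// Group visits by battery key and return the groups that span more than one
// site within a short time window (battery state drifts, so old matches are noise).
function crossSiteMatches(records, windowMs) {
  const groups = new Map();
  for (const v of records) {
    const k = batteryKey(v);
    if (!groups.has(k)) groups.set(k, []);
    groups.get(k).push(v);
  }
  const matches = [];
  for (const g of groups.values()) {
    const sites = new Set(g.map((v) => v.site));
    const times = g.map((v) => v.t);
    const span = Math.max(...times) - Math.min(...times);
    if (sites.size > 1 && span <= windowMs) matches.push(g);
  }
  return matches;
}

// Mitigation sketch (an assumption, not from the article): report the level in
// steps of 10% and withhold the time estimates, so many phones share one key.
function coarsen(v) {
  return { ...v, level: Math.round(v.level * 10) / 10, chargingTime: Infinity, dischargingTime: Infinity };
}

const exact = crossSiteMatches(visits, 30000);               // one group: the same phone on both sites
const blurred = crossSiteMatches(visits.map(coarsen), 30000); // one group of three: no longer unique
console.log(exact.map((g) => g.map((v) => v.ip)), blurred.map((g) => g.length));
```

With precise readings the two visits from one phone pair up exactly; with coarse readings the second phone falls into the same bucket, so the battery state no longer singles out one visitor.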
There have long been worries that the standard that sends out battery information could be used to track people. But researchers have now confirmed that it is being used in the wild.
The spying is a threat because it can be used to build up a picture of people’s browsing, even if they try to keep it secret. That can easily be used to track down people’s real identity or location, or find out things and then use them for blackmail.
Tracking people’s batteries can also let companies more easily rip people off.
“Additionally, some companies may be analyzing the possibility of monetizing the access to battery levels,” wrote Lukasz Olejnik, a security researcher. “When battery is running low, people might be prone to some – otherwise different – decisions. In such circumstances, users will agree to pay more for a service.”
That has already been seen theoretically with Uber, which has found that people are more likely to pay extra for a journey if their battery is about to die.