Forget about supercookies, apps, and malware; your smartphone battery status is enough to monitor your online activity, according to a new report.
In 2015, researchers from Stanford University demonstrated a way to track users' locations – with up to 90 percent accuracy – by measuring the battery usage of the phone over a certain time.
The latest threat is much worse.
Two security researchers, Steve Engelhard and Arvind Narayanan, from Princeton University, have published a paper describing how phone's battery status has already been used to track users across different websites.
The issue is due to the Battery Status API (application programming interface).
How Does Battery Status API Help Advertisers Track You?
The battery status API was first introduced in HTML5 and had already shipped in browsers including Firefox, Chrome, and Opera by August last year.
The API is intended to allow site owners to see the percentage of battery life left on a laptop, tablet, or smartphone in an effort to deliver an energy-efficient version of their sites.
However, researchers warned last year about the API's potential threat that could turn your battery level into a "fingerprintable" tracking identifier.
Become an Incident Response Pro!
Unlock the secrets to bulletproof incident response – Master the 6-Phase process with Asaf Perlman, Cynet's IR Leader!Don't Miss Out – Save Your Seat!
The researchers found that a combination of battery life loss in seconds and battery life as a percentage offers 14 Million different combinations, potentially providing a pseudo-unique identifier for each device that can be used to pinpoint specific devices between sites they visit.
Now, the last year's research has grown into a proper threat.
Advertisers Are Tracking You via your Battery Status
One of those researchers named Lukasz Olejnik has published a blog post this week, saying that companies are currently leveraging the potential of this battery status information.
"Some companies may be analyzing the possibility of monetising the access to battery levels," he writes. "When a battery is running low, people might be prone to some - otherwise different - decisions. In such circumstances, users will agree to pay more for a service."Olejnik underlined the latest research by Engelhard and Narayanan, who discovered two tracking scripts of shady code running on the Internet at large scale, which take advantage of battery status API and currently tracking users.
The duo explains that they observed the behavior of two actual scripts and suggested the companies and other entities are perhaps leveraging this technique for their own purposes.
"These features are combined with other identifying features used to fingerprint a device," the researchers write in their paper titled, "Online Tracking: A 1-million-site measurement and analysis."For in-depth information, you can head on to the research paper [PDF].
Here's come the worst part of this attack:
There's hardly any way to mitigate against this attack. Nothing works: Deleting browser cookies or using VPNs and AdBlockers will not solve your problem.
The only option is to plug your smartphone into the mains.
"Some companies may be analyzing the possibility of monetising the access to battery levels," Olejnik writes.Over two months ago, Uber's head of economic research Keith Chen said the company had been monitoring the battery life of its users, as it knows users are more likely to pay a much higher price to hire a cab when their phone's battery is close to dying.