Leaky battery attack reveals the paths you walk in life More than 100 mobile apps leak users' location regardless of whether they opt to keep the information private, according to researchers. Power consumption data is the source of the leaks, which make it possible to determine users' whereabouts with 90 percent accuracy. A quartet from Stanford University and Israeli defence …
1. This is POC - to prove the point and show correlation.
2. WiFi power budget and cell power budget can give you for a specific scenario location (and/or) movememnt of the target in an environment where GPS is useless such as a mall. In that case, you need the GPS for the coarse coordinates before you start looking at the indoor locators
3. This is of specific interest for "specific" applications such as passive monitoring of a target mark because in one innocuous looking call you get:
3.1. Is the phone in use or not. High power budget means screen is on and user is doing something
3.2. Is the user moving indoors (and outdoors for that matter) without querrying GPS
3.3. If you have an external correlator you can get location too.
4. There is a lot of prior art here too. One of the techniques to attack crypto on embedded devices for a long time has been to monitor their power draw.
The researchers' app has GPS access to compile route profiles in advance of an attack. They haven't bothered to actually make a dedicated app to deploy on target phones - they don't need to do so. Such a malicious app on the target's phone would only require access to battery data and the network. From the PDF:
Suppose an attacker measures in advance the power profile consumed by a phone as it moves along a set of known routes or in a predetermined area such as a city. We show that this enables the attacker to infer the target phone’s location over those routes or areas by simply analyzing the target phone’s power consumption over a period of time.
. . .
We emphasize that our approach is based on measuring the phone’s aggregate power consumption and nothing else. We do not read the phone’s signal strength since that data is protected on Android and iOS devices and reading it requires user per-mission. In contrast, reading the phone’s power consumption requires no special permissions and we therefore focus all our efforts on what can be learned from this data.
We assume a malicious application has been installed on the victim’s device and runs in the background while the victim is tracked. The malicious application has neither permission to access the GPS, nor other location providers (e.g. cellular or WiFi network). The application has no permission to access the identity of the currently attached or visible cellular base stations or SSID of the WiFi networks.
This is the proof of concept & calibration application.
They've left the GPS code in there so that they can get the battery levels against location to act as a way of baselining the system.
Presumably they could then turn GPS location off, and pass the power usage back through the baseline data, and reconstruct the location.
>I'm guessing this only works if (a) the phone has a SIM card in it and (b) the phone is turned on?
Yes, that is correct.
The idea is this:
- Location data (GPS and course location from cell tower ID and trig) require permissions in Android and iOS.
- Power Consumption data and Network access are commonly granted permissions in Android and iOS.
The researchers are using 'innocent' power consumption data as a proxy for signal strength data.
That isn't true re: iOS.
Power consumption data isn't available to apps on iOS. It's only available while tethered to the development host.
Further, in iOS true battery level information is protected from apps by approximating to the nearest 5%.
Do the developer notes mention why this was done? I assume it was this done for security - i.e. limit sharing of information that apps don't need to avoid giving away information they shouldn't have. Can't see any other reason why access to battery level would be quantized like that.
Interesting that Apple shows such advanced security thinking here, but has lagged in other areas like not supporting two factor authentication in iCloud until it caused a PR problem.
In some businesses, people may have to install an app that's been developed in house, for instance. And since an app using this technique doesn't throw up any alerts about permissions, some companies might well think they could do this.
Remember that in some situations, knowing that someone isn't where they are supposed to be could be just as useful as knowing where they are. A company with people who work in the field might well find this sort of technique handy for knowing whether or not their reps are where they're supposed to be, or if they're spending rather too long at lunch, instead.
Bung a library that does this into an app that provides a corporate manual, brochure or something like that, and you have a tracking system on employees' phones, without them being any the wiser.
This can also be applied to electrons, or more specifically any particle in the universe.
As no two particles can share the same energy state, we only need to know their power use, and we know their location in the universe (to the planck scale).
[Physicist shouts at me and asks for their hat back...]
This post has been deleted by its author
I don't believe it. Firstly it would mean that the attacker has compiled a detailed power profile of every location inside an area covering everywhere the target is likely to go, secondly that the power profiles will remain static rather than changing with e.g. cell congestion or physical objects such as vehicles and thirdly that there are no two routes that would generate very similar power profiles.
"Firstly it would mean that the attacker has compiled a detailed power profile of every location inside an area covering everywhere the target is likely"
Easy for the Israelis in the West Bank or Gaza
especially after most sources of interference have been removed by bombing the power stations and grid out of existence
Don't forget whose technology this is...
From the article: "Power consumption data is the source of the leaks, which make it possible to determine users' whereabouts with 90 percent accuracy."
Come on El Reg - this needs clarifying. Does it mean it's exactly accurate 90% of the time, or locates you within the correct 10% of the earth's surface all the time, or something in between that '90 percent accuracy' totally fails to convey?
Looking forward to enlightenment,
AC
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2023
