At long last...
Finally a benefit of welded in batteries submerged under mountains of glue.
A group of researchers has demonstrated that smartphone batteries can offer a side-channel attack vector by revealing what users do with their devices through analysis of power consumption. Both snitching and exfiltration were described in this paper (PDF), accepted for July's Privacy Enhancing Technologies Symposium. Nobody …
And insert hardware of their choice, I think this battery attack is WAY down the list of what I'd need to worry about. Luckily the odds that someone will care about what I do enough to go to the expense of any attack that requires getting hold of my phone and modifying the hardware inside are extremely low!
Whenever I read stories like this I feel good, because the researchers are really grasping at straws to come up with something. KRACK or MELTDOWN, this is not!
I guess you're probably not in the intended target demographics. ;)
I would assume this would be employed through the practice of having modified hardware ready to go. Customs official/law enforcement clown/etc, for example, asks to see your phone for a few seconds, clones your data, switches the sim, and hands it back.
You may not be the target.
Imagine that the CIA, Kremlin, MI6 or any other clandestine organization was wanting to spy on an individual. They could have a "friend" deliver them a mobile phone with this battery spying tech on it. Wait for them to be on a cellular network and not WiFi and then upload the data through untraceable routes. There are other delivery vectors too. Study a person enough to know where they go and where they would buy and service phones. Then arrange for an "accident" so that the phone is damaged and while it is being repaired, plant the spying battery. Or, keep a special stock of modified phones and when the target has to replace his after the "accident" ensure that he buys the modified phone.
If they're specially modifying phones to skilfully force on their target at the right moment then I'd suggest there are a hell of a lot more effective things they could do to turn the phone into a spying device than put in a dodgy battery and rely on this pretty feeble exploit.
As said earlier, they'd likely have a duplicate of the phone, with the battery hack already applied. Then, they send an operative in with the hacked phone, swap it and get out before they are noticed.
I've made it sound easier than it probably is, but as someone pointed out in the documentary I saw about Stuxnet (Zero days - an excellent documentary), the various intelligence services have people that are very experienced in swapping out hardware, even in the most secure of places.
Dunno about Android, but what you describe isn't possible with an iPhone. You can't copy the Touch ID or Face ID info from one phone to another since that's saved by the Secure Element which is part of the SoC. If someone silently swapped my phone I'd know because it would no longer recognize my face. If they failed to copy the MAC address I'd also notice, though that should be simple to clone.
Yeah yeah I'm sure someone will say "the CIA could find a way" and possibly they could, but again I'm not personally concerned that the CIA cares about me to the degree they'd go to such a large expense. They'd be better off kidnapping me and threatening me with XKCD's $5 hammer. I'll tell them whatever they want to know!
As said earlier, they'd likely have a duplicate of the phone, with the battery hack already applied.
If they have a duplicate ready to go, then sure they could use the battery hack, or have a custom firmware implanted on the phone that phones home everything you do, or have hardware taps on all the data interfaces directly, no need to use interpreters or statistical analysis of battery usage to figure it out.
If they have long-term physical access, or can replace the entire phone, there are much better ways to do this if it is a targeted attack.
If the attacker has transient, short-term opportunistic access to a phone - the airport examination scenario for example - then it might be easier to replace the battery - depending on the phone model - than insert other hardware or install software/firmware compromises.
It could also be useful in a "mass compromise" situation, that is, every phone that goes through a particular repairer would get one of these batteries implanted. Or all batteries from a particular manufacturer are compromised so all phones that use that battery become compromised.
But as a general-purpose snooping vector, I think it is not really an 'escalation' in snoop vectors when compared to other, already existing possibilities. So it doesn't really significantly expand the attack surfaces considering it still requires physical access to the phone to do.
I am not all that clear on why you are so relaxed, considering that removable batteries seem very high on the wish list of many commentards here.
A user might very well buy a “poisoned” aftermarket battery, taking into account the typical gouge level that manufacturers apply to their branded batteries. Yes, you can expect exploding batteries, but keyboard sniffing should not be on the menu.
IMHO, until systems are much hardened against timing attacks, really high frequency/resolution sampling of “stuff” from the browser/JS should be disabled by default, whenever possible. Anything over say 60-240 Hz to cover display considerations. I believe that Firefox is doing just that to avoid Spectre timing attacks.
... it was the same people that brought us the speaker and HDD activity light hacking.
Although I have to admit this is kind of impressive, but purpose is defeated anyhow because you have physical access - and anything with physical access is pwned beyond fixing.
Probably for the spooks or those who really want to protect data. Not charging a phone at the same time as using it, as a bugged charger is a much easier attack vector. That and the possibility of bugged hardware from the factory (see the API claim; if the software is inherently weak, you only need malware, no physical access).
The first thing I thought of that this could be used for is a supply chain attack on burner phones. This sort of thing isn't easily implemented and there are other easier routes for most purposes. So if it or similar is going to be used, it requires a long setup. Hardware attacks get around most software defenses. Perhaps coupled with a watering hole attack, this might be useful in some cases where malware can't be expected to get the job done.
Thwarted though you make a good point about how utterly useless this is, how do you attach the microcontroller to the battery?
Maybe a better way would be to secretly install a camera in someone's glasses or replace someone's gloves with ones that record finger movement. Sometimes with these types of hack I don't think they have thought it through.
"surely you would have better options than the battery, like maybe the screen?"
If it's a replaceable battery it only takes a few seconds to switch. It's trivial compared to replacing the screen. Always carry a burner phone when visiting the USA, and maybe put identifying marks on the battery so you can tell if it's been swapped.
At least as much to do with them realising that the buying public has woken up to the scam of contracts, and (given batteries' limited lifetime with current technology; saw some interesting reporting at the weekend in this regard) so happily implementing an engineering solution to the end of the previously complacently presumed two-year upgrade cycle. Mine's the S5 Mini with (claimed) IP67 and a user-replaceable battery – that being the other myth the manufacturers like to perpetuate to justify baking in the batteries.
First thing you do when your not-IP69K phone is submerged. Oh, you can't. Well, grab a screwdriver, and quick-- it's an emergency!
Probably because of physical reality, such as position on screen and trivial difference in amount of current needed to draw one character instead of another.
For example, it is quite logical that drawing a T will light up more pixels than an I, and a W will require even more pixels, thus more power. A trifling more, granted, but measurable nonetheless.
There are several capacitors between the instantaneously changing power draw circuitry and the battery. Those smooth out the rapid variations in power draw. Furthermore the OS is not sitting doing nothing - lots of things are happening in the background making their own changes to the current consumption. Those are merged with any changes from the character drawing circuitry and the resultant total variation smoothed by the capacitors.
I very much doubt that any measuring device in the battery could tell what characters are being typed.
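The two comments above argue it both ways: per-glyph pixel counts give a small current difference, while decoupling capacitors and background activity wash it out. The toy simulation below is an added example (not from the paper or from either commenter): it uses constructed 5x5 glyph bitmaps, a one-sample draw spike, uniformly distributed background activity, and an exponential average as a stand-in for the capacitors' RC filtering, so you can see how much of the per-character gap survives smoothing relative to the noise.

```python
import random

# Constructed 5x5 bitmaps ("#" = lit pixel); not taken from the paper.
GLYPHS = {
    "I": ["..#..", "..#..", "..#..", "..#..", "..#.."],
    "T": ["#####", "..#..", "..#..", "..#..", "..#.."],
    "W": ["#...#", "#...#", "#.#.#", "#.#.#", ".#.#."],
}
DRAW_AT = 10  # sample index at which the glyph is drawn

def lit_pixels(glyph):
    """Number of lit pixels, the assumed proxy for draw current."""
    return sum(row.count("#") for row in GLYPHS[glyph])

def raw_trace(glyph=None, n=40, base=100.0, per_pixel=1.0, noise=0.0, seed=1):
    """Instantaneous current (arbitrary units): a constant base, one spike
    proportional to the glyph's pixel count at DRAW_AT (none if glyph is None),
    plus uniformly distributed background activity of amplitude `noise`."""
    rng = random.Random(seed)
    trace = []
    for i in range(n):
        v = base + rng.uniform(-noise, noise)
        if glyph is not None and i == DRAW_AT:
            v += per_pixel * lit_pixels(glyph)
        trace.append(v)
    return trace

def smooth(trace, alpha):
    """First-order low-pass (exponential average) standing in for the RC
    filtering of the decoupling capacitors; alpha=1.0 means no smoothing."""
    out, y = [], trace[0]
    for v in trace:
        y = alpha * v + (1.0 - alpha) * y
        out.append(y)
    return out

def peak_gap(a, b, alpha):
    """Distance between the peak currents for glyphs a and b after smoothing,
    with no background noise, i.e. the pure signal an attacker would need."""
    return max(smooth(raw_trace(a), alpha)) - max(smooth(raw_trace(b), alpha))

def noise_spread(alpha, noise):
    """Peak-to-peak variation of a smoothed trace with no glyph drawn at all."""
    t = smooth(raw_trace(None, noise=noise), alpha)
    return max(t) - min(t)

if __name__ == "__main__":
    for alpha in (1.0, 0.1):
        print(alpha, round(peak_gap("W", "I", alpha), 2),
              round(noise_spread(alpha, 20.0), 2))
```

With no smoothing the W/I gap is 7 units; with alpha=0.1 the single-sample spike is attenuated to 0.7 units, well inside the spread of the smoothed background activity, which is the effect the second commenter describes.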
This is what we called in the 80s and 90s... BSware.
Just a bunch of crap put together, which is not only difficult to collaborate, but so effing boring that nobody will.
This happens when a good idea turns out to be not such a good idea, and then into a pile of BS.
Even though they knew hours ago, they should have abandoned the project... they didn't. So they go ahead with it and publish rubbish like this.
Just a means of individuals 'publishing' something for the sake of publishing and to say they have.
Texas-Austin academics should have stopped this from being published. In not doing so, you've more or less put this university on the back burner for integrity. Although, U of Texas never was on the map for computer engineering, let alone computer security.
C'mon guys, there are more important things to study and research. Don't be afraid to let go of a project if it isn't going anywhere... it's better than being laughed at.
Matt Halpern, Manuel Philiose and Mohit Tiwari... better luck next time, if you're given the opportunity.
However, you would think some of these calls would be rate limited simply to protect the battery given all the "optimisations" on battery life that tend to go south with badly (possibly maliciously) built apps.
So if I can insert arbitrary hardware with a battery into somebody's phone I can sense what the user does with it. Making use of various sensors in said hardware. Please explain why this is interesting again.
Come to think of it I could replace THE WHOLE PHONE and man-in-the-middle all interaction with it.