Researchers at Technion Center for Security Science and Technology (CSST), Hebrew University and University of Texas at Austin have published a paper (Power to peep-all: Inference Attacks by Malicious Batteries on Mobile Devices) explaining how “poisoned” batteries in smartphones can be leveraged to “infer characters typed on a touchscreen; to accurately recover browsing history in an open-world setup; and to reliably detect incoming calls, and the photo shots including their lighting conditions.” Going further, the researchers also describe how the Battery Status API can be used to remotely capture the sensitive information.
The “attack” starts by replacing the battery in the target smartphone with a compromised battery. Perhaps by poisoning the supply chain, gaining secretive access to the device, or selling the batteries through aftermarket resellers. The specific method is left as a thought exercise, but for the risk analysis, we assume that the battery has been replaced and is thus exploitable.
Smartphone users will tell you that the battery is the most frustrating component of their devices. To improve this experience, smartphone batteries include technology to report on current charge rates, discharge rates, charging method, etc. With this information, the device can provide feedback to the user and change operating behavior to maximize battery life.
This requires a communications channel between the battery and the smartphone, and this is the channel the researchers leveraged to exfiltrate data. The information is not restricted to only the operating system but, also exposed to the Battery Status API as defined by the W3C organization meaning it can be captured by a malicious website if accessed through a vulnerable browser (Chrome.) So the attack starts with a compromised battery, leverages the Battery Status API to expose the captured data and sends it to a malicious website through a vulnerable browser. Lots of moving pieces to line up, but plausible. So what information can be exposed this way?
The researchers showed an ability to identify the characters typed on the screen, identify incoming phone calls, determine when a picture is taken and identify metadata for that photo. The characters being typed aren’t read directly, but the poisoned battery infers what is typed by measuring the effect on battery parameters.
This has an effect on the accuracy of the information being captured. Determining when a picture is taken or when a call is received is accurate 100% of the time. But identifying what characters are typed is only accurate 36% of the time. If the eavesdropper is able to narrow the potential characters being typed, for example, if it is known the person is typing a website URL or booking tickets on a travel website, accuracy increases to 65%.
When considering all of the potential cyber threats that exist, this definitely counts as a low risk. Replacing a cell phone battery is difficult to do without the owner being aware, and even if you manage to change the battery, the information it gathers is prone to error and capturing the information remotely is a complex endeavor. But the risk is tangible, and if not mitigated, it could grow to become significant. Mozilla and Apple have already removed support for the Battery Status API from their browsers, and the W3C organization has updated the Battery Status API specification.
Currently, Chrome is the only “vulnerable” means of exfiltrating the data through this specific attack. However as we have seen repeatedly, once a novel approach is identified, others will expand and evolve the attack. This will be an interesting one to watch.