Even a battery is subject to attack.
That is because specially crafted batteries installed in a smartphone can allow attackers to harvest and steal sensitive information, researchers said.
An attacker can use a malicious battery to obtain various types of information from a device by continuously monitoring power traces, said researchers from Technion, UT Austin and Hebrew University.
“We study a new attack vector to launch power side channel attacks on mobile devices – a smart battery that includes storage and processing elements to stealthily monitor and report user activity, in addition to their benign power management functions,” the researchers said in a paper.
Monitoring the GPU and DRAM can work, but the CPU and the touchscreen leak the most information, researchers said.
Attackers can — with various degrees of accuracy — deduce characters typed via the touchscreen, recover browsing history, and detect incoming calls and when a photo has been taken, researchers said.
Stealing data is also possible, one bit at a time, through the device’s web browser.
The level of accuracy for determining keystrokes was 36 percent, and researchers showed attackers can even search for passwords.
In deducing which website a user visited from a list of Alexa Top 100 sites, the researchers achieved an accuracy of 65 percent. An attacker can — with 100 percent accuracy — detect when a phone call has been made. Experiments also showed a high accuracy related to the use of the camera. In addition to detecting when a photo has been taken, an attacker can obtain data on the use of the flash and lighting conditions, researchers said in a paper on the subject.
The method requires replacing the targeted device’s battery with a malicious one, whether through the supply chain, a person slipping into a hotel room, or another type of attack.
For this reason, combined with the fact that exfiltration and data harvesting are slow and not always accurate, it’s unlikely that such attacks will be seen in the wild any time soon.
However, the attack is stealthy and it has a small hardware footprint and does not require the installation of any software on the targeted device.
In addition, it has a low cost, and it leverages a component that is often replaced by users.
In one attack scenario described by researchers, the attacker sells batteries online, offering low prices or extended warranty to attract potential victims.
As for data exfiltration, researchers used the Battery Status API. Mozilla and Apple removed this API from their web browsers after experts showed it posed some potentially serious privacy risks, but it’s still present in Chrome.
This API exposes three parameters: time to full charge and discharge, battery level, and charging state. Experts showed the charging state parameter (which has a value of 0 or 1 when the battery is charging or discharging) can be manipulated for data exfiltration via the wireless charging technology.
When a phone is charged wirelessly, the battery charging state parameter changes when an active transmitter is detected by the device. By placing a circuit that mimics the wireless charger inside the battery, an attacker can control the charging state to send out bits of “0” or “1”. The attacker needs to convince the victim to access a specially crafted website that can read this data via the Battery Status API. Since this is a bidirectional communication channel, the malicious battery can be configured to detect when the attacker’s site is visited by the victim.
However, the time it takes to detect the transition between not charging and charging is 3.9 seconds and the transition back to not charging is 1.6 seconds, which results in an exfiltration rate of 0.1-0.5 bits per second.
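On the detection side, the channel described above has a recognizable shape: the charging state keeps flipping every few seconds, which a person plugging in a charger does not do. The following is an added example, not code from the paper or from any browser; the function name, event format and thresholds (more than 4 flips in 120 seconds) are assumptions chosen for illustration.

```javascript
// Flags bursts of charging-state flips that are too frequent to be a person
// plugging and unplugging a charger. Thresholds are assumptions, not values
// from the paper. Context from the article: one on/off cycle of the channel
// takes about 3.9 s + 1.6 s, so signaling yields many flips per minute.
const DEFAULTS = { windowSec: 120, maxTransitions: 4 };

// events: [{ t: seconds, charging: boolean }] in time order, for example
// recorded by an OS power service or from 'chargingchange' events.
function findSignalingBursts(events, opts = {}) {
  const { windowSec, maxTransitions } = { ...DEFAULTS, ...opts };

  // Keep only real state changes; repeated reports of one state are ignored.
  const flips = [];
  let last = null;
  for (const e of events) {
    if (last !== null && e.charging !== last) flips.push(e.t);
    last = e.charging;
  }

  // Sliding window over flip times; overlapping flagged windows are merged.
  const bursts = [];
  let start = 0;
  for (let end = 0; end < flips.length; end++) {
    while (flips[end] - flips[start] > windowSec) start++;
    if (end - start + 1 > maxTransitions) {
      const prev = bursts[bursts.length - 1];
      if (prev && start <= prev.toIdx) prev.toIdx = end;
      else bursts.push({ fromIdx: start, toIdx: end });
    }
  }
  return bursts.map((b) => ({
    from: flips[b.fromIdx],
    to: flips[b.toIdx],
    transitions: b.toIdx - b.fromIdx + 1,
  }));
}

// Constructed sample timeline: one ordinary charge session (t=100..4000),
// then rapid toggling of the kind the article describes (t=5000..5024).
const SAMPLE_EVENTS = [
  { t: 0, charging: false }, { t: 100, charging: true },
  { t: 4000, charging: false }, { t: 5000, charging: true },
  { t: 5004, charging: false }, { t: 5010, charging: true },
  { t: 5014, charging: false }, { t: 5020, charging: true },
  { t: 5024, charging: false },
];

console.log(findSignalingBursts(SAMPLE_EVENTS));
```

The ordinary charge session in the sample is not flagged; only the rapid toggling is reported, with its start time, end time and flip count.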
“Our work shows the feasibility of the malicious battery and motivates further research into system and application-level defenses to fully mitigate this emerging threat,” the researchers said in their paper.