A team of researchers has demonstrated that specially crafted batteries installed in a smartphone can allow malicious actors to harvest and exfiltrate sensitive information.
Researchers from Technion, UT Austin and Hebrew University showed that an attacker can use a malicious battery to obtain various types of information from a device by continuously monitoring power traces. Monitoring the GPU and DRAM can work, but the CPU and the touchscreen leak the most information, experts said.
Experiments have shown that attackers can – with various degrees of accuracy – deduce characters typed via the touchscreen, recover browsing history, and detect incoming calls and when a photo has been taken. Exfiltrating the data is also possible, one bit at a time, through the device’s web browser.
The level of accuracy for determining keystrokes was 36%, and researchers showed that attackers can even search for passwords. In the case of detecting which website the victim has visited from a list of Alexa Top 100 sites, the researchers achieved an accuracy of 65%. An attacker can – with 100% accuracy – detect when a phone call has been made. Experiments also showed a high accuracy related to the use of the camera. In addition to detecting when a photo has been taken, an attacker can obtain data on the use of the flash and lighting conditions, researchers said in their paper.
The method requires replacing the targeted device’s battery with a malicious one, either through a supply chain attack, an evil maid attack or some other type of attack. For this reason, and because the data harvesting and exfiltration are slow and not always accurate, it’s unlikely that such attacks will be seen in the wild any time soon.
On the other hand, the attack is interesting, especially since it’s stealthy (it has a small hardware footprint and it does not require the installation of any software on the targeted device), it has a low cost, and it leverages a component that is often replaced by users. In one attack scenario described by the researchers, the attacker sells batteries online, offering low prices or an extended warranty to attract potential victims.
As for data exfiltration, researchers used the Battery Status API. This API was removed by Mozilla and Apple from their web browsers after experts showed that it posed some potentially serious privacy risks, but it’s still present in Chrome.
This API exposes three parameters: time to full charge and time to full discharge, battery level, and charging state. Experts showed that the charging state parameter (which is 1 when the battery is charging and 0 when it is discharging) can be manipulated for data exfiltration by abusing the device’s wireless charging detection.
When a phone is charged wirelessly, the battery charging state parameter changes when an active transmitter is detected by the device. By placing a circuit that mimics the wireless charger inside the battery, an attacker can control the charging state to send out bits of “0” or “1”. The attacker needs to convince the victim to access a specially crafted website that can read this data via the Battery Status API. Since this is a bidirectional communication channel, the malicious battery can be configured to detect when the attacker’s site is visited by the victim.
However, the transition from not charging to charging takes 3.9 seconds to be detected and the transition back to not charging takes 1.6 seconds, which limits the exfiltration rate to 0.1-0.5 bits per second.
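As an added illustration, not code from the paper or from this article, the following browser-side check shows the Battery Status API surface the channel relies on and how a defender could flag charging-state toggling that is far faster than a human plugging a charger in and out; the window length, the threshold and the sample timestamps are assumptions built from the transition timings quoted above.

```javascript
// Added example, not code from the paper or the article. Defender-side check:
// the Battery Status API fires `chargingchange` whenever the reported charging
// state flips. A human plugs a charger in and out a few times a day; the channel
// described above flips it every few seconds. Counting flips in a trailing
// window therefore separates the two. Window and threshold are assumed values.

const WINDOW_MS = 60_000;  // trailing window length (assumption)
const MAX_TOGGLES = 3;     // more flips than this per window is flagged (assumption)

// Pure decision logic so it can be exercised without a browser.
// toggleTimesMs: timestamps (ms) of past `chargingchange` events.
function assessToggles(toggleTimesMs, nowMs, windowMs = WINDOW_MS, maxToggles = MAX_TOGGLES) {
  const recent = toggleTimesMs.filter(t => t > nowMs - windowMs && t <= nowMs);
  return { count: recent.length, suspicious: recent.length > maxToggles };
}

// Constructed timestamps following the timings quoted in the article:
// about 3.9 s for a not-charging -> charging transition to register and
// about 1.6 s for the way back, repeated (what the described channel looks like).
const COVERT_SAMPLE_MS = [0, 3900, 5500, 9400, 11000, 14900, 16500, 20400];

// Constructed benign timestamps: plugged in at t=0, unplugged 30 minutes later.
const BENIGN_SAMPLE_MS = [0, 1_800_000];

// Browser hook: attaches to the real API when present, otherwise resolves null.
// onAlert receives the current charging flag and the window statistics.
function installBatteryToggleMonitor(onAlert, clock = () => Date.now()) {
  if (typeof navigator === 'undefined' || typeof navigator.getBattery !== 'function') {
    return Promise.resolve(null);  // no Battery Status API here (e.g. Node, Firefox, Safari)
  }
  const toggles = [];
  return navigator.getBattery().then(battery => {
    battery.addEventListener('chargingchange', () => {
      const now = clock();
      toggles.push(now);
      const verdict = assessToggles(toggles, now);
      if (verdict.suspicious) onAlert({ charging: battery.charging, ...verdict });
    });
    return battery;
  });
}
```

In Chrome the monitor can be installed from a page or extension with `installBatteryToggleMonitor(console.warn)`; the pure `assessToggles` function can be run anywhere against recorded event timestamps.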
“The attack may seem like a stretch (requires physical battery replacement – or poisoning hardware at a factory), and at this moment one can imagine multiple simpler methods,” commented Lukasz Olejnik, one of the researchers whose work led to Mozilla and Apple removing support for the Battery Status API a couple of years ago. “Nonetheless it is an important study. Is the sky falling? No. Is the work significant? Yes.”
Last year, Olejnik conducted an analysis of the security and privacy implications associated with the ambient light sensors present in phones, tablets and laptops.