Spy Gadgets And You: Even Battery From Your Smartphone Tracks You
23 February 2015
By Markaz Kvakaz
Smartphone users might balk at letting a random app like Candy Crush or
Shazam track their every move via GPS. But researchers have found that
Android phones reveal information about your location to every app on your
device through a different, unlikely data leak: the phone's power
Researchers at Stanford University and Israel's defense research group Rafael
have created a technique they call PowerSpy, which they say can gather
information about an Android phone's geolocation merely by tracking its power
use over time. That data, unlike GPS or Wi-Fi location tracking, is freely
available to any installed app without a requirement to ask the user's
permission. That means it could represent a new method of stealthily
determining a user's movements with as much as 90 percent accuracy—though for
now the method only really works when trying to differentiate between a
certain number of pre-measured routes.
Spies might trick a surveillance target into downloading a specific app that
uses the PowerSpy technique, or less malicious app makers could use its
location tracking for advertising purposes, says Yan Michalevski, one of the
Stanford researchers. ''You could install an application like Angry Birds
that communicates over the network but doesn't ask for any location
permissions,'' says Michalevski. ''It gathers information and sends it back
to me to track you in real time, to understand what routes you've taken when
you drove your car or to know exactly where you are on the route. And it does
it all just by reading power consumption.''
PowerSpy takes advantage of the fact that a phone's cellular transmissions
use more power to reach a given cell tower the farther it travels from that
tower, or when obstacles like buildings or mountains block its signal. That
correlation between battery use and variables like environmental conditions
and cell tower distance is strong enough that momentary power drains like a
phone conversation or the use of another power-hungry app can be filtered
out, Michalevsky says.
One of the machine-learning tricks the researchers used to detect that
''noise'' is a focus on longer-term trends in the phone's power use rather
than those than last just a few seconds or minutes. ''A sufficiently long
power measurement (several minutes) enables the learning algorithm to 'see'
through the noise,'' the researchers write. ''We show that measuring the
phone's aggregate power consumption over time completely reveals the phone's
location and movement.''
Even so, PowerSpy has a major limitation: It requires that the snooper
pre-measure how a phone's power use behaves as it travels along defined
routes. This means you can't snoop on a place you or a cohort has never been,
as you need to have actually walked or driven along the route your subject's
phone takes in order to draw any location conclusions. The Stanford and
Israeli researchers collected power data from phones as they drove around
California's Bay Area and the Israeli city of Haifa. Then they compared their
dataset with the power consumption of an LG Nexus 4 handset as it repeatedly
traveled through one of those routes, using a different, unknown choice of
route with each test. They found that among seven possible routes, they could
identify the correct one with 90 percent accuracy.
''If you take the same ride a couple of times, you'll see a very clear signal
profile and power profile,'' says Michalevsky. ''We show that those
similarities are enough to recognize among several possible routes that
you're taking this route or that one, that you drove from Uptown to Downtown,
for instance, and not from Uptown to Queens.''
Michalevsky says the group hopes to improve its analysis to apply that same
level of accuracy to tracking phones through many more possible paths and
with a variety of phones—they already believe that a Nexus 5 would work just
as well, for instance. The researchers also are working on detecting more
precisely where in a known route a phone is at any given time. Currently the
precision of that measurement varies from a few meters to hundreds of meters
depending upon how long the phone has been traveling.
The researchers have attempted to detect phones' locations even as they
travel routes the snooper has never fully seen before. That extra feat is
accomplished by piecing together their measurements of small portions of the
routes whose power profiles have already been pre-measured. For a phone with
just a few apps like Gmail, a corporate email inbox, and Google Calendar, the
researchers were able determine a device's exact path about two out of three
times. For phones with half a dozen additional apps that suck power
unpredictably and add noise to the measurements, they could determine a
portion of the path about 60 percent of the time, and the exact path just 20
percent of the time.
Even with its relative imprecision and the need for earlier measurements of
power use along possible routes, Michalevsky argues that PowerSpy represents
a privacy problem that Google hasn't fully considered. Android makes power
consumption data available to all apps for the purpose of debugging. But that
means the data easily could have been restricted to developers, nixing any
chance for it to become a backdoor method of pinpointing a user's position.
Google didn't respond to WIRED's request for comment.
This isn't the first time that Michalevsky and his colleagues have used
unexpected phone components to determine a user's sensitive information. Last
year the same researchers' group, led by renowned cryptographer Dan Boneh,
found that they could exploit the gyroscopes in a phone as crude microphones.
That ''gyrophone'' trick was able to to pick up digits spoken aloud into the
phone, or even to determine the speaker's gender. ''Whenever you grant anyone
access to sensors on a device, you're going to have unintended
consequences,'' Stanford professor Boneh told WIRED in August when that
research was unveiled.
Stanford's Michalevsky says that PowerSpy is another reminder of the danger
of giving untrusted apps access to a sensor that picks up more information
than it's meant to. ''We can abuse attack surfaces in unexpected ways,'' he
says, ''to leak information in ways that it's not supposed to leak.