A volt out of the blue: Phone batteries reveal what you typed and read

A group of researchers has demonstrated that smartphone batteries can offer a side-channel attack vector by revealing what users do with their devices through analysis of power consumption. Both snitching and exfiltration were described in this paper (PDF), accepted for July's Privacy Enhancing Technologies Symposium. Nobody …

  1. heyrick Silver badge

    At long last...

    Finally a benefit of welded in batteries submerged under mountains of glue.

  2. Anonymous Coward
    Black Helicopters

    If someone is able to open my phone

    And insert hardware of their choice, I think this battery attack is WAY down the list of what I'd need to worry about. Luckily the odds that someone will care about what I do enough to go to the expense of any attack that requires getting hold of my phone and modifying the hardware inside are extremely low!

    Whenever I read stories like this I feel good, because the researchers are really grasping at straws to come up with something. KRACK or MELTDOWN, this is not!

    1. Anonymous Coward
      Anonymous Coward

      Re: If someone is able to open my phone

      "Grasping at straws" not so much, this is legit research. The "we predict in 50 years AI will take over the planet" more so problematic.

    2. Anonymous Coward
      Anonymous Coward

      Re: If someone is able to open my phone

      I guess you're probably not in the intended target demographics. ;)

      I would assume this would be employed through the practice of having modified hardware ready to go. Customs official/law enforcement clown/etc, for example, asks to see your phone for a few seconds, clones your data, switches the sim, and hands it back.

    3. Wade Burchette

      Re: If someone is able to open my phone

      You may not be the target.

      Imagine that the CIA, Kremlin, MI6 or any other clandestine organization was wanting to spy on an individual. They could have a "friend" deliver them a mobile phone with this battery spying tech on it. Wait for them to be on a cellular network and not WiFi and then upload the data through untraceable routes. There are other delivery vectors too. Study a person enough to know where they go and where they would buy and service phones. Then arrange for an "accident" so that the phone is damaged and while it is being repaired, plant the spying battery. Or, keep a special stock of modified phones and when the target has to replace his after the "accident" ensure that he buys the modified phone.

      1. Anonymous Coward
        Anonymous Coward

        Re: If someone is able to open my phone

        If they're specially modifying phones to skilfully force on their target at the right moment then I'd suggest there are a hell of a lot more effective things they could do to turn the phone into a spying device than put in a dodgy battery and rely on this pretty feeble exploit.

      2. Stuart Castle Silver badge

        Re: If someone is able to open my phone

        As said earlier, they'd likely have a duplicate of the phone, with the battery hack already applied. Then, they send an operative in with the hacked phone, swap it and get out before they are noticed.

        I've made it sound easier than it probably is, but as someone pointed out in the documentary I saw about Stuxnet (Zero days - an excellent documentary), the various intelligence services have people that are very experienced in swapping out hardware, even in the most secure of places.

        1. Anonymous Coward
          Anonymous Coward

          Re: If someone is able to open my phone

          Dunno about Android, but what you describe isn't possible with an iPhone. You can't copy the Touch ID or Face ID info from one phone to another since that's saved by the Secure Element which is part of the SoC. If someone silently swapped my phone I'd know because it would no longer recognize my face. If they failed to copy the MAC address I'd also notice, though that should be simple to clone.

          Yeah yeah I'm sure someone will say "the CIA could find a way" and possibly they could, but again I'm not personally concerned that the CIA cares about me to the degree they'd go to such a large expense. They'd be better off kidnapping me and threatening me with XKCD's $5 hammer. I'll tell them whatever they want to know!

        2. eldakka

          Re: If someone is able to open my phone

          As said earlier, they'd likely have a duplicate of the phone, with the battery hack already applied.

          If they have a duplicate ready to go, then sure they could use the battery hack, or have a custom firmware implanted on the phone that phones home everything you do, or have hardware taps on all the data interfaces directly, no need to use interpreters or statistical analysis of battery usage to figure it out.

          If they have long-term physical access, or can replace the entire phone, there are much better ways to do this if it is a targeted attack.

          If the attacker has transient, short-term opportunistic access to a phone - the airport examination scenario for example - then it might be easier to replace the battery - depending on the phone model - than insert other hardware or install software/firmware compromises.

          It could also be useful in a "mass compromise" situation, that is, every phone that goes through a particular repairer would get one of these batteries implanted. Or all batteries from a particular manufacturer are compromised so all phones that use that battery become compromised.

          But as a general-purpose snooping vector, I think it is not really an 'escalation' in snoop vectors when compared to other, already existing possibilities. So it doesn't really significantly expand the attack surfaces considering it still requires physical access to the phone to do.

    4. JLV

      Re: If someone is able to open my phone

      I am not all that clear on why you are so relaxed, considering that removable batteries seem very high on the wish list of many commentards here.

      A user might very well buy a “poisoned” aftermarket battery, taking into account the typical gouge level that manufacturers apply to their branded batteries. Yes, you can expect exploding batteries, but keyboard sniffing should not be on the menu.

      IMHO, until systems are much hardened against timing attacks, really high frequency/resolution sampling of “stuff” from the browser/JS should be disabled by default, whenever possible. Anything over say 60-240hz to cover display considerations. I believe that Firefox is doing just that to avoid Spectre timing attacks.

  3. Waseem Alkurdi

    I swear I knew from the headline ...

    ... it was the same people that brought us the speaker and HDD activity light hacking.

    Although I have to admit this is kind of impressive, but purpose is defeated anyhow because you have physical access - and anything with physical access is pwned beyond fixing.

    1. Anonymous Coward
      Anonymous Coward

      Re: I swear I knew from the headline ...

      Probably for the spooks or those who really want to protect data. Not charging a phone at the same time as using it. As a bugged charger is a much easier attack vector. That and possibility of bugged hardware from the factory (see the API claim, if the software is inherently weak, you only need malware, no physical access).

    2. Robert Helpmann??
      Childcatcher

      Re: I swear I knew from the headline ...

      The first thing I thought of that this could be used for is a supply chain attack on burner phones. This sort of thing isn't easily implemented and there are other easier routes for most purposes. So if it or similar is going to be used, it requires a long setup. Hardware attacks get around most software defenses. Perhaps coupled with a watering hole attack, this might be useful in some cases where malware can't be expected to get the job done.

  4. Anonymous Coward
    Anonymous Coward

    Easily fixed, just remove the battery.

    1. mark l 2 Silver badge

      [Easily fixed, just remove the battery.]

      Except that the phone manufacturers have decided consumers want a phone a couple of millimetres thinner and not one where the battery can be easily replaced, so for a large percentage of new phones on sale the battery is sealed inside the phone.

      1. Anonymous Coward
        Anonymous Coward

        Thwarted, though you make a good point about how utterly useless this is: how do you attach the microcontroller to the battery?

        Maybe a better way would be to secretly install a camera in someone's glasses or replace someone's gloves with ones that record finger movement. Sometimes with these types of hack I don't think they have thought it through.

        1. katrinab Silver badge

          If you had taken the phone to bits to install a spy chip, then surely you would have better options than the battery, like maybe the screen?

          1. Anonymous Coward
            Anonymous Coward

            Like attaching a webcam on a selfie stick? I like your thinking.

          2. Christoph

            "surely you would have better options than the battery, like maybe the screen?"

            If it's a replaceable battery it only takes a few seconds to switch. It's trivial compared to replacing the screen. Always carry a burner phone when visiting the USA, and maybe put identifying marks on the battery so you can tell if it's been swapped.

            1. Pascal Monett Silver badge
              Trollface

              Re: "Always carry a burner phone when visiting the USA"

              Visiting the USA ?

              In the Trump era ?

              Why on God's Green Earth would you want to do that ?

              1. tommy_qwerty

                Re: "Always carry a burner phone when visiting the USA"

                >Why on God's Green Earth would you want to do that ?

                Because New York City is safer than London in the Trump era, that's why.

      2. David Gosnell

        At least as much to do with them realising that the buying public has woken up to the scam of contracts, and (given batteries' limited lifetime with current technology; saw some interesting reporting at the weekend in this regard) so happily implementing an engineering solution to the end of the previously complacently presumed two-year upgrade cycle. Mine's the S5 Mini with (claimed) IP67 and a user-replaceable battery – that being the other myth the manufacturers like to perpetuate to justify baking in the batteries.

    2. Anonymous Coward
      Anonymous Coward

      just remove the battery.

      First thing you do when your not-IP69K phone is submerged. Oh, you can't. Well, grab a screwdriver, and quick-- it's an emergency!

  5. 89724102172714582892524I7751670349743096734346773478647892349863592355648544996312855148583659264921

    Could battery power usage be inferred remotely via EM emissions? (Aaarrgghh)

  6. Alan Sharkey

    Now they are just getting silly

    I am sure, once someone has physical access to the phone, there are easier ways to intercept what is going on. This sounds like a solution waiting for a problem.

    1. Anonymous Coward
      Anonymous Coward

      Re: Now they are just getting silly

      Proof of concept. Most of these devices do have internal sensors. Hardware hacking would find the exploit quicker than a code dive. Code dive can come later now you know what is at risk.

  7. Craigie

    chars

    Why on earth would different characters have different power draws when typed?

    1. Pascal Monett Silver badge

      Re: chars

      Probably because of physical reality, such as position on screen and trivial difference in amount of current needed to draw one character instead of another.

      For example, it is quite logical that drawing a T will light up more pixels than an I, and a W will require even more pixels, thus more power. A trifling more, granted, but measurable nonetheless.

      1. drgeoff

        Re: chars

        There are several capacitors between the instantaneously changing power draw circuitry and the battery. Those smooth out the rapid variations in power draw. Furthermore the OS is not sitting doing nothing - lots of things are happening in the background making their own changes to the current consumption. Those are merged with any changes from the character drawing circuitry and the resultant total variation smoothed by the capacitors.

        I very much doubt that any measuring device in the battery could tell what characters are being typed.
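An added illustration of the disagreement in the two comments above (it is not code from the paper, from the article, or from any commenter): a toy template attack on synthetic keystroke power traces. Every number in it is a constructed assumption: the per-glyph current cost (ordered I < L < T < M < W to mirror the pixel-count argument), the idle draw, the Gaussian measurement noise, a per-keystroke background offset standing in for other processes, and a first-order low-pass filter standing in for the decoupling capacitors. It shows two things: smoothing alone does not erase a difference that persists for the whole keystroke, because the template attack integrates over the window rather than reading single samples; and a varying background load is what really hurts, unless each trace is referenced against its own pre-keystroke baseline.

```python
"""Toy template attack on synthetic keystroke power traces.

Constructed illustration only: the per-character glyph cost, the idle
current, the noise model and the capacitor model are invented numbers,
not measurements from the paper or from any real phone.
"""
import random
from statistics import mean

# Hypothetical extra current (mA) a glyph costs while it is being drawn.
GLYPH_COST = {"I": 1.0, "L": 2.0, "T": 3.0, "M": 4.0, "W": 5.0}
ALPHABET = "".join(GLYPH_COST)

TRACE_LEN = 64               # samples per keystroke window
KEY_WINDOW = range(16, 48)   # samples during which the glyph is drawn
BASELINE = range(0, 16)      # samples before the key goes down
IDLE_MA = 10.0               # constant idle draw (assumed)
NOISE_SIGMA = 0.5            # per-sample Gaussian measurement noise (assumed)
BACKGROUND_SPREAD = 3.0      # per-keystroke offset from other processes (assumed)
RC_ALPHA = 0.2               # first-order low-pass; smaller = bigger capacitor


def make_trace(char, rng):
    """Raw current trace for one keystroke: idle + glyph pulse + background + noise.

    The background offset is held constant within a keystroke; that is an
    assumption of this toy, real background load also varies inside the window.
    """
    background = rng.uniform(-BACKGROUND_SPREAD, BACKGROUND_SPREAD)
    trace = []
    for i in range(TRACE_LEN):
        draw = IDLE_MA + background + rng.gauss(0.0, NOISE_SIGMA)
        if i in KEY_WINDOW:
            draw += GLYPH_COST[char]
        trace.append(draw)
    return trace


def lowpass(trace, alpha=RC_ALPHA):
    """Exponential moving average standing in for the decoupling capacitors."""
    out = [trace[0]]
    for x in trace[1:]:
        out.append(alpha * x + (1.0 - alpha) * out[-1])
    return out


def baseline_subtract(trace):
    """Reference the trace to its own pre-keystroke level to cancel background load."""
    ref = mean(trace[i] for i in BASELINE)
    return [x - ref for x in trace]


def preprocess(trace, correct_baseline):
    """What the attacker sees (smoothed), optionally baseline-corrected."""
    trace = lowpass(trace)
    return baseline_subtract(trace) if correct_baseline else trace


def build_templates(rng, per_char, correct_baseline):
    """Profiling phase: average labelled traces into one template per character."""
    templates = {}
    for c in ALPHABET:
        traces = [preprocess(make_trace(c, rng), correct_baseline) for _ in range(per_char)]
        templates[c] = [mean(col) for col in zip(*traces)]
    return templates


def classify(trace, templates):
    """Attack phase: nearest template by squared Euclidean distance."""
    def dist(t):
        return sum((a - b) ** 2 for a, b in zip(trace, t))
    return min(templates, key=lambda c: dist(templates[c]))


def evaluate(correct_baseline, seed=1234, profiling_per_char=30, attack_per_char=20):
    """Fraction of unseen keystrokes recovered, as a float in [0, 1]."""
    rng = random.Random(seed)
    templates = build_templates(rng, profiling_per_char, correct_baseline)
    hits = total = 0
    for c in ALPHABET:
        for _ in range(attack_per_char):
            guess = classify(preprocess(make_trace(c, rng), correct_baseline), templates)
            hits += guess == c
            total += 1
    return hits / total


if __name__ == "__main__":
    print(f"chance level:                  {1 / len(ALPHABET):.2f}")
    print(f"smoothed, raw:                 {evaluate(False):.2f}")
    print(f"smoothed, baseline-subtracted: {evaluate(True):.2f}")
```

Run it as a script and it prints three recovery rates: chance, the smoothed traces classified as-is (the background offset swamps the one-milliamp steps between glyphs, so recovery stays near chance), and the same traces after each is referenced to its own pre-key baseline (recovery well above chance despite the filter). Whether real hardware leaks a signal of this size at a battery's sampling rate is exactly the empirical question the paper set out to answer; the simulation only shows where the signal and the obstacles would sit.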

  8. Aodhhan

    This is what we called in the 80s and 90s... BSware.

    Just a bunch of crap put together, which is not only difficult to collaborate, but so effing boring that nobody will.

    This happens when a good idea, turns out to be not such a good idea, and then into a pile of BS.

    Even though they knew hours ago, they should have abandoned the project... they didn't. So they go ahead with it and publish rubbish like this.

    Just a means of individuals 'publishing' something for the sake of publishing and to say they have.

    Texas-Austin academics should have stopped this from being published. In not doing so, you've more-less put this university on the back burner for integrity. Although, U of Texas never was on the map for computer engineering, let alone computer security.

    C'mon guys, there are more important things to study and research. Don't be afraid to let go of a project if it isn't going anywhere... it's better than being laughed at.

    Matt Halpern, Manuel Philiose and Mohit Tiwari... better luck next time, if you're given the opportunity.

    1. Semtex451
      Headmaster

      "difficult to corroborate"?

  9. Giovani Tapini

    I'm not so worried about modifying the battery as it seems a tad unlikely given the resin

    However, you would think some of these calls would be rate limited simply to protect the battery given all the "optimisations" on battery life that tend to go south with badly (possibly maliciously) built apps.

  10. This post has been deleted by its author

  11. JohnFen

    Yet another reason

    Yet another reason to avoid the cloud. I swear, every week my decision to avoid the cloud when at all possible looks more and more justified.

  12. jms222

    No news

    So if I can insert arbitrary hardware with a battery into somebody's phone I can sense what the user does with it. Making use of various sensors in said hardware. Please explain why this is interesting again.

    Come to think of it I could replace THE WHOLE PHONE and man-in-the-middle all interaction with it.

  13. Anonymous Coward
    Anonymous Coward

    Memory Effect

    Just avoid phones with ni-cad batteries

  14. anonymous boring coward Silver badge

    I bet a clear power draw signature like that depends on stuff like spell checking and auto completion being on.

  15. Anonymous Coward
    Anonymous Coward

    Even if this attack vector works, how are you supposed to extract the data from a microcontroller embedded inside the battery of the target's phone?

  16. Anonymous Coward
    FAIL

    April fools Day already?

    This is clearly utter horseshit. Was there any technical scrutiny before it was posted???
