
A group of researchers at Stanford has recently developed a method to infer a device’s location just by reading its battery charge information. Dubbed “PowerSpy,” the attack relies on the fact that mobile devices use more power as they get farther from connected cellular towers. By comparing the device’s pattern of power use against patterns previously recorded for a given area, an attacker can determine the location without access to any other location information.
For those of you who didn’t know, this is actually similar to how Shazam operates. Thousands of audio “fingerprints” are created and stored in a database, and new snippets recorded by users are fingerprinted and compared to the existing set. Researchers Yan Michalevsky, Dan Boneh and Aaron Schulman of Stanford had the following to say regarding the matter:
“We show that by simply reading the phone's aggregate power consumption over a period of a few minutes an application can learn information about the user's location. Aggregate phone power consumption data is extremely noisy due to the multitude of components and applications simultaneously consuming power. Nevertheless, we show that by using machine learning techniques, the phone's location can be inferred.
“We address this problem by pre-recording the power profiles of all the road segments within the given area. Each possible route a mobile device may take is a concatenation of some subset of these road segments. Given a power profile of the tracked device, we will reconstruct the unknown route using the reference power profiles corresponding to the road segments.”
To help mitigate the issue, the researchers suggest remedies such as removing the radio stack from power consumption reporting or requiring superuser privileges to access the data. Alternatively, OS makers could treat the battery data as an indication of location, giving it a spot in the users’ privacy preferences. The team wrote the following regarding the matter:
“The user will then be aware, when installing applications that access voltage and current data, of the application's potential capabilities, and the risk potentially posed to her privacy. This defense may actually be the most consistent with the current security policies of smartphone operating systems like Android and iOS, and their current permission schemes.”
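The profile matching and the first mitigation described above can be seen in a small simulation (an added example, not code from the article or from the Stanford researchers). It assumes constructed sinusoidal reference profiles, hypothetical route names and made-up wattages, and uses plain Pearson correlation as a stand-in for the machine learning techniques the researchers mention; it compares what a matcher recovers when the reported power includes the radio component with what it recovers when the radio stack is left out of reporting.

```python
import math
import random

N = 400  # samples per trace (constructed)

def reference_profile(cycles):
    """Constructed radio power (watts) along a route; higher when the tower is farther."""
    return [1.0 + 0.5 * math.sin(2 * math.pi * cycles * i / N) for i in range(N)]

# Hypothetical pre-recorded reference profiles, one per route.
REFERENCES = {"route_a": reference_profile(3),
              "route_b": reference_profile(5),
              "route_c": reference_profile(7)}

def pearson(x, y):
    """Pearson correlation coefficient of two equal-length sequences."""
    mx, my = sum(x) / len(x), sum(y) / len(y)
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    var_x = sum((a - mx) ** 2 for a in x)
    var_y = sum((b - my) ** 2 for b in y)
    return cov / math.sqrt(var_x * var_y)

def reported_power(route, include_radio, seed=7):
    """Aggregate power the OS reports while the device travels `route`."""
    rng = random.Random(seed)  # seeded so the simulation is repeatable
    # Screen, CPU and apps: a baseline plus noise larger than the radio signal.
    other = [2.0 + rng.gauss(0, 0.5) for _ in range(N)]
    if not include_radio:  # mitigation: radio stack left out of the reported figure
        return other
    return [o + r for o, r in zip(other, REFERENCES[route])]

def best_match(trace):
    """Return (route, correlation) of the reference that best fits the trace."""
    scores = {name: pearson(trace, ref) for name, ref in REFERENCES.items()}
    name = max(scores, key=scores.get)
    return name, scores[name]

if __name__ == "__main__":
    print("radio included:", best_match(reported_power("route_b", True)))
    print("radio excluded:", best_match(reported_power("route_b", False)))
```

With the radio component included, the true route stands out despite the noise; with it excluded, the best correlation is close to zero and the chosen route is arbitrary.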
Source: Stanford via AppleInsider