Malicious batteries and a poor API may spell a side-channel attack, researchers warn

Poisoned smartphone batteries could be leveraged to reveal a users’ actions on a device, potentially contributing to an attack.

Researchers have discovered that a malicious battery placed into a device can spy on the owner’s usage and uncover their data, possibly leading to a side-channel attack.

The attack is carried out via a smart battery, which can monitor and prolong a device’s power.

Sensitive data such as website visits, typed characters, camera logs, and information on incoming calls can all be stolen by the battery and exfiltrated to attackers.

This could therefore contribute to a targeted attack on a user.

The team, from UT Austin, the Hebrew University, created the battery by inserting a microcontroller that was able to sample the power flow going in and out of the device.

They then studied this power flow, which correlate with actions such as visiting websites and taking pictures, to gain an idea of what the user was doing on their smartphone.

Finally, they extracted the data by leveraging the battery status API, which monitors how much battery is left. The API is exploited when a victim visits an insecure, or sink, website that will read and leak the user’s data.

Lukasz Olejnik, a security and privacy researcher who wrote a blog post about the research, said: “All the victim user has to do is to visit a sink website that is reading the data.

“Malicious batteries can detect when the browser enters this special website, and enable the exfiltration mode.”

Threat

The attack is largely theoretical and while aspects have been proven by the team, it is not thought to be currently used in the wild.

It also contains one major flaw – the attacker has to have physical access to the device to carry it out.

A battery has to be inserted into the device either when left unattended or in the factory, rendering the attack more complicated to carry out.

But no matter how difficult the assault would be to execute, the theory remains an impressive piece of work that should not be ignored.

If it were carried out, the results could be relatively harmful.

And, researchers noted, it could be executed without being detected by the device’s operating system, meaning the user would be oblivious that their data was being stolen.

Olejnik explained: “The attack may seem like a stretch (requires physical battery replacement – or poisoning hardware at a factory), and at this moment one can imagine multiple simpler methods.

“Nonetheless it is an important study. Is the sky falling? No. Is the work significant? Yes.”