Power to peep-all: Inference Attacks by Malicious Batteries on Mobile Devices

Open access


Mobile devices are equipped with increasingly smart batteries designed to provide responsiveness and extended lifetime. However, such smart batteries may present a threat to users’ privacy. We demonstrate that the phone’s power trace sampled from the battery at 1KHz holds enough information to recover a variety of sensitive information.

We show techniques to infer characters typed on a touchscreen; to accurately recover browsing history in an open-world setup; and to reliably detect incoming calls, and the photo shots including their lighting conditions. Combined with a novel exfiltration technique that establishes a covert channel from the battery to a remote server via a web browser, these attacks turn the malicious battery into a stealthy surveillance device.

We deconstruct the attack by analyzing its robustness to sampling rate and execution conditions. To find mitigations we identify the sources of the information leakage exploited by the attack. We discover that the GPU or DRAM power traces alone are sufficient to distinguish between different websites. However, the CPU and power-hungry peripherals such as a touchscreen are the primary sources of fine-grain information leakage. We consider and evaluate possible mitigation mechanisms, highlighting the challenges to defend against the attacks.

In summary, our work shows the feasibility of the malicious battery and motivates further research into system and application-level defenses to fully mitigate this emerging threat.

If the inline PDF is not rendering correctly, you can download the PDF file here.

  • [1] Anirudh Badam Ranveer Chandra Jon Dutra Anthony Ferrese Steve Hodges Pan Hu Julia Meinershagen Thomas Moscibroda Bodhi Priyantha and Evangelia Skiani. 2015. Software Defined Batteries. In Proceedings of the 25th Symposium on Operating Systems Principles (SOSP ’15). ACM New York NY USA 215–229. https://doi.org/10.1145/2815400.2815429

  • [2] Donald J Berndt and James Clifford. 1994. Using dynamic time warping to find patterns in time series. In KDD workshop Vol. 10. Seattle WA 359–370.

  • [3] Bert den Boer Kerstin Lemke and Guntram Wicke. 2003. A DPA Attack Against the Modular Reduction Within a CRT Implementation of RSA. In Revised Papers from the 4th International Workshop on Cryptographic Hardware and Embedded Systems (CHES ’02). Springer-Verlag London UK 228–243. http://dl.acm.org/citation.cfm?id=648255.752718

  • [4] Aaron Carroll and Gernot Heiser. 2010. An Analysis of Power Consumption in a Smartphone. In Proceedings of the 2010 USENIX Conference on USENIX Annual Technical Conference (USENIXATC’10) Vol. 14. USENIX Association Berkeley CA USA 21–21. http://dl.acm.org/citation.cfm? id=1855840.1855861

  • [5] Yimin Chen Xiaocong Jin Jingchao Sun Rui Zhang and Yanchao Zhang. 2017. POWERFUL: Mobile app fingerprinting via power analysis. In Conference on Computer Communications (INFOCOM). IEEE 1–9.

  • [6] Shane S. Clark Hossen Mustafa Benjamin Ransford Jacob Sorber Kevin Fu and Wenyuan Xu. 2013. Current Events: Identifying Webpages by Tapping the Electrical Outlet. In Computer Security – ESORICS 2013 Jason Crampton Sushil Jajodia and Keith Mayes (Eds.). Lecture Notes in Computer Science Vol. 8134. Springer Berlin Heidelberg 700–717. https://doi.org/10.1007/978-3-642-40203-6_39

  • [7] Wenrui Diao Xiangyu Liu Zhou Li and Kehuan Zhang. 2016. No pardon for the interruption: New inference attacks on android through interrupt timing analysis. In 2016 IEEE Symposium on Security and Privacy (SP). IEEE 414–432.

  • [8] Hui Ding Goce Trajcevski Peter Scheuermann Xiaoyue Wang and Eamonn Keogh. 2008. Querying and mining of time series data: experimental comparison of representations and distance measures. Proceedings of the VLDB Endowment 1 2 (2008) 1542–1552.

  • [9] Li Du. 2016. An Overview of Mobile Capacitive Touch Technologies Trends. arXiv preprint arXiv:1612.08227 (2016).

  • [10] Denis Foo Kune and Yongdae Kim. 2010. Timing attacks on pin input devices. In Proceedings of the 17th ACM conference on Computer and Communications Security. ACM 678–680.

  • [11] Shuo Gao Jackson Lai and Arokia Nathan. 2016. Fast Readout and Low Power Consumption in Capacitive Touch Screen Panel by Downsampling. Journal of Display Technology 12 11 (2016) 1417–1422.

  • [12] Daniel Genkin Lev Pachmanov Itamar Pipman Eran Tromer and Yuval Yarom. 2016. ECDSA key extraction from mobile devices via nonintrusive physical side channels. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. ACM 1626–1638.

  • [13] Matthew Halpern Yuhao Zhu and Vijay Janapa Reddi. 2016. Mobile CPU’s rise to power: Quantifying the impact of generational mobile CPU design trends on performance energy and user satisfaction. In 2016 IEEE International Symposium on High Performance Computer Architecture (HPCA). 64–76.

  • [14] Jun Han Emmanuel Owusu Le T Nguyen Adrian Perrig and Joy Zhang. 2012. Accomplice: Location inference using accelerometers on smartphones. In Fourth International Conference on Communication Systems and Networks (COMSNETS). IEEE 1–9.

  • [15] Judith Horchert Jacob Appelbaum and Christian Stöcker. 2013. Der Spiegel. Shopping for Spy Gear: Catalog Advertises NSA Toolbox. https://nsa.gov1.info/dni/nsaant-catalog/http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html. (2013).

  • [16] Alex Krizhevsky Ilya Sutskever and Geoffrey E Hinton. 2012. ImageNet Classification with Deep Convolutional Neural Networks. In Advances in Neural Information Processing Systems 25 F. Pereira C. J. C. Burges L. Bottou and K. Q. Weinberger (Eds.). Curran Associates Inc. 1097–1105. http://papers.nips.cc/paper/4824-imagenetclassification-with-deep-convolutional-neural-networks.pdf

  • [17] Alexander Maxham. 2013. Android Headlines: Samsung Reaching 80 Million Galaxy S4 Sales. http://www.androidheadlines.com/2013/05/samsung-reaching-80-million-galaxy-s4-sales-in-2013.html. (2013).

  • [18] Yan Michalevsky Aaron Schulman Gunaa Arumugam Veerapandian Dan Boneh and Gabi Nakibly. 2015. PowerSpy: Location Tracking Using Mobile Device Power Analysis. In 24th USENIX Security Symposium (USENIX Security 15). USENIX Association Washington D.C. 785–800. https://www.usenix.org/conference/usenixsecurity15/technicalsessions/presentation/michalevsky

  • [19] Emiliano Miluzzo Alexander Varshavsky Suhrid Balakrishnan and Romit Roy Choudhury. 2012. Tapprints: Your Finger Taps Have Fingerprints. In Proceedings of the 10th International Conference on Mobile Systems Applications and Services (MobiSys ’12). ACM New York NY USA 323–336. https://doi.org/10.1145/2307636.2307666

  • [20] Roman Novak. 2002. SPA-Based Adaptive Chosen-Ciphertext Attack on RSA Implementation. In Proceedings of the 5th International Workshop on Practice and Theory in Public Key Cryptosystems: Public Key Cryptography (PKC ’02). Springer-Verlag London UK 252–262. http://dl.acm.org/citation.cfm?id=648119.761233

  • [21] Lukasz Olejnik Gunes Acar Claude Castelluccia and Claudia Diaz. 2016. The Leaking Battery. In Revised Selected Papers of the 10th International Workshop on Data Privacy Management and Security Assurance - Volume 9481. Springer-Verlag New York Inc. New York NY USA 254–263.

  • [22] Lukasz Olejnik Steven Englehardt and Arvind Narayanan. 2017. Battery Status Not Included: Assessing Privacy in Web Standards. In 3rd International Workshop on Privacy Engineering (IWPE’17).

  • [23] Emmanuel Owusu Jun Han Sauvik Das Adrian Perrig and Joy Zhang. 2012. ACCessory: password inference using accelerometers on smartphones. In Proceedings of the Twelfth Workshop on Mobile Computing Systems & Applications. ACM 9–16.

  • [24] Power Flash 2016. Power Flash 1Cell SBS-compliant gauge IC for rechargeable smart battery pack applications. http://www.powerflash.com.tw/Product-1Cell.html. (2016).

  • [25] Morten Reintz. 2005. Atmel’s ATmega406 AVR Microcontroller Provides Full Smart Battery and Battery Protection Functionality for 2 - 4 Li-ion Cells in a Single Chip. http://www.atmel.com/images/doc4083_mega406.pdf. (2005).

  • [26] Michael Schwarz Moritz Lipp Daniel Gruss Samuel Weiser Clémentine Maurice Raphael Spreitzer and Stefan Mangard. 2017. KeyDrown: Eliminating Keystroke Timing Side-Channel Attacks. arXiv preprint arXiv:1706.06381 (2017).

  • [27] Omer Shwartz Amir Cohen Asaf Shabtai and Yossi Oren. 2017. Shattered Trust: When Replacement Smartphone Components Attack. In 11th USENIX Workshop on Offensive Technologies WOOT ’17 Vancouver BC Canada August 14-15 2017. USENIX Association. https://www.usenix.org/conference/woot17/workshopprogram/presentation/shwartz

  • [28] Laurent Simon Wenduan Xu and Ross Anderson. 2016. Don’t Interrupt Me While I Type: Inferring Text Entered Through Gesture Typing on Android Keyboards. Proceedings on Privacy Enhancing Technologies 2016 3 (2016) 136–154.

  • [29] Dawn Xiaodong Song David Wagner and Xuqing Tian. 2001. Timing Analysis of Keystrokes and Timing Attacks on SSH.. In USENIX Security Symposium Vol. 2001.

  • [30] Riccardo Spolaor Laila Abudahi Veelasha Moonsamy Mauro Conti and Radha Poovendran. 2017. No Free Charge Theorem: A Covert Channel via USB Charging Cable on Mobile Devices. In International Conference on Applied Cryptography and Network Security. Springer 83–102.

  • [31] Raphael Spreitzer Veelasha Moonsamy Thomas Korak and Stefan Mangard. 2017. Systematic Classification of Side-Channel Attacks: A Case Study for Mobile Devices. IEEE Communications Surveys & Tutorials (2017).

  • [32] Andrew Tanenbaum. 2002. Computer Networks (4th ed.). Prentice Hall Professional Technical Reference.

  • [33] Texas Instruments OMAP5432 Processor-based EVM 2013. OMAP5432 EVM System Reference Guide. http://www.ti.com/tool/OMAP5432-EVM. (2013).

  • [34] Kris Tiri and Ingrid Verbauwhede. 2005. Design Method for Constant Power Consumption of Differential Logic Circuits. In Proceedings of the Conference on Design Automation and Test in Europe - Volume 1 (DATE ’05). IEEE Computer Society Washington DC USA 628–633. https://doi.org/10.1109/DATE.2005.113

  • [35] Qinglong Wang Amir Yahyavi Bettina Kemme and Wenbo He. 2015. I know what you did on your smartphone: Inferring app usage over encrypted data traffic. In Communications and Network Security (CNS) 2015 IEEE Conference on. IEEE 433–441.

  • [36] Zhi Xu Kun Bai and Sencun Zhu. 2012. Taplogger: Inferring user inputs on smartphone touchscreens using on-board motion sensors. In Proceedings of the fifth ACM conference on Security and Privacy in Wireless and Mobile Networks. ACM 113–124.

  • [37] Qing Yang Paolo Gasti Gang Zhou Aydin Farajidavar and Kiran S Balagani. 2017. On Inferring Browsing Activity on Smartphones via USB Power Analysis Side-Channel. IEEE Transactions on Information Forensics and Security 12 5 (2017) 1056–1066.

  • [38] Kehuan Zhang and XiaoFeng Wang. 2009. Peeping tom in the neighborhood: Keystroke eavesdropping on multi-user systems. (2009) 17–32.

  • [39] Li Zhuang Feng Zhou and J Doug Tygar. 2009. Keyboard acoustic emanations revisited. ACM Transactions on Information and System Security (TISSEC) 13 1 (2009) 1–26.

Journal information
All Time Past Year Past 30 Days
Abstract Views 0 0 0
Full Text Views 307 259 2
PDF Downloads 210 167 8