Cell Phones Leak Location Information through Power Usage

New research on tracking the location of smart phone users by monitoring power consumption:

> PowerSpy takes advantage of the fact that a phone's cellular transmissions use more power to reach a given cell tower the farther it travels from that tower, or when obstacles like buildings or mountains block its signal. That correlation between battery use and variables like environmental conditions and cell tower distance is strong enough that momentary power drains like a phone conversation or the use of another power-hungry app can be filtered out, Michalevsky says.
>
> One of the machine-learning tricks the researchers used to detect that "noise" is a focus on longer-term trends in the phone's power use rather than those that last just a few seconds or minutes. "A sufficiently long power measurement (several minutes) enables the learning algorithm to 'see' through the noise," the researchers write. "We show that measuring the phone's aggregate power consumption over time completely reveals the phone's location and movement."
>
> Even so, PowerSpy has a major limitation: It requires that the snooper pre-measure how a phone's power use behaves as it travels along defined routes. This means you can't snoop on a place you or a cohort has never been, as you need to have actually walked or driven along the route your subject's phone takes in order to draw any location conclusions.

I'm not sure how practical this is, but it's certainly interesting.

The paper.
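As an added illustration (not code from the paper or the post), the toy model below captures the two points the quoted passage makes: a trace has to be compared against pre-measured route profiles, and a long averaging window is what lets a simple correlation match see past short power bursts from calls or apps. Route names, power levels and the burst model are all constructed.

```python
"""Toy model of the route-matching idea in the post (added illustration, not
code from the paper).  Every route name and power value is constructed."""
import random
import statistics

SAMPLES_PER_BIN = 10  # 1 Hz power samples aggregated into 10 s bins

# Constructed "pre-measured" profiles: mean radio power (mW) per 10 s bin
# along two routes, shaped by tower distance and obstructions.
ROUTES = {
    "route_A": [120, 130, 145, 170, 210, 260, 230, 190, 150, 130, 120, 115],
    "route_B": [200, 180, 150, 130, 125, 140, 180, 240, 280, 250, 200, 170],
}

def expand(profile):
    """A profile at 1 Hz resolution, so it lines up with a raw trace."""
    return [level for level in profile for _ in range(SAMPLES_PER_BIN)]

def simulate_trace(profile, burst_mw=400, seed=1):
    """Constructed observed trace: profile + sensor jitter + a few short
    bursts that stand in for a call or a power-hungry app."""
    rng = random.Random(seed)
    trace = []
    for level in expand(profile):
        sample = level + rng.gauss(0, 10)
        if rng.random() < 0.05:      # roughly one burst every 20 s
            sample += burst_mw
        trace.append(sample)
    return trace

def moving_average(samples, window):
    """Centered running mean; a long window washes the bursts out."""
    half = window // 2
    return [statistics.fmean(samples[max(0, i - half):i + half + 1])
            for i in range(len(samples))]

def pearson(xs, ys):
    """Correlation coefficient, used as the route similarity score."""
    mx, my = statistics.fmean(xs), statistics.fmean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = sum((x - mx) ** 2 for x in xs) ** 0.5
    sy = sum((y - my) ** 2 for y in ys) ** 0.5
    return cov / (sx * sy) if sx and sy else 0.0

def match_route(trace, routes=ROUTES, window=30):
    """Smooth over `window` seconds, then score every known profile.
    Returns the best-scoring route name and the full score table."""
    smoothed = moving_average(trace, window)
    scores = {name: pearson(smoothed, expand(prof))
              for name, prof in routes.items()}
    return max(scores, key=scores.get), scores
```

Compare `pearson(trace, expand(profile))` on the raw trace with the score `match_route` reports for the same profile: the bursts drag the raw correlation down, while the 30-second average recovers it.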

Posted on February 23, 2015 at 10:30 AM • 22 Comments

Comments

offline • February 23, 2015 11:06 AM

> Even so, PowerSpy has a major limitation: It requires that the snooper pre-measure how a phone's power use behaves as it travels along defined routes.

I guess this "pre-measurement" will be done by all the people who have GPS-aware applications enabled.

John Macdonald • February 23, 2015 11:57 AM

There is less of a limitation than a complete pre-measurement map: focussed post-measurement would work too. In many cases there would be one or more known sightings of the target person to correlate with. Take the trace of fluctuations, match against a known time/position, and measure the power levels to find the locations that match the trace before and after the known point. Repeat as required until the entire route has been discovered.

There could be gaps of course. Going through dead zones (especially subway systems with long sets of branching tunnels that block connection fairly well). However, pre-measurement of subway entrances is a much smaller job than pre-measurement of an entire geography. And, in most cities, there is only a small number (if any) of subway lines that don't pop up to the surface often enough to resolve traces quite easily.

vas pup • February 23, 2015 12:18 PM

vas pup • February 23, 2015 10:19 AM
Power usage and phone privacy (fresh): http://www.bbc.com/news/technology-31587621:
"We are approaching the point where the only safe way to use your phone is to pull the battery out - and not all phones let you do that.", but you can hold your phone in a small Faraday cage (when not in use - blocking all remote inputs/outputs) OR use it with the charger plugged in to avoid such tracking (educated guess, but Clive could grind it).

SJ Parkinson • February 23, 2015 12:24 PM

Google cars have cell links and they travel all over the world. Would not be hard to get that data if it was not already turned over voluntarily.

albert • February 23, 2015 12:24 PM

No need for apps; the code can be implanted in every phone, right at the factory!

Anyway, don't they already have code that determines the distance from a cell tower, and the relative signal strength on each antenna for vectoring?

Wouldn't it be easier just to implant everyone with a tracking chip? (Foreign visitors could wear ankle monitors that blow up if you try to remove them)

It's a small price to pay, for living in (or visiting) the Land Of The Free.

...

Clive Robinson • February 23, 2015 12:41 PM

This sort of "power signature" has been discussed on this blog before by RobertT and myself. In at least one specific case to do with "smart-meters" I pointed out that an external observer of your home's power signature could tell many things such as what you are watching or listening to, what power level the microwave is on, if you are using your hair dryer etc etc.

And... there is of course an obvious weak point in this mobile phone system, that the authors mention indirectly,

    A sufficiently long power measurement (several minutes) enables the learning algorithm to 'see' through the noise

That is unless a user decides to take counter measures and write an app of their own.

They could for instance write their app to turn on and off say the back light to make the power signature constant at all times.

Or if they wanted to cover up some other activity, they could make their own measurements along their normal route and also on a different route and in effect subtract one from the other to make a power signature difference signal.

They then write an app that when running uses the difference signal to make the average power signal on the new route look like that of the old route...

It's why you have to use multi-dimensional signals that correctly correlate to known external references for things to be considered sufficiently reliable as evidence.

Pretty much any one dimensional measurement without external reference is "easy meat" for forgery. I just wish the people that come up with these "No 5h1t Sherlock" ideas would go the extra mile and identify the weaknesses in their schemes.

As Bruce has pointed out with crypto, anybody clueless or otherwise can come up with a system they think is wonderful or infallible. They only become of repute when they show they know how to break their systems, and what measures they can or have put in place to detect / prevent such attacks.

Now interestingly, I don't think that all the authors of such papers can not see the defects in their systems or ways to fix/detect... I suspect that they have other pressures such as "publish or die" and "commercialize first" to consider.

jones • February 23, 2015 12:52 PM

> as you need to have actually walked or driven along the route your subject's phone takes in order to draw any location conclusions.

Right.... the type of data Google might have gathered with their Street View vans:

http://www.bbc.com/news/technology-24047235

One more reason to pay attention to NSA involvement in matters of industrial espionage...

> P. whereas the US intelligence services do not merely investigate general economic facts but also intercept detailed communications between firms, particularly where contracts are being awarded, and they justify this on the grounds of combating attempted bribery; whereas detailed interception poses the risk that information may be used for the purpose of competitive intelligence-gathering rather than combating corruption, even though the US and the United Kingdom state that they do not do so; whereas, however, the role of the Advocacy Center of the US Department of Commerce is still not totally clear and talks arranged with the Center with a view to clarifying the matter were cancelled,

http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+REPORT+A5-2001-0264+0+DOC+XML+V0//EN

Nick P • February 23, 2015 1:08 PM

The more interesting thing for side channel research to look into is how wireless communication might leak secrets in phones using encryption. My old investigations into secure phones kept me worrying about this. Here's the issue: active emanation attacks bounce electromagnetic waves off chips to force their secrets out; cellphones have a transmitter going off right next to the chip storing secrets; waves bouncing off that chip will travel quite a distance.

So, does the very nature of a wireless phone make it broadcast its secrets? Can the effects be utilized practically by emanation processing equipment? If the risk is real, how to design a wireless phone without these leaks that's still compact like modern phones?

@ Clive Robinson

I'd especially like to hear your opinion on this.

Lee • February 23, 2015 1:17 PM

High level apps on cell phones, keyed to a nefarious purpose, are a known nuisance. But - all the chatter about them might obscure the rest of the iceberg. L4 (and its derivatives) are on how many cell phones? Two billion? Given that code easily trumps everything else, do we have sufficient fiduciary faith that its current owner will do the right thing (General Dynamics)? G-e-n-e-r-a-l D-y-n-a-m-i-c-s ?

Bob S. • February 23, 2015 1:21 PM

There seem to be 10 new ways to spy on people for every new way to counteract it.

I guess the future of our personal freedom and security depends on the predators over playing their hand to the point of a revulsion by the peasantry. That seems unlikely right now.

Viruzon • February 23, 2015 1:37 PM

A few years ago I started by switching my phone's wifi off to avoid AP spoofing and MITMs.

A few months later I set it to airplane mode whenever I went out, to avoid stingrays.

A bit later I switched it completely off and removed the battery to avoid active RFID and malware that bypasses airplane mode.

Nowadays I leave it at home 90% of the time. I've realized that I just don't need it. It feels great not spending the day with my face glued to a 4" screen. Try it.

Otter • February 23, 2015 1:48 PM

There is enough handwaving here, absent a celebrity defense lawyer, to impress a jury of Jeb Bush's peers.

Foolish victims of entrapment, and freespeech terrorists, would rarely vary their paths very much.

Surely, by now, every serious saboteur knows better than to carry anything more technical than a kleenex.

In any case, a real hunter does not know at every moment where his target is. When the trail is lost, simple heuristics find it again. Doubtless most of the same heuristics were learned by the machine to detect and filter out "noise".

In modern cities where this technology would be useful, hundreds or thousands of the same devices travel the same streets, providing abundant path fragments, for clever software to bury uncertainty. There are webcams, too.

Jeremy L • February 23, 2015 2:34 PM

@Nick

The phone could be modular, each module RF shielded, and only communicate with other modules optically via POF.

Granted, LEDs and lasers can receive data even when intended for transmit only, but that effect is much weaker than a couple watts of RF. And a Faraday rotator / optical diode could assist with the optics.

Clive Robinson • February 23, 2015 2:58 PM

@ Nick P,

> So, does the very nature of a wireless phone make it broadcast its secrets? Can the effects be utilized practically by emanation processing equipment?

That takes me back to the 80's when I experimented in using EM fields to get data out of encased computers and smart cards. If you hunt back on this blog you will find that RobertT and I had a few chats about it. The answer to both questions by the way is yes.

Put simply, any EM field is going to be distorted by any conductor within it (have a look at skin effect, waveguides and reradiation); it's why yagi and other antennas with gain work. Also the distortion in the EM field will vary with any current flowing in the conductor or change in its effective impedance, due to the interaction of the H fields at the surface. This can be observed when a second receiver is near one of those electronically driven "direction finding" antennas --I pointed @Figureitout to a little while back-- from the likes of DATong: it 'hears' the distortion from the electronic rotation, which can actually be heard as an 800Hz whine on the second receiver.

The only real question is to what extent the resulting RF field is distorted, and if it is sufficient to distinguish at a distance. There is a whole bunch of classified EmSec on this but you can carry out fairly simple experiments. Ross J. Anderson's second edition of Security Engineering gives details on "illuminating" keyboard cables to get the serial data from the keyboard.

Obviously the nearer the conductor length is to a quarter-wave or other resonant length, the more efficient it will be at coupling the two fields. Thus PCB traces of optimal length from sensitive chip pins will be a consideration in the design. But watch out for small loops and gamma matches to other PCB traces or conductors, or even gaps (see slot radiators and gamma matching antennas).

If you want to experiment, make or get a UHF transmitter and a separate receiver (or borrow Ham 70cms gear). Make a half wave antenna with anti-parallel diodes connecting the two quarter waves. Using a couple of resistors from either side of the diodes, drive it with the output of a small audio transformer with a sinewave audio tone. Spark up the transmitter on low power unmodulated and tune the receiver to its output frequency; provided you don't overload things you should hear the audio tone as an AM signal (or SSB secondary tone). Change the audio tone for say a low speed FSK output or Manchester or similar coded data and you should be able to recover it at the receiver. There are pages up on the Internet where people have built "reflector" or "radar" bugs to show that the TAO catalogue stuff worked well.

Joerg • February 23, 2015 3:04 PM

This power consumption fingerprinting is a big hoax. It won't fly in real life, since the power consumption of a phone is related to distance from the BTS in a way like
($distance * $environment * U * V * W * X * Y) + C = powerconsumption
Any claims that the unknown factors U through Y could get "filtered out" are misleading.
A phone call isn't "noise"; a phone call is as good as it gets for actually relating power consumption to distance from the BTS. Filtering it out, you're left with nothing at all, unless your phone would do data at a very constant bandwidth (let's call it "U") and pattern (call it "V"). You can't hope for such a constant data pattern either, since you can't control the inbound data at all.

Joerg

albert • February 23, 2015 5:12 PM

@Clive
Smart meters might be useful for determining if you leave your Grow-Lux lights on all night; otherwise, no, it's just power consumption. Placing a webcam on your conventional meter would accomplish the same thing, although at great expense (and expenses are the combo-silver-bullet-cross-wooden-stake to the power companies). Smart meters won't kill you with radiation, either:)

That said, there are a few interesting things that a smart meter _could_ do.
It could record instantaneous power usage at very small intervals (instead of a moving average), store it, then phone home at the standard reporting rate to upload it.
It could record the power factor, which could be used to determine how much reactive load (motors and transformers) is on at any given time.
It could function as a noise analyzer. Almost all power supplies today use switching technology, which generate noise in building wiring. Brush-type motors (your vacuum cleaner, or plug-in drill motor) are very noisy, electrically. Even induction motors (like Hi-Eff furnace blowers) are often driven by noisy inverters (VFDs).
All kinds of RF signals crowd our house wiring; radio, television, and wi-fi. (Years ago, we used to place a pocket radio near our computers, tuned to an unused frequency. You could hear the noise generated by the memory chip activity.)
Except for possibly wi-fi, I don't see any security concerns here. Seems like the NSA already has _that_ covered :)
.
It would be interesting to delve more deeply into this.
...

Wael • February 23, 2015 10:21 PM

Purely academic. Power consumption depends on a lot of external factors as well! Network congestion, weather conditions, moving traffic, characteristics of the vehicle driven, reflections and interference... That in addition to the unpredictable applications that are running, updated SMS, Instant Messages, emails, volume controls, or watching a movie! I don't see how one can "read through the noise" of unpredictable events that cause power fluctuations! Machine learning?

name.withheld.for.obvious.reasons • February 23, 2015 10:28 PM

@ Clive Robinson

> Obviously the nearer the conductor length is to a quarter-wave or other resonant length, the more efficient it will be at coupling the two fields. Thus PCB traces of optimal length from sensitive chip pins will be a consideration in the design. But watch out for small loops and gamma matches to other PCB traces or conductors, or even gaps (see slot radiators and gamma matching antennas).

Don't forget polar-phase and receiver/transmitter geometries along with exacting wavelength matching...unless you can orient the receiver's antenna (without reflections) or can produce a pure (or computed) orthogonal orientation, side-band effects will be problematic even with time-based filtering (FIR type).

@ Moderator

Inadvertent post--corrected in this post.

Robin • February 24, 2015 6:04 AM

This is super shocking and very interesting to read. I don't think there will be a fix anytime soon. Sad state of security for normal users.

Robin.

Clive Robinson • February 25, 2015 10:13 AM

@ Vas Pup,

Yes, Airhopper has been discussed in Fri'd Squid pages before; the idea is far from new, but then few attack vectors are really new.

Oh the Israeli Prof, is sponsored by a major German Telco that is in bed with the German IC and thus rather closer to Washington and London than Berlin in allegiance...

Ralph D. • February 25, 2015 6:22 PM

Really interesting. I'm a technician and never thought about such a sophisticated way to locate the device. Science is developing so fast now, and we can't control bad things that are resulting from this.. sad observation is that we use our knowledge to limit freedom, instead of, for example - healing people.
