PowerSpy

Location Tracking using Mobile Device Power Analysis

Yan Michalevsky(1), Gabi Nakibly(2), Dan Boneh(1) and Aaron Schulman(1)

(1) Stanford University, (2) National Research and Simulation Center, Rafael Ltd.

Smartphone location $\approx$ Owner location


An attacker would like you to install a seemingly innocent application...

That doesn't require any permissions

Accessing location

Even coarse location based on cellular network information

Requires permissions

Reading voltage and current

Does not require permissions

/sys/class/power_supply/battery/voltage_now /sys/class/power_supply/battery/current_now

$Power = f(Signal\ Strength)$

  • More power used upon transmission under low SNR
  • Signal amplification, error correction on the receive part
  • Verified experimentally in Bartendr [Schulman et al.]

Signal strength depends on geography and environment

Signal strength stability

Signal strength stability

Can a power profile be stable too?

"SPIES CAN TRACK YOU JUST BY WATCHING YOUR PHONE’S POWER USE"

From Wired.com

Power profile consistency

Two phones of same model, same drive

Different models, same drive

What can we achieve by that?

  • Route distinguishability
  • Real-time motion tracking
  • New route inference

Route Distinguishability

What can we achieve by that?

  • Route distinguishability
  • Real-time motion tracking
  • New route inference

Real-time tracking

along a known (or assumed) route

What can we achieve by that?

  • Route distinguishability
  • Real-time motion tracking
  • New route inference

New route inference

Evaluation

Data processing

  • Standardization: $\frac{x - mean(x)}{std(x)}$
  • Smoothing: using a Moving Average filter (obtain general trends)
  • Downsampling (important for computation reduction)

Distinguishing routes

Each power profile is a time-series

Classifier based on time series comparison using Dynamic Time Warping (DTW)

Dynamic Time Warping

Euclidean distance

DTW distance

We can distinguish between routes

Unique Routes# Ref. Profiles/Route# Test Routes Success %Random Guess %
810558513
175119716
174136686
213157615
252182534
291211403

Real-time tracking

  1. A window of received samples is a subsequence of the reference power profile
  2. Using Subsequence-DTW determine the offset of the subsequence
  3. Infer location from reference profile

We can track along a route

We can track along a known route

And compensate for obvious errors...

New route inference

  • Points on map represented by nodes
  • Connecting road segments represented by edges
  • Probabilistic graphical model of location

Route inference based on road segments

Destination Localization

Route inference based on road segments

Exact Full Route Fit

Route inference based on road segments

Evaluation metric based on Levenshtein Distance

$d = 0.125$

$d = 0.25$

$d = 0.43$

Route inference based on road segments

Levenshtein Distance

Future work

  • Evaluation on larger datasets
    • More routes
    • More profiles per route
  • Improved tracking (Kalman filter?)
  • Improved route inference (HMM, Viterbi...)

Future work

  • Find better features
  • Current inference (from voltage)
  • State of Discharge (SOD) derivative as very coarse indicator
  • LTE
  • Choice of reference routes (time/condition based)

Defenses

Non-defenses

  • Adding noise
  • Limiting power sampling rate

Defenses

  • Secure hardware design
    • Exclude TX/RX chain from power measurement
  • Require superuser privileges to access power
  • Power consumption as a coarse location indicator

Conclusion

  • Giving applications direct access to hardware is dangerous
  • Permissions need to address sensor access
  • Hardware should not provide more than applications require (problematic)
  • Provide abstractions, not raw data [Jana et al.]

Thank you very much



Questions?