SANS ISC InfoSec Forums

The Battery and Security in Mobile Devices

Once a phone, Treo, Pocket PC, etc. runs out of power in the middle of the day, you remember how reliant mobile devices are on their power sources. During a recent visit to Virginia Tech, I learned of the research Grant Jacoby conducted there several years ago. His dissertation was titled Battery-Based Intrusion Detection. I was fascinated by the fact that he looked beyond the standard network or host-level indicators to detect malicious activities. Instead, he looked at anomalies in the battery's current (mA) patterns.

IDS via power consumption

Grant observed that "by measuring battery power consumption, it is possible to discover anomalous behavior, which can serve as a form of intrusion detection for a variety of attacks. Central to this is the observation that intrusions manifest observable power-related events that deviate from normal behavior."

For example, take a look at the current patterns Grant collected on an iPaq PDA when the device was the subject of an nmap port scan and of an ICMP ping flood. There are clearly observable differences between the attack patterns and those of the baseline.

[Figure: Nmap Scan - Current]

[Figure: Ping - Current]
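To make the detection idea concrete, here is an added example (not code from the diary or from Jacoby's dissertation) of the simplest form of battery-based intrusion detection: learn the idle current profile of a device from a clean capture, then flag any sustained run of readings that sits well above that profile. The current readings, the 3-sigma threshold and the minimum run length are all constructed assumptions; on a real device the samples would come from the battery gauge. Note that it works on instantaneous current draw, not on how long a charge lasts, so normal capacity decay of an ageing battery does not shift the baseline.

```python
"""Battery-current anomaly detection (added example, constructed data).

Learn an idle-state baseline from attack-free current readings, then report
sustained periods in which the draw exceeds baseline mean + k * std.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import List


@dataclass
class Baseline:
    mean_ma: float  # average current (mA) while the device is idle
    std_ma: float   # spread of that idle current


@dataclass
class Alert:
    start: int      # index of the first over-threshold sample
    end: int        # index of the last over-threshold sample (inclusive)
    mean_ma: float  # average draw during the run
    peak_ma: float  # highest reading in the run


def learn_baseline(idle_samples_ma: List[float]) -> Baseline:
    """Build the idle profile from a capture taken while nothing was happening."""
    if len(idle_samples_ma) < 2:
        raise ValueError("need at least two idle samples to learn a baseline")
    return Baseline(mean(idle_samples_ma), pstdev(idle_samples_ma))


def threshold_ma(baseline: Baseline, k: float = 3.0) -> float:
    """Readings above mean + k * std are treated as anomalous (k is an assumption)."""
    return baseline.mean_ma + k * baseline.std_ma


def detect(samples_ma: List[float], baseline: Baseline,
           k: float = 3.0, min_run: int = 3) -> List[Alert]:
    """Return one Alert per run of at least min_run consecutive over-threshold
    samples. Requiring a run, rather than a single sample, keeps one-off
    spikes (screen wake, a keypress) from raising alerts."""
    limit = threshold_ma(baseline, k)
    alerts: List[Alert] = []
    run: List[int] = []  # indices of the current over-threshold run

    def flush() -> None:
        if len(run) >= min_run:
            values = [samples_ma[i] for i in run]
            alerts.append(Alert(run[0], run[-1], mean(values), max(values)))
        run.clear()

    for i, ma in enumerate(samples_ma):
        if ma > limit:
            run.append(i)
        elif run:
            flush()
    if run:
        flush()
    return alerts


# Constructed readings, one per second. Idle draw hovers around 120 mA; the
# "scan" block imitates the elevated, noisy draw of a device answering probes;
# the lone 400 mA reading stands in for a screen wake-up.
IDLE_PATTERN = [118, 120, 122, 121, 119]
SCAN_PATTERN = [255, 270, 262, 280, 258]
BASELINE_CAPTURE = IDLE_PATTERN * 12                  # 60 s of clean idle
MONITORED = (IDLE_PATTERN * 4                         # 0-19: idle
             + SCAN_PATTERN * 6                       # 20-49: sustained load
             + IDLE_PATTERN * 2                       # 50-59: idle
             + [120, 400, 119]                        # 60-62: single spike
             + [118, 120, 122, 121, 119, 118, 120])   # 63-69: idle


if __name__ == "__main__":
    base = learn_baseline(BASELINE_CAPTURE)
    print(f"baseline: {base.mean_ma:.1f} mA +/- {base.std_ma:.2f}, "
          f"threshold {threshold_ma(base):.1f} mA")
    for a in detect(MONITORED, base):
        print(f"alert: samples {a.start}-{a.end}, "
              f"mean {a.mean_ma:.1f} mA, peak {a.peak_ma:.0f} mA")
```

With the constructed data the thirty-second block of elevated draw produces one alert, while the isolated 400 mA reading does not, because it never reaches the minimum run length. Lowering `min_run` to 1 turns that spike into a second alert, which is the false-positive trade-off any such detector has to make.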

DDoS via power consumption

Grant also brought up an interesting attack scenario that could deplete batteries of mobile devices, affecting the "availability" aspect of security. The idea is for the attacker to attempt to communicate with the device via a wireless network. Even if the victim's device does not complete the connection, the device's power will be used up at a higher rate than if it remained idle. An attacker can issue a high number of such connection requests to deplete batteries of all mobile devices in the proximity. (I suppose both Wi-Fi and Bluetooth could be used to accomplish this.)

Creative sources of intrusion indicators

What non-traditional sources of indicators could be used to detect attack-related activities? Let us know if you think of something creative. What comes to mind at the moment is the urban legend that an increase in pizza orders to a government agency indicates an impending military operation. Or, perhaps more practically, a hard disk activity light blinking during odd hours may suggest that a system is being controlled by someone other than its regular user.


-- Lenny

Lenny Zeltser
Security Consulting - SAVVIS, Inc.


Mar 17th 2008
Do not assume that battery power consumption has increased if a device's battery "dies" in shorter time from a full charge. That would be a secondary indicator influenced by additional factors, one of which is normal charge capacity decay of rechargeable batteries over their lifetime.

When considering any indicator, always think about what could cause false positives and the likelihood of those events occurring.
G.Scott H.

This article highlights yet more reasons to disable wifi capability when not being used. If we're talking smartphones, it's probably difficult (if not impossible) to turn off connectivity when not needed; they are designed to always be connected to the network. If we're talking just PDAs, I believe most PDAs have the capability to turn off wireless functionality, whether it is bluetooth or wifi. Scott also brings up a good point about normal charge capacity decay. Also, what about those people who tend to take multiple batteries with them? I do have dual batteries for my PDA and I keep one charged fully while using the other. Most people also carry some type of charger with them, whether at work or at home (and even can charge devices in transit to/from work). These are things to consider, I guess.

