In the months since Rafael PowerSpy rocked the ISS world with news of a revolutionary approach to mobile location, this remarkable advance has all but disappeared from view. The initial report emerged in the most innocuous way, via an obscure academic paper published by the Stanford University Computer Science Department in coordination with financial backer Rafael Advanced Defense Systems Ltd. Clearly it was not the intention to create waves or even ripples in the surface of the mobile location marketplace.
But when first revealed to the public, PowerSpy generated a tsunami of criticism in the technology and privacy media, where it was characterized as a venomous new trick for invading personal privacy. Just as quickly and eerily, PowerSpy vanished from public view, like a phantom. Since March 2015 not a single fresh insight on this venture has been published anywhere.
In all, the tale of PowerSpy is one of the strangest stories in ISS history. What exactly is this technology, who’s behind it and most importantly, how does it perform compared to traditional tools of the trade?
PowerSpy works by measuring variations in power consumption by smartphone apps as a device (and its owner) moves through the network – a uniquely new approach to determining mobile location. In tests conducted, the technology is 90 percent accurate in locating target devices.
Is PowerSpy, as characterized by WIRED and others, the next generation of technology designed to “spy on your cell phone”? That may come to pass when a commercial version arrives, but it’s not true yet. Notwithstanding all the initial hype, PowerSpy at this time is still not a commercial product. But certain aspects of PowerSpy are so interesting that it is wise to keep this potential mobile location technology on the radar:
- No Malware or Man-in-the-Middle Attack Required. The smartphone power sensor, designed to keep track of remaining battery juice in every smartphone, is unprotected. PowerSpy can jump right in to access data on power consumption.
- Machine Learning, AI, Stanford and SRI International. PowerSpy uses algorithmic modeling that facilitates computer learning without human intervention, i.e., it leverages artificial intelligence. Stanford has an engineering school dedicated to machine learning and AI. Stanford was also the original intellectual home turf for the entity that would evolve to become SRI, which today specializes in commercial AI for defense and intelligence.
- Rafael’s Involvement. Rafael was founded as Israel’s National R&D Defense Laboratory for weapons and military technology in 1949, then spun off as an incorporated company in 2002. The US $2 billion enterprise is the second-ranked defense contractor in Israel, with a gamut of military interests produced for the homeland and other nations around the world: air defense, air-to-air systems, land and naval systems, air-to-ground systems, aerial surveillance, rocket motors, warheads and space propulsion systems. The company spends 10 percent of its annual sales on R & D in areas including electronics, microelectronics and software – up from 8 percent in 2015. When Rafael backs research, don’t ever make the mistake of dismissing it. When Rafael gets involved, there is a military or ISS application in the works.
While PowerSpy at first met with criticism for its limited testing, the technology remains promising.
PowerSpy Mobile Location Leverages Smartphone Apps
PowerSpy differs from conventional mobile location technologies by leveraging apps and a sensor that come built-in from the factory. Never mind that according to Kim Komando the overwhelming majority of smartphone owners – 65.5% – download zero new apps per month and simply stick with what they have. The resident apps that come embedded in smartphones are sufficient for PowerSpy to fire up and begin tracking a target’s whereabouts via the power used by apps – and measured by the smartphone’s own power monitor, the sole sensor in these devices that is completely unprotected from intrusion. From the data gathered on the phone’s power consumption, agents can draw a highly accurate picture of the target’s location. That’s a big departure from current state-of-the-art mobile location tracking.
For one thing, PowerSpy is not subject to the usual hoops associated with lawful intercept: a court order and notification of the service provider.
Because PowerSpy involves no special equipment, it will likely – when and if made commercially available – be significantly cheaper than intrusive methods such as IMSI catchers, “off-air” mobile interception systems that circumvent cooperation with the service provider.
PowerSpy is more accurate than Signaling System 7 (SS7), an early signaling technology developed for wireline networks and still incorporated in GSM networks. SS7 includes a Home Location Register (HLR) that provides location of the network node nearest the target in real time. But SS7 is generally considered a mediocre form of mobile location because a targeted device might be hundreds of yards from the nearest network node.
Unlike other mobile location technologies, PowerSpy never touches a device’s GPS or WiFi systems, and thus requires no special access permission from the manufacturer, operator or device owner. Nor does it use the IMSI catcher approach, emitting a signal that creates a fake base station to capture the device’s IMSI number, personal ID, then use an MITM attack to take over the device. All PowerSpy does is latch on to a smartphone’s ampere meter to measure power consumption, and from that data track the target’s proximity to base stations.
As put by the Stanford/Rafael team:
“Suppose that an attacker measures in advance the power profile consumed by a phone as it moves along a set of known routes in a predetermined area such as a city. We show that this enables the attacker to infer the target phone’s location over those routes or areas by simply analyzing the target phone’s power consumption over a period of time. This can be done with no knowledge of the base stations to which the phone is attached. . .”
The PowerSpy “Lab Test”
Because a mobile device’s power consumption directly correlates to its distance from a tower, the smaller the distance the less power used, and the greater the distance the more power used. As the signal drops, the gain must increase. The same holds true when the device is sending or receiving data, which requires continuous transmission with the base station.
To demonstrate this point, researchers measured signal strengths of a device on a predetermined drive through multiple network cells. The results showed a consistent pattern of high and low strength signals through the course, determined by the device’s proximity to a tower.
Next they tried a second series of trials on the same roadways, but this time measuring power consumption. The measurements were not as consistent as those drawn from signal monitoring. The slightest change in the way a mobile device’s modem reacted to variations in signal strengths made a difference in power usage. For example, when a signal from a base station became too weak, the mobile device worked overtime to connect, and as a result power usage by apps increased significantly.
Similarly, stability cratered when the users approached a base station from a different direction. Why? In mobile networks, phones switch to different cells when the signal strength in one base station is surpassed by another. Signal strength can vary depending on geography and obstacles.
Initially, these findings demonstrated that an “attacker” – that is, an agent using PowerSpy – will be forced to use a consistent direction or route of travel as a reference for power measurement. If a target under surveillance via power-consumption-based mobile location takes a side trip he goes “off the grid” from PowerSpy’s perspective.
But all was not lost for the research team. One positive find: Different makes and models of smartphones showed the same reaction to signal strength variations while on the same path. The power samples aligned, allowing researchers “to obtain a reference power measurement without using the same phone as the victim’s.”
There were still issues. Targeted drivers who set out from Point A to Point B might not necessarily move in a straight line, or at the identical speed over the same period of time. How would one create and “score” profiles with so many variables in play? Further complicating matters, some variables might be “latent,” i.e., unknown.
Enter Artificial Intelligence (AI) – and Success
To handle these variables, the team used an offshoot of machine learning: Dynamic Time Warping (DTW), an algorithm for measuring the similarities between sequences that vary in time or speed in order to create an “optimal match.” DTW is used in speech recognition and voice biometrics to identify a target even when speaking at different speeds or in varying contexts. For PowerSpy, DTW was applied to profile power consumption at different drive times and distances along the same path.
To refine the results, the Stanford/Rafael team then measured power consumption along pieces of the travel route, using a variant, the “Subsequence DTW algorithm.”
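To make the DTW and Subsequence DTW steps above concrete, the following added example (not the Stanford/Rafael code) scores a constructed power trace against three constructed reference profiles, then places a fragment of that trace on the matched route. All names and numbers are illustrative assumptions. It shows why even coarse, unprivileged power readings deserve the same access control as other location-bearing sensors: the match survives a different handset and a different driving speed.

```python
import math

def znorm(xs):
    """Zero-mean, unit-variance scaling so different handsets are comparable."""
    mu = sum(xs) / len(xs)
    sd = math.sqrt(sum((x - mu) ** 2 for x in xs) / len(xs))
    return [(x - mu) / sd for x in xs]

def dtw(query, ref, subsequence=False):
    """Return (cost, end_index) of the cheapest warping of query onto ref.
    subsequence=True lets the query match any contiguous stretch of ref."""
    inf = math.inf
    prev = [0.0] + [0.0 if subsequence else inf] * len(ref)  # row for "no query yet"
    for q in query:
        cur = [inf] * (len(ref) + 1)
        for j, r in enumerate(ref, start=1):
            cur[j] = abs(q - r) + min(prev[j], cur[j - 1], prev[j - 1])
        prev = cur
    if not subsequence:
        return prev[-1], len(ref) - 1
    end = min(range(1, len(ref) + 1), key=prev.__getitem__)
    return prev[end], end - 1

# Constructed reference power profiles (arbitrary units), one per known route.
ROUTES = {
    "A": [2, 2, 3, 5, 8, 5, 3, 2, 2, 3, 6, 9, 6, 3, 2],
    "B": [8, 6, 4, 2, 2, 2, 4, 7, 9, 7, 4, 2, 3, 5, 8],
    "C": [3, 3, 3, 4, 4, 5, 5, 6, 6, 7, 7, 8, 8, 9, 9],
}

def observed_trace():
    """Constructed observation: route B at half speed on a different handset
    (gain 1.3, offset 1.5) with a small alternating measurement wobble."""
    slow = [v for v in ROUTES["B"] for _ in range(2)]
    return [1.3 * v + 1.5 + (0.2 if k % 2 == 0 else -0.2) for k, v in enumerate(slow)]

def identify_route(trace):
    """Score the whole trace against every reference; lowest DTW cost wins."""
    q = znorm(trace)
    costs = {name: dtw(q, znorm(ref))[0] for name, ref in ROUTES.items()}
    return min(costs, key=costs.get), costs

def locate_fragment(fragment, route):
    """Subsequence DTW: index on the reference route where the fragment ends."""
    return dtw(fragment, znorm(ROUTES[route]), subsequence=True)[1]

if __name__ == "__main__":
    route, costs = identify_route(observed_trace())
    print(route, {k: round(v, 2) for k, v in costs.items()})
    print(locate_fragment(znorm(observed_trace())[12:20], route))
```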
What about the target who might decide to take a ride in the country, drive in circles, or otherwise go out of his or her way to avoid being tracked? The solution was to test and record the power profiles of every conceivable route in an area predetermined to be possible for the target.
Here, the algorithm that came into play is one well known to the voice biometrics world: the Hidden Markov Model (HMM), a dynamic Bayesian system based on the assumption that some states or variables are latent, i.e., unseen and unknown. For PowerSpy, an example of such an HMM might be a route traversed by intersections which, if taken by the target, would introduce multiple potential consequences in direction, distance and power consumption.
As an added assist, Stanford & Rafael introduced a particle filter called the Monte Carlo approximation, or engine. The Monte Carlo engine is a software tool that weighs all variables to produce multiple possible “futures” or outcomes. For PowerSpy, the filter showed researchers all probable states of an unknown factor based on samples that approximated the probability of a target’s movement at each point. Accuracy was improved by removing device “noise” and normalizing the target’s location profile against points along a route where power consumption was greatest.
With this model in place – DTW + Subsequence DTW + HMM + Monte Carlo filter + noise removal – the Stanford/Rafael team aimed for 90 percent accuracy for its power-consumption-based mobile location trial.
Using a data set of 43 power consumption profiles and four separate routes of roughly 19 kilometers resulted in a success rate of 93 percent in pinpointing the target. Adding three additional routes and another eight power consumption profiles, the target’s mobile location was still tracked with 90.2 percent accuracy.
One problem did occur when tests were conducted in more densely populated areas with higher numbers of mobile base stations. In such instances accuracy fell to 78 percent. Researchers cited higher density of cell coverage and “monotonous” power profiles as the culprits. Given that urban areas were defined as the principal field of operation in test parameters, any such deficiency in PowerSpy clearly needs to be addressed.
Comparing PowerSpy to Conventional Mobile Location
The Stanford/Rafael team maintains that PowerSpy is on par with “fingerprinting” techniques that use pre-recorded radio maps of an area to infer locations via “best matching” techniques. The researchers referenced signal monitoring and RF measurement of path loss as alternatives to their approach, but did not pursue a line item comparison of PowerSpy performance to that of these more conventional mobile location methodologies.
As a result, some reviews of PowerSpy were harsh. Paul Ducklin, at the time a senior advisor for network security company Sophos, panned the experiment:
“To summarize their main result. . .they correctly guessed which of the four known routes were driven, from power usage alone, 93% of the time. To be honest, that’s not a spectacular outcome, especially when they admit that driving from A to B is considered an entirely distinct route from B to A over the same path.”
That characterization, and the likelihood that Stanford/Rafael never anticipated the rush of media criticism that erupted from an academic paper, may explain why PowerSpy went quiet and has yet to resurface. However, in all fairness, it must be said that nearly all major technology innovation stumbles out of the gate the first time. Stanford’s long history of advancing machine learning and AI should never be discounted or dismissed. When it reappears one day, refined and perfected, PowerSpy could well take the lead in the race for mobile location leadership.
To this day, Rafael remains mum on the topic. For a quick overview of PowerSpy, check out this video by the Stanford researchers.