This weakness occurs when software fails to limit how much power or battery a device consumes, allowing an attacker or malicious process to drain the device's battery or exceed power budgets. On battery-powered devices, mobile phones, IoT sensors, and embedded systems, uncontrolled power consumption can render a device unusable, cause data loss, or trigger unsafe shutdowns.
02 How It Happens
Power consumption vulnerabilities arise when code performs expensive operations (CPU-intensive loops, constant network requests, persistent GPS polling, high-brightness display updates, or cryptographic operations) without throttling, rate-limiting, or resource budgeting. A developer may not consider power as a finite resource, or may assume that the operating system will automatically manage it. An attacker can trigger these expensive operations repeatedly—either through direct API calls, crafted input, or by exploiting a logic flaw—forcing the device to consume power faster than it can be replenished.
03 Real-World Impact
A drained battery can disable a device entirely, preventing emergency calls or access to critical data. In industrial IoT or medical devices, unexpected shutdown may interrupt monitoring or treatment. Repeated battery drain attacks can accelerate battery degradation, shortening device lifespan. On shared systems, one user or process can monopolize power resources, starving other legitimate applications.
04 Vulnerable & Fixed Patterns
Vulnerable pattern
import requests
import time

def process_data(payload):
    # Stand-in for the application's real handler (added so the snippet runs;
    # the original page left it undefined)
    print(len(payload))

def sync_data(user_id):
    while True:
        # No rate limit, no backoff, no power check
        response = requests.get(f"https://api.example.com/data/{user_id}")
        if response.status_code == 200:
            process_data(response.json())
        time.sleep(0.1)  # Tight loop drains battery quickly

sync_data("user123")
Why it's vulnerable: The loop runs continuously with minimal delay, making constant network requests and CPU usage without checking device power state or implementing exponential backoff. An attacker can trigger this function repeatedly or keep it running indefinitely.
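The page gives a fixed pattern only for the PHP case. The following is an added example (not code from the original page) of what a throttled version of the Python sync_data loop looks like: a minimum interval between successful polls, exponential backoff with a cap after failures, a bounded number of loop passes, and a battery check that defers work instead of spinning. The network call, the sleep and the battery query are injected as callables so the loop runs offline; in production you would pass requests.get with a timeout, time.sleep and a platform battery query. The interval and threshold constants are assumed values, and the endpoint URL is the page's own placeholder.

```python
"""Throttled replacement for sync_data (added example, not from the original page).

Network access, sleeping and the battery query are injected as callables so the
loop runs offline; in production pass requests.get (with a timeout), time.sleep
and a platform battery query. The endpoint URL is the page's own placeholder.
"""
from typing import Callable, Dict, List, Tuple

MIN_POLL_INTERVAL = 30.0    # seconds between successful polls (assumed value)
BASE_BACKOFF = 1.0          # first retry delay after a failure (assumed value)
MAX_BACKOFF = 300.0         # cap on retry delay (assumed value)
LOW_BATTERY_PERCENT = 15    # defer polling below this unless charging (assumed)


def backoff_delay(consecutive_failures: int) -> float:
    """Exponential backoff: 1 s, 2 s, 4 s, ... capped at MAX_BACKOFF."""
    return min(MAX_BACKOFF, BASE_BACKOFF * (2 ** consecutive_failures))


def should_poll(power: Dict[str, object]) -> bool:
    """Skip network work on a low battery unless the device is charging."""
    return bool(power["charging"]) or int(power["percent"]) > LOW_BATTERY_PERCENT


def sync_data(user_id: str,
              fetch: Callable[[str], Tuple[int, object]],
              sleep: Callable[[float], None],
              power_state: Callable[[], Dict[str, object]],
              max_iterations: int) -> Dict[str, object]:
    """Poll for at most max_iterations loop passes and report what happened.

    fetch(url) returns (status_code, payload); power_state() returns
    {"percent": int, "charging": bool}. Every pass ends with a sleep, so the
    loop never spins, and the pass count bounds the total work.
    """
    successes = failures = consecutive_failures = 0
    processed: List[object] = []
    total_sleep = 0.0
    for _ in range(max_iterations):
        if not should_poll(power_state()):
            # Low battery: defer the poll rather than spend power on it.
            sleep(MIN_POLL_INTERVAL)
            total_sleep += MIN_POLL_INTERVAL
            continue
        try:
            status, payload = fetch(f"https://api.example.com/data/{user_id}")
        except Exception:          # a network error counts as a failure
            status, payload = 0, None
        if status == 200:
            processed.append(payload)
            successes += 1
            consecutive_failures = 0
            delay = MIN_POLL_INTERVAL
        else:
            failures += 1
            delay = backoff_delay(consecutive_failures)
            consecutive_failures += 1
        sleep(delay)
        total_sleep += delay
    return {"successes": successes, "failures": failures,
            "processed": processed, "total_sleep": total_sleep}


if __name__ == "__main__":
    # Constructed stand-in for the network: one success, two errors, one success.
    statuses = iter([200, 503, 503, 200])
    result = sync_data("user123",
                       fetch=lambda url: (next(statuses), {"url": url}),
                       sleep=lambda s: None,
                       power_state=lambda: {"percent": 80, "charging": False},
                       max_iterations=4)
    print(result)
```

The design point is that every path through the loop body ends in a sleep whose length is chosen by the code, not by the server's response time, and that a failing endpoint pushes the device toward less work rather than more. Bounding the pass count (or a wall-clock deadline) is what stops an attacker who can start the routine from keeping it running indefinitely.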
<?php
// Triggered on every page load
function update_cache() {
    for ($i = 0; $i < 10000; $i++) {
        // Expensive hashing with no throttle
        $hash = hash('sha256', "data_" . $i);
        file_put_contents('/tmp/cache_' . $i, $hash);
    }
}
update_cache();
?>
Why it's vulnerable: The function performs 10,000 expensive hash operations and file writes on every invocation without checking system load, rate-limiting, or deferring work to off-peak times. If called frequently, it will consume CPU and I/O continuously.
Fixed pattern
<?php
function update_cache_throttled() {
    $cache_file = '/tmp/cache_timestamp';
    $last_run = file_exists($cache_file) ? (int)file_get_contents($cache_file) : 0;
    $now = time();
    // Only run once per hour
    if ($now - $last_run < 3600) {
        return;
    }
    // Process in smaller batches with sleep
    for ($i = 0; $i < 10000; $i += 100) {
        for ($j = $i; $j < min($i + 100, 10000); $j++) {
            $hash = hash('sha256', "data_" . $j);
            file_put_contents('/tmp/cache_' . $j, $hash);
        }
        // Yield CPU between batches
        usleep(100000); // 100ms
    }
    file_put_contents($cache_file, $now);
}
update_cache_throttled();
?>
05 Prevention Checklist
Implement rate-limiting and throttling on expensive operations (network requests, cryptographic functions, sensor polling). Use exponential backoff for retries.
Set timeouts and resource budgets for long-running tasks; cancel or defer work if power or CPU thresholds are exceeded.
Monitor and log power consumption patterns; alert on anomalies or sustained high usage.
Batch operations and defer non-critical work to scheduled maintenance windows or when the device is plugged in.
Respect OS power-management APIs (e.g., Android's BatteryManager, iOS's Low Power Mode) and reduce functionality when signaled.
Test on real hardware under battery constraints; simulator testing alone may miss power-related issues.
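The budget, batching and plugged-in items of the checklist fit together as one scheduling decision. The following is an added example (not code from the original page) of a small scheduler that enforces a per-window energy budget on battery, runs critical work regardless, and defers non-critical work until the device is on external power or inside a maintenance window. The energy units, the window length and the two flags (plugged in, in maintenance window) are assumptions; a real deployment would read them from the OS power-management API and its own schedule.

```python
"""Power-budgeted work scheduler (added example, not from the original page).

Costs are in arbitrary energy units assigned by the developer; the budget
window, the plugged-in flag and the maintenance-window flag are assumed inputs
that a real deployment would read from the OS and its schedule.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class Task:
    name: str
    cost: int                  # estimated energy units (constructed scale)
    critical: bool             # critical work runs regardless of budget
    run: Callable[[], None]


@dataclass
class PowerBudget:
    """Allows units_per_window energy units per window while on battery."""
    window_seconds: float
    units_per_window: int
    spent: int = 0
    window_start: float = 0.0

    def _roll(self, now: float) -> None:
        if now - self.window_start >= self.window_seconds:
            self.window_start, self.spent = now, 0

    def try_charge(self, cost: int, now: float) -> bool:
        """Reserve cost units if they fit in the current window."""
        self._roll(now)
        if self.spent + cost > self.units_per_window:
            return False
        self.spent += cost
        return True

    def record(self, cost: int, now: float) -> None:
        """Account for work that ran regardless of the budget."""
        self._roll(now)
        self.spent += cost


def schedule(tasks: List[Task], budget: PowerBudget, now: float,
             plugged_in: bool, in_maintenance_window: bool) -> Tuple[List[str], List[str]]:
    """Run what the power situation allows; return (ran, deferred) task names."""
    ran: List[str] = []
    deferred: List[str] = []
    for task in tasks:
        if plugged_in:
            task.run()                      # external power: no budget applies
            ran.append(task.name)
        elif task.critical:
            budget.record(task.cost, now)   # must run, but still counts
            task.run()
            ran.append(task.name)
        elif in_maintenance_window and budget.try_charge(task.cost, now):
            task.run()
            ran.append(task.name)
        else:
            deferred.append(task.name)      # wait for charger or next window
    return ran, deferred


def demo_tasks(log: List[str]) -> List[Task]:
    """Constructed task list used by the stand-alone run below."""
    return [
        Task("upload-telemetry", 40, False, lambda: log.append("upload")),
        Task("heartbeat", 5, True, lambda: log.append("heartbeat")),
        Task("reindex-cache", 80, False, lambda: log.append("reindex")),
    ]


if __name__ == "__main__":
    log: List[str] = []
    budget = PowerBudget(window_seconds=3600, units_per_window=100)
    print(schedule(demo_tasks(log), budget, now=1000.0,
                   plugged_in=False, in_maintenance_window=True))
```

Deferred work is returned rather than dropped, so the caller can queue it for the next window; that is what turns "cancel or defer" into something observable, and the budget counters are also the natural thing to log for the monitoring item above.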
06 Signs You May Already Be Affected
Observe whether a device's battery drains unusually fast during normal use, or if a specific app or background process consistently consumes high CPU or network bandwidth. Check system logs for repeated failed requests, tight polling loops, or processes that never sleep. On mobile devices, enable battery usage monitoring and look for apps that claim disproportionate power consumption.
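Two of the log signals named above, tight polling loops and repeated failed requests, can be checked mechanically. The following is an added example (not code from the original page) that parses request log lines per process, computes the mean interval between requests and the failure ratio, and flags processes that poll faster than a threshold or fail most of the time. The log line format, the threshold values and the sample lines are all constructed for this example; adapt the regular expression to your own log format.

```python
"""Tight-polling / repeated-failure detector over request logs
(added example, not from the original page).

The log format and the threshold values are assumptions; the sample lines are
constructed for the stand-alone run and the test.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# Assumed line format: "<ISO-8601 ts> proc=<name> <METHOD> <path> status=<code>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) proc=(?P<proc>\S+) (?P<method>[A-Z]+) (?P<path>\S+) status=(?P<status>\d{3})$"
)

# Constructed sample: one process polling every 100 ms, one failing repeatedly,
# one behaving normally, and one malformed line the parser must skip.
SAMPLE_LOG = """
2024-05-01T10:00:00.000Z proc=weather_widget GET /data/user123 status=200
2024-05-01T10:00:00.100Z proc=weather_widget GET /data/user123 status=200
2024-05-01T10:00:00.200Z proc=weather_widget GET /data/user123 status=200
2024-05-01T10:00:00.300Z proc=weather_widget GET /data/user123 status=200
2024-05-01T10:00:00.400Z proc=weather_widget GET /data/user123 status=200
2024-05-01T10:00:00.500Z proc=weather_widget GET /data/user123 status=200
2024-05-01T10:00:00Z proc=sync_agent POST /sync status=503
2024-05-01T10:00:10Z proc=sync_agent POST /sync status=503
2024-05-01T10:00:20Z proc=sync_agent POST /sync status=503
2024-05-01T10:00:30Z proc=sync_agent POST /sync status=503
2024-05-01T10:00:40Z proc=sync_agent POST /sync status=503
2024-05-01T10:00:50Z proc=sync_agent POST /sync status=200
2024-05-01T10:00:00Z proc=mail_client GET /inbox status=200
2024-05-01T10:01:00Z proc=mail_client GET /inbox status=200
2024-05-01T10:02:00Z proc=mail_client GET /inbox status=200
this line is not in the expected format
""".strip().splitlines()


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return {"ts", "proc", "status"} for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "proc": m["proc"], "status": int(m["status"])}


def analyse(lines: List[str], tight_interval_s: float = 1.0,
            min_requests: int = 5, failure_ratio: float = 0.5) -> Dict[str, Dict[str, object]]:
    """Flag processes that poll faster than tight_interval_s on average or
    whose failed requests (status >= 400) reach failure_ratio."""
    by_proc: Dict[str, List[Dict[str, object]]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_proc[str(rec["proc"])].append(rec)

    findings: Dict[str, Dict[str, object]] = {}
    for proc, recs in by_proc.items():
        n = len(recs)
        if n < min_requests:
            continue                      # too few requests to judge a rate
        recs.sort(key=lambda r: r["ts"])
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        mean_interval = span / (n - 1)
        failures = sum(1 for r in recs if int(r["status"]) >= 400)
        reasons = []
        if mean_interval < tight_interval_s:
            reasons.append("tight_polling")
        if failures / n >= failure_ratio:
            reasons.append("repeated_failures")
        if reasons:
            findings[proc] = {"requests": n, "mean_interval_s": round(mean_interval, 3),
                              "failures": failures, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for proc, info in analyse(SAMPLE_LOG).items():
        print(proc, info)
```

The mean-interval test is deliberately coarse: a process that bursts and then idles can pass it while still wasting power, so on real data it is worth also counting requests per rolling minute and comparing against what the app is expected to do.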