Security

Ambient light sensors can steal data, says security researcher

Not-so-bright API means web pages can use a W3C idea to pop your phone or laptop

By Simon Sharwood

18 SHARE

Security researcher Lukasz Olejnik says it is possible to slurp sensitive data with the ambient light sensors installed in many smartphones and laptops.

The sensors are there so that devices can automatically change the brightness of screens, a handy trick that save scrambles to change settings.

But Olejnik says such sensors are dangerous because the World Wide Web Consortium (W3C) is considering “whether to allow websites access the light sensor without requiring the user’s permission.” That discussion is taking place in the context of giving web pages the same access to hardware that native applications enjoy.

If web pages can do so, the sensor can be made to detect variations in brightness on a device's screen so, for instance, the sensors could “read” a QR code presented inside a web page, Olejnik says. And seeing as QR codes are sometimes published as an authentication tool for chores like password changes, Olejnik thinks that's a worry.

As readers are doubtless aware, many sites change the colour of links when a user has visited them. Olejnik has used the ambient light sensor to detect that change and therefore infer a user's browsing history.

There's some good news in the revelation that the attack is slow: it took Olejnik 48 seconds to detect a 16-character text string, and three minutes and twenty seconds to recognise a QR code. Few users would keep a QR code on screen that long, but it's still unsettling to know the sensors are an attack vector.

Olejnik proposes a pleasingly simple fix. If the API limits the frequency of sensor readings, and quantized their output, the sensors could still do their job of shining a light on users but would lose the accuracy needed to do evil.

This is not the first time an API has been shown to enable invasions of privacy and/or security worries. Apple and Mozilla recently disabled a battery-charge-snooping API that Olejnik thinks Uber used to figure out the state of customers' phones so it could charge them more for rides when their batteries are close to expiring. Chrome has also adopted a Bluetooth-sniffing API, sparking calls for users to be offered a chance to disable it. ®

Sign up to our NewsletterGet IT in your inbox daily

18 Comments

More from The Register

Google is still chasing the self-driving engineer that jumped ship to Uber

And has just won a bizarre argument to let arbitrators read a public document

Google leaps on the platform formerly known as Firefox with $22m splurge for KaiOS

The great feature phone revival rolls on

Uber v Waymo latest: Google spinoff refused access to Uber internal doc hunt details

Wall of silence remains, albeit with a couple of holes

Uber sued by Uber for tarnishing the good name of Uber

Can't we all just be Uber-alles?

France next up behind Britain, Netherlands to pummel Uber with €400k fine over 2016 breach

Dara and pals told to hand over yet another cash wodge for hack it spent $100k covering up

Uber fined £385k by ICO for THAT hack of 57m customers' deets

Updated 2.7 million Brits caught up in 'serious failure of data security' says UK data watchdog

Uber 'does not exist any more' says Turkish president

Authorities start rounding up ride share drivers, passengers

Sidecar drags itself out the grave, sues Uber for putting it there

Cab hailing app accuses rival of predatory prices and fake bookings

Until now, if Canadian Uber drivers wanted to battle the tech giant, they had to do it in the Netherlands – for real

Yes, taxi app biz has managed the impossible – angering the good folks of Canada

Uber to dole out $148m settlement among US states over breach it paid $100k to bury

Nice. Ride-hailing app firm also vows to comply with law