Security

Ambient light sensors can steal data, says security researcher

Not-so-bright API means web pages can use a W3C idea to pop your phone or laptop

By Simon Sharwood, APAC Editor

18 SHARE

Security researcher Lukasz Olejnik says it is possible to slurp sensitive data with the ambient light sensors installed in many smartphones and laptops.

The sensors are there so that devices can automatically change the brightness of screens, a handy trick that save scrambles to change settings.

But Olejnik says such sensors are dangerous because the World Wide Web Consortium (W3C) is considering “whether to allow websites access the light sensor without requiring the user’s permission.” That discussion is taking place in the context of giving web pages the same access to hardware that native applications enjoy.

If web pages can do so, the sensor can be made to detect variations in brightness on a device's screen so, for instance, the sensors could “read” a QR code presented inside a web page, Olejnik says. And seeing as QR codes are sometimes published as an authentication tool for chores like password changes, Olejnik thinks that's a worry.

As readers are doubtless aware, many sites change the colour of links when a user has visited them. Olejnik has used the ambient light sensor to detect that change and therefore infer a user's browsing history.

There's some good news in the revelation that the attack is slow: it took Olejnik 48 seconds to detect a 16-character text string, and three minutes and twenty seconds to recognise a QR code. Few users would keep a QR code on screen that long, but it's still unsettling to know the sensors are an attack vector.

Olejnik proposes a pleasingly simple fix. If the API limits the frequency of sensor readings, and quantized their output, the sensors could still do their job of shining a light on users but would lose the accuracy needed to do evil.

This is not the first time an API has been shown to enable invasions of privacy and/or security worries. Apple and Mozilla recently disabled a battery-charge-snooping API that Olejnik thinks Uber used to figure out the state of customers' phones so it could charge them more for rides when their batteries are close to expiring. Chrome has also adopted a Bluetooth-sniffing API, sparking calls for users to be offered a chance to disable it. ®

Sign up to our NewsletterGet IT in your inbox daily

18 Comments

More from The Register

Google leaps on the platform formerly known as Firefox with $22m splurge for KaiOS

The great feature phone revival rolls on

Uber v Waymo latest: Google spinoff refused access to Uber internal doc hunt details

Wall of silence remains, albeit with a couple of holes

Uber 'does not exist any more' says Turkish president

Authorities start rounding up ride share drivers, passengers

Uber sued by Uber for tarnishing the good name of Uber

Can't we all just be Uber-alles?

Uber hid database hack from FTC while FTC probed Uber for an earlier database hack

Cab-hailing upstart shows it takes your privacy seriously

Uber JUMPs, slurps San Francisco bike biz

Nobody believes we're not a taxi company, let's go multi-modal and see if that works

Cops: Autonomous Uber driver may have been streaming The Voice before death crash

Reports say she was watching reality TV at time of fatal impact

Will Dell eat VMware? Or will Carl Icahn snack on Dell? And where does Uber fit in? Yes, Uber!

Let’s get up to date on the crazy world of reverse mergers

Google's Larry Page faces four-hour grilling in Waymo-Uber spat

Ad giant's head sucked into self-driving car trade secrets saga

Uber says it's changed and is now ever-so ShinyHappy™

CEO Dara Khosrowshahi launches light-on-detail charm offensive