Security

Ambient light sensors can steal data, says security researcher

Not-so-bright API means web pages can use a W3C idea to pop your phone or laptop

By Simon Sharwood

18 SHARE

Security researcher Lukasz Olejnik says it is possible to slurp sensitive data with the ambient light sensors installed in many smartphones and laptops.

The sensors are there so that devices can automatically change the brightness of screens, a handy trick that save scrambles to change settings.

But Olejnik says such sensors are dangerous because the World Wide Web Consortium (W3C) is considering “whether to allow websites access the light sensor without requiring the user’s permission.” That discussion is taking place in the context of giving web pages the same access to hardware that native applications enjoy.

If web pages can do so, the sensor can be made to detect variations in brightness on a device's screen so, for instance, the sensors could “read” a QR code presented inside a web page, Olejnik says. And seeing as QR codes are sometimes published as an authentication tool for chores like password changes, Olejnik thinks that's a worry.

As readers are doubtless aware, many sites change the colour of links when a user has visited them. Olejnik has used the ambient light sensor to detect that change and therefore infer a user's browsing history.

There's some good news in the revelation that the attack is slow: it took Olejnik 48 seconds to detect a 16-character text string, and three minutes and twenty seconds to recognise a QR code. Few users would keep a QR code on screen that long, but it's still unsettling to know the sensors are an attack vector.

Olejnik proposes a pleasingly simple fix. If the API limits the frequency of sensor readings, and quantized their output, the sensors could still do their job of shining a light on users but would lose the accuracy needed to do evil.

This is not the first time an API has been shown to enable invasions of privacy and/or security worries. Apple and Mozilla recently disabled a battery-charge-snooping API that Olejnik thinks Uber used to figure out the state of customers' phones so it could charge them more for rides when their batteries are close to expiring. Chrome has also adopted a Bluetooth-sniffing API, sparking calls for users to be offered a chance to disable it. ®

Sign up to our NewsletterGet IT in your inbox daily

18 Comments

More from The Register

Google leaps on the platform formerly known as Firefox with $22m splurge for KaiOS

The great feature phone revival rolls on

Go away, kid, you bother me: Apple, Google, Microsoft, Mozilla kick W3C nerds to the curb

Web standards body dressed down in spec spat

Mozilla changes Firefox policy from ‘do not track’ to ‘will not track’

Browser will stop asking nicely for privacy protections

Chrome, Firefox pull very unstylish Stylish invasive browser plugin

Add-on made sites look pretty while getting away with ugly data slurpage

Another W3C API exposing users to browser snitching

Web Payments API bugs, or perhaps features, can be abused: Lukasz Olejnik

Get the FTP outta here, says Firefox

Apparently someone still uses src to suck content into web pages from FTP servers

Have I been pwned, Firefox? OK, let's ask its Have I Been Pwned tool

Mozilla's Firefox Monitor makes a hash of email queries

Firefox to feature sponsored content as of next week

Mozilla thinks you won’t mind analytical action on the client

Mozilla wants to seduce BOFHs with button-down Firefox

Control. Control. Control

Unsanitary Firefox gets fix for critical HTML-handling hijack flaw

Versions 56 through 58 need patching, pronto