back to article Ambient light sensors can steal data, says security researcher

Security researcher Lukasz Olejnik says it is possible to slurp sensitive data with the ambient light sensors installed in many smartphones and laptops. The sensors are there so that devices can automatically change the brightness of screens, a handy trick that save scrambles to change settings. But Olejnik says such sensors …

  1. frank ly

    Light Show

    Reading the first link......

    It works by converting the display to a black and white image and then filling the screen with one pixel at a time so it can monitor the state of the pixel from the light that leaks onto it from the display. This works, as noted, but in practice it would be very obvious that something strange was happening.

    1. Anonymous Coward
      Facepalm

      Re: Light Show

      Indeed... it's a highly unlikely scenario...

      You could even hack an optical mouse to read a QR-code with it's light sensor if a user is dumb enough to hold it up to the screen when instructed to do so...

    2. Cuddles Silver badge

      Re: Light Show

      "This works, as noted, but in practice it would be very obvious that something strange was happening."

      As with most of this sort of proof-of-principle attack, it's not the practicality that is important, but rather the fact that it is possible at all. If one guy working in his spare time can throw together a proof of concept in barely a month, what might someone with more time and resources manage? What about a few years down the line when hardware might have improved enough to turn something slow and impractical into a useful attack? It's similar to the case with encryption algorithms. SHA-1 didn't magically become breakable by everyone and their dog the instant a collision was demonstrated, but it did demonstrate that what was considered a hopelessly impractical theoretical attack back in 2005 is now entirely practical and well within the reach of regular criminals, let alone state-funded hackers and TLAs.

      In addition, it's entirely possible to come up with ways the attack could work even now. To start with, phones generally spend a lot of time not being looked at - in pockets, in cases, turned upside-down, or simply at night when people are sleeping. Even if you can only see whatever was last on the screen, that can mean emails and other private information, and you could build up some sort of profile over weeks or months without anyone seeing anything. Still much less generally useful than most attacks, but if it can be done without the user needing to give out any permissions or install anything, that's a problem.

      In the end, this may or may not turn up actual practical attacks at some point. But even if not, it serves as yet another cautionary tale that sensors are inherently a security risk, and blindly allowing anyone to access them can have consequences even if you can't immediately see what those might be. Even apparently trivial information has some value, and given the opportunity someone will almost certainly try to collect and profit from it. Opening up people's personal belongings to such issues without letting them have a say in the matter just isn't a good idea. And that remains the case even when we know that 99% of them will blindly click "yes" and install whatever malware comes knocking anyway.

  2. ElReg!comments!Pierre

    Hard to buy the QR code argument

    But I certainly would find a bit usettling that a website could have access to the light sensor, camera or accelerometer without asking for permission (and no, I don't browse THAT kind of website from my phone, before you ask). I mean, cam and accelerometer -with the permission of the user- might be OK for games and whatnot, but light sensor? What would be the legitimate, non-privacy-busting use?

  3. Anonymous Coward
    Anonymous Coward

    All my sensors are belong to me

    At least on a smartphone or a tablet, I would be more concerned with the data from the ambient light sensor being used to infer my hand's movement when I am entering an unlock code or gesture. As a quick test, I can see that under the diffuse lighting conditions in my office, the ambient light sensor on my Moto G2 can pinpoint my finger location to within half an inch or so on the upper half of the screen (in the vicinity of the sensor). Thankfully, it does not return any useful data on the other half, where the pin-code entry pad would normally appear. This however may change in a brighter environment - and I am too lazy to do a proper test.

    The same attack should also work on a laptop, where the keyboard is in a close proximity to the screen and the sensor (that's another argument for using 2FA with a physically separate token - this at least will prevent replay attacks). A desktop is less of a worry for obvious reasons.

    This proliferation of software-controlled sensors, with no possibility of guaranteed, physical cut-off switch in most consumer devices is really a blight.

    1. Eddy Ito
      Black Helicopters

      Re: All my sensors are belong to me

      I'd wager that an attack could be devised for laptops with both a track pad and touch screen that is able to do fairly accurate key logging. Might not even need the track pad.

  4. Milton

    Ask my permission

    I cannot see why websites or apps or any other logic running on my device should be able to do *anything* without explicitly asking my permission.

    The fact is most functions can work perfectly well in meeting their purported purpose with a minimal supply of specific data and inputs, and most people are able to see that (for example) "Pteranodon Acme Sketching App" DOES need limited access to the file system and does NOT need access to Contacts, Call Logs etc. (And indeed, Peteranodon should really only have write access to a single directory and sub-directories, if we were doing things properly.)

    I'd like to believe that first, websites will be absolutely required to announce their spying and gain consent before doing it, and second, browsers will have explicit controls to block use of any inputs beyond keyboard and mouse on a global or per-site basis.

    This is something you should have to positively opt in to—if only to make people actually ask themselves, "Why the frak would a sketching app need access to my current location?"

    (If there is such as thing as "Pteranodon Sketching", my apologies, I simply made up a name to use as an example: but t'internet is full of surprises. Many of them, unpleasant.)

    1. Ken Hagan Gold badge

      Re: Ask my permission

      "I cannot see why websites or apps or any other logic running on my device should be able to do *anything* without explicitly asking my permission."

      I think the bottom line is that end-users are too stupid to know whether to grant that permission or not.

      The fundamental flaw with ActiveX, as originally envisaged, was that you had no control over the code that was running on your machine. Microsoft addressed that by adding a "Do you want this to run?" question and using code signing as a means of helping to answer it. However, in practice most users had no way of knowing whether it was trustworthy or not and simply said "Yes" because otherwise the web-site didn't work.

      Java tried to build a sandbox so that there was no need to ask the question. That approach was limited by the fact that a sandbox good enough to keep you safe was also too good to let exciting things happen, so inevitably there came a basket of special permissions that you could grant and web-sites didn't work unless you granted lots of them. Modern-day Android users face the same problem and answer it with the same "Meh, whatever!" response. (Sandboxes also appear to face quality of implementation problems, which is odd because an OS isolates processes in the same way and yet privilege escalation bugs in OSes are quite rate compared to sandbox breakouts.)

      Javascript appears to have begun life in a sandbox and is now desparately trying to shake that off to become more ActiveX-like. Quite why programmers are pushing for this is a mystery to me. Of all people, you'd have thought that they would be able to understand the risks and remember the history.

      Meanwhile, traditional desktop apps are relatively safe because they tend to come from either people you know and trust or people who have a commercial reputation to lose if they mis-behave. Neither of those constraints applies to "crap slapped on a web page by a third-party ad-slinger".

  5. Mage

    What?

    WHY oh WHY does a browser share this info to a web site.

    A browser should:

    1) Be totally sandboxed, so nothing on a web page can infect Phone/Tablet/PC. Web page code unable to read any data other than browser supplied.

    2) Only share enough to allow basic rendering, the X by Y pixels of window, physical resolution (i.e. 90 dpi, 133 dpi, retina 300 dpi etc)

    3) Only supply browser make and version. Not OS or CPU etc.

  6. Anonymous Coward
    Anonymous Coward

    A slight correction to your number 3:

    3) Only supply browser standard conformance status. Not the browser make and version or OS or CPU etc.

  7. Camilla Smythe

    Ask My Permission!?!

    If your browsing device was a House Brick marketing scum would still find a way to extract personal data from it and advertise socks at you.

  8. GrumpyOldMan

    If this comes in...

    I'm going back to me old Nokia brick. Stuff smart fones. Getting a bit too smart if you ask me.

  9. Pirate Dave Silver badge
    Pirate

    Why?

    Why does a web browser (especially on a smartphone/table) need access to the ambient light sensor? Considering everything useful on such devices has mostly gone towards custom apps, why would the browser need access to that hardware? If there's going to be a "reduce screen brightness depending on ambient light" function, shouldn't the OS itself handle that for the entire device, not a web browser?

  10. John Smith 19 Gold badge
    Unhappy

    OK so the browser reads ambient light leve to adjust screen brightness and font size

    Or should that be the web sites responsibility?

    Or both?

    Is the browser just a "dumb window" on your phone/tab/PC/laptop or is it more active?

    That said WTF needs to take ambient light readings at more than 1Hz?

    1. Camilla Smythe

      Re: OK so the browser reads ambient light leve to adjust screen brightness and font size

      Is the browser just a "dumb window" on your phone/tab/PC/laptop or is it more active?

      Last I checked, according to our profile of you, you are a "dumb fuck" and those who are better than you need to "improve your browsing experience" in order to justify your existence. If you have a problem with that you can just fuck off and not use the Inter Tubes.

      Kay?

  11. PNGuinn
    Mushroom

    I think you may all have missed the point ...

    W3C mulling over whether websites should be able to access the light sensor? Why?

    Well if a website can access the sensor, they can presumably get access to the brightness controls ...

    ADZ AT NEWCKLEAR BRIGHTNESS LEVELZ??

    No, the wouldn't would they?

  12. Anonymous Coward
    Anonymous Coward

    Rather than disabling stuff found to be an attack vector

    How about not allowing web APIs to ANY devices on your phone unless it is specifically needed? Let's say no attack was possible for the light sensor - what the hell is the point of web sites having access to it? What good could possibly come of it??

    This is what is wrong with Google's security model for Android. They default to 'allow all' because they are so used to grabbing tons of data that the thought of a default 'deny all' policy is anathema to them!

  13. Zorg

    The issue isn't the ambient light sensor. The ambient light sensor is just the foot in the door, obviously.

    No website should have access to anything ever.

    (W3C) must be comprised of idiots or crooks or both.

    Sounds eerily similar to every government on the planet.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like