Re: Light Show
"This works, as noted, but in practice it would be very obvious that something strange was happening."
As with most of this sort of proof-of-principle attack, it's not the practicality that is important, but rather the fact that it is possible at all. If one guy working in his spare time can throw together a proof of concept in barely a month, what might someone with more time and resources manage? What about a few years down the line when hardware might have improved enough to turn something slow and impractical into a useful attack? It's similar to the case with encryption algorithms. SHA-1 didn't magically become breakable by everyone and their dog the instant a collision was demonstrated, but it did demonstrate that what was considered a hopelessly impractical theoretical attack back in 2005 is now entirely practical and well within the reach of regular criminals, let alone state-funded hackers and TLAs.
In addition, it's entirely possible to come up with ways the attack could work even now. To start with, phones generally spend a lot of time not being looked at - in pockets, in cases, turned upside-down, or simply at night when people are sleeping. Even if you can only see whatever was last on the screen, that can mean emails and other private information, and you could build up some sort of profile over weeks or months without anyone seeing anything. Still much less generally useful than most attacks, but if it can be done without the user needing to give out any permissions or install anything, that's a problem.
In the end, this may or may not turn up actual practical attacks at some point. But even if not, it serves as yet another cautionary tale that sensors are inherently a security risk, and blindly allowing anyone to access them can have consequences even if you can't immediately see what those might be. Even apparently trivial information has some value, and given the opportunity someone will almost certainly try to collect and profit from it. Opening up people's personal belongings to such issues without letting them have a say in the matter just isn't a good idea. And that remains the case even when we know that 99% of them will blindly click "yes" and install whatever malware comes knocking anyway.