Ambient light sensors can steal data, says security researcher Security researcher Lukasz Olejnik says it is possible to slurp sensitive data with the ambient light sensors installed in many smartphones and laptops. The sensors are there so that devices can automatically change the brightness of screens, a handy trick that save scrambles to change settings. But Olejnik says such sensors …
Reading the first link......
It works by converting the display to a black and white image and then filling the screen with one pixel at a time so it can monitor the state of the pixel from the light that leaks onto it from the display. This works, as noted, but in practice it would be very obvious that something strange was happening.
"This works, as noted, but in practice it would be very obvious that something strange was happening."
As with most of this sort of proof-of-principle attack, it's not the practicality that is important, but rather the fact that it is possible at all. If one guy working in his spare time can throw together a proof of concept in barely a month, what might someone with more time and resources manage? What about a few years down the line when hardware might have improved enough to turn something slow and impractical into a useful attack? It's similar to the case with encryption algorithms. SHA-1 didn't magically become breakable by everyone and their dog the instant a collision was demonstrated, but it did demonstrate that what was considered a hopelessly impractical theoretical attack back in 2005 is now entirely practical and well within the reach of regular criminals, let alone state-funded hackers and TLAs.
In addition, it's entirely possible to come up with ways the attack could work even now. To start with, phones generally spend a lot of time not being looked at - in pockets, in cases, turned upside-down, or simply at night when people are sleeping. Even if you can only see whatever was last on the screen, that can mean emails and other private information, and you could build up some sort of profile over weeks or months without anyone seeing anything. Still much less generally useful than most attacks, but if it can be done without the user needing to give out any permissions or install anything, that's a problem.
In the end, this may or may not turn up actual practical attacks at some point. But even if not, it serves as yet another cautionary tale that sensors are inherently a security risk, and blindly allowing anyone to access them can have consequences even if you can't immediately see what those might be. Even apparently trivial information has some value, and given the opportunity someone will almost certainly try to collect and profit from it. Opening up people's personal belongings to such issues without letting them have a say in the matter just isn't a good idea. And that remains the case even when we know that 99% of them will blindly click "yes" and install whatever malware comes knocking anyway.
But I certainly would find a bit usettling that a website could have access to the light sensor, camera or accelerometer without asking for permission (and no, I don't browse THAT kind of website from my phone, before you ask). I mean, cam and accelerometer -with the permission of the user- might be OK for games and whatnot, but light sensor? What would be the legitimate, non-privacy-busting use?
At least on a smartphone or a tablet, I would be more concerned with the data from the ambient light sensor being used to infer my hand's movement when I am entering an unlock code or gesture. As a quick test, I can see that under the diffuse lighting conditions in my office, the ambient light sensor on my Moto G2 can pinpoint my finger location to within half an inch or so on the upper half of the screen (in the vicinity of the sensor). Thankfully, it does not return any useful data on the other half, where the pin-code entry pad would normally appear. This however may change in a brighter environment - and I am too lazy to do a proper test.
The same attack should also work on a laptop, where the keyboard is in a close proximity to the screen and the sensor (that's another argument for using 2FA with a physically separate token - this at least will prevent replay attacks). A desktop is less of a worry for obvious reasons.
This proliferation of software-controlled sensors, with no possibility of guaranteed, physical cut-off switch in most consumer devices is really a blight.
I cannot see why websites or apps or any other logic running on my device should be able to do *anything* without explicitly asking my permission.
The fact is most functions can work perfectly well in meeting their purported purpose with a minimal supply of specific data and inputs, and most people are able to see that (for example) "Pteranodon Acme Sketching App" DOES need limited access to the file system and does NOT need access to Contacts, Call Logs etc. (And indeed, Peteranodon should really only have write access to a single directory and sub-directories, if we were doing things properly.)
I'd like to believe that first, websites will be absolutely required to announce their spying and gain consent before doing it, and second, browsers will have explicit controls to block use of any inputs beyond keyboard and mouse on a global or per-site basis.
This is something you should have to positively opt in to—if only to make people actually ask themselves, "Why the frak would a sketching app need access to my current location?"
(If there is such as thing as "Pteranodon Sketching", my apologies, I simply made up a name to use as an example: but t'internet is full of surprises. Many of them, unpleasant.)
"I cannot see why websites or apps or any other logic running on my device should be able to do *anything* without explicitly asking my permission."
I think the bottom line is that end-users are too stupid to know whether to grant that permission or not.
The fundamental flaw with ActiveX, as originally envisaged, was that you had no control over the code that was running on your machine. Microsoft addressed that by adding a "Do you want this to run?" question and using code signing as a means of helping to answer it. However, in practice most users had no way of knowing whether it was trustworthy or not and simply said "Yes" because otherwise the web-site didn't work.
Java tried to build a sandbox so that there was no need to ask the question. That approach was limited by the fact that a sandbox good enough to keep you safe was also too good to let exciting things happen, so inevitably there came a basket of special permissions that you could grant and web-sites didn't work unless you granted lots of them. Modern-day Android users face the same problem and answer it with the same "Meh, whatever!" response. (Sandboxes also appear to face quality of implementation problems, which is odd because an OS isolates processes in the same way and yet privilege escalation bugs in OSes are quite rate compared to sandbox breakouts.)
Javascript appears to have begun life in a sandbox and is now desparately trying to shake that off to become more ActiveX-like. Quite why programmers are pushing for this is a mystery to me. Of all people, you'd have thought that they would be able to understand the risks and remember the history.
Meanwhile, traditional desktop apps are relatively safe because they tend to come from either people you know and trust or people who have a commercial reputation to lose if they mis-behave. Neither of those constraints applies to "crap slapped on a web page by a third-party ad-slinger".
WHY oh WHY does a browser share this info to a web site.
A browser should:
1) Be totally sandboxed, so nothing on a web page can infect Phone/Tablet/PC. Web page code unable to read any data other than browser supplied.
2) Only share enough to allow basic rendering, the X by Y pixels of window, physical resolution (i.e. 90 dpi, 133 dpi, retina 300 dpi etc)
3) Only supply browser make and version. Not OS or CPU etc.
Why does a web browser (especially on a smartphone/table) need access to the ambient light sensor? Considering everything useful on such devices has mostly gone towards custom apps, why would the browser need access to that hardware? If there's going to be a "reduce screen brightness depending on ambient light" function, shouldn't the OS itself handle that for the entire device, not a web browser?
Or should that be the web sites responsibility?
Or both?
Is the browser just a "dumb window" on your phone/tab/PC/laptop or is it more active?
That said WTF needs to take ambient light readings at more than 1Hz?
Is the browser just a "dumb window" on your phone/tab/PC/laptop or is it more active?
Last I checked, according to our profile of you, you are a "dumb fuck" and those who are better than you need to "improve your browsing experience" in order to justify your existence. If you have a problem with that you can just fuck off and not use the Inter Tubes.
Kay?
W3C mulling over whether websites should be able to access the light sensor? Why?
Well if a website can access the sensor, they can presumably get access to the brightness controls ...
ADZ AT NEWCKLEAR BRIGHTNESS LEVELZ??
No, the wouldn't would they?
How about not allowing web APIs to ANY devices on your phone unless it is specifically needed? Let's say no attack was possible for the light sensor - what the hell is the point of web sites having access to it? What good could possibly come of it??
This is what is wrong with Google's security model for Android. They default to 'allow all' because they are so used to grabbing tons of data that the thought of a default 'deny all' policy is anathema to them!
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
