Ambient light sensors in many smartphones may not be safe
April 20, 2017
If you think you've seen it all already, take a look at this. There's a good chance you'll be blown away.
Security and privacy researcher Lukasz Olejnik has shown that sensitive and personal information can be gathered through the ambient light sensors installed in many smartphones and laptops.
Unusual, you say? Yes, it sure is. The ambient light sensors in question are there so that devices can automatically adjust the brightness and contrast of users' screens, a handy feature that also saves a bit of battery power.
However, Olejnik argues that exposing these sensors to web pages is risky, because the World Wide Web Consortium (W3C) is considering whether to let websites read the light sensor without asking the user's permission.
That debate is taking place right now in the context of giving web pages the same access to hardware that native applications already enjoy.
If web pages get that access, Olejnik says, a malicious page can make the screen brighter or darker depending on content it is not allowed to read directly (for example one pixel at a time of an image loaded from another site), and the sensor reports the change back to the page. In that way the page can reconstruct a QR code displayed inside it, even though it was never meant to see the code's contents.
And since QR codes are sometimes used as an authentication step, for example to confirm a login or a password change, Olejnik thinks that could be a serious concern. He's got a point there.
As some readers will know, browsers render links a user has already visited in a different colour (the CSS :visited style), and a page cannot normally read that style back. Olejnik styled links so that the screen went light or dark depending on whether a link was visited, used the ambient light sensor to detect the difference, and thereby inferred a user's browsing history, a privacy concern in its own right.
The good news is that the attack is slow. It took Olejnik 48 seconds to extract a 16-character text string, and three minutes and twenty seconds to recover a QR code.
Few users would keep a QR code on screen that long, but it's still unsettling to realize that the sensors in question are an attack vector.
To be sure, Olejnik proposes a simple fix for these concerns. If the API limited how often a page may read the sensor and quantised its output (reporting coarse illuminance buckets rather than precise values), the sensors could still do their job of adjusting screen brightness but would lose the resolution an attacker needs to tell a light screen from a dark one.
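The following simulation is an added example, not code from Olejnik's research, that shows both halves of the story above: how a page turns the sensor into a one-bit oracle for the :visited state of a link (the same trick reads an image pixel by pixel), and what rate limiting plus quantisation do to that oracle. All lux values, URLs, the simulated history and the 50 lux / 1 Hz mitigation settings are constructed assumptions, and time is simulated in milliseconds so the run is deterministic.

```javascript
// Added example, not code from Olejnik's research. Deterministic simulation
// of the ambient-light-sensor side channel and of the proposed mitigation.
// All numbers (lux, URLs, history, mitigation settings) are constructed.

// Simulated device: the sensor sees the room light plus a small contribution
// from the screen (a white screen adds screenDeltaLux, a black one adds 0).
function makeSensor(ambientLux, screenDeltaLux) {
  let screenWhite = false;
  return {
    paint(white) { screenWhite = white; },       // page content drives this
    read(_nowMs) { return ambientLux + (screenWhite ? screenDeltaLux : 0); },
  };
}

// Mitigation from the article: round the reported illuminance to stepLux
// buckets and hand out a fresh sample no more often than maxHz.
function harden(sensor, { stepLux, maxHz }) {
  const minIntervalMs = 1000 / maxHz;
  let lastMs = -Infinity;
  let lastValue = null;
  return {
    paint(white) { sensor.paint(white); },
    read(nowMs) {
      if (nowMs - lastMs < minIntervalMs) return lastValue; // stale sample
      lastMs = nowMs;
      lastValue = Math.round(sensor.read(nowMs) / stepLux) * stepLux;
      return lastValue;
    },
  };
}

// Attacker page: for each URL it renders one link filling the screen, styled
// white when :visited and black otherwise. The page cannot read that style
// back; the sensor tells it which colour was painted. `visited` stands in
// for the browser history, which the real page never sees directly.
function sniffHistory(urls, visited, dev, samplePeriodMs) {
  let nowMs = 0;
  const sample = () => { nowMs += samplePeriodMs; return dev.read(nowMs); };

  // Calibrate with a black and a white block the attacker controls outright.
  dev.paint(false); const dark = sample();
  dev.paint(true);  const light = sample();
  if (light === dark) return null;          // sensor yields no usable signal
  const threshold = (dark + light) / 2;

  const guess = {};
  for (const url of urls) {
    dev.paint(visited.has(url));            // browser applies :visited style
    guess[url] = sample() > threshold;
  }
  return { guess, elapsedMs: nowMs };
}

// Constructed inputs: the URLs the attacker probes and the victim's history.
const URLS = ["https://bank.example/", "https://mail.example/",
              "https://news.example/", "https://shop.example/"];
const HISTORY = new Set(["https://bank.example/", "https://shop.example/"]);

function demo() {
  // Raw sensor: full resolution, 50 samples per second.
  const raw = sniffHistory(URLS, HISTORY, makeSensor(100, 12), 20);
  // Hardened sensor: 50 lux buckets, 1 Hz. Screen delta (12 lux) vanishes
  // inside a bucket, and fast polling just returns the stale sample.
  const hardened = sniffHistory(URLS, HISTORY,
    harden(makeSensor(100, 12), { stepLux: 50, maxHz: 1 }), 20);
  // Caveat: with the room light near a bucket boundary (120 lux rounds to
  // 100, 132 lux rounds to 150) the bit still leaks, only at 1 Hz.
  const boundary = sniffHistory(URLS, HISTORY,
    harden(makeSensor(120, 12), { stepLux: 50, maxHz: 1 }), 1000);
  return { raw, hardened, boundary };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run with `node`. The raw sensor reproduces the constructed history exactly in 120 simulated milliseconds, the hardened sensor returns `null` because calibration cannot tell the two screen states apart, and the boundary case shows the limit of rounding alone: when the ambient level sits close to a bucket edge, the small screen-induced change can still tip the reading into the next bucket, so the rate limit is what keeps such a leak slow rather than impossible.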
This isn't the first time a browser API has been shown to enable privacy invasions or security worries. Apple and Mozilla recently disabled the Battery Status API, which reported a device's charge level to web pages and which Olejnik believes Uber used to learn the state of customers' phones so it could charge them more for rides when their batteries were close to running out.
Chrome has also shipped a Web Bluetooth API, though it at least prompts users, who get a chance to refuse a page access to their devices. Olejnik is clearly on to something here, and his sharp observations are a reason to worry about ambient light sensors and the similar built-in sensors in the smartphones, tablets and laptops we use every day.
Source: Lukasz Olejnik.