Ambient Light Sensors Can Be Used To Steal Browser Data

An anonymous reader writes: "Over the past decade, ambient light sensors have become quite common in smartphones, tablets, and laptops, where they are used to detect the level of surrounding light and automatically adjust a screen's intensity to optimize battery consumption... and other stuff," reports Bleeping Computer. "The sensors have become so prevalent, that the World Wide Web Consortium (W3C) has developed a special API that allows websites (through a browser) to interact with a device's ambient light sensors. Browsers such as Chrome and Firefox have already shipped versions of this API with their products." According to two privacy and security experts, Lukasz Olejnik and Artur Janc, malicious web pages can launch attacks using this new API and collect data on users, such as URLs they visited in the past and extract QR codes displayed on the screen. This is possible because the light coming from the screen is picked up by these sensors. Mitigating such attacks is quite easy, as it only requires browser makers and the W3C to adjust the default frequency at which the sensors report their readings. Furthermore, the researcher also recommends that browser makers quantize the result by limiting the precision of the sensor output to only a few values in a preset range. The two researchers filed bug reports with both Chrome and Firefox in the hopes their recommendations will be followed.

"At last! Light sensor support in my browser!"

[Anonymous Coward]

... said no-one, ever.

Re:

[aiht]

What would be nice would be a tab in options in the browser that lists all the hardware you might want javascript to be able to access (mic, light sensor, camera, whatever) alongside a simple selector: allow-access, deny-access, pretend-to-allow-access-but-fake-the-result.

We have that already though.
At least in Chrome, there's global defaults for each type of thing, and per-site overrides that you can access by clicking the site icon in the address bar.
Granted, they don't have pretend-to-allow-access-but-fake-the-result, but I thought this was normal and had been in most browsers for ages?

Re:

[gnick]

It's a feature for the advertisers. I'm going to be severely annoyed when an ad pauses when my phone gets tossed under a pillow. My typical ad-watching experience is to focus on whatever I've got on TV until the noise under the pillow stops.

The W3C has lost its soul

[Anonymous Coward]

It's a completely soldout.

Re: Can I get a browser without HTML5

[Anonymous Coward]

Just turn off javascript.

Re:

[Anonymous Coward]

And all of the Interwebs as we know it will disappear.... including Facebook and FBI's exploits

Re:

[Anonymous Coward]

tell that to /.
all I need/want is to load all comments on the story (be them 20 or 800), read at -1. I don't know how to do that with js off and/or when logged off.

Re: Theoretical nonsense

[Zero__Kelvin]

The real story is "Crackpots make ridiculous claims and theoretically intelligent people are proven to be anything but". If anyone seriously believes an ambient light sensor can leak your URLs, please leave this site and head over to digg for something. You don't belong here. Editors, I am including you in that statement.

Re: Theoretical nonsense

[Anonymous Coward]

Intelligence you say? Here's an idea: malicious code uses sensor to measure light output of whole screen. It then - like a CRT scanning from top left to bottom right - pixel by pixel obscures the original page with a certain colour. If the total light output decreases, the underlying pixel must have been one with a higher intensity. For text this probably means a light background. Conversely, if it increases, it may be a text pixel. Repeat with different intensities, perhaps relying on differences gleaned from putting a pixel next to the one you measure (font aliasing, display specific RGB patterns) and you can even distinguish between different colours with the same light intensity (might be why you see a green pixel in the QR demo).

If your light sensor is sensitive enough and it can measure with a high frequency (and the victim is not a disco fan) the attack becomes not just possible (i.e. NOT theoretical), but actually practical. Which is exactly why the researcher proposes lowering both the resolution and measurement sensitivity of the sensor in browsers. This offers a good middle ground between commercial interests (having the sensor enabled by default) and security.

Re: Theoretical nonsense

[Lije Baley]

Yes, please revoke the grandparent's mod points and give them to this. It seems that we have reached the bottom of the "trying too hard without any perspective" slippery slope. Maximum contrivance achieved.

Re:

[cyberchondriac]

This is one of those "attacks" which probably needs laboratory conditions to work, since ambient light from outside sources could easily interfere, especially if the device is not held still. Nice proof of concept, but in the real world? Meh.

Re:

[pr0fessor]

I'm imagining how this would work while in rave like conditions...

Re: Theoretical nonsense

[Zero__Kelvin]

New Digg member found. (See also others comments below. They already pointed out why this guy is an idiot.)

Re:

[Anonymous Coward]

I'm pretty sure the blind hacker is the same guy that catches the hot girl answering the door naked when she asks "who is it?" and he replies "blind man," so she opens the door and he's standing there slack-jawed holding the new blinds she forgot she ordered.

Feature creep in standards.

[Gravis Zero]

What we're seeing here is the result of feature creep being integrated into standards because the W3C is financed by donations of corporations. As a result they have lost their spine and the ability to say no to bad ideas. So now, the inmates are running the asylum. [github.com]

Re:

[Dutch Gun]

Love your response to the blather about Code of Ethics and Professional Conduct, which was veiled attempt to get you to shut the hell up and go away.

"Your social justice imperative has been noted."

Re:yea right

[Errol backfiring]

In a way you would be turning your light sensor into a light pen. Yes, this is grandpa speaking, who can still remember how beautiful his Commodore 64 was with a light pen. In effect, the screen is built up of horizontal lines that are "painted" sequentially. So the light pen would detect a light peak, send a signal to the computer, who looked at the where the video chip was currently painting. That way, the computer "knew" where you pointed the light pen at.

So yes, I can totally imagine that you would be able to read a QR code from your own screen that way.

Doesn't work

[Anonymous Coward]

My nice old smartphone (note4) didn't have the API - so it is safe. I has a light sensor controlling the screen though. Web browsers don't need the ability. Tried several browsers too.

My PC reports light sensor readings - but failed to record their blinking mess. Not surprising, the sensor does not face the screen but the room. So of course it won't notice the blinking screen, the office is lit by lamps much more powerful than a white screen. Even holding up a white paper did not reflect enough light back t

Homemade Strobe

[Neuronwelder]

I wonder if you can drive them nuts with a random homemade ambient light stobe. Or aim the sensor with another computer, which is also browsing.

KNOCK IT OFF!

[Chelloveck]

Access to a sensor, any sensor, enables information to leak. Microphone, camera, ambient light sensor, accelerometer, thermometer, battery level... These can all be used to glean some amount of information beyond what they're explicitly intended to gather.

Browser manufacturers, KNOCK THAT SHIT OFF! Quit giving websites access to everything. If there seems to be a good reason to give sensor data, average it over time or fuzz it to reduce malicious use. And give the user control over which sensors you re