Ambient Light Sensors Can Be Used To Steal Browser Data

An anonymous reader writes: "Over the past decade, ambient light sensors have become quite common in smartphones, tablets, and laptops, where they are used to detect the level of surrounding light and automatically adjust a screen's intensity to optimize battery consumption... and other stuff," reports Bleeping Computer. "The sensors have become so prevalent, that the World Wide Web Consortium (W3C) has developed a special API that allows websites (through a browser) to interact with a device's ambient light sensors. Browsers such as Chrome and Firefox have already shipped versions of this API with their products." According to two privacy and security experts, Lukasz Olejnik and Artur Janc, malicious web pages can launch attacks using this new API and collect data on users, such as URLs they visited in the past and extract QR codes displayed on the screen. This is possible because the light coming from the screen is picked up by these sensors. Mitigating such attacks is quite easy, as it only requires browser makers and the W3C to adjust the default frequency at which the sensors report their readings. Furthermore, the researcher also recommends that browser makers quantize the result by limiting the precision of the sensor output to only a few values in a preset range. The two researchers filed bug reports with both Chrome and Firefox in the hopes their recommendations will be followed.

"At last! Light sensor support in my browser!"

... said no-one, ever.

Re:"At last! Light sensor support in my browser!"

What would be nice would be a tab in options in the browser that lists all the hardware you might want javascript to be able to access (mic, light sensor, camera, whatever) alongside a simple selector: allow-access, deny-access, pretend-to-allow-access-but-fake-the-result.

Re:"At last! Light sensor support in my browser!"

[aiht]

What would be nice would be a tab in options in the browser that lists all the hardware you might want javascript to be able to access (mic, light sensor, camera, whatever) alongside a simple selector: allow-access, deny-access, pretend-to-allow-access-but-fake-the-result.

We have that already though.
At least in Chrome, there's global defaults for each type of thing, and per-site overrides that you can access by clicking the site icon in the address bar.
Granted, they don't have pretend-to-allow-access-but-fake-the-result, but I thought this was normal and had been in most browsers for ages?

probably a "feature" not a vulnerability

the real problem is the spyware itself.

Re:probably a "feature" not a vulnerability

[gnick]

It's a feature for the advertisers. I'm going to be severely annoyed when an ad pauses when my phone gets tossed under a pillow. My typical ad-watching experience is to focus on whatever I've got on TV until the noise under the pillow stops.

The W3C has lost its soul

It's a completely soldout.

Wow! So excited about this!

It's got me wanting. More. Quick. Anyone. Where can I buy a bridge? The more famous, the more I will PAY!

Can I get a browser without HTML5

The DOM is ridiculously broken.

Re: Can I get a browser without HTML5

Just turn off javascript.

Re: Can I get a browser without HTML5

And all of the Interwebs as we know it will disappear.... including Facebook and FBI's exploits

Re: Can I get a browser without HTML5

and yet js is not necessary for things to work.

Re: Can I get a browser without HTML5

tell that to /.
all I need/want is to load all comments on the story (be them 20 or 800), read at -1. I don't know how to do that with js off and/or when logged off.

Theoretical nonsense

Okay, I can see something persistent like battery state of charge with predictable rise and fall being able to uniquely identify devices. Or just being able to listen to sound.

But a light sensor? Come on. We're really grasping at straws here with this one, because in an uncontrolled environment you can't really make predictions about anything that one little eyespot can see.

Re: Theoretical nonsense

[Zero__Kelvin]

The real story is "Crackpots make ridiculous claims and theoretically intelligent people are proven to be anything but". If anyone seriously believes an ambient light sensor can leak your URLs, please leave this site and head over to digg for something. You don't belong here. Editors, I am including you in that statement.

Re: Theoretical nonsense

Intelligence you say? Here's an idea: malicious code uses sensor to measure light output of whole screen. It then - like a CRT scanning from top left to bottom right - pixel by pixel obscures the original page with a certain colour. If the total light output decreases, the underlying pixel must have been one with a higher intensity. For text this probably means a light background. Conversely, if it increases, it may be a text pixel. Repeat with different intensities, perhaps relying on differences gleaned from putting a pixel next to the one you measure (font aliasing, display specific RGB patterns) and you can even distinguish between different colours with the same light intensity (might be why you see a green pixel in the QR demo).

If your light sensor is sensitive enough and it can measure with a high frequency (and the victim is not a disco fan) the attack becomes not just possible (i.e. NOT theoretical), but actually practical. Which is exactly why the researcher proposes lowering both the resolution and measurement sensitivity of the sensor in browsers. This offers a good middle ground between commercial interests (having the sensor enabled by default) and security.

Re: Theoretical nonsense

If you're running malicious code that can control your system to that extent, why not just read the fucking URL directly? I think you have bigger problems at that point.

Re: Theoretical nonsense

[Lije+Baley]

Yes, please revoke the grandparent's mod points and give them to this. It seems that we have reached the bottom of the "trying too hard without any perspective" slippery slope. Maximum contrivance achieved.

Re: Theoretical nonsense

[cyberchondriac]

This is one of those "attacks" which probably needs laboratory conditions to work, since ambient light from outside sources could easily interfere, especially if the device is not held still. Nice proof of concept, but in the real world? Meh.

Re: Theoretical nonsense

[pr0fessor]

I'm imagining how this would work while in rave like conditions...

Re: Theoretical nonsense

[Zero__Kelvin]

New Digg member found. (See also others comments below. They already pointed out why this guy is an idiot.)

Just put a little tape over your phone camera

[TheOuterLinux]

Besides, if they're in your phone already, why the hell would they care about your desktop web browsing? Do they really need to know your porn fetishes? And if the "light sensor hacker" is in your house using his phone, then he is a common senseless eccentric moron. Or, we got blind hackers coming soon. The Blind Hacker: his/your phone sees what he can't.

Re:Just put a little tape over your phone camera

I'm pretty sure the blind hacker is the same guy that catches the hot girl answering the door naked when she asks "who is it?" and he replies "blind man," so she opens the door and he's standing there slack-jawed holding the new blinds she forgot she ordered.

Feature creep in standards.

[Gravis+Zero]

What we're seeing here is the result of feature creep being integrated into standards because the W3C is financed by donations of corporations. As a result they have lost their spine and the ability to say no to bad ideas. So now, the inmates are running the asylum.

Re: Feature creep in standards.

A Web browser should display plain text and images and do nothing more.

Re:Feature creep in standards.

So now, the inmates are running the asylum.

they always did!

Re:Feature creep in standards.

dilbert lives!

Re:Feature creep in standards.

[Dutch+Gun]

Love your response to the blather about Code of Ethics and Professional Conduct, which was veiled attempt to get you to shut the hell up and go away.

"Your social justice imperative has been noted."

yea right

reading a QR code through a light sensor? really?

Re: yea right

btw, is it ok to remove the tape covering my modem lights now?

Re:yea right

[Errol+backfiring]

In a way you would be turning your light sensor into a light pen. Yes, this is grandpa speaking, who can still remember how beautiful his Commodore 64 was with a light pen. In effect, the screen is built up of horizontal lines that are "painted" sequentially. So the light pen would detect a light peak, send a signal to the computer, who looked at the where the video chip was currently painting. That way, the computer "knew" where you pointed the light pen at.

So yes, I can totally imagine that you would be able to read a QR code from your own screen that way.

Doesn't work

My nice old smartphone (note4) didn't have the API - so it is safe. I has a light sensor controlling the screen though. Web browsers don't need the ability. Tried several browsers too.

My PC reports light sensor readings - but failed to record their blinking mess. Not surprising, the sensor does not face the screen but the room. So of course it won't notice the blinking screen, the office is lit by lamps much more powerful than a white screen. Even holding up a white paper did not reflect enough light back that this hack worked.

The W3C needs to stop making APIs for things

At the very least every one of those APIs needs to be disabled by default. I'm tired of them increasing my attack surface for no good reason.

Useful?

When would browser-level access to the ambient light sensors even be useful (to the end user, not to marketing organizations)? Screen brightness should already be managed by the OS, so... I'm sure there's a legitimate use-case; I just don't know what it is.

Re:Useful?

I'm sure there's a legitimate use-case; I just don't know what it is.

My car nav has a day mode and a night mode. The day mode draws the ground beige. When the car ambient sensor detects nightfall the nav display switches to ground in black so the screen is not so blinding. So websites could do the same thing. When the ambient light sensor is reading low light the dark themed version of the website is served for improved readability in a dark room. Or if extremely bright light is sensed, using the phone in full sunlight, a high contrast version of the website can be used. It might even be feasible to have javascript based continuous contrast changing so that this happens dynamically as the lighting changes while looking at fixed content.

Homemade Strobe

[Neuronwelder]

I wonder if you can drive them nuts with a random homemade ambient light stobe. Or aim the sensor with another computer, which is also browsing.

Adds Mess with the result

So can we be thankful for targeted advertisements. The various ads we get served are going to change the page on a per person basis and per visit basis. This would make having a master table of luminosities impossible without knowing the ads that were served.
But if you know the ads served you already know the page visited.

KNOCK IT OFF!

[Chelloveck]

Access to a sensor, any sensor, enables information to leak. Microphone, camera, ambient light sensor, accelerometer, thermometer, battery level... These can all be used to glean some amount of information beyond what they're explicitly intended to gather.

Browser manufacturers, KNOCK THAT SHIT OFF! Quit giving websites access to everything. If there seems to be a good reason to give sensor data, average it over time or fuzz it to reduce malicious use. And give the user control over which sensors you report to which sites, with what degree of precision and accuracy. Too complicated? Too much for your users to handle? Then you should err on the side of privacy and just not give access to third parties.