Ambient Light Sensors Can Be Used To Steal Browser Data (bleepingcomputer.com)
An anonymous reader writes: "Over the past decade, ambient light sensors have become quite common in smartphones, tablets, and laptops, where they are used to detect the level of surrounding light and automatically adjust a screen's intensity to optimize battery consumption... and other stuff," reports Bleeping Computer. "The sensors have become so prevalent that the World Wide Web Consortium (W3C) has developed a special API that allows websites (through a browser) to interact with a device's ambient light sensors. Browsers such as Chrome and Firefox have already shipped versions of this API with their products." According to two privacy and security experts, Lukasz Olejnik and Artur Janc, malicious web pages can launch attacks using this new API and collect data on users, such as URLs they visited in the past and extract QR codes displayed on the screen. This is possible because the light coming from the screen is picked up by these sensors. Mitigating such attacks is quite easy, as it only requires browser makers and the W3C to adjust the default frequency at which the sensors report their readings. Furthermore, the researcher also recommends that browser makers quantize the result by limiting the precision of the sensor output to only a few values in a preset range. The two researchers filed bug reports with both Chrome and Firefox in the hopes their recommendations will be followed.
Intelligence you say? Here's an idea: malicious code uses sensor to measure light output of whole screen. It then - like a CRT scanning from top left to bottom right - pixel by pixel obscures the original page with a certain colour. If the total light output decreases, the underlying pixel must have been one with a higher intensity. For text this probably means a light background. Conversely, if it increases, it may be a text pixel. Repeat with different intensities, perhaps relying on differences gleaned from putting a pixel next to the one you measure (font aliasing, display specific RGB patterns) and you can even distinguish between different colours with the same light intensity (might be why you see a green pixel in the QR demo).
If your light sensor is sensitive enough and it can measure with a high frequency (and the victim is not a disco fan) the attack becomes not just possible (i.e. NOT theoretical), but actually practical. Which is exactly why the researcher proposes lowering both the resolution and measurement sensitivity of the sensor in browsers. This offers a good middle ground between commercial interests (having the sensor enabled by default) and security.
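The two mitigations named in the summary (a lower reporting frequency and output quantized to a few preset values) can be sketched as a filter placed between the raw sensor and the page. This is an added example, not part of the comment above and not code from the researchers or any browser; the function names, the lux levels and the one-second interval are assumptions chosen for illustration.

```javascript
// Added example: helper names are hypothetical; levels and interval are assumed values.
const LUX_LEVELS = [0, 50, 250, 1000, 10000]; // assumed "few values in a preset range"
const MIN_INTERVAL_MS = 1000;                 // assumed minimum time between reports

// Snap a raw lux value to the nearest preset level, clamping to the range first.
function quantizeLux(lux, levels = LUX_LEVELS) {
  const clamped = Math.min(Math.max(lux, levels[0]), levels[levels.length - 1]);
  return levels.reduce((best, lvl) =>
    Math.abs(lvl - clamped) < Math.abs(best - clamped) ? lvl : best);
}

// Stateful filter: drops any reading that arrives sooner than minIntervalMs
// after the last one it reported, and quantizes the readings it lets through.
function makeSensorFilter(minIntervalMs = MIN_INTERVAL_MS, levels = LUX_LEVELS) {
  let lastReportedAt = -Infinity;
  return function filter(reading) {
    if (reading.t - lastReportedAt < minIntervalMs) return null;
    lastReportedAt = reading.t;
    return { t: reading.t, lux: quantizeLux(reading.lux, levels) };
  };
}

// Run a whole stream of { t: ms, lux: number } readings through the filter.
function filterStream(readings, minIntervalMs, levels) {
  const filter = makeSensorFilter(minIntervalMs, levels);
  return readings.map((r) => filter(r)).filter((r) => r !== null);
}

// Number of distinct lux values a consumer of the stream could observe.
function distinctLux(readings) {
  return new Set(readings.map((r) => r.lux)).size;
}

// Constructed sample: 12 raw readings 100 ms apart in a ~200 lux room, with a
// small alternating offset standing in for light contributed by the screen.
const SAMPLE = Array.from({ length: 12 }, (_, i) => ({
  t: i * 100,
  lux: i % 2 === 0 ? 203.1 : 207.8,
}));

const exposed = filterStream(SAMPLE);
console.log(`raw: ${SAMPLE.length} readings, ${distinctLux(SAMPLE)} distinct values`);
console.log(`exposed: ${exposed.length} readings, ${distinctLux(exposed)} distinct value(s)`);
```

With the filter in place, the small per-sample differences in the constructed data collapse into one level and only two of the twelve readings are reported at all.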