The security expert Lukasz Olejnik discovered that it is possible to steal sensitive data exploiting the ambient light sensors built-in many smartphones and laptops.
The ambient light sensors are installed on electronic devices to automatically change the screen brightness, but Olejnik is warning of the intention of the World Wide Web Consortium (W3C) “whether to allow websites access the light sensor without requiring the user’s permission.”
In this way, an attacker can analyze variations in brightness through ambient light sensors and steal sensitive data such as a QR code included on a web page that are used for authentication mechanisms.
“How exactly can ambient light readings allow extracting private data? Our attack is based on two observations:
As example, Olejnik reminds us that many sites change the color of links once a user has visited them, then the expert used the ambient light sensors to detect these changes and access users’ browsing history.
“For privacy reasons, browsers lie to developers about the colors of links displayed on a page; otherwise a malicious developer could apply :visited styles and detect which websites are present in the user’s history.” continues Olejnik.
The expert highlighted that such kind of attack is very slow, it took 48 seconds to detect a 16-character text string and three minutes and twenty seconds to recognize a QR code.
“In principle, browser sensors can deliver a 60 Hz readout rate. However, this does not mean that we can actually extract 60 bits per second – that’s because the ultimate detection limit is tied to the rate at which a change in screen brightness can be detected by the sensor.” explained Olejnik.
In the test conducted by the expert he and his team measured a screen brightness to readout latency of 200-300ms, and for a fully reliable exploit it’s more realistic to assume one bit per 500ms.
Below examples of detection times obtainable at the above rate:
The good news is that the attack in some cases is not feasible because users would not keep a QR code on the screen for so long time.
Olejnik also proposes a countermeasure to mitigate the attack by limiting the frequency of ambient light sensors readings by API and quantized their output. In this way, the countermeasure will not impact the activity of the sensors preventing any abuse.
“The current proposal argues that the following protections are sufficient:
(Security Affairs – ambient light sensors, hacking)