Stealing Browsing History Using Your Phone's Ambient Light Sensor

There has been a flurry of research into using the various sensors on your phone to steal data in surprising ways. Here’s another: using the phone’s ambient light sensor to detect what’s on the screen. It’s a proof of concept, but the paper’s general conclusions are correct:

There is a lesson here that designing specifications and systems from a privacy engineering perspective is a complex process: decisions about exposing sensitive APIs to the web without any protections should not be taken lightly. One danger is that specification authors and browser vendors will base decisions on overly general principles and research results which don’t apply to a particular new feature (similarly to how protections on gyroscope readings might not be sufficient for light sensor data).

Tags: academic papers, phones, privacy, security engineering, sensors, side-channel attacks

Posted on April 28, 2017 at 6:17 AM • 13 Comments

Comments

Winter • April 28, 2017 8:46 AM

Question: Why does a website have to read ambient light levels at all?

Mike Pompeo • April 28, 2017 8:51 AM

The fact that it’s possible to exploit a light sensor which leads to such unrelated access of control IS the exact reason why im never going to sit behind the wheel of a “driverless” car. There are always security holes in the devices we use and the more reliant we become on these devices the more vulnerable we become.

Chelloveck • April 28, 2017 9:25 AM

@Mike Pompeo: Your concern is not without merit, but remember that the human drivers also have attack vectors (including spoofing and severe vulnerability to DoS attacks) via their visual sensors. Always consider the implicitly accepted risks of the existing system when evaluating the risks of a replacement.

AJWM • April 28, 2017 10:03 AM

@Mike Pompeo

I’m never going to sit behind the wheel of a “driverless” car.

Ah, no worries then. In the future, driverless cars won’t have steering wheels. 😉

Mike Pompeo • April 28, 2017 10:16 AM

@AJWM

Lmao….what about manual override?

Seriously though, my point is that the devices we are using are no longer just personal computers. Bruce made a good point about the difference between losing your spreadsheet because your system crashes and losing your life because of a software glitch in a navigation system. I’d prefer to take the wheel until people figure out how to separate critical systems from exploitation.

vas pup • April 28, 2017 11:02 AM

@Mike Pompeo • April 28, 2017 10:16 AM
Let see how it works in the aircraft. They have both autopilot and manual – they are not mutually exclusive. The load on each system could be distributed based on road conditions.
@all: privacy level of any device capable of collecting any type of information of owner/user meaning level of awareness/discloser to user in real time of collection and capability to manually override (with type of kill-switch function) any such collection by user should be evaluated by independent like UL company with assignment of privacy score/rate. I still can’t get why manufactures do not utilize to the full extend promotion of their products by comparison with privacy strength versus privacy weakness of the competitors products.

vas pup • April 28, 2017 11:03 AM

John Macdonald • April 28, 2017 11:25 AM

@vas pup – consider the training differences between airplane pilots and automobile drivers. An aero-autopilot has a very high bar to exceed to be able to totally replace a pilot. The auto drivers who are below average capability could be replaced with an auto-autopilot at a huge improvement in public safety; of course, the 90% who think they are above average capability will object strenuously. We might come to a state in which driving an automobile requires going through a training and testing regimen that is comparable to that of an airplane pilot; complete with simulation testing for a wide variety of failure modes and frequent recertification requirements.

albert • April 28, 2017 5:46 PM

@winter,
Websites don’t have to read ambient light levels. Adjusting screen brightness is trivial as most computers already have manual s.b. controls. It’s just more BS added to attract buyers. Smart phones and laptops have so many vulnerabilities anyway. If it worries you, put a piece of tape over it, unless you absolutely can’t live without it, in which case you might reexamine your priorities.

@Mike,
Most new autos have vulnerable computers in them now, as discussed ad nauseam in these pages. Any car that can park itself can be considered a ‘self driving’ car.

The problem with autonomous vehicles comes when the softwares complexity outstrips the humans ability to understand how it works. Often this needs to be done in seconds, as exemplified by flight control systems in aircraft accidents. Though many are technically, ‘pilot error’, it’s often unfair, because pilots though are high trained, they are not trained in -how- the systems work, they are trained in how to work the -systems-. Big difference. Autos are orders of magnitude easier to operate in emergency conditions.

Auto manufacturers have neither money nor the inclination to invest in the expertise necessary to build fault-free control systems. But they do it anyway, ’cause that’s how the system works.

Anon • April 29, 2017 8:00 PM

As I’ve said before, web browsers are no longer relatively dumb viewers of textual content, but complete virtual machines with root access.

I second the question why web sites have access to the light sensor.

Has anyone bothered to audit the true capabilities of current web browsers?

This wholly unacceptable level of access to systems makes the web browser vendors no better than malware creators in that they’re doing a whole lot more than would be reasonably expected by just looking at the packaging.

Wael • April 29, 2017 9:04 PM

Not too many attack methods surprise me these days. It’s amazing how much browsers expanded the attack surface compared to 15 – 20 years ago. Browser extensions, execution environments, plugins, …

OPSEC is becoming an essential part of defense, even at the browser level for users who aren’t security-savvy. What to do? No script, ghostry, change browser configurations, use private mode, one browser per site, run browsers on virtual machines, disable features, and a ton of other recommendations …. a headache.

Just look at an opensource browser and customize the source code. It’s only around 20 million lines of code or so. Should be able to do it in no time!

Clive Robinson • April 30, 2017 2:19 PM

@ Wael,

Just look at an opensource browser and customize the source code. It’s only around 20 million lines of code or so.

Long before Google let out they had started on Chrome and it’s browser, I’d identified a few problems with the browser model.

Number on on the “not to be done this way” was the fact that browsers had in effect become multitasking OSs with little or no segregation in the memory or IO. With the resulting security failures we all know and love to detest so much.

So 20million lines could be looked at as on the low side of what it should be.

Wael • April 30, 2017 2:39 PM

@Clive Robinson,

Good observation! One can certainly view browsers as operating systems with weak memory boundary management, aside from the one you mentioned.

Reminds me of what emacs became after all the feature bloatware. Suddenly an editor metamorphosized (ala Frank Kafka) into an OS – an ugly hairy OS, that is… Full of Kafka-type bugs.

Schneier on Security

Stealing Browsing History Using Your Phone's Ambient Light Sensor

Comments

Leave a comment Cancel reply