The ambient light sensors present in phones, tablets and laptops can be abused to obtain potentially sensitive information from a user’s web browser, researchers warned.
Ambient light sensors measure light intensity in the environment, which is useful for adjusting the brightness of the display and for proximity detection. The data collected by the sensor is fairly precise and the frequency of readings is relatively high.
Last year, researcher Lukasz Olejnik analyzed theoretical security and privacy implications of ambient light sensors. The expert recently teamed up with Artur Janc and they demonstrated how the W3C’s ambient light sensor API can be abused to steal data from web browsers.
Some members of the industry have proposed allowing websites to access ambient and other sensors without requiring explicit permission from the user. Recent versions of Firefox and Chrome have already implemented the W3C API – it’s enabled by default in the former and it can be manually activated in the latter.
Proof-of-concept (PoC) exploits created by the researchers show how an attacker can determine a user’s browsing history based on the color of links, and how they can steal cross-origin resources, such as images and frames.
In order to determine which websites have been visited by a user, Olejnik and Janc relied on the fact that a site can apply different styles to links that have been visited and ones that have not been accessed.
An attacker can create a webpage that sets link styles to white for visited links and black for not-visited links. The attacker’s page then starts displaying a list of popular domain names one by one. If a link has been visited, the screen turns white; if it hasn’t been accessed, it turns black. The ambient sensor can log the light level when each link is displayed, and determine if that website had been accessed by the user.
Researchers also demonstrated how an attacker can steal cross-origin resources, such as account recovery QR codes. In this case, the hacker’s website embeds an image of the QR code from the targeted domain into their own site. The image is converted to monochrome using SVG filters, and it’s scaled so that each pixel is expanded one by one to fill up the screen. The exploit goes through each pixel, and the ambient sensor logs a white or black pixel depending on what is on the screen.
In their experiments, researchers determined that this technique can be used for a fully reliable exploit at a rate of one bit per 500 ms. At this rate, an attacker can exfiltrate an 8-character password in 24 seconds, a 20x20 QR code in 3 minutes and 20 seconds, and a 64x64 pixel image in just over half an hour. As for stealing a user’s browsing history, it takes 8 minutes and 20 seconds to go through 1,000 popular URLs and determine if they have been visited.
While it’s unlikely that such an obvious attack can be carried out while the phone is used, Olejnik and Janc pointed out that an attack can be conducted at night via a site that uses the screen.keepAwake API to keep the display on while the exploit is running.
Researchers believe these types of attacks could be prevented by limiting the frequency of sensor readings. An even more efficient mitigation involves limiting the precision of sensor output (i.e. make it difficult for the color of the screen to influence the sensor reading).
Attacks can also be prevented if browser vendors require users to grant permission before giving websites access to the sensor. Both Google and Mozilla have been notified of the potential risks.