Pierluigi Paganini April 20, 2017

A security researcher presented a method to exfiltrate sensitive data from a laptop or a smartphone through built-in ambient light sensors.

The security expert Lukasz Olejnik discovered that it is possible to steal sensitive data exploiting the ambient light sensors built-in many smartphones and laptops.

The ambient light sensors are installed on electronic devices to automatically change the screen brightness, but Olejnik is warning of the intention of the World Wide Web Consortium (W3C) “whether to allow websites access the light sensor without requiring the user’s permission.”

In this way, an attacker can analyze variations in brightness through ambient light sensors and steal sensitive data such as a QR code included on a web page that are used for authentication mechanisms.

“How exactly can ambient light readings allow extracting private data? Our attack is based on two observations:

• The color of the user’s screen can carry useful information which websites are prevented from directly accessing for security reasons.
• Light sensor readings allow an attacker to distinguish between different screen colors.” wrote Olejnik in a blog post.

As example, Olejnik reminds us that many sites change the color of links once a user has visited them, then the expert used the ambient light sensors to detect these changes and access users’ browsing history.

“For privacy reasons, browsers lie to developers about the colors of links displayed on a page; otherwise a malicious developer could apply :visited styles and detect which websites are present in the user’s history.” continues Olejnik.

The expert highlighted that such kind of attack is very slow, it took 48 seconds to detect a 16-character text string and three minutes and twenty seconds to recognize a QR code.

“In principle, browser sensors can deliver a 60 Hz readout rate. However, this does not mean that we can actually extract 60 bits per second – that’s because the ultimate detection limit is tied to the rate at which a change in screen brightness can be detected by the sensor.” explained Olejnik.

In the test conducted by the expert he and his team measured a screen brightness to readout latency of 200-300ms, and for a fully reliable exploit it’s more realistic to assume one bit per 500ms.

Below examples of detection times obtainable at the above rate:

• Plain text string of 8 characters: 24 seconds (assuming 6 bits per character for an alphanumeric string rendered in a known font)
• Plain text string of 16 characters: 48 seconds
• 20×20 QR code: 3 minutes 20 seconds
• Detecting 1000 popular URLs in the history: 8 minutes 20 seconds
• 64×64 pixel image: 34 minutes 8 second

The good news is that the attack in some cases is not feasible because users would not keep a QR code on the screen for so long time.

Olejnik also proposes a countermeasure to mitigate the attack by limiting the frequency of ambient light sensors readings by API and quantized their output. In this way, the countermeasure will not impact the activity of the sensors preventing any abuse.

“The current proposal argues that the following protections are sufficient:

• Limit the frequency of sensor readings (to much less than 60Hz)
• Limit the precision of sensor output (quantize the result)” concluded Olejnik.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – ambient light sensors, hacking)