Why it matters to you
There's yet another unexpected way for hackers to attack a system and steal our data, this time using its ambient light sensor.
There are more ways to access your data than by exploiting the various software vulnerabilities and hardware bugs that we seem to hear about on a daily basis. Our gadgets actually have all kinds of weaknesses that could allow nefarious parties to steal our information, and some of them are things we’d probably never consider.
One of those weaknesses stems from the fact that our PCs, tablets, and smartphones are stocked with sensors that extract information from our environments and use that data to make our devices more useful. Some researchers have found a way to use the innocuous-seeming ambient light sensor to grab potentially sensitive browser data and pass it along.
The ambient light sensor is used for a couple of purposes. It detects background light levels and adjusts screen brightness, and it works as a proximity sensor to determine when to shut off a smartphone’s screen during a call. As the researchers point out, the ambient light sensor is quite precise, and can measure light intensity from completely dark to incredibly bright.
The specific hack that the researchers developed uses the ambient light sensor to pick up color and lighting information from the screen by tapping into the data the sensor passes to the system. Because the sensor’s data is affected by what’s being displayed on the screen, it can be used in a variety of ways to pick up browser information that affects the light that the screen is giving off.
One simple example is the colors of visited links, which are normally obfuscated by the browser to avoid just this kind of snooping. Essentially, the light sensor readings can be used to distinguish between visited and unvisited links and thus inform an attacker as to which links the user had previously visited.
Another example involves using the ambient light sensor data to grab QR codes. That data can be used for such things as hijacking a user’s account when a QR code is used to provide emergency access to an account.
So far, the researchers have managed to create attacks that work in Firefox and Chrome on Android devices and on PCs with ambient light sensors. Certain problems exists, such as changing lighting conditions in real-world situations, and also screen brightness variations. Nevertheless, the attack presents yet another reason to wonder who might be stealing our information in ways that we’d never imagine — or prepare against.