Staying ahead of cyber attackers is a very difficult job, because not only are security researchers playing catch-up a lot of the time, but sometimes the people responsible for the standards that help our ever-evolving tech to inter-operate inadvertently offer up new ways for those attackers to do their thing.
One of the very latest attacks that researchers have caught is one that uses the ambient light sensors in phones, tablets and laptops to steal a user’s browser data. That’s right, the sensor that adjusts your screen’s brightness based on how much light it detects to save a bit of battery can be co-opted into passing on the data it has access to, to third parties.
No Permission Necessary
And that’s a big problem, because right now most mobile apps and websites don’t have to ask permission to access the sensors on your devices. This simple fact makes everything those sensors have access to vulnerable to attack, which includes things like your browsing history, PIN codes, sensitive data and even touch actions.
This came about because of an API developed by the World Wide Web Consortium (W3C), that established that websites don’t need to ask for permission in order to interact with ambient light sensors via a browser.
Colour me robbed
The attack works on current versions of Chrome, Firefox, Android, and laptop computers with light sensors, and it works by using the light sensor to detect the colour of the links in sites stored in your browsing history. That tells attackers whether a link has been clicked or not, and allows malicious websites to violate the Web’s “same-origin policy” and use it to steal your information.
This is what Wikipedia has to say about the “same-origin policy”:
In computing, the same–origin policy is an important concept in the web application security model. Under the policy, a web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin.
This discovery came about due to discussions initiated by the W3C around the generic sensor API that it developed, in which they weighed up the possibility of allowing access to certain sensor data without asking the user for permission.
A privacy expert and security researcher, Lukazs Olejnik, responded to the discussion by investigating the potential such a move had for inadvertently giving attackers another way to access to someone’s private data. His team’s results are what you read above – that even something as seemingly-innocuous as a light sensor can be used by attackers for the purposes of data theft.
More alarmingly, it appears that even the people working on browser technology aren’t aware of the potential for sensor mis-use. Just last month, the Google Chrome team apparently put the idea forward to the W3C that accelerometers, gyroscopes, light sensors and others commonly found in consumer tech should be exempted from the browser permissions system, opening the door for websites to make use of those sensors without asking the user first.
Some Hope Exists
It’s not all bad news, however: preventing such sensor mis-use is a relatively simple matter of updating the API to limit how often sensors take readings and the precision of their output. How this will affect the legitimate tasks those sensors are there to perform is another question entirely, but it would at least limit the ease with which attackers could get up to their tricks.