Security & Ambient Light Sensors

A couple of months ago I was reading a write-up about video camera drones that can fly outside a window and take pictures of a target’s blinking hard drive activity LED. Not that you can gain any useful information from that; but it can be used by hostile entities to see if a hack on that target PC has been successful. Really, who thinks this stuff up? I sure hope that drone could make itself more useful by attacking a Domino’s driver and stealing a pizza on the way back!

So, a few days ago, I’m alerted to a *potential* problem that exists with Ambient Light Sensors and certain web browsers. Ambient Light Sensors are equipped on Apple Macbook Pros and many Android phones. The telemetry fed back from the sensor can have web applications render their web pages differently based upon the client’s lighting conditions. If you ask me, I’d say that’s a pretty nifty thing. Of course, there’s a catch. By keeping the screen on, a miscreant web page can manipulate the sensor and then extract the browser’s history.

‘ Be default, the Firefox browser is the most vulnerable. Google’s Chrome requires a configuration option be turned on to be vulnerable.

You can read all the technical details from this researcher here: < a href="https://blog.lukaszolejnik.com/stealing-sensitive-browser-data-with-the-w3c-ambient-light-sensor-api/">https://blog.lukaszolejnik.com/stealing-sensitive-browser-data-with-the-w3c-ambient-light-sensor-api/

Currently, it is only in the “proof of concept” phase – no sources on GitHub!!