Security News > 2022 > August > Let there be ambient light sensing, without fear of data theft

Six years after web security and privacy concerns surfaced about ambient light sensors in mobile phones and notebooks, browser boffins have finally implemented defenses.

The W3C, everyone's favorite web standards body, began formulating an Ambient Light Events API specification back in 2012 to define how web browsers should handle data and events from ambient light sensors.

The spec evolved to include acknowledgement of the possibility that ALS might allow data correlation and device fingerprinting, to the detriment of people's privacy.

Olejnik cited a number of ways in which ambient light sensor readings might be abused, including data leakage, profiling, behavioral analysis, and various forms of cross-device communication.

"Skin reflectance only accounts for the 4-7 percent emitted light but modern display screens emit light with significant luminance. We exploited these facts of nature to craft an attack that reasoned about the website content via information encoded in the light level and conveyed via the user skin, back to the browsing context tracking the light sensor readings."

In May 2018, with the release of Firefox 60, Mozilla moved access to the W3C proximity and ambient light APIs behind flags, and applied further limitations in subsequent Firefox releases.

News URL

https://go.theregister.com/feed/www.theregister.com/2022/08/13/ambient_light_security/