An overwhelming majority of handheld devices these days have ambient light sensors built into them. A large percentage of TVs and monitors do, too, and that proportion is growing. The sensors allow devices to automatically adjust the screen brightness based on how light or dark the surroundings are. That, in turn, reduces eye strain and improves power consumption.
New research reveals that embedded ambient light sensors can, under certain conditions, allow website operators, app makers, and others to pry into user actions that until now have been presumed to be private. A proof-of-concept attack coming out of the research, for instance, is able to determine what touch gestures a user is performing on the screen. Gestures including one-finger slides, two-finger scrolls, three-finger pinches, four-finger swipes, and five-finger rotates can all be determined. As screen resolutions and sensors improve, the attack is likely to get better.
Always-on sensors, no permissions required
There are plenty of limitations that prevent the attack as it exists now from being practical or posing an immediate threat. The biggest restrictions: it works only on devices with a large screen, in environments without bright ambient light, and when the screen is displaying certain types of content that are known to the attacker. The technique also can’t reveal the identity of people in front of the screen. The researchers, from Massachusetts Institute of Technology, readily acknowledge these constraints but say it’s important for device makers and end users to be aware of the potential threat going forward.