In this article we introduce a way to extract sensitive information from the browser, and the only tool we need is the ambient light sensor built into your smartphone or laptop. The article is structured as follows:
1. First, we introduce the background on light sensors.
2. Next, we describe how the screen color of the user's device affects the light sensor's readings. Our main goal is to extract cross-origin data and browsing history; an attacker can also extract sensitive documents and images (such as QR codes used for account recovery).
3. Finally, we introduce the countermeasures browser vendors can adopt, and explain how to mitigate this risk.
Note: The current versions of Firefox and Chrome do not resist this attack, on any device equipped with a light sensor, including Android devices and desktop machines (such as the MacBook Pro).
Background: the light sensor in smartphones
Today almost all smartphone models and the vast majority of laptops are equipped with an ambient light sensor. The sensor is typically installed at the top of the device, near the front camera. A smartphone uses the ambient light sensor not only to detect the user's proximity, but also to sense the surrounding environment and adjust the screen brightness to save power. Lighting information can also be used to adapt the phone's behavior or configure its hardware. The light sensor's data is therefore quite sensitive.
The data returned by the ambient light sensor is very precise. The SI unit of illuminance is the lux, and the sensor's output ranges from 0 (dark) to tens of thousands of lux. The sensor also reports at a high frequency: the reading interval is about 100-200 milliseconds.
To compete with native apps and offer users a better experience, more and more websites want access to ambient light sensor data. The W3C Device and Sensors Working Group is currently discussing whether websites should be allowed to access light sensor data without the user's permission; meanwhile, the current versions of Chrome and Firefox have already implemented the corresponding API.
The W3C is currently discussing the Generic Sensor API, and one of the main questions is whether third-party services need the user's permission to access specific sensor data. The purpose of our study is therefore to examine the security threats the ambient light sensor (ALS) currently faces. Prior to this, I analyzed both the security and the privacy aspects of the ALS and found that an attacker can not only use its readings to detect whether someone is in the room, but can also discover the target user's bank password.
In this article our focus is on how sensor data helps an attacker extract private data from the target user's browser. Next, we discuss the actual attack scenario.
Extracting data using the light sensor
So how exactly can the ambient light sensor be used to extract a user's private data? First, note the following two points:
1. The color of the user's screen carries a lot of useful information, but for security reasons websites are prohibited from reading it directly.
2. An attacker can distinguish between different screen colors by reading the light sensor.
We describe the second point later; in short, the light emitted by the screen affects the readings of the light sensor, which in turn allows a website to determine the color of the device's screen.
The first point may be surprising: after all, a website controls what it displays on the user's screen, so why would it care about that data? The answer is that there are two color states a website cannot obtain directly:
1. The color of visited links: for privacy reasons, the browser does not disclose to the developer the color in which a link is displayed on the page; otherwise a malicious developer could use the "visited" link style to detect which websites the user has visited.
2. Cross-origin resources: the same-origin policy prevents a malicious website from reading, across origins, resources that legitimately belong to a victim site. Although a website cannot inspect the contents of another site's frames and images, it can still display them and manipulate how they are shown, for example by scaling them or changing their colors, as it needs.
Next, we describe the implementation of the attack.
Detecting visited links
Although a website can use different styles for visited and unvisited links, it cannot detect how a link is actually displayed to the user. However, we can use the sensor to identify the link's true color. The general steps are as follows:
1. Set the link styles: visited (white), unvisited (black).
2. Calibrate: display a white background and then a black background to learn the user's light levels. Note that large fluctuations in sensor readings make the attack harder.
3. Traverse the list of links: read the addresses in the list one by one and display each on the screen. Links that have been visited are shown in white, links that have not are shown in black.
4. Record the light level for each link and identify its color. Since the screen was calibrated in the second step, the color corresponding to each light sensor reading is now known.
Finally, the attacker obtains all the white links and thus knows which pages the user has previously visited.
The demo video is as follows:
In the demo video, the lighting conditions of our experimental environment do not change during the data extraction phase, but this restriction is not difficult to remove.
Stealing cross-origin resources
In our experiments we focus on stealing images, because image resources are the easiest to extract. In the following demo video, the website lets the user gain emergency access to, or recover, an account by scanning a QR code (http://ift.tt/2r9XusX), and an attacker who obtains that QR code can hijack the user's account.
The attack mechanism is as follows:
1. Embed an image from the targeted domain. Typically such an image differs from user to user and identifies them, for example a user avatar or a security code.
2. Use an SVG filter to turn it into a black-and-white image.
3. Zoom the image so that it fills the entire screen.
4. Traverse all the pixels of the image, display each pixel on the user's screen, and record the light sensor reading for each pixel.
5. Combine all the pixels into the resulting image.
Since we can only extract a single value at a time, detection speed is the main bottleneck of this attack technique. Although the browser reads the sensor at only 60Hz, this does not mean we can extract 60 bits of data per second; the final detection speed is limited by how quickly the sensor can register a change in screen brightness.
The detection time for each case is as follows:
- 8-character plaintext string: 24 seconds
- 16-character plaintext string: 48 seconds
- 20×20 QR code image: 3 minutes and 20 seconds
- Scanning the history for the 1000 most frequently accessed URLs: 8 minutes and 20 seconds
- 64×64 pixel image: 34 minutes 08 seconds
The following video demonstrates the complete process of stealing an image:
At present, the two main mitigation approaches are:
1. Limit the sensor read rate (below 60Hz)
2. Limit the output accuracy of the sensor
However, for light sensors, limiting the frequency cannot prevent our attack; even at 1Hz we can still attack, although the limit significantly increases the time cost of the attack. In contrast, limiting the output accuracy of the sensor may be a better solution. Clearly, though, the best solution is to restrict websites' access to sensor data, at least by requiring the user's permission before the data can be read.
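The following is an added example, not code from the original article or from any browser: a small JavaScript model of the two mitigations just discussed (a rate cap and coarse output resolution) applied to ambient-light readings, together with a check of whether the sanitized readings still let an observer separate a white screen from a black one. The lux values, the jitter pattern, the 50-lux step and the 1000 ms interval are assumptions chosen for illustration, not measurements from the article.

```javascript
// Added example (not from the original article): applying the two
// mitigations discussed above to ambient-light readings and checking
// whether screen colour still leaks afterwards.

// Round a lux value to a coarse grid. The 50-lux step is an assumption;
// the point is that it is far larger than the few lux the device's own
// screen contributes to the reading.
function quantizeLux(lux, stepLux = 50) {
  if (!Number.isFinite(lux) || lux < 0) return 0;
  return Math.round(lux / stepLux) * stepLux;
}

// Accept at most one reading per minIntervalMs (default 1000 ms = 1 Hz).
class ReadingRateLimiter {
  constructor(minIntervalMs = 1000) {
    this.minIntervalMs = minIntervalMs;
    this.lastAcceptedAt = -Infinity;
  }
  // Returns the reading if accepted, otherwise null (dropped).
  accept(lux, nowMs) {
    if (nowMs - this.lastAcceptedAt < this.minIntervalMs) return null;
    this.lastAcceptedAt = nowMs;
    return lux;
  }
}

// Both mitigations combined, in the order a browser would apply them.
class SanitizedLightSensor {
  constructor({ stepLux = 50, minIntervalMs = 1000 } = {}) {
    this.stepLux = stepLux;
    this.limiter = new ReadingRateLimiter(minIntervalMs);
  }
  onReading(lux, nowMs) {
    const accepted = this.limiter.accept(lux, nowMs);
    return accepted === null ? null : quantizeLux(accepted, this.stepLux);
  }
}

// Constructed toy model of the leak: ambient light, plus a small offset
// when the screen is white, plus deterministic jitter (assumed values).
const JITTER = [-1, 0, 1, 0, -1, 1];
function modelReadings(screenWhite, ambientLux = 200, whiteDeltaLux = 4) {
  return JITTER.map(j => ambientLux + (screenWhite ? whiteDeltaLux : 0) + j);
}

// Defender's check: can the two screen states be separated by a single
// threshold? Non-overlapping ranges mean colour information leaks.
function distinguishable(whiteSamples, blackSamples) {
  return Math.min(...whiteSamples) > Math.max(...blackSamples);
}

// Run the model through a transform and report whether it still leaks.
function leaksAfter(transform) {
  const white = modelReadings(true).map(transform);
  const black = modelReadings(false).map(transform);
  return distinguishable(white, black);
}

// How many samples of a 60 Hz stream (one every 16 ms) survive the
// rate limiter over the given number of seconds.
function acceptedAtSixtyHz(seconds, minIntervalMs = 1000) {
  const limiter = new ReadingRateLimiter(minIntervalMs);
  let accepted = 0;
  for (let t = 0; t < seconds * 1000; t += 16) {
    if (limiter.accept(200, t) !== null) accepted += 1;
  }
  return accepted;
}

console.log('raw readings leak screen colour:', leaksAfter(x => x));
console.log('after 50 lux quantization:', leaksAfter(x => quantizeLux(x, 50)));
console.log('readings accepted in 3 s at a 1 Hz cap:', acceptedAtSixtyHz(3));
```

Under these assumptions the rate cap only reduces the number of readings (3 per 3 seconds instead of 180), which matches the article's observation that a lower frequency slows the attack without stopping it, whereas the coarse output step collapses the white and black readings into the same bucket, so there is nothing left to distinguish.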
Summary
Our attack technique not only exposes the current security risks of light sensors but also shows that a malicious website can use light sensor data to bypass the same-origin policy and steal sensitive user information across origins. In fact, besides light sensors, sensors such as temperature sensors, GPS and gyroscopes all have various security issues to a greater or lesser degree, and designing industry standards for these devices with security and privacy as primary considerations is not easy. We therefore hope that manufacturers will pay more attention to sensor security and add more security features to these devices in the future.