People put a lot of trust in their mobile phones; we use them to make payments, do work, and jot down last night’s weird dreams (thank you Notes app). But unfortunately, they can also be used to target us, and a new study from MIT researchers has revealed how hackers could take advantage of a phone’s light sensor to track and reconstruct our activity.
Phones use ambient light sensors to detect surrounding light levels and, when auto-brightness is enabled, adjust screen brightness accordingly. Whilst other phone features, such as the camera or microphone, require user permission before apps can access them, light sensors typically don’t. It’s this that researchers believe could be exploited.
Led by Yang Liu, the team at MIT developed an algorithm that’s capable of using variations captured by the light sensor to reconstruct images of a person’s touch interactions with their phone, such as scrolling or swiping.
They tested the algorithm out on an off-the-shelf Android tablet in multiple scenarios, including sitting a dummy in front of the screen and using either a mannequin, cardboard cutout or human hand to touch it, as well as seeing if it could pick up on gestures whilst watching videos. In all circumstances, the results revealed that light sensor data could be used to pick up on interactions with the screen and create images of them.
“This imaging privacy threat has never been demonstrated before,” said Liu in a statement.
If that sounds a tad worrying, you’ll be pleased to know that such a threat is far from imminent. The rate at which images could be retrieved in the study was only one frame every 3.3 minutes – that’s slow enough that whoever was trying to get the images would struggle to keep up with your phone interactions in real-time. And even if they do get images, if retrieved from a natural video, the pictures can be pretty blurry.
Nevertheless, the researchers came up with some ways to mitigate the potential risks. The main target is software; they recommend that access to ambient light sensors should be restricted, with users having to give permission in the same way they do for camera or microphone requests.
They also suggest putting a cap on the sensors’ capabilities, keeping the precision and speed low enough to prevent high-resolution images, and also placing the sensor on the side of the device where it can’t detect the most revealing gestures.
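To make the software mitigations concrete, here is an added sketch (not code from the study or from any phone platform) of a gate that sits between the raw sensor and an app: it withholds readings without permission, limits the delivery rate and rounds values into coarse buckets. The class name, the 50-lux step, the one-second interval and the sample trace are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed policy values for illustration; the article gives no numbers.
LUX_STEP = 50.0          # report brightness only in coarse buckets
MIN_INTERVAL_MS = 1000   # deliver at most one reading per second


@dataclass
class GatedLightSensor:
    """Hypothetical wrapper between the raw light sensor and an app."""
    permission_granted: bool = False
    lux_step: float = LUX_STEP
    min_interval_ms: int = MIN_INTERVAL_MS
    _last_ms: Optional[int] = None

    def deliver(self, timestamp_ms: int, raw_lux: float) -> Optional[float]:
        # Permission gate: without user consent the app gets nothing.
        if not self.permission_granted:
            return None
        # Speed cap: drop readings that arrive before the interval has passed.
        if self._last_ms is not None and timestamp_ms - self._last_ms < self.min_interval_ms:
            return None
        self._last_ms = timestamp_ms
        # Precision cap: round to the nearest bucket so small changes vanish.
        return round(raw_lux / self.lux_step) * self.lux_step


def replay(sensor: GatedLightSensor,
           trace: List[Tuple[int, float]]) -> List[Tuple[int, float]]:
    """Feed a recorded trace through the gate; return what the app would see."""
    seen = []
    for timestamp_ms, raw_lux in trace:
        value = sensor.deliver(timestamp_ms, raw_lux)
        if value is not None:
            seen.append((timestamp_ms, value))
    return seen


# Constructed trace: 10 Hz samples near 300 lux with small dips, standing in
# for the subtle variations the article says the algorithm relies on.
TRACE = [(i * 100, 300.0 + (-8.0 if i % 7 < 3 else 4.0)) for i in range(50)]

if __name__ == "__main__":
    print("raw values:", sorted({lux for _, lux in TRACE}))
    print("no permission:", replay(GatedLightSensor(), TRACE))
    print("gated:", replay(GatedLightSensor(permission_granted=True), TRACE))
```

With these assumed settings the 50 raw samples shrink to five identical readings, so the small fluctuations never reach the app.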
The study is published in Science Advances.