Ambient light sensors, found on most modern smart devices like smartphones and tablets, can capture images of how users interact with their devices and possibly more.
A new study published by a team of cybersecurity experts at the Massachusetts Institute of Technology (MIT) shows how hackers can use a device’s display and ambient light sensors to capture detailed images of touch interactions and hand gestures.
This method does not rely on cameras or other traditional visual capture mechanisms. Instead, it measures variations in light intensity reflected or blocked by the user’s hand, opening a new avenue for privacy invasion.
“We have demonstrated three types of imaging privacy threats. At this point, they may not be easy for attackers to leverage because of the long acquisition time (over 3 min) and the limited spatial resolution of the recovered images,” MIT researchers said.
Capturing Images via the Ambient Light Sensor
While permission controls give users some control over their device functionality, certain sensors, traditionally deemed low-risk, remain unprotected and accessible without explicit consent. The ambient light sensor, designed to adjust screen brightness based on surrounding light levels, falls into this category.
Light sensors are found on mobile phones, tablets, laptops, smart watches, wearable devices, smart TVs, computer monitors, smart home gadgets, digital cameras, camcorders, automobiles, and even e-readers.
Ambient light sensors can be manipulated to capture images of touch interaction without needing a camera, the researchers explained. This process involves using a sophisticated algorithm to overcome the sensor’s low sensitivity and reconstruct images from the screen’s perspective.
The method exploits the ambient light sensor’s ability to detect changes in light intensity when a user’s hand interacts with the device’s display.
By displaying a known video sequence and analyzing the light intensity variations partially blocked by the interacting hand, the researchers could capture images of the environment in front of the screen, including touch interactions and hand gestures.
The ability to capture hand gestures exposes user interactions, including passwords, jeopardizing authentication security. This technique could be exploited for broader environmental imaging, further invading personal privacy.
This is not the first time researchers have found that devices and their components not traditionally used for imaging can be exploited to compromise users’ privacy. In 2022, groundbreaking research conducted by a team from Carnegie Mellon University revealed a novel application of Wi-Fi routers that allowed the researchers to generate 3D images of humans via Wi-Fi signals.
What Can You Do About It?
Widely used technologies like facial recognition, doorbell cameras, drones, and even IoT (Internet of Things) devices like smart washing machines invade our privacy, and these recent discoveries add to the concerns.
“Despite limitations in resolution and speed, we aim to raise awareness of potential security/privacy threats induced by the combination of passive and active components in smart devices and promote the development of ways to mitigate them,” the researchers said.
To address these privacy risks, the researchers suggest the tech industry revise the idea of what is considered to be a low-risk sensor and implement stricter permission controls.
Additionally, the researchers recommend adjusting the sensitivity and “quantization” levels of ambient sensors, modifying their placement on devices, or altering the display properties to help limit privacy threats.
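The effect of coarser quantization, shown as an added example that is not code from the MIT study or from this article: a constructed model in which a hand blocks part of a known on-screen pattern and the sensor reports ambient light plus the unblocked screen light. The ambient level, gain, pattern size and both step values are assumptions chosen for illustration.

```python
import random

def quantize(lux, step):
    """Mitigation: report the reading rounded to the nearest multiple of step."""
    return round(lux / step) * step

def simulate_readings(n_patterns=200, pixels=64, ambient=300.0, gain=0.05, seed=1):
    """Constructed sensor model (assumption, not measured data):
    reading = ambient light + gain * number of lit pixels not covered by the hand."""
    rng = random.Random(seed)
    # Assumed occlusion: the hand covers the first quarter of the pixels.
    blocked = [i < pixels // 4 for i in range(pixels)]
    readings = []
    for _ in range(n_patterns):
        pattern = [rng.randint(0, 1) for _ in range(pixels)]  # known displayed frame
        unblocked = sum(p for p, b in zip(pattern, blocked) if not b)
        readings.append(ambient + gain * unblocked)
    return readings

def distinct_levels(readings, step):
    """How many different values an app would observe after quantization."""
    return len({quantize(r, step) for r in readings})

def signal_span(readings):
    """Size of the raw variation caused by the changing pattern, in lux."""
    return max(readings) - min(readings)

if __name__ == "__main__":
    readings = simulate_readings()
    print(f"raw variation across frames: {signal_span(readings):.2f} lux")
    for step in (0.05, 50.0):  # fine step vs. coarse step (both assumed values)
        print(f"step {step:>5} lux -> {distinct_levels(readings, step)} distinct readings")
```

With the fine step the reported value changes from frame to frame; with the coarse step every reading collapses to the same value, so the small intensity variations the method depends on are no longer exposed to the app.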
While physical accessories like screen covers may not stop the detecting mechanisms of ambient light sensors — unless the entire upper portion of the screen is covered — you can still safeguard your privacy by:
- Disabling sensor permissions: Explore your device settings to restrict access to sensors for apps that do not need them to function. Although this option may not be widely available for ambient light sensors, staying informed about and advocating for such features in future software updates is important.
- For the technically savvy: Consider using custom firmware or ROMs that offer more granular control over hardware permissions, including sensors. This can potentially allow users to disable or control access to the ambient light sensor more effectively than the default operating system.
- Consider using a more secure smartphone or an older device that doesn’t have sensors.
- Get the latest software update on your device, which may include critical security fixes.
