When apps want to access data from your smartphone's motion or light sensors, they often make that capability clear. That keeps a fitness app, say, from counting your steps without your knowledge. But a team of researchers has discovered that the rules don't apply to websites loaded in mobile browsers, which can often access an array of device sensors without any notifications or permissions whatsoever.
That mobile browsers offer developers access to sensors isn't necessarily problematic on its own. It's what helps those services automatically adjust their layout, for example, when you switch your phone's orientation. And the World Wide Web Consortium standards body has codified how web applications can access sensor data. But the researchers—Anupam Das of North Carolina State University, Gunes Acar of Princeton University, Nikita Borisov of the University of Illinois at Urbana-Champaign, and Amogh Pradeep of Northeastern University—found that the standards allow for unfettered access to certain sensors. And sites are using it.
The researchers found that of the top 100,000 sites—as ranked by Amazon-owned analytics company Alexa—3,695 incorporate scripts that tap into one or more of these accessible mobile sensors. That includes plenty of big names, including Wayfair, Priceline.com, and Kayak.
"If you use Google Maps in a mobile browser you’ll get a little popup that says, 'This website wants to see your location,' and you can authorize that," says Borisov. "But with motion, lighting, and proximity sensors there isn’t any mechanism to notify the user and ask for permission, so they're being accessed and that is invisible to the user. For this collection of sensors there isn't a permissions infrastructure."
That unapproved access to motion, orientation, proximity, or light sensor data alone probably wouldn't compromise a user's identity or device. And a web page can only access sensors as long as a user is actively browsing the page, not in the background. But the researchers note that on a malicious website, the information could fuel various types of attacks, like using ambient light data to make inferences about a user's browsing, or using motion sensor data as a sort of keylogger to deduce things like PIN numbers.
In past work, researchers have also shown that they can use the unique calibration features of motion sensors on individual devices to identify and track them across websites. And while the World Wide Web Consortium standards classify data from these sensors as "not sensitive enough to warrant specific sensor permission grants," the group does acknowledge that there are some potential privacy concerns. "Implementations may consider permissions or visual indicators to signify the use of sensors by the page," the standard suggests.
The group looked at how nine browsers—Chrome, Edge, Safari, Firefox, Brave, Focus, Dolphin, Opera Mini, and UC Browser—handle access to motion, orientation, proximity, and light sensors. They found that all of them allow web pages to access motion and orientation sensors without permission. Only Firefox also allowed access to proximity and light sensors in recent versions; the browser removed this default access beginning with Version 60 in May 2018.¹ The researchers also found that the popular ad and tracking blockers they tested didn't reliably block scripts seeking sensor access, catching them less than 10 percent of the time, and in most cases only 2 to 3 percent of the time.
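For a site owner who wants to see which scripts on a page subscribe to these sensors, the sketch below is an added example, not code from the article or from the researchers' tooling. It hooks the standard DOM sensor events (`devicemotion`, `deviceorientation`, `deviceproximity`/`userproximity`, `devicelight`) and logs the requesting script; the names `installSensorAudit`, `callerOf` and `findAccessor` are hypothetical.

```javascript
// Added example: runtime audit of sensor-event subscriptions (defensive instrumentation).
// DOM event names for the four sensor classes discussed in the article.
const SENSOR_EVENTS = new Map([
  ['devicemotion', 'motion'],
  ['deviceorientation', 'orientation'],
  ['deviceorientationabsolute', 'orientation'],
  ['deviceproximity', 'proximity'],
  ['userproximity', 'proximity'],
  ['devicelight', 'light'],
]);

// Return the script location of the frame `skip` levels above where the Error was made.
// Handles V8 ("at fn (url:1:2)") and Firefox/Safari ("fn@url:1:2") stack formats.
function callerOf(stack, skip) {
  const frames = String(stack).split('\n').filter((l) => /:\d+:\d+\)?\s*$/.test(l));
  const m = frames[skip] && frames[skip].match(/([^\s(@]+):\d+:\d+\)?\s*$/);
  return m ? m[1] : 'unknown';
}

// Walk the prototype chain for a handler accessor such as window.ondevicemotion.
function findAccessor(obj, prop) {
  for (let o = obj; o; o = Object.getPrototypeOf(o)) {
    const d = Object.getOwnPropertyDescriptor(o, prop);
    if (d) return d.get && d.set ? d : null;
  }
  return null;
}

// Hook `target` (window in a browser) so every sensor subscription is logged
// with the script that asked for it, then passed through unchanged.
function installSensorAudit(target, log = []) {
  const record = (event, via) => log.push({
    sensor: SENSOR_EVENTS.get(event), event, via, caller: callerOf(new Error().stack, 2),
  });
  const original = target.addEventListener;
  target.addEventListener = function auditedAdd(type, listener, options) {
    if (SENSOR_EVENTS.has(type)) record(type, 'addEventListener');
    return original.call(this, type, listener, options);
  };
  for (const event of SENSOR_EVENTS.keys()) {
    const desc = findAccessor(target, 'on' + event);
    if (!desc) continue; // this engine does not expose the handler property
    Object.defineProperty(target, 'on' + event, {
      configurable: true,
      get() { return desc.get.call(this); },
      set(fn) { record(event, 'on-property'); desc.set.call(this, fn); },
    });
  }
  return log;
}
```

The hook only sees subscriptions made after it is installed, so it has to load before any third-party script, and each frame has its own `window` that needs its own hook.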
"There are limitations of the available protections for users," Acar says. "In general we don’t think ad blockers and black lists were efficient in blocking these scripts."
The researchers classified the sensor scripts they found by what they seemed to be doing. Some had benign uses, like orienting and resizing pages or reacting to gestures. A few even used the data to fuel random number generators. But the researchers also found about 1200 sites that seemed to be using sensor data to aid tracking and analytics-gathering or audience recognition. And 63 percent of the scripts the researchers analyzed that access motion sensors also fingerprint browsers for tracking.
"I did not expect that we would find thousands of sites and hundreds of domains that are engaged in using these sensors," Borisov says. "Or that there’s a link between doing that and other stateless tracking approaches. These are advanced techniques in browser fingerprinting."
The researchers say they hope to bring awareness to the topic and start a discussion within the browser industry about the best way to give users more control and information about what sensors websites can access without interrupting browsing every time a user wants to reorient their phone. And the group notes that there is more work to be done, since they encountered many scripts that they couldn't easily classify as using sensor data in a particular way. This means that there may be more uses for this type of data—both legitimate and potentially invasive—that they haven't yet identified.
The prevalence of ad networks also makes it difficult to get a handle on the issue. The researchers even found three scripts attempting to access user sensors in ad modules on WIRED.com, though at least one had been removed when the researchers rechecked the site for this story. Other media sites, including CNN, the Los Angeles Times, and CNET, have ad networks using similar scripts as well.
"There’s a difference between the access from the web scripts compared to say mobile apps," Acar says. "And a lot of this is legitimate. But the fact that access can be granted without prompting the user is surprising. It's currently up to the vendors, and vendors tend to choose the side of more usability."
¹ Update, September 26, 2018, 10:40am ET: This story has been updated to reflect changes made in Firefox Version 60.