Laptops, smartphones, and other mobile devices increasingly come equipped with webcams and other sensor devices, according to a new Microsoft study. But such sensors give hackers a ripe opportunity to eavesdrop on device owners, the researchers warn.
The report, written by researchers Jon Howell and Stuart Schechter, outlines a concept graphical interface that could give users better protection from unwanted data sharing.
Current security solutions do not adequately monitor applications' access to sensors, according to the report. The risk of eavesdropping is compounded by the proliferation of new applications that can access sensor-related data, according to the researchers.
Many operating systems currently give users a choice to grant or deny an application permission to access a sensor, the report states. But users may not fully understand the scope of the data collected or the exact duration of data collection. Some applications may contain malicious content, and further risks can stem from situations such as device sharing.
The privacy risks of mobile sensors have been highlighted in recent months after a case involving a Pennsylvania school district, school-issued laptops, and spying allegations by students. The Lower Merion School District has admitted that it took thousands of photos of students, according to reports, in what it says was a misguided attempt to locate lost and stolen laptops. Students have filed a class-action lawsuit.
(For more on Lower Merion's alleged laptop surveillance, see "Webcamgate: Student Accuses Suburban Philly High School of Using Webcam to Spy on Him.")
A main aim of the tool, called the sensor-access widget, is to give users a visible, ongoing way to know exactly when any data sharing occurs, according to the report. Any attempt by an application to access sensor data would trigger an on-screen pop-up window giving users a set of policy choices. Users might choose to initially allow access, for example. They could also choose to have the pop-up display on future access attempts and to have a timer provide a countdown of about five seconds before data access occurs. The tool could then be set to automatically allow access or to deny it unless permission is expressly given.