Closed
Bug 681562
Opened 14 years ago
Closed 13 years ago
Restrict DeviceMotion to the active document
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
RESOLVED FIXED, mozilla9
People
(Reporter: dougt, Assigned: dougt)
Details
(Whiteboard: [sg:moderate][qa-][secr:dchan])
Attachments
(1 file, 1 obsolete file)
patch (2.55 KB) | smaug: review+ | asa: approval-mozilla-aurora+ | asa: approval-mozilla-beta+
derf sent me this from https://db.usenix.org/events/hotsec11/tech/techAbstracts.html#Cai
TouchLogger: Inferring Keystrokes on Touch Screen from Smartphone Motion
Attacks that use side channels, such as sound and electromagnetic emanation, to infer keystrokes on physical keyboards are ineffective on smartphones without physical keyboards. We describe a new side channel, motion, on touch screen smartphones with only soft keyboards. Since typing on different locations on the screen causes different vibrations, motion data can be used to infer the keys being typed. To demonstrate this attack, we developed TouchLogger, an Android application that extracts features from device orientation data to infer keystrokes. TouchLogger correctly inferred more than 70% of the keys typed on a number-only soft keyboard on a smartphone. We hope to raise the awareness of motion as a significant side channel that may leak confidential data.
In a nutshell, we should prevent device motion from going to documents that are not active.
Updated•14 years ago (Assignee)
Assignee: nobody → doug.turner
Comment 1•14 years ago (Assignee)
I think what we want to do is just not send device motion events to any document that is in a window that is in the background or if that window is not active.
Comment 2•14 years ago (Assignee)
smaug, this is sort of what I want to do, but this prevents all device motion in Fennec. Is there a better way?
Comment 3•14 years ago
Do you know why that prevents all the events in Fennec?
Comment 4•14 years ago
Also, you'd probably want to check if any of the parent windows (in docshell tree) is active.
Updated•14 years ago
Whiteboard: [sg:high]
Comment 5•14 years ago
when you say "documents that are not active" do you mean "top-level documents", or in a page with multiple iframes would you only send device motion to the frame that's focused? The latter seems like it would break things. By active "document" I hope you mean "tab".
Updated•14 years ago
Keywords: sec-review-needed
Comment 6•13 years ago (Assignee)
IsBackground needs to be called on the outer window. IsActive is only for the -moz-window-inactive pseudoclass
Attachment #555337 - Attachment is obsolete: true
Attachment #557256 - Flags: review?(Olli.Pettay)
Comment 7•13 years ago
Comment on attachment 557256: patch v.1
I think this should be ok.
When a window is taken out from background, these events should
fire often enough so that right acceleration/orientation data
is updated to the page. Right?
Attachment #557256 - Flags: review?(Olli.Pettay) → review+
Comment 8•13 years ago (Assignee)
Comment on attachment 557256: patch v.1
yes. works well on my test pages.
Comment 9•13 years ago (Assignee)
Updated•13 years ago (Assignee)
Attachment #557256 - Flags: approval-mozilla-beta?
Attachment #557256 - Flags: approval-mozilla-aurora?
Comment 10•13 years ago
http://hg.mozilla.org/mozilla-central/rev/9fa4dee3e947 (check-in by edmorley)
Status: NEW → RESOLVED
Closed: 13 years ago
status-firefox7: --- → affected
status-firefox8: --- → affected
status-firefox9: --- → fixed
tracking-firefox7: --- → +
tracking-firefox8: --- → +
tracking-firefox9: --- → +
Resolution: --- → FIXED
Target Milestone: --- → mozilla9
Updated•13 years ago
Attachment #557256 - Flags: approval-mozilla-beta?
Attachment #557256 - Flags: approval-mozilla-beta+
Attachment #557256 - Flags: approval-mozilla-aurora?
Attachment #557256 - Flags: approval-mozilla-aurora+
Comment 11•13 years ago (Assignee)
Comment 12•13 years ago
Do we need this fixed in 1.9.2? We don't support mobile there and I'm not sure we had Motion events, just Orientation events. Maybe they'd be enough to pull off this attack by themselves? Machines solidly on a desktop may not be as vulnerable.
Either way we'd need a new patch because the DeviceMotion files don't exist on the old branch (equivalent place looks like http://mxr.mozilla.org/mozilla1.9.2/source/widget/src/xpwidgets/nsAccelerometer.cpp#251).
blocking1.9.2: --- → ?
status1.9.2: --- → ?
Comment 13•13 years ago
This does not appear to be a currently practical attack against 3.6.x desktop Firefox users (or any users with a full keyboard) and likely won't be for the next couple of months of 3.6.x's remaining support lifetime. Won't backport the patch unless something comes up that changes the risk profile.
blocking1.9.2: ? → ---
Comment 14•13 years ago
qa- as no QA fix verification needed
Whiteboard: [sg:high] → [sg:high][qa-]
Updated•13 years ago
Whiteboard: [sg:high][qa-] → [sg:moderate][qa-]
Comment 15•13 years ago
The heart of the patch is
+ if (!pwindow || pwindow->GetOuterWindow()->IsBackground())
+ continue;
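Review bot: In the condition `pwindow->GetOuterWindow()->IsBackground()`, the result of GetOuterWindow() is dereferenced without a null test; only pwindow itself is checked. If GetOuterWindow() can return null for a listener whose window is going away, this line would crash, so consider holding the outer window in a local and skipping the listener when it is null, the same way a background window is skipped. A one-line comment stating why background windows are skipped (the motion side channel this bug describes) would also help later readers.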
Will the foreground tab be considered IsBackground() when another app has focus? Or could the active Firefox tab quietly listen in on what you type into other apps?
Updated•13 years ago
Whiteboard: [sg:moderate][qa-] → [sg:moderate][qa-][secr:imelven]
Comment 16•13 years ago
I looked at the implementation of IsBackground() and it basically checks whether the associated docshell is active. If the docshell isn't active when Firefox isn't the active application, this should be fine. Will follow up with Doug to make sure this is the case.
Updated•13 years ago
Group: core-security
Updated•13 years ago
Keywords: sec-review-needed
Whiteboard: [sg:moderate][qa-][secr:imelven] → [sg:moderate][qa-]
Comment 17•13 years ago
Putting sec-review-needed back on here. We never got an answer as to whether the code behaves as we would like. I suggest someone give this a test to verify it's working as intended.
Keywords: sec-review-needed
Updated•13 years ago
Whiteboard: [sg:moderate][qa-] → [sg:moderate][qa-][secr:dchan]
Comment 18•13 years ago
I wrote a small webpage that added an eventListener to deviceorientation which incremented a counter.
Scenarios
- Fennec in foreground, test tab is active
-- counter IS incremented
- Fennec in foreground, test tab is inactive e.g. another tab has focus
-- counter ISN'T incremented
- Fennec in background, test tab is active
-- counter IS incremented
- Fennec in background, test tab is inactive
-- counter ISN'T incremented
where background is a result of hitting the HOME button / changing apps so that Fennec is no longer in front
The third case doesn't seem correct to me. I would have thought that the page stops receiving events if Fennec is in the background.
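The manual test described in comment 18 can be scripted along the following lines. This is an added example, not part of the original thread or of the Mozilla patch; createSensorAudit and its result fields are hypothetical names, and it assumes the Page Visibility API (document.hidden) reports true whenever the tab is in the background.

```javascript
// Added example (not from the bug): count sensor events per visibility state.
// createSensorAudit and its fields are hypothetical names.
function createSensorAudit(target, doc, types = ["deviceorientation", "devicemotion"]) {
  const counts = {};      // counts[type] = { visible: n, hidden: n }
  const leaks = [];       // events that arrived while the document was hidden
  const handlers = new Map();
  for (const type of types) {
    counts[type] = { visible: 0, hidden: 0 };
    const handler = (ev) => {
      // Assumption: doc.hidden (Page Visibility API) is true for a background tab.
      const state = doc.hidden ? "hidden" : "visible";
      counts[type][state] += 1;
      if (doc.hidden) leaks.push({ type, timeStamp: ev.timeStamp });
    };
    handlers.set(type, handler);
    target.addEventListener(type, handler);
  }
  return {
    counts,
    leaks,
    // PASS: no sensor event reached the page while it was hidden.
    verdict: () => (leaks.length === 0 ? "PASS" : "FAIL"),
    stop: () => handlers.forEach((h, t) => target.removeEventListener(t, h)),
  };
}

// In a browser: load the page, switch tabs or apps, return, then read the log.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const audit = createSensorAudit(window, document);
  document.addEventListener("visibilitychange", () => {
    if (!document.hidden) console.log(audit.verdict(), JSON.stringify(audit.counts));
  });
}
```

A FAIL verdict after returning to the tab corresponds to the "counter IS incremented" outcome for a page that should not have been receiving events.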
Comment 19•13 years ago
Can someone on the mobile team comment on whether the desired behavior is for Fennec to receive DeviceMotion events when it isn't in the foreground?
Comment 20•13 years ago (Assignee)
dchan - no. fennec is busted. See bug 718364.
Comment 21•13 years ago
(In reply to Doug Turner (:dougt) from comment #20)
> dchan - no. fennec is busted. See bug 718364.
sounds like this bug should be reopened then?
Comment 22•13 years ago
the security review was completed a while ago. See bug 739729 for the background sensor issue
Keywords: sec-review-needed → sec-review-complete
Updated•13 years ago
Flags: sec-review+
Updated•6 years ago
Component: DOM → DOM: Core & HTML