In Talking Behind Your Back, security researchers Vasilios Mavroudis and Federico Maggi describe attacks and countermeasures of ultrasonic cross-device tracking.
Ultrasonic tracking is a relatively new form of user tracking that relies on inaudible sounds. A basic example is a TV ad that contains ultrasonic sounds that get picked up by an application running on the user’s smartphone. The application could then push the same ad on the smartphone, or monitor user behavior to find out whether a product website is visited.
Another example is so-called proximity marketing. This too works with an application on a device that the user carries, and relies on ultrasound emitters placed in the store. Companies may use the information to study user behavior in the store, and provide real-time notifications for products in proximity of the user.
The main issue with ultrasound beacons (high-frequency audio tags) is that they are inaudible to humans, and that most speakers and microphones have no problems emitting or capturing them.
The spectrum is usually in the 18000Hz to 20000Hz range, but there is no single standard that companies follow. While you do need at least two devices for this to work (one that sends the signal, another that captures it), it is fair to say that the practice has become more common in recent times and is on the rise.
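Because the beacons sit in a known band, a recording can be checked for them. The following is an added example, not code from the researchers or from Silverdog: it scans the 18000Hz to 20000Hz range with the Goertzel algorithm, and the threshold, probe spacing, sample rate and test signals are assumptions constructed for the demonstration.

```javascript
// Added example: look for narrowband energy between 18 kHz and 20 kHz.
// THRESHOLD and the 100 Hz probe spacing are assumptions chosen for this demo.
const BAND_START_HZ = 18000, BAND_END_HZ = 20000, STEP_HZ = 100;
const THRESHOLD = 0.01; // peak amplitude (full scale = 1.0) treated as suspicious

// Goertzel algorithm: amplitude of one frequency component without a full FFT.
function toneAmplitude(samples, sampleRate, freq) {
  const coeff = 2 * Math.cos((2 * Math.PI * freq) / sampleRate);
  let s1 = 0, s2 = 0;
  for (const x of samples) {
    const s0 = x + coeff * s1 - s2;
    s2 = s1;
    s1 = s0;
  }
  const power = s1 * s1 + s2 * s2 - coeff * s1 * s2;
  return (2 * Math.sqrt(Math.max(power, 0))) / samples.length;
}

// Scan the band and report the strongest component found.
function scanUltrasonicBand(samples, sampleRate) {
  if (sampleRate < 2 * BAND_END_HZ) // below Nyquist the band cannot be represented
    throw new Error("sample rate too low to observe the 18-20 kHz band");
  let peak = { freq: null, amplitude: 0 };
  for (let f = BAND_START_HZ; f <= BAND_END_HZ; f += STEP_HZ) {
    const amplitude = toneAmplitude(samples, sampleRate, f);
    if (amplitude > peak.amplitude) peak = { freq: f, amplitude };
  }
  return { ...peak, suspicious: peak.amplitude >= THRESHOLD };
}

// Constructed test signals: 0.1 s of audio, an audible 440 Hz tone with and
// without a quiet 18.5 kHz component mixed in.
function makeSignal(sampleRate, tones) {
  const n = sampleRate / 10;
  return Float64Array.from({ length: n }, (_, i) =>
    tones.reduce((sum, [f, a]) =>
      sum + a * Math.sin((2 * Math.PI * f * i) / sampleRate), 0));
}
const clean = makeSignal(48000, [[440, 0.5]]);
const tagged = makeSignal(48000, [[440, 0.5], [18500, 0.05]]);
console.log(scanUltrasonicBand(clean, 48000));
console.log(scanUltrasonicBand(tagged, 48000));
```

A real capture will not line up with the probe frequencies as neatly as the constructed tones do, so applying a window function and a finer probe spacing is advisable before relying on the result.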
Silverdog is a sound firewall for Chrome that blocks ultrasound frequencies in the browser. This prevents ultrasound tracking in the browser that runs it, but does nothing about ultrasound used by other devices.
The extension works fine out of the box. It is set to a frequency of 18000Hz by default and a certain filter type, gain and Q. You may want to read up on the various filters that it supports, as the extension itself offers no explanation on the differences between those filters.
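Filter type, frequency, gain and Q are the parameters of a biquad filter as the Web Audio API defines it, so the difference between types can be computed. The following is an added example, not Silverdog's code: it assumes the settings map to such a filter, a 48000 Hz sample rate, and illustrative Q and gain values; only the 18000Hz frequency comes from the text above.

```javascript
// Added example: frequency response of biquad filter types near 18 kHz.
// Coefficient formulas are the Audio EQ Cookbook ones that the Web Audio
// specification gives for BiquadFilterNode. SAMPLE_RATE is an assumption.
const SAMPLE_RATE = 48000;

function biquadCoefficients(type, f0, q, gainDb) {
  const w0 = (2 * Math.PI * f0) / SAMPLE_RATE;
  const cos = Math.cos(w0), sin = Math.sin(w0);
  if (type === "lowpass") {
    const alpha = sin / (2 * Math.pow(10, q / 20)); // Q is in dB for lowpass
    return { b: [(1 - cos) / 2, 1 - cos, (1 - cos) / 2],
             a: [1 + alpha, -2 * cos, 1 - alpha] };
  }
  if (type === "notch") {
    const alpha = sin / (2 * q); // Q is linear for notch
    return { b: [1, -2 * cos, 1], a: [1 + alpha, -2 * cos, 1 - alpha] };
  }
  if (type === "highshelf") {
    const A = Math.pow(10, gainDb / 40); // Q is unused for shelving filters
    const k = sin * Math.sqrt(2 * A);    // 2 * alpha_S * sqrt(A) with S = 1
    return {
      b: [A * (A + 1 + (A - 1) * cos + k), -2 * A * (A - 1 + (A + 1) * cos),
          A * (A + 1 + (A - 1) * cos - k)],
      a: [A + 1 - (A - 1) * cos + k, 2 * (A - 1 - (A + 1) * cos),
          A + 1 - (A - 1) * cos - k] };
  }
  throw new Error("unsupported filter type: " + type);
}

// Gain in dB of H(z) = (b0 + b1 z^-1 + b2 z^-2) / (a0 + a1 z^-1 + a2 z^-2).
function gainDbAt({ b, a }, freq) {
  const w = (2 * Math.PI * freq) / SAMPLE_RATE;
  const mag2 = (c) =>
    (c[0] + c[1] * Math.cos(w) + c[2] * Math.cos(2 * w)) ** 2 +
    (c[1] * Math.sin(w) + c[2] * Math.sin(2 * w)) ** 2;
  return 10 * Math.log10(mag2(b) / mag2(a));
}

// Compare three filter types, all placed at the same frequency.
function compareFilters(cutoff, probes) {
  const filters = {
    lowpass: biquadCoefficients("lowpass", cutoff, 0, 0),
    notch: biquadCoefficients("notch", cutoff, 1, 0),
    highshelf: biquadCoefficients("highshelf", cutoff, 0, -40),
  };
  return Object.fromEntries(Object.entries(filters).map(([name, c]) =>
    [name, probes.map((f) => Math.round(gainDbAt(c, f) * 10) / 10)]));
}
console.log(compareFilters(18000, [1000, 18000, 19000, 20000]));
```

With these values a lowpass placed at 18000Hz leaves an 18 kHz tone untouched and removes only about 6 dB at 20 kHz, while the -40 dB high shelf removes about 27 dB there and the notch suppresses only a narrow region around its centre.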
The Chrome extension works automatically once you have configured it. You can turn the firewall on or off with a click on the extension icon in the Chrome address bar.
One limitation of Silverdog is that it won’t work with Flash, but only with HTML5 content. The researchers have created a patch for Android’s permission system which gives users more control over the audio channel.
Both the Chrome extension and the AOSP patches can be downloaded from the developer website.
Now You: What’s your take on the tracking method?
About Martin Brinkmann
Privacy and Security Aspects of the Ultrasound Ecosystem
Gimme some context!
Nowadays users often possess a variety of electronic devices for communication and entertainment. In particular, smartphones are playing an increasingly central role in users’ lives: users carry them everywhere they go and often use them to control other devices. This trend provides incentives for the industry to tackle new challenges, such as cross-device authentication, and to develop new monetization schemes. A new technology based on ultrasounds has recently emerged to meet these demands. Ultrasound technology has a number of desirable features: it is easy to deploy, flexible, and inaudible to humans. This technology is already utilized in a number of different real-world applications, such as device pairing, proximity detection, and cross-device tracking.
What’s the problem?
For the first time, we examine the different facets of ultrasound-based technology. Initially, we discuss how it is already used in the real world, and subsequently examine this emerging technology from the privacy and security perspectives. In particular, we first observe that the lack of OS features results in violations of the principle of least privilege: an app that wants to use this technology currently needs to request full access to the device microphone. We then analyse real-world Android apps and find that tracking techniques based on ultrasounds suffer from a number of vulnerabilities and are susceptible to various attacks. For example, we show that ultrasound cross-device tracking deployments can be abused to perform stealthy deanonymization attacks (e.g., to unmask users who browse the Internet through anonymity networks such as Tor), to inject fake or spoofed audio beacons, and to leak a user’s private information.
Where do we go from here?
Based on our findings, we introduce several defense mechanisms. We first propose and implement immediately deployable defenses that empower practitioners, researchers, and everyday users to protect their privacy. In particular, we introduce a browser extension and an Android permission that enable the user to selectively suppress frequencies falling within the ultrasonic spectrum. We then argue for the standardization of ultrasound beacons, and we envision a flexible OS-level API that addresses both the effortless deployment of ultrasound-enabled applications, and the prevention of existing privacy and security problems.
Frequently Asked Questions
- Am I affected?
- Likely not, unless you installed an Android app that uses an ultrasound-based framework and requests access to your microphone.
- Aren’t ultrasounds bad for my health?
- We’re not experts in this matter. Please refer to proper resources.
- How widespread is all this?
- We haven’t performed large-scale measurements, although some of the apps that embed ultrasound-based frameworks were downloaded by hundreds of thousands of users, according to the metadata published on the Google Play Store.
- Can this be fixed?
- Yes, but it’ll take a long, long time. This is not a software vulnerability that can be fixed by applying a simple patch. Although we have created a proof-of-concept patch for the Android Open Source Project (AOSP) and a "personal firewall" to prevent your browser’s Web API from emitting ultrasounds, a holistic action is needed. Decision and policy makers should agree on the next step in terms of regulations and standardization, OS vendors and developers should integrate support for ultrasound beacons to provide a transparent API (e.g., like for other physical and data layers such as Bluetooth), and finally developers should adopt such an API.
- Is every mobile operating system capable of capturing uBeacons, or just Android?
- It depends more on the hardware of the device (i.e., the microphone) and less on the operating system. The great majority of commercial microphones found in mobile phones can capture uBeacons. Nevertheless, the operating system plays a role as it determines what an application can and can’t do. For our research, we worked with Android and we can confirm that it is possible to listen for ultrasounds in the background. We haven’t checked iOS, but we cannot exclude either possibility.
- Do you have information on the actual frequencies these beacons operate on?
- We have seen frameworks listening for beacons starting from 18,000Hz and higher. For instance, a relevant patent can be found here. However, the exact implementation of ultrasound beacons varies between companies.
Who we are
- Vasilios Mavroudis, @mavroudisv
- PhD student, University College London (UCL)
- Shuang Hao
- Postdoc researcher, University of California, Santa Barbara (UCSB)
- Yanick Fratantonio, @reyammer
- PhD student, University of California, Santa Barbara (UCSB)
- Federico Maggi, @phretor
- Professor, Politecnico di Milano (POLIMI)
Visiting Researcher at University of California, Santa Barbara (UCSB)
- Giovanni Vigna
- Professor, University of California, Santa Barbara (UCSB)
- Christopher Kruegel
- Professor, University of California, Santa Barbara (UCSB)
Publications and Talks
Vasilios Mavroudis, Shuang Hao, Yanick Fratantonio, Federico Maggi, Giovanni Vigna, and Christopher Kruegel. Talking Behind Your Back: On the Security of the Ultrasound Tracking Ecosystem. Chaos Communication Congress, Hamburg, Germany, 27-30 December 2016. [To appear]
Vasilios Mavroudis, Shuang Hao, Yanick Fratantonio, Federico Maggi, Giovanni Vigna, and Christopher Kruegel. The Ultrasound Tracking Ecosystem. Report. November 2016. [PDF]
Vasilios Mavroudis, Shuang Hao, Yanick Fratantonio, Federico Maggi, Giovanni Vigna, and Christopher Kruegel. Talking Behind Your Back: Attacks and Countermeasures of Ultrasonic Cross-device Tracking. Blackhat Europe, London, UK, 3–4 November 2016. [Slides]
Vasilios Mavroudis, Shuang Hao, Yanick Fratantonio, Federico Maggi, Giovanni Vigna, and Christopher Kruegel. On the Privacy and Security of the Ultrasound Ecosystem. 17th Privacy Enhancing Technologies Symposium, Minneapolis, MN, July 2017. [To appear] (early draft available upon request)
This section includes our proof-of-concept countermeasures (all released under the Apache 2.0 license):
- SilverDog: your sound firewall! A Chrome extension that we developed to filter ultrasound frequencies. [Download] [Sources]
- Set of AOSP patches to implement a new permission to filter ultrasound spectrum. The patch should apply cleanly against AOSP android-5.0.0_r3. Note: it is just a research prototype! [Download]
Feedback, ideas and source code contributions are very welcome!
Articles covering our work (in reverse chronological order):
- Bleeping Computer, Jan 3rd, 2017: Ultrasound Tracking Could Be Used to Deanonymize Tor Users
- NDTV Gadgets360, Nov 14th, 2016: Your Phone May Be Listening to Ultrasonic Signals for Better Ad Tracking: Report
- On The Wire, Nov 7th, 2016: Android Patch Released to Stop Ultrasonic Tracking
- The Register, Nov 3rd, 2016: Anti-ultrasound tech aims to foil the dog-whistle marketeers
- WIRED, Nov 3rd, 2016: How to Block the Ultrasonic Signals You Didn’t Know Were Tracking You
- TechWorm, Nov 1st, 2016: Hackers can hack smartphones and laptops by hacking inaudible sounds embedded into ads
- BitsHacker, Nov 1st, 2016: Device can be Hacked using inaudible Sounds embedded into ads
- International Business Times, Oct 31st, 2016: The silent hack: Devices can be hijacked using inaudible sounds embedded into ads
- Fortune, Oct 30th, 2016: Inaudible Soundwaves Expose a Spooky New Pathway for Hackers
- Boing Boing, Oct 30th, 2016: Sneaky ultrasonic adware makes homes vulnerable to ultrasonic hacking
- Yahoo! Sports: Some mobile apps continue to track ultrasound signals even when closed
- On The Wire, Oct 30th, 2016: Silently Tracking Users With Ultrasonic Beacons
- Digital Trends: Some mobile apps continue to track ultrasound signals even when closed
- Slashdot, Oct 30th, 2016: Serious Hacks Possible Through Inaudible Ultrasound
- New Scientist, Oct 27th, 2016: Your Home’s Online Gadgets Could Be Hacked by Ultrasound
Want to write about this research? The best starting point is our report, as it provides a detailed but easy-to-understand explanation of the essential points.