Ads Surreptitiously Using Sound to Communicate Across Devices

This is creepy and disturbing:

Privacy advocates are warning federal authorities of a new threat that uses inaudible, high-frequency sounds to surreptitiously track a person's online behavior across a range of devices, including phones, TVs, tablets, and computers.

The ultrasonic pitches are embedded into TV commercials or are played when a user encounters an ad displayed in a computer browser. While the sound can't be heard by the human ear, nearby tablets and smartphones can detect it. When they do, browser cookies can now pair a single user to multiple devices and keep track of what TV commercials the person sees, how long the person watches the ads, and whether the person acts on the ads by doing a Web search or buying a product.

Related: a Chrome extension that broadcasts URLs over audio.

EDITED TO ADD (12/14): More here.

Posted on November 18, 2015 at 6:59 AM • 62 Comments

Comments

WinterNovember 18, 2015 7:11 AM

I think the complaints that blocking Ads/Cookies/Flash is "killing of the free internet". But it is clear the commercial sector does not have its act together.

Like this one:
http://www.theguardian.com/commentisfree/2015/sep/27/ad-blocking-herald-end-of-free-internet-ios9-apple

I feel no remorse blocking everything I can block. I will only reconsider it when the industry can finally accept that this is MY browser and they should behave as my GUESTS, not some bunch of Vandals on a looting campaign.

Brian SNovember 18, 2015 7:38 AM

This is something that's been done in various ways for awhile. Nice to see it getting some attention.

As for Advertisements. I have no issues with normal ones. I never had a need for add blockers "back in the day". There were just a few ads on the edges (side, bottom, top) of various pages that let me know who was helping to keep sites on.
Some even offered subscription services to remove even that.

But then they start with the comparatively huge flash ads. The obnoxious ads with audio that always seemed several times louder than any other audio on the page, pop up ads seemingly without end, the full page floating ads, etc.

They have no one to blame but themselves for making blocking them the default for so many people. Make them non intrusive, not obnoxious, and non invasive and maybe people won't care so much.

And that's not even getting into the tracking garbage, which just adds another layer of BS on top of the rest.

uh, MikeNovember 18, 2015 7:53 AM

@Brian S, it's nice to imagine a world with nice ads.

It's not just my device, it's my data cap, my level of service, it's my endpoint.

I reserve the right to say "go away," up to and including automated blocking.

If there were a steady stream of hucksters knocking on my door, you bet I'd use a gate.

GrauhutNovember 18, 2015 8:06 AM

@Gerard: "Yet another reason not to watch TV."

TV is not the only potential ultrasonic ping source.

More interesting is the question: Of what nature is the receiving software and how can we block this part?

ChrisNovember 18, 2015 8:12 AM

While I'm sure this is feasible I doubt it's actually done in a widespread scale because that would kill cell phone/tablet batteries. It would basically require their cpu to be running at all times to decode the ultrasonic messages it is receiving (if any, it can't know). So it would be readily picked up by attentive users who might check what crappy game is eating their battery and uninstall it.

In fact the article fails to mention a single case of it happening in the wild, merely waving its arms and screaming "it's happening", that's not acceptable journalism IMO.

keinerNovember 18, 2015 8:16 AM

Uuuuh... 2 months ago a clear case of tinfoil hat to be adjusted! Now reality. Things change quickly these days...

How about badBIOS and things like that?

Clive RobinsonNovember 18, 2015 8:20 AM

It's an interesting development, it was just a couple of years ago that BadBIOS started to be talked about in almost mystic tones abd to a great deal of incredulity from quite a few posters to this blog.

However one or two of us were far from.incredulous and I amongst others developed a simple experimental lash up one weekend to show it worked.

Now we find it's not your everyday cracker / cybercriminal exploting this but the unpleasantly insidious parts of the marketing industry.

The thought that occurs now they have gone to the lengths of getting it onto peoples computers is, "just how secure is their junk?"...

The fact it has to get low level access to hardware suggests that it has sufficient access to open other channels that cybercriminals might now start exploiting to get their malware onto your computer.

Whilst many might not think it likely it is "air-gap" crossing, which shows that for the more security conscious you need to step up to "energy-gapping" which is a whole order of magnitude harder...

The question thus becomes "Even if we provide the information to make an energy-gap, not just will they go to the effort but is it legal to do so in their jurisdiction?"

For those that think it's cutrently legal in their jurisdiction --hands down if you are in the US-- what is the betting it soon won't be after the FUD over the Paris terrorists?

SJNovember 18, 2015 8:31 AM

I used to be annoyed when my Dad would mute TV commercials.

When we would listen to the morning news-radio, one member of the family was supposed to turn the volume down during the ads.

Later, we would mute the commercials and play guessing games about what was being sold.

(See? Ad-blocking isn't new...though it can be an annoyance to do the ad-blocking yourself.)

This makes me wonder whether mute-the-advertisements is a good method for encouraging privacy.

BardiNovember 18, 2015 8:36 AM

My question is, can OEM speakers really handle ultrasonic frequencies? If so, would not those episodes require such energy levels that all the dogs in the neighborhood would howl for their lives?

QuirinusNovember 18, 2015 8:39 AM

Users does not like ads, but does not like subscription fees either - almost as authors dislikes to work for free.

As alternative income sources, in my experience donations are one to two orders of magnitude below the sustainability for any small/medium/niche project (afaik only very large sites as Wikipedia earn enough attention to live on offers).
And private funding opens (as well as ads) the important question of how much are articles / opinions independent from who pays more.
So there is no free lunch, literally.

Ads are one for of income as on other media, they are guest on your machines as you are guest on content generated by the work of other people like you, both should behave well as good guest, users allowing non-invasive ads and ads being non invasive.

That said, invasive ads, loud, disturbing, scammy, flashing, bandwidth eating, privacy violating, MUST be severely sanctioned, not just blocked, providers of those ads should be identified and prosecuted by law as for any illegal activity (privacy violations are crime in most countries, just to name one, and almost any country prosecute scammers stealing credit cards numbers or selling fake goods).
Malvertising is the primary (and best) reason people uses ad blockers, malvertising is the root cause killing free web.

JoeNovember 18, 2015 9:03 AM

@Chris: Recall the "Ok, Google" feature that's on some recent phones? It uses a dedicated, very low power DSP to listen for that phrase all the time. That DSP could listen for _other_ things. If Google ever decides to implement this technology, they already have an all-the-time listening device on there.

And then there's smart TVs. We've already heard stories about the all-the-time listening powers of some brands.

RobNovember 18, 2015 9:06 AM

Seems like quite a few things to go wrong even if the technology works as intended. Typically in my sitting room if there is a TV on, there will be several viewers each paying more or less attention. What gets watched or muted or channel switched is heavily dependent on who is nearest to the remote control. At the same time there are typically 2 or 3 smartphones in the room, a tablet and at least one laptop.

So an ultrasonic ping is picked up by the phones, maybe the tablet and laptop; but the person actually watching the TV might be associated with none of those. In fact the mobile equipment that is 'on' is less likely to belong to whoever is paying attention to the TV.

A good way to generate more 'noise' in the viewing statistics and marketing fluff, IMHO.

On the other hand maybe this is just a Trojan Horse for some other scam.

Mark MayerNovember 18, 2015 9:10 AM

@Clive Robinson

Now we find it's not your everyday cracker / cybercriminal exploting this but the unpleasantly insidious parts of the marketing industry.

The unpleasantly insidious parts are actually the relatively benign ones. It's the cravenly criminal element of the marketing industry behind this. The whole sector is more or less evil.

ZachNovember 18, 2015 9:39 AM

I can't believe anyone still believes that BadBios was real. It's been two years since the first reports and we still don't have any proof. Everything Dragos has released on the subject has been shown to have entirely innocent explanations that he ignored or discounted, and nothing has left a smoking gun showing any malware at all. Think about how large that malware would have to be to do everything that has been claimed about it. Could such malware really fit into the available space of the average USB device's firmware?

Dan Goodin wrote uncritically about BadBios when it first came out, and he still seems to be treating it like something that is real despite the lack of evidence. Given that, I am highly skeptical of his claims towards these beacons. While I have no doubt that there are companies that are attempting to use this technique, I do not believe they are having the success that the article claims. Ignoring iOS (as Apple has put up many more barriers that will make using this technique very difficult, like requiring an app to ask for permission to use the mic) and focusing only on Android, there are simply too many ways this scheme can result in false positives and dirty up the data.

What happens for people who work in other people's homes, such as appliance repair, cable/satellite installation, door-to-door sales, etc? They will have a lot of false correlations from their phone overheaing random TV ads.

How about TV's in public blaring these signals? I may be at a restaurant with a TV and have more false correlations added to my profile.

What happens when my wife's phone gets linked to my computer? What happens when my (younger than 13 y/o) daughter's phone gets linked to the same profile? How do they differentiate between a family living in the same house and a gadget bug who has multiple computers, tablets, and phones?

None of these scenarios makes the technique totally worthless, but they sure tip the cost/balance ratio, and Dan Goodin did not examine any of them.

BilskoNovember 18, 2015 10:16 AM

Seems like it wouldn't be too hard to detect these with an Arduino configured with an ultrasonic sensor.

Probably relatively easy to build an Arduino sensor+transducer that can first detect and then emit signal to negate the effect of the unwanted ultrasonic signal.

Clive RobinsonNovember 18, 2015 10:20 AM

@ Zach,

I can't believe anyone still believes that BadBios was real. It's been two years since the first reports and we still don't have any proof.

Do you mean the notion of a persistant BIOS infection, the use of the speaker and mic on laptops etc to transfer data above the normal hearing of humans or that Rui Dragos has not provided a "dead bug" example for others to dissect?

The Lenovo persistant BIOS malware for advertising has proven that to be both true and practical. I've hacked a rough and ready high frequency comms link using the old BIOS hardware driver ROM expansion technique over a weekend so that is true and practical as well.

As for R.Dragos not providing a "dead bug" for investigation, that might be down to his personality / experiance level more than non existance of clever malware.

If I had been the creator of covert persistant air-gap crossing malware back then, bearing in mind it's effective "crown jewels" status almost the first thing I would develop --certainly befor any snooping payload-- would be protection mechanisms such as an auto-destruct with all maner of ways of triggering it.

Thus whilst we don't have proof of existance we likewise don't have proof of nonexistance. What we do have proof of however, is that it would have been not just possible to do but trivially so...

And in the game of "smoke and mirrors" that espionage is usually that's all you ever get.

@ Chris, Joe,

When it comes to detecting "lead in" or "beacon" tones the hardware involved is actually quite trivial a phase locked loop (XOR gate and low pass) or matched filter (delay line) is all you need as the tone envelope detector. Then three integrators on the envelope signal to ensure a high probability it's a valid signal. Just a few CMOS gates running at 20KHz or less would run on a watch battery for far longer than a digital watch would running at 32KHz.

The same function in software as part of a "time keeper" interupt would likewise have a non perceptable effect on normal battery life...

jonesNovember 18, 2015 10:35 AM

@Grauhut

> More interesting is the question: Of what nature is the receiving software and how can we block this part?


Probably develop an Android app that intercepts signals coming in from the microphone and apply a low pass filter to remoive everything above 8khz or so. Wouldn't affect voice quality at all for telephony (though it might need to be disabled if you want to record a video that involves sound).

The problem is that most people wouldn't install it, and even though YOU might escape this monitoring, the aggregate data collected from everybody else will still be used by PR firms to manipulate you.

Not actually Kevin BaconNovember 18, 2015 10:39 AM

This is creepy and disturbing:

Refuse to be terrorized, people.

(Honestly. It's not even real yet.)

ZachNovember 18, 2015 10:48 AM

@Clive Robinson:

Do I believe those techniques exist? Absolutely! Do I believe they have all been combined into one malware that is small enough to be transmitted as part of USB device firmware yet big enough to infect machines from different manufacturers and with different bioses? Absolutely not, and this article explains why:

http://www.rootwyrm.com/2013/11/the-badbios-analysis-is-wrong/

Simply put, the idea that it could infect so many disparate machines and OS's while remaining undetected is so improbable as to require extraordinary amounts of proof- and so far we haven't received even ordinary amounts of proof. You idea that the virus would be able to hide itself from detection means more code and a bigger size. In order to achieve both goals (the BIOS malware and hiding itself) it would have to be bigger still. And we haven't even added in the DSP processing code yet!

Your average USB firmware flash has less than 1mb available total. Typically less than 512K. Could you fit malware that does so many things into 512K while still leaving the device usable in the normal fashion? Perhaps, but it'd be a very extraordinary feat. And that goes back to extraordinary claims requiring extraordinary proof. And again, we don't even have ordinary proof.

JoeNovember 18, 2015 11:24 AM

If government use of ultrasonic signalling technology is going to be used in malware to get around airgaps, it requires plausible deniability. This technology provides that.

I remember thinking years ago how the ultrasonic signalling in badbios would have been a perfect solution to the Iranian nuclear airgapped computers that stuxnet targeted if the USB keys were discovered or disinfected somehow.

GrauhutNovember 18, 2015 11:28 AM

@Zach: "Your average USB firmware flash has less than 1mb available total. Typically less than 512K. Could you fit malware that does so many things into 512K while still leaving the device usable in the normal fashion?"

Did you think a fully working worm would fit into one single udp packet before sql-slammer? 376 bytes were enough.

Yes, assembled stuff works. And yes, USB malware can reserve additional block space on a stick for bigger components.

WaelNovember 18, 2015 11:28 AM

I had (still have) some ear ringing problems (Tinnitus.) When I went to the doctor he basically said I'll have to "live with it". It's really annoying. But the concept of the root cause is pretty amazing. He said I'm loosing hearing in a given frequency range. And that range is where I'm hearing the "ringing". So in my experiments, I downloaded an application from the App Store called "Tone Generator" to see if I play that frequency band range would nullify the ringing I have -- it didn't. What I want to say is that this application can play tones from 10 Hz to 25 KHz. As people get older they loose the ability to hear the higher frequency tones. Anyway, wanted to say that speakers in mobile devices and tablets (obviously iPhones and iPads) are capable of producing sounds that humans can't hear (beyond the upper limit of 20 KHz.) Give the application a try... I have no vested interest in it, and it's free.

On a second note (pun not intended), maybe it's high time to develop a "Sound Firewall"... I'll let @Clive Robinson work on the more elaborate "Energy Firewall" ;) I am willing to put money someone will develop this app in the near future :)

Tony H.November 18, 2015 11:36 AM

Of course your Nest (Google) smoke/CO alarm happens to have a speaker (for alarms) and microphone (for testing the speaker). The audio from the mic "isn't transmitted to Nest servers", so that's alright then.

GrauhutNovember 18, 2015 11:45 AM

@jones: "The problem is that most people wouldn't install it, and even though YOU might escape this monitoring, the aggregate data collected from everybody else will still be used by PR firms to manipulate you."

Nope, if i understood this right its an extension to the existing "sticky ads" scheme. If someone wants aggregated ad consumption data he goes to one of the big media control panel data traders.

AdrianNovember 18, 2015 11:46 AM

I was a "Neilsen Family" a couple years ago. As I recall, the People Meter (and related electronics) depended largely on audio signals.

A lead directly from the television's speakers when into the box. Auxillary sources, like the game console and DVD player, also had their audio outputs routed through another box before passing on to the television. By matching audio from the various components to what was actually coming out of the speakers, the device could know which input you were actually watching.

The installation tech explained that most television broadcasts have time-and-channel stamps embedded in the audio. If you watched a program that you had recorded earlier (say, with your DVR), then the Meter knew not only when you watched it, but when it was originally broadcast.

I had always assumed the time-and-channel stamps were ultrasonic, and I was surprised that they could survive lossy-encoding, decoding, and reconstruction by common consumer electronics. But maybe there's another way other to encode those imperceptibly into the audio signal?

CallMeLateForSupperNovember 18, 2015 11:53 AM

"Deja vous all over again." Yogi Berra
https://www.schneier.com/blog/archives/2015/11/personal_data_s.html#c6710635

The people who spawned this technology seem not to care that inferences they make through the data they collect are not necessarily meaningful.

This device-pairing thing troubles me even though it does not directly affect me *. I have a bunch of siblings, all but one of whom are considerably younger than I and therefore are wetted to the proposition that portable comms devices are vital to the human lifeform. I want to give them a heads-up about this device-pairing wet dream but I know that I shouldn't do so until I know more about 1) how it works and 2) how to mitigate it. I know in my bones that one sibling in particular will cast a jaundiced eye in my direction and ask dryly, "So what do we DO about it?" If I can't immediately reply with "actionable intelligence" then I will have lost my audience.

OFF topic -
I also plan to give my sibs a actionable heads-up re:
https://www.schneier.com/blog/archives/2015/11/personal_data_s.html
but haven't because ... writing a compelling and concise explanation is turning out to be hard.

----------
* I don't own a smart phone nor a tablet nor a phablet nor a laptop. I do use up to three desktop computers at a time, none of which is equipped with mic. Only one computer has a speaker.

keinerNovember 18, 2015 12:01 PM

@supper

Really sure with the Mics? The motherboards all have some beep-device and you will hardly detect if there is a mic function included...

LambertNovember 18, 2015 12:10 PM

@Wael

I presume that deploying Marcus J. Ranum's 'Ultimate Firewall' between speakers, microphones and computers would be effective at stopping this kind of airgap-crossing.

Bob PaddockNovember 18, 2015 12:13 PM

@Wael

"I had (still have) some ear ringing problems (Tinnitus.) When I went to the doctor he basically said I'll have to "live with it"."

Time for a new doctor. Low magnesium levels, that just about everyone does have some just lower than others, can contribute to Tinnitus as can the Atlas Vertebra being rotated (see a chiropractor).

Bob PaddockNovember 18, 2015 12:14 PM

Ultrasonic Ring Tones have been around for a while.

Popular with Teenagers because they, and some pets, are the only ones that can hear them.

WaelNovember 18, 2015 12:25 PM

@Bob Paddock,

I appreciate your advice. Will get right on it. Had it for close to four annoying years!

Nick PNovember 18, 2015 12:36 PM

@ Grauhut

One must also remember the old trick of making the malware reuse existing code via overwriting parts of it and jumping around. One can also split the shellcode between main memory and microcontroller. A rarely used technique but can work.

All easier with the MCU's with no MMU or other security.

AlexNovember 18, 2015 12:38 PM

First off, it can't be ultrasonic. Not sure where this idea came from, but TV audio's limited to 15KHz (aural frequency, not sampling frequency) by spec, practically 10KHz out of the speakers of most TVs. Most likely they're using audio watermarking, a technology developed for DRM.

This is not the first time this has been done. Similar things were tried 15+ years ago: https://en.wikipedia.org/wiki/CueCat Note the audio cable part. Fortunately it flopped. When it did work, the program would play a brief tone in its audio and the CueCat software on your computer would open up the webpage for the ad.

I've also seen attempts to use audio watermarking by Nielsen/Arbitron (I forget which one) to determine what people were watching/listening to. I'm not sure what their official results were, but considering I got sent another paper diary, they're not willing to switch entirely over to it.

As far as advertising in general, it's a necessary evil, but the goal of advertisers should be to make it relevant and less evil. I say this, having worked in broadcasting for many years. Most advertising people are clueless, many marketing departments in companies are just as clueless. I could give countless examples from marketing people not understanding or even knowing what their target audience is, to ads which spend a lot of time and say nothing. Ads which are annoying or get in the way just piss off your potential customers. I've intentionally AVOIDED buying products due to bad/intrusive advertising. Anyone remember the X-10 adverts? Good marketing, on the other hand, is almost enjoyable. When shopping at a higher-end store with true sales professionals, they're very good at making suggestions about products you might be interested in. They also know how to present it in ways which aren't offensive. and most importantly, they know when NOT to push things.

FluffytheObeseCatNovember 18, 2015 12:42 PM

"build an Arduino sensor+transducer that can first detect and then emit signal to negate the effect of the unwanted ultrasonic signal"

An engineering philosophy precept: we want to broadly reduce our devices' tendency to 'emit signals' -- first and foremost. The damned things emit too much garbage; they're audio and EM polluters of the worst sort.

The best way to circumvent covert ultrasonic signaling would seem to be: block all of it. Ideally phone, tablet and computer speakers might be engineered so that they don't emit at wavelengths beyond human hearing. Easier said than done. But chopping off >20 kHz emissions at the level of software may be doable, particularly if speakers are the sole audio emitters in our devices. (speakers are probably the only component in most devices that can distance broadcast, regardless).

Anyone here familiar enough with audio signal processing to discuss whether one can program audio bandpass filters for our common electronic devices? Something that would block speakers from singing ultra-soprano? And are there reasons not to block >20 kHz outputs, such as existing benign device applications that employ ultrasound for valid purposes?

Mr. Robinson?

BilskoNovember 18, 2015 1:02 PM

@Fluffy
Agreed that we don't want more garbage through the spectrum - but absent hardware locks/limitations on existing or new devices (as you propose), I was thinking of a white-noise counter-measure.

That said, according to @Alex - TV broadcast (and probably television speakers) may have an inherent limitation at the 10/15KHz anyways. Then again, more and more content is being consumed on devices other than the television which are probably capable of emitting higher freq. signals.

WaelNovember 18, 2015 1:07 PM

@Lambert,

I presume that deploying Marcus J. Ranum's 'Ultimate Firewall'...

I wasn't aware of this Ultimate Firewall. Will look it up.

Anon YmousNovember 18, 2015 1:16 PM

I don't get how this is supposed to work. If one device emits the high-pitch sound then another device must be able to acquire it. "OK google" and the like are not programmed to write to cookies. That means that the technology must be active on both devices at the same time (one is the receiver and one the transmitter). How is this achieved?

WinterNovember 18, 2015 1:58 PM

@Anon Ymous
"That means that the technology must be active on both devices at the same time (one is the receiver and one the transmitter). How is this achieved?"

If there is already a code that is send by TV adds, say audio watermarking, then a phone can pick it up. But that sounds totally irrelevant as it is not very informative. I assume that phone apps have total control of the phone (we all click through the questions). I am not sure whether a web page advertisement can listen in from a PC. However, the audio of a PC add can be picked up by a phone app. Then the cookies might be correlated.

I do not understand the super-sonic part. That is totally unnecessary. Simply picking up a few sounds from the add should be enough, or even a watermark (but even that would be overkill).

Anon YmousNovember 18, 2015 2:08 PM

Thanks @Winter.

Let's say I have TV on and an iPhone with me (I want to use Apple as the more privacy conscious choice).

The TV sends the 'signal'.
My iPhone must have an app that previously must have asked " is asking to use the microphone".
This app must be running.
I must have consented to this request.

Alternative scenario: TV on and I'm browsing the web on an iPhone.
The TV sends the 'signal'.
At some point My iPhone previously must have asked me " is asking to use the microphone".
I must have consented to this request.

Both cases seem far fetched to me?

Anon YmousNovember 18, 2015 2:10 PM

REPOSTED (had used characters that the site edits out)
Thanks @Winter.

Let's say I have TV on and an iPhone with me (I want to use Apple as the more privacy conscious choice).

The TV sends the 'signal'.
My iPhone must have an app that previously must have asked "[app x] is asking to use the microphone".
This app must be running.
I must have consented to this request.

Alternative scenario: TV on and I'm browsing the web on an iPhone.
The TV sends the 'signal'.
At some point My iPhone previously must have asked me "[browser x] is asking to use the microphone".
I must have consented to this request.

Both cases seem far fetched to me?

LuciusNovember 18, 2015 2:13 PM

Seams feasible, but not very reliable. How to be sure speakers and mic of misc hardware equipment works reliably in ultrasonic range?
Most of the work behind those devices is cutting costs the more it is possible, and sure making them capable to operate relably out of the audible range should not be a priority, unless big hardware/device manufacturer is also involved in ads market... oh wait!

WinterNovember 18, 2015 2:27 PM

@Anon Ymous
"Both cases seem far fetched to me?"

Indeed. The more feasible scenario would be in my opinion such:
I am browsing the web on my laptop/PC. Some Add network displays an audible app with an audible marker signal. An app on your (i)Phone runs in the background and listens in (you consented or it is malware). The app connects to the add network and picks up the marker. Now both devices are correlated by the cookies from the add network.

It seems feasible. But is it practical? And is it profitable?

Anon YmousNovember 18, 2015 3:41 PM

@ Winter
"An app on your (i)Phone runs in the background and listens in (you consented or it is malware). [...] It seems feasible. But is it practical? And is it profitable?"

My understanding is, we're talking about a marketable solution through a proper company here: that would exclude malware in this case.
As far as I understand of the iPhone/iOS architecture, for a microphone to be active the app needs to be in the foreground (i.e. active). If it's in the background its capabilities are frozen. Anybody correct me if I'm wrong.
This of course may change with more recent models (e.g. iPad pro is able to run 2 apps in split screen mode).

Bottom line though, I concur with your questions. Seems not a viable, practical model. If anything, makes interesting coffee conversation though. Like badBIOS.

Clive RobinsonNovember 18, 2015 3:52 PM

@ All,

There appears to be a bit of confusion --as there was with BadBIOS discussions-- about terms in strict and loose usage.

Ultra sonic and ultra sound are not technicaly the same. Many people informaly use either to mean above human hearing without specifing what type of human and age they are.

Very roughly if you are White Middle Classed and liked various forms of rock music in your late teens and early twenties, then once you are middle aged your lucky if you can hear a 10k tone of the same dbSPL as a comfortable 1K tone.

If however you are of certain ethnic minorities (Australian Aborigines for example) then both your hearing and eye sight will be orders of magnitudes more sensitive than those of Northan European decent. Obviously the younger you are and the less stress you have put on your hearing the better your frequency response is.

Thus low level tones in the 10-15Khz range will go unnoticed by most adults, and if even quite narrow spread spectrum modulated will be inaudible even to children provided the level is about 10db down on the 0.7-2.1KHz range.

But importantly there are speakers and then there are speakers, all transducers have a frequency response of some form, the old moving coil speakers tend to have a band pass response, the low frequency due approximately to the cone size and coil travel distance, the upper frequency response due to the coil inertia/damping from the cone stiffness. Laptop and LCD screen speakers have a habit of being piezo or similar that have a multimode high pass response with a very definate Q peak or dip near the natural resonance points. Both types of transducer are usually sent a "pre-distorted signal" to give an aproximatly flat response for the ear.

The thing about certain trasducers is that they have comb type responses and will respond to signals well above twice the sample rate. The process of sampling such a microphone signal will be that inaudible to human signals will get down converted into the audio range by sampling unless due care is taken.

This due care is done by pre-filtering the signal by using simple DSP filters that sample at a very high rate. But this is done "out of sight" in the audio chip as analog filtering components are in effect more expensive than the silicon real estate in the chip.

There is a further dirty little secret those audio chips have CPUs and Flash memory as many SoCs do these days, and those pre-filters can be adjusted or even turned off.

Further there is actually very few audio chips in commodity computers the front end block is one of just a couple of macros that get licensed. The chances are that Apple pad, Android smart phone and Chinese no-name clone laptop have the same audio macro in the SoCs they use.

Thus arguments about platforms being different are mainly irrelevant when it comes to interpreted "payload code" destined for the CPU in the SoC with the audio macro...

If people care to read the previous discussions running up to and on the BadBIOS page on this blog they will see this information in a little more depth.

WinterNovember 18, 2015 4:07 PM

@Clive
Why the obsession with ultra/supra sonic?

If the frequencies are too high, a lot of equipment won't work. If it is not so high, there will be people that complain about the sound. It complicates matters without much benefit when you are just tracking people. Watermarking audio watermarking will allow some bits to be send in the audio. Together with a time stamp this should be enough to allow tracking.

AJWMNovember 18, 2015 4:08 PM

My question is, can OEM speakers really handle ultrasonic frequencies?

Alas, what is ultrasonic to my baby-boomer ears is not necessarily to my son's millenial ears (and used to be not to mine). 20khz is out of the range of most teen/adult ears (the old flyback transformer whine from CRTs was around 17khz) but probably within range of most speakers.

I was going to ask how hard it could be to add a lowpass filter (basically, just a capacitor in parallel with the mic or speaker) to existing speakers/mikes, but most consumer products don't lend themselves to any modification at all, and it would add all of a couple of cents to the manufacturing process.

Dirk PraetNovember 18, 2015 4:30 PM

@ Wael

Marcus's high-capacity FOSS DPI-firewall has been the ultimate "going dark" tool for years, ubiquitous adoption of which would be the NSA's and Comey's worst nightmare.

Tinnitus runs wild among many of my old friends, mostly due to attending way too many Motörhead shows and then passing out blind drunk in front of the speaker systems at our then favourite club afterwards. Fortunately, I'm not affected myself, probably because Jack Daniel's made me impervious to anything. If yours is not noise-induced, then I agree with @Bob Paddock that you need to find yourself another doctor.

WaelNovember 18, 2015 9:51 PM

@Dirk Praet,

If yours is not noise-induced, then I agree with @Bob Paddock that you need to find yourself another doctor.

I'll have to do that. I gave up on "Engineering" myself out of it. I was almost sure this was the root cause

John Galt IVNovember 19, 2015 5:23 AM


My recent comments about uses of out-of-band sounds for measuring distances between cell phones are at least tangentially related:

https://www.schneier.com/blog/archives/2015/10/friday_squid_bl_499.html#c6709471

I forgot to point out that even a small ensemble of cell phones (perhaps even one, given enough time and movement) can be used to surreptitiously map out the interior dimensions of rooms, suites, houses and buildings. It should be possible to do the same with the combination of any ultrasonic emitters (e.g., TV, cell phone, laptop, tablet) and ultrasonic detectors (same list).

I suggested in my recent comments that the first step is monitoring these devices to see if undocumented features are being used. Even if the emitter and detector are well below their 3 dB points, there still could be sufficient signal for many of these applications.

ytNovember 19, 2015 8:08 AM

I can tell you from experience that "inaudible, high-frequency sounds" generally means "inaudible to adult humans with average hearing".

As a kid, I hated walking past jewelry stores in the mall because the high-frequency sound of either the security system or the jewelry cleaning equipment was painfully loud to me. I'm starting to lose the extreme high end of my hearing, but I can still hear most high-frequency sounds that are supposed to be inaudible. And I know my child and our cats can hear them.

Maybe I don't watch enough TV, but I have personally never heard high-frequency sounds during commercials.

ChristianNovember 19, 2015 8:37 AM

I am wondering how low they can keep the dB of the signal.

Usually high frequencys will have higher dissipation.

I guess they won't care much for you loosing your hearing so if you need to play at 120 dB to reach other devices in Ultrasound... mayby they will do.

Problem is high energy audio can damage your ears. No need for you to get the audio into a range you can hear, the loudness will still cripple your hearing.

CallMeLateForSupperNovember 19, 2015 10:00 AM

@keiner
"Really sure with the Mics?"

Very good point, but I am really, really sure. Long ago desoldered and removed, to be free of that piercing power-op blast from BIOS.

Clive RobinsonNovember 19, 2015 10:09 AM

@ yt,

Long time no comment, it sounds like you have been busy chasing after a little one, enjoy whilst you can they quickly grow. My son is now tall enough to look down on my bald spot, and it only seems like yesterday he could fit comfortably on my lower arm...

Hearing loss is not just age related loud or fast rising sounds can shatter the resonating parts quite easily. So don't take up rock concerts or target shooting as hobbies (advice I should have listened to...).

The high frequency sounds don't have to be very loud compared to the rest of the normally compressed advert audio, they just need a sufficient guard band such that DSP type filters can work effectively.

@ Christian,

120dB would would be on the painfull side if a single tone, however spread the energy across the usable audio bandwidth and it would be quite a lot quieter.

It would also be less harmfull due to the way the human ear works because the energy would be spread across many resonating hairs not just one or two of a single tone.

@ Wael,

A question for you have you tried moving your head around to change the effect of the tinnitus?

With mine, putting my head at funny angles can reduce it.

Also get your blood preasure checked it like type II diabetes can cause hearing and balance problems...

WaelNovember 19, 2015 11:12 AM

@Clive Robinson,

My son is now tall enough to look down on my bald spot...

Aha! Your son is 6'6" - 6'8" :)

A question for you have you tried moving your head around to change the effect of the tinnitus?

I haven't consciously done that, but I'll try.

Also get your blood preasure checked it like type II diabetes can cause hearing and balance problems...

My blood pressure is within nominal specifications until I read something annoying on this blog. I'm quite sure I raise the blood pressure of others once in a while, and readers have been kind enough not to give me much of a hard time. Oh, my blood pressure also rises when I take some comments here with a grain of salt the size of Lot's wife right hip ;)

WntNovember 11, 2016 2:46 PM

I'm inclined to believe the ultrasound story because before it came out I was noticing "ultrasonic" sound from my laptop. (I was always the one who could hear when a CRT was on) In my case though the sound seemed related to processing - I mean, I was playing a game called "Dwarf Fortress" that churns away even when minimized, which has an annoying habit of pausing itself, and I could hear when the game paused itself because the ultrasound stopped. I am 100% sure spyware would not be designed to look at DF in particular. It's possible that's some kind of accidental noise from a component, rather than a virus, I don't know. But it started abruptly on two different laptops and stopped abruptly not long after the story came out.

ubisalesSeptember 8, 2017 7:24 AM

Truly said!! Especially those one when we are you-tubing and suddenly ads came and we are not interested to watch it though we aren''t able to cut the ad that is so annoying and raise up my mental pressure. Nice write up!

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.