Ultrasonic Hacking

Ad networks are surreptitiously using ultrasonic communications to jump from device to device. It should come as no surprise that this communications channel can be used to hack devices as well.

Posted on November 10, 2016 at 12:19 PM • 16 Comments


Barry • November 10, 2016 1:03 PM

So, now we have to disable mikes on smart phones. With everything else we have to disable to be safe, time to resurrect the old dumb phone and just make calls?

Joshua Bowman • November 10, 2016 1:13 PM

It makes sense. The providers are basically adding a new untrusted input channel, and secure coding is always the very last thing (if ever) that ad networks and IoT designers think about. I wouldn't be surprised if a number of these tracking programs allowed arbitrary URL links or even code injection; all it takes is determining the encoding process, and that's easy enough with a decompiler.

Dan3264 • November 10, 2016 2:13 PM

You don't really have to disable it. If you attach a low-pass filter between the microphone and digitizer, it will block all sound above a certain frequency. You could also do that for the speaker. If I were to do that, I would also stick in a physical disconnect switch so I can cut off sound input and output to the phone.

dystopia • November 10, 2016 2:43 PM

Boy, is that real this time?
After reading this, I feel an urge to watch "They Live" by John Carpenter again...

LiveDemo • November 10, 2016 4:03 PM

It should be fairly simple to make a small device that can be hidden in a public area that generates ultrasonic sounds to disrupt these beacons.

Ted • November 10, 2016 4:36 PM

From the October 2016 New Scientist article:

“Ultrasound beacons don’t have specs yet,” he says. “There are no rules about how to build or connect ultrasound beacons. This is kind of a grey area where no one wants to take responsibility.” …“It’s going to get worse unless we fix it,” says Mavroudis.

The FTC filed an NTIA-requested comment on the IoT this summer. In the filing, they provide a good overview of their role in protecting the privacy and security of consumer data. They also write about their November 2015 cross-device tracking workshop, and the material risks that could be associated with such practices.

Collectively to date, the FTC reports that they have initiated over 500 enforcement cases to protect the privacy and security of consumer data, and 25 cases to enforce COPPA laws (Child Online Privacy Protection Act). They confirm that they will continue to take actions on the laws that they do enforce in order to protect consumers.

At the time of the filing, the FTC recommends that any newly-drafted IoT security and privacy laws be general in nature, but that they further protect consumers against unauthorized access to personal information, and that they also promote transparency and consumer control in order to foster trust in the IoT marketplace.

Link to FTC’s comment:

El Aura • November 10, 2016 6:00 PM

To attack or merely communicate with any process running on a device, that process needs to have been given access to the microphone by the OS. You'd need a bug in the OS to allow, eg, javascript running in a browser to 'read' the data coming from the microphone.

And without any help from the inside (eg, code executed locally after visiting a malicious website), you'd need to find a bug in the software stack that implements Siri, Cortana, etc. And I would guess that what, eg, Siri can actually do is still pretty limited. And interestingly, since Siri is executed server-side using code that can be (and is) changed frequently and quickly, that is a moving target.

Who? • November 11, 2016 3:52 AM

@ El Aura

Not exactly a bug... all web browsers have access to the camera and microphone these days.

Kenny • November 11, 2016 12:53 PM

Isn't it possible to create filters for the audio drivers on these devices that simply stripped out the ultrasonic frequencies of the audio signals?
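As an added example (not part of the original post or of any commenter's text), this is the kind of software low-pass stage the question above describes, run on a constructed buffer. The 44.1 kHz sample rate, 16 kHz cutoff, 101-tap length and both test tones are assumptions chosen for illustration.

```python
import math

RATE = 44100      # assumed capture sample rate (Hz)
CUTOFF = 16000.0  # assumed cutoff: keeps speech and music, drops near-ultrasound
TAPS = 101        # assumed FIR length (odd, so there is a centre tap)

def lowpass_taps(cutoff=CUTOFF, rate=RATE, n=TAPS):
    """Hamming-windowed sinc low-pass FIR coefficients with unity DC gain."""
    fc, mid, taps = cutoff / rate, (n - 1) / 2, []
    for i in range(n):
        x = i - mid
        sinc = 2 * fc if x == 0 else math.sin(2 * math.pi * fc * x) / (math.pi * x)
        taps.append(sinc * (0.54 - 0.46 * math.cos(2 * math.pi * i / (n - 1))))
    total = sum(taps)
    return [t / total for t in taps]

def fir(samples, taps):
    """Direct convolution; returns only the fully overlapped output samples."""
    n = len(taps)
    return [sum(taps[k] * samples[i - k] for k in range(n))
            for i in range(n - 1, len(samples))]

def tone_amplitude(samples, freq, rate=RATE):
    """Goertzel algorithm: amplitude of a single frequency in the buffer."""
    coeff = 2 * math.cos(2 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2
    return 2 * math.sqrt(max(power, 0.0)) / len(samples)

def demo():
    # Constructed input: 1 kHz "voice" tone plus a quieter 18.5 kHz beacon-like tone.
    n = 4410 + TAPS - 1
    mixed = [math.sin(2 * math.pi * 1000 * t / RATE)
             + 0.2 * math.sin(2 * math.pi * 18500 * t / RATE) for t in range(n)]
    clean = fir(mixed, lowpass_taps())
    raw = mixed[TAPS - 1:]  # same length as the filtered buffer (100 ms)
    return {"voice_before": tone_amplitude(raw, 1000),
            "voice_after": tone_amplitude(clean, 1000),
            "beacon_before": tone_amplitude(raw, 18500),
            "beacon_after": tone_amplitude(clean, 18500)}

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:.4f}")
```

A filter like this acts only on samples already in the digital capture path, so it has to run before any application reads the buffer.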

sounder • November 11, 2016 4:32 PM

Actually, microphones have a low-pass filter, either built-in or in the ADC electronics.
A similar thing happens with speakers: they are not good at high frequencies, and DACs have a low-pass filter (antialias filter). Also class D amplifiers (which are the best option for low power consumption).
So, if this is factual, these ultrasonics should be close to 20kHz, causing headaches and barking dogs.

Clive Robinson • November 12, 2016 2:40 AM

@ Kenny, Sounder,

In this day and age, "real analog" filters don't get much usage due to cost constraints. Thus Digital Signal Processing (DSP) is the norm.

The thing about DSP filters is it's very very easy to write a filter that does not filter, and the sampling process aliases thus you end up with a "comb filter" which lets through DC-Daylight in all but a few harmonically related notches based on the sampling frequency. In properly designed DSP systems you have two real analog filters prior to the sampler, the antialiasing and roofing filters. These generally do not get fitted into "consumer grade" computer equipment like PCs, Netbooks, tablets and smartphones. The reason is most humans are insensitive to the artifacts that appear in their hearing range as the human brain is fairly effective at ignoring such "noise".

Which brings us onto the "ultrasound makes howling dogs" myth. What makes a dog howl is when a signal in its hearing range has such significantly excessive amplitude that it causes pain, just as it does with humans. It is this principle the WASP youth deterrent system uses with as low as a 10KHz signal depending on the age range you wish to deter.

splash • November 15, 2016 4:11 PM

There's several [free!] projects floating around. Here's something simple as an example:


Simple chat program using near ultrasonic frequencies. Works without Wifi or Bluetooth and won't show up in a pcap.

Note: If you can clearly hear the send script working then your speakers may not be high quality enough to produce sounds in the near ultrasonic range.

pete • November 16, 2016 8:59 AM

Why bother with that?

Listen for a key phrase e.g. "I'm going to the shops to buy cat food"

Start showing Purina ads....

Clive Robinson • November 16, 2016 5:04 PM

@ TJ,

Like the microphone air-gap stuff

It's not just microphones that cross air-gaps these days...

That's why I talk about "Energy-Gapping" it's both more encompassing and these days accurate...

I can remember all the doubters with BadBIOS which struck me as sad because it was so easy to demonstrate. The sneaking the software in from the ROM of another IO card so it would survive all Hard Drive and floppy drive changes etc, was doubted even though it was clearly in the IBM BIOS spec and Microsoft's documentation. But when Lenovo was caught using a more modern variation for Persistent Malware, people started believing.

Both myself and @RobertT had got ultrasonic comms to work for other reasons long prior to BadBIOS on the likes of laptops (with electret-microphones and importantly piezo speakers both of which are very efficient at the low end of the ultrasonic range). We pointed out the virtual monoculture on PC sound chips etc.

Still people doubted it, then academic security researchers started publishing papers and still there were doubters. Now we have "Marketing Malware" using it to finger people... I wonder if there are still doubters?

As @Bruce has pointed out there is a progression from PhD to script kiddies with ordinary malware. But when it comes to hardware and its firmware, it's the engineers who know but rarely say anything, because we know just how vulnerable things are, which the TAO catalog kind of made clear (but still there were doubters).
