Ultrasonic Hacking
Ad networks are surreptitiously using ultrasonic communications to jump from device to device. It should come as no surprise that this communications channel can be used to hack devices as well.
Joshua Bowman • November 10, 2016 1:13 PM
It makes sense. The providers are basically adding a new untrusted input channel, and secure coding is always the very last thing (if ever) that ad networks and IoT designers think about. I wouldn’t be surprised if a number of these tracking programs allowed arbitrary URL links or even code injection; all it takes is determining the encoding process, and that’s easy enough with a decompiler.
Mace Moneta • November 10, 2016 1:14 PM
Add this to the long list of good reasons for ad blockers.
Dan3264 • November 10, 2016 2:13 PM
@Barry,
You don’t really have to disable it. If you attach a low-pass filter between the microphone and digitizer, it will block all sound above a certain frequency. You could also do that for the speaker. If I were to do that, I would also stick in a physical disconnect switch so I can cut off sound input and output to the phone.
dystopia • November 10, 2016 2:43 PM
Boy, is that real this time?
After reading this, I feel an urge to watch “They Live” by John Carpenter again…
LiveDemo • November 10, 2016 4:03 PM
It should be fairly simple to make a small device that can be hidden in a public area that generates ultrasonic sounds to disrupt these beacons.
Ted • November 10, 2016 4:36 PM
From the October 2016 New Scientist article:
“Ultrasound beacons don’t have specs yet,” he says. “There are no rules about how to build or connect ultrasound beacons. This is kind of a grey area where no one wants to take responsibility.” …“It’s going to get worse unless we fix it,” says Mavroudis.
The FTC filed an NTIA-requested comment on the IoT this summer. In the filing, they provide a good overview of their role in protecting the privacy and security of consumer data. They also write about their November 2015 cross-device tracking workshop, and the material risks that could be associated with such practices.
Collectively to date, the FTC reports that they have initiated over 500 enforcement cases to protect the privacy and security of consumer data, and 25 cases to enforce COPPA laws (Child Online Privacy Protection Act). They confirm that they will continue to take actions on the laws that they do enforce in order to protect consumers.
At the time of the filing, the FTC recommends that any newly-drafted IoT security and privacy laws be general in nature, but that they further protect consumers against unauthorized access to personal information, and that they also promote transparency and consumer control in order to foster trust in the IoT marketplace.
Link to FTC’s comment:
https://www.ftc.gov/news-events/press-releases/2016/06/ftc-staff-provides-response-ntia-request-comment-internet-things
El Aura • November 10, 2016 6:00 PM
To attack or merely communicate with any process running on a device, that process needs to have been given access to the microphone by the OS. You’d need a bug in the OS to allow, e.g., JavaScript running in a browser to ‘read’ the data coming from the microphone.
And without any help from the inside (e.g., code executed locally after visiting a malicious website), you’d need to find a bug in the software stack that implements Siri, Cortana, etc. And I would guess that what, e.g., Siri can actually do is still pretty limited. And interestingly, since Siri is executed server-side using code that can be (and is) changed frequently and quickly, that is a moving target.
Who? • November 11, 2016 3:52 AM
@ El Aura
Not exactly a bug… all web browsers have access to the camera and microphone these days.
Kenny • November 11, 2016 12:53 PM
Isn’t it possible to create filters for the audio drivers on these devices that simply stripped out the ultrasonic frequencies of the audio signals?
sounder • November 11, 2016 4:32 PM
IMHO:
Actually, microphones have a low-pass filter, either built-in or in the ADC electronics.
Similar thing happens with speakers, they are not good at high frequencies, and DACs have a low-pass filter (antialias filter). Also class D amplifiers (which are the best option for low power consumption).
So, if this is factual, these ultrasonics should be close to 20kHz, causing headaches and barking dogs.
Clive Robinson • November 12, 2016 2:40 AM
@ Kenny, Sounder,
In this day and age, “real analog” filters don’t get much usage due to cost constraints. Thus Digital Signal Processing (DSP) is the norm.
The thing about DSP filters is it’s very very easy to write a filter that does not filter, and the sampling process aliases, thus you end up with a “comb filter” which lets through DC-Daylight in all but a few harmonically related notches based on the sampling frequency. In properly designed DSP systems you have two real analog filters prior to the sampler, the antialiasing and roofing filters. These generally do not get fitted into “consumer grade” computer equipment like PCs, Netbooks, tablets and smartphones. The reason is most humans are insensitive to the artifacts that appear in their hearing range as the human brain is fairly effective at ignoring such “noise”.
Which brings us onto the “ultrasound makes howling dogs” myth. What makes a dog howl is when a signal in its hearing range has significantly excessive amplitude that it causes pain, just as it does with humans. It is this principle the WASP youth deterrent system uses with as low as a 10KHz signal depending on the age range you wish to deter.
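The aliasing point in the comment above, as an added example that is not part of the original thread: a software low-pass filter removes a near-ultrasonic tone that lies below Nyquist, but a tone above Nyquist that was sampled with no analog filter folds into the passband and survives. The 44.1 kHz sample rate, 16 kHz cutoff, 101-tap Hamming design and the test tones are assumptions chosen for illustration.

```python
import math

FS = 44100  # assumed consumer sample rate in Hz; Nyquist is FS / 2

def alias_hz(freq_hz, fs=FS):
    """Frequency at which a tone appears once sampled at fs with no analog filter."""
    return abs(freq_hz - round(freq_hz / fs) * fs)

def tone(freq_hz, n=2048, fs=FS):
    """Ideal sampler: unit sine captured with no anti-aliasing filter in front."""
    return [math.sin(2 * math.pi * freq_hz * i / fs) for i in range(n)]

def lowpass_taps(cutoff_hz, num_taps=101, fs=FS):
    """Hamming-windowed sinc FIR low-pass, normalised to unity gain at DC."""
    fc, mid, taps = cutoff_hz / fs, (num_taps - 1) / 2, []
    for i in range(num_taps):
        x = i - mid
        h = 2 * fc if x == 0 else math.sin(2 * math.pi * fc * x) / (math.pi * x)
        taps.append(h * (0.54 - 0.46 * math.cos(2 * math.pi * i / (num_taps - 1))))
    total = sum(taps)
    return [t / total for t in taps]

def fir(samples, taps):
    """Direct-form convolution, keeping only fully overlapped output samples."""
    k = len(taps)
    return [sum(taps[j] * samples[i - j] for j in range(k))
            for i in range(k - 1, len(samples))]

def rms(samples):
    return math.sqrt(sum(s * s for s in samples) / len(samples))

def gain_db(freq_hz, cutoff_hz=16000):
    """Level change of a tone after sampling and the software low-pass."""
    x = tone(freq_hz)
    y = fir(x, lowpass_taps(cutoff_hz))
    return 20 * math.log10(rms(y) / rms(x) + 1e-12)

if __name__ == "__main__":
    # Constructed test tones: audible, near-ultrasonic, and above Nyquist.
    for f in (1000, 19000, 30000):
        print(f"{f} Hz -> seen at {alias_hz(f)} Hz, gain {gain_db(f):.1f} dB")
```

Only an analog filter ahead of the sampler can reject the 30 kHz tone; after sampling it is indistinguishable from a genuine 14.1 kHz signal.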
splash • November 15, 2016 4:11 PM
There’s several [free!] projects floating around. Here’s something simple as an example:
quietnet
https://github.com/Katee/quietnet
Simple chat program using near ultrasonic frequencies. Works without Wifi or Bluetooth and won’t show up in a pcap.
Note: If you can clearly hear the send script working then your speakers may not be high quality enough to produce sounds in the near ultrasonic range.
pete • November 16, 2016 8:59 AM
Why bother with that?
Listen for a key phrase e.g. “I’m going to the shops to buy cat food”
Start showing Purina ads….
TJ • November 16, 2016 4:21 PM
Like the microphone air-gap stuff
Clive Robinson • November 16, 2016 5:04 PM
@ TJ,
Like the microphone air-gap stuff
It’s not just microphones that cross air-gaps these days…
That’s why I talk about “Energy-Gapping” it’s both more encompassing and these days accurate…
I can remember all the doubters with BadBIOS which struck me as sad because it was so easy to demonstrate. The sneaking the software in from the ROM of another IO card so it would survive all Hard Drive and floppy drive changes etc, was doubted even though it was clearly in the IBM BIOS spec and Microsoft’s documentation. But when Lenovo was caught using a more modern variation for Persistent Malware, people started believing.
Both myself and @RobertT had got ultrasonic comms to work for other reasons long prior to BadBIOS on the likes of laptops (with electret-microphones and importantly piezo speakers both of which are very efficient at the low end of the ultrasonic range). We pointed out the virtual mono culture on PC sound chips etc.
Still people doubted it, then academic security researchers started publishing papers and still there were doubters. Now we have “Marketing Malware” using it to finger people… I wonder if there are still doubters?
As @Bruce has pointed out there is a progression from PhD to script kiddies with ordinary malware. But when it comes to hardware and its firmware, it’s the engineers who know but rarely say anything, because we know just how vulnerable things are, which the TAO catalog kind of made clear (but still there were doubters).
Barry • November 10, 2016 1:03 PM
So, now we have to disable mikes on smart phones. With everything else we have to disable to be safe time to resurrect the old dumb phone and just make calls?