Using Ultrasonic Beacons to Track Users

I've previously written about ad networks using ultrasonic communications to jump from one device to another. The idea is for devices like televisions to play ultrasonic codes in advertisements and for nearby smartphones to detect them. This way the two devices can be linked.

Creepy, yes. And also increasingly common, as this research demonstrates:

Privacy Threats through Ultrasonic Side Channels on Mobile Devices

by Daniel Arp, Erwin Quiring, Christian Wressnegger and Konrad Rieck

Abstract: Device tracking is a serious threat to the privacy of users, as it enables spying on their habits and activities. A recent practice embeds ultrasonic beacons in audio and tracks them using the microphone of mobile devices. This side channel allows an adversary to identify a user's current location, spy on her TV viewing habits or link together her different mobile devices. In this paper, we explore the capabilities, the current prevalence and technical limitations of this new tracking technique based on three commercial tracking solutions. To this end, we develop detection approaches for ultrasonic beacons and Android applications capable of processing these. Our findings confirm our privacy concerns: We spot ultrasonic beacons in various web media content and detect signals in 4 of 35 stores in two European cities that are used for location tracking. While we do not find ultrasonic beacons in TV streams from 7 countries, we spot 234 Android applications that are constantly listening for ultrasonic beacons in the background without the user's knowledge.

News article. BoingBoing post.

Posted on May 8, 2017 at 9:16 AM • 37 Comments

Comments

TSMay 8, 2017 9:42 AM

Wouldn't dogs go crazy with all these noises only they can hear?
Or, what frequency range are these sounds being played at?
And, do they still get broadcast even if you disable sound on your phone?

Apple / Android / Windows - which ones are affected?
And most importantly, how can you combat this as a user?

Rick LobrechtMay 8, 2017 9:48 AM

This is troubling. I wonder how many other places are using this kind of technology? Television programming? Television ads? FM radio? Satellite radio?

Could the doppler effect be used to determine your speed relative to the source?

I wonder what frequency range your typical mobile phone is able to detect.

At least with iOS devices, you have per application settings for the microphone. For those concerned, this should limit the attack surface. Not sure about Android.

Clive RobinsonMay 8, 2017 9:50 AM

Apparently the developer of the code saus that they have stopped developing the code quite some time ago and that there never were more than a few customers...

How ever the researchers appear to have done their work well.

The question is what happens to all those apps, will they get pulled for whatever reason the app site controling entity can come up with or will they just "Do a Nelson" and turn a blind eye...

HMMay 8, 2017 10:25 AM

It does seem the original sin in this case is "why are random applications allowed to listen to the microphone in the background?"

If most apps can't listen at all then they can't listen to ultrasonic signals ...

sauganashMay 8, 2017 11:10 AM

Are these beacons only ultrasonic? You can hide signal patterns in human-audible ranges as well

Nonhappening EventMay 8, 2017 12:00 PM

A lowpass filter on your home entertainment system designed to cut off anything above 18,000 Hz would protect you at home. But won't prevent your phone from being tracked at a friend's house or the local sports bar where they won't have a lowpass filter.

The elegant solution is to have more control over our own phones and reporting of privacy settings that is easy to understand. ...There's an app idea.

ZorroMay 8, 2017 12:22 PM

If our phones can hear these ultrasonic beacons, they can hear everything else... What have you talked about, or what sounds have you made, that you didn't want overheard? Stocks? Business? Sex?

This could be a problem in the few states that make it illegal to record someone without their permission... Though I suppose it was buried somewhere in the ELUA...

MarkMay 8, 2017 12:29 PM

@Zorro, in Maryland it would be a problem where consent for audio recording is required. The other issue that comes to mind is that your microphone is always listening, how else would it know when you say "OK Google"?

NickjMay 8, 2017 12:54 PM

@Rick Lobrecht: you have a touching faith in the security of iOS.
If a computer has a microphone permanently connected, it can be hacked so that the hacker's code can listen to the microphone whenever it wants to. I'd bet money that the NSA has already cracked that one.

BillMay 8, 2017 1:00 PM

@TS

Maybe that's why my dogs go crazy at certain commercials on TV.

The sounds would be under the control of the ad producer, I would imagine, or possibly the broadcaster.

christopherMay 8, 2017 2:11 PM

Wouldn't the next logical step be an app that detected those signals for you?

JG4May 8, 2017 2:45 PM


I hate to parade my ignorance, but is the login link at "Leave a comment" new? A result of the discussion about having an optional login to post comments? I can't find a place to set up a username, but I like the idea of tying a password and username to my nom de plume to prevent mischief.


Only Comey Can Save Us NowMay 8, 2017 2:50 PM

Shouldn't this say "nearby Android phones" instead of "nearby smartphones"?

No one's iOS device is compromised like this.

Clive RobinsonMay 8, 2017 3:46 PM

@ JG4,

I hate to parade my ignorance, but is the login link at "Leave a comment" new?

I've seen it before, BUT only when I've had javascript on by mistake.

David LeppikMay 8, 2017 4:55 PM

@Mark: the original Google Nexus phones had custom low-power speech recognition circuits designed only to detect "OK Google." That's probably not how they do it for devices that don't have stringent energy requirements, but it's one way to handle security. I don't know how they handled other languages (if at all) but it shouldn't be hard; limited vocabulary speech recognition goes back a long way...

...back to the 1920s with Radio Rex.

Space Ghost's helperMay 8, 2017 7:21 PM

All onion services. Yes. All 1.2 septillion of them. Sorted :)

https://onions.system33.pw/

Well actually [something about next generation onion services]

You're right! This index doesn't include any of the next generation of onion services! As of May 2017, the naming scheme hasn't been finalized. It's kind of hard to index something that (i) doesn't exist yet, and (ii) doesn't have a naming scheme set in stone yet.

Space Ghost's helperMay 8, 2017 7:27 PM

@Patriot COMSEC • May 8, 2017 9:25 AM

Soon we will all have a spectrum analyzer on the kitchen table. For "fine dining"...


Great comment!

Imagine dining through constant loud white noise (shudder) - since you never really know which appliances are trustworthy.

AWNMay 8, 2017 8:18 PM

@David Leppik
@Mark: the original Google Nexus phones had custom low-power speech recognition circuits designed only to detect "OK Google."

you have any references for that?

No Liberty No FreedomMay 9, 2017 12:49 AM

Google is an inherently EVIL organization.
ANDROID-Google-Apple-Windows should be removed from your life.

These signals were spotted YEARS ago.
Also spotted the background communication going on between electronic
devices and cell phone. Even though the cell phone blue tooth was turned OFF.
Communication was still going on in the background.
Automobiles are also compromised. Your key fob is a tracking device.
Everything you say in a modern automobile is recorded.
Who is getting the data I am unsure. I just know the signals are there.

I tried to tell people what was going on TEN years ago.
EVERYONE I told, said I was "paranoid'. Even after I showed them signal data signatures.
Now after Ed Snowden everyone acts like this type of thing is "new."
Has been going on for many YEARS. Maybe decades?

Thank you Bruce for the work you put in on your web site. You are sincerely Appreciated and Loved.
I make it a point to buy every book you write/are associated with, in order to support your work.
I also buy your books as gifts for others. Suggest others on this web site do the same.
Again, Thank you Bruce. We Love you.

***** Check out intellistreets.com
Even street light snitch and snoop on you.

The control freaks never tire.

Who?May 9, 2017 3:00 AM

Someone should write an app that detects those ultrasonic beacons and warns the owner of the device when it happens. Another possibility (this one will require root access to the device) would be filtering audio on these devices so they cannot send and/or receive in the ultrasonic range.

Just a wild guess from someone that does not have a mobile phone, either smart or not.

MatteoMay 9, 2017 3:11 AM

@Nonhappening Event you are missing the poinint, your solution will work but it solve the wrong problem.
@HM is correct: why random apps are allowed to constantly listen your mic???

pro tip for android:
settings
apps
click on the gear (top right)
click app autorizations

now you will have *per category* permissons list:
so you will see something like "microphone: 4 apps" and clicking there you can see every app with mic access (you can click "show system apps" if you want)
and with privacy guard by holding click/tap on the single app you can deny single permissions to any app you want.

from my android 7.1.

MatteoMay 9, 2017 3:14 AM

@Arclight with my method you can find yourself any app with mic access and deny any app you want mic access (or more permissions if you want)
for example deny open on phone boot or run in background to save battery life if they don't need to run.
(see comment above)
(sorry for double comment)

ATNMay 9, 2017 3:44 AM

The only reason an app is written in the first place is to include this kind of technology, so that the costumer will pay for the development time.
If you are not paying to install the app, you obviously are not the costumer, someone else is.

Space Ghost's helperMay 9, 2017 8:03 PM

@No Liberty No Freedom


Now rue the day I dismissed the tinhat people as cranks :(


I was very, very wrong.

Patrot COMSECMay 9, 2017 9:13 PM

It is a very interesting article. It explains a zero day attack method. The new attack methods are often more interesting than particular weaknesses in software.

This new method reminds us how an air-gapped computer needs to be physically separated from an unsecure, internet-connected one. Distance generally helps, but it is not a real solution.

Stopping RF and sound via physical barriers is important for a truly air-gapped system.

I wonder how many people (or organizations) go so far as to maintain a spectrometer near their critical internal network/device.

John HardinMay 9, 2017 9:52 PM

@Patrot COMSEC:

This new method reminds us how an air-gapped computer needs to be physically separated from an unsecure, internet-connected one. ... Stopping ... sound ... is important for a truly air-gapped system.

New security model: Vacuum Gap.

WaelMay 9, 2017 10:21 PM

@John Hardin,

New security model: Vacuum Gap.

That and other types of "gaps". @Clive Robinson collectively calls them "Energy-gap".

JG4May 10, 2017 6:21 AM


"I wonder how many people (or organizations) go so far as to maintain a spectrometer near their critical internal network/device."

A hypervisor can be a spectrum analyzer and all of the other filters that are required to visualize the important states of a machine, particuarly including those that result from successful and unsuccesful attacks. Detecting use of undocumented features, whether of a cell phone or a computing engine, is one essence of security.

We might cast this in terms Boyd's OODA framework, which is the essence of intelligence. Observe, orient, decide, act. The hypervisor must implement the first two steps by enabling insight into the state of a machine. Implementing the two additional steps goes well beyond hypervisor into artificial intelligence.

Links 5/10/17 | naked capitalism - Tor Browser
http://www.nakedcapitalism.com/2017/05/links-51017.html
...
Big Brother is Watching You Watch

Here’s How Easy It Is to Get Trump Officials to Click on a Fake Link in Email Gizmodo (furzy)

http://gizmodo.com/heres-how-easy-it-is-to-get-trump-officials-to-click-on-1794963635

Google Project Zero researchers find ‘crazy bad’ Windows RCE flaw Network World. Bill B: “Exposing users to risk under the pretense of protecting them. A recurring theme.”

http://www.networkworld.com/article/3195145/security/google-project-zero-researchers-find-crazy-bad-windows-rce-that-is-wormable.html

Wikileaks: Chelsea Manning confirms her release from prison next week BBC (martha r)

http://www.bbc.com/news/world-us-canada-39864468

Anonymous CowardMay 13, 2017 6:58 PM

There was a bug report opened on this 8 months ago at https://trac.torproject.org/projects/tor/ticket/20214
It hasn't seen any love for over 3 months and I've never written in the C programming language, making a fix beyond me.
Many talented individuals around here seem skilled in it, would any of you have time to submit a PR? This could save the lives of countless journalists, whistleblowers and political activists who are trapped in oppressive regimes such as North Korea.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.