Imagine you are watching your favorite program on TV. The ads come on, you pick up your phone, and a pop-up for the same scrumptious chocolate bar that was just being advertised on your TV appears on your smartphone. It’s getting harder to resist…
Ultrasonic cross-device tracking (uXDT) is here. It uses high-frequency sounds, pitched just above the range of human hearing, to link your devices (TVs, phones, tablets and PCs) so that advertisers can track you across all of them. The ultrasounds are embedded in television or radio commercials, or generated by JavaScript in ads displayed in web browsers. They are inaudible to the human ear (not sure about dogs and cats) but are picked up by the microphones on other devices. That is how your smartphone knows to display a pop-up for the chocolate bar you have been trying so very hard to resist.
The listening is done by a receiving application already installed on the second device. Sometimes users consent to this, often in exchange for rewards and incentives for keeping such apps active, but there have been numerous examples of mobile applications that listen for ultrasound without users’ consent, sometimes without even offering an opt-out.
Advertising platforms use uXDT to track which ads people watch and how effective they are: do people buy a product after seeing a certain ad, and how long do they watch the ad for? Most people use multiple devices each day (smartphones, tablets, wearables, PCs) and the holy grail of advertising is to link one user to all of their devices. It creates richer advertising profiles and more targeted advertising opportunities.
Companies such as Google, Nestlé and Domino’s are either investing in uXDT or using uXDT providers such as SilverPush or Signal360.
Security researchers at Black Hat Europe and the 33rd Chaos Communication Congress showed how uXDT can be used to de-anonymize Tor users by leaking their real IP address. In the attack described by security researcher Vasilios Mavroudis and his colleagues, a Tor user is tricked into visiting a page that emits ultrasound, either through an ad or by forcing the browser to emit an ultrasonic beacon (potentially via cross-site scripting). If the user’s phone or tablet is within earshot and has a receiving app installed, the app reports the beacon to the advertiser, linking the anonymous browsing session on the computer to that mobile device. A state actor could then subpoena the advertiser and obtain details about the user’s real identity, potentially including IP address, geolocation, Android ID, IMEI and more.
So what can we do about it? Obviously, turning off the microphone defeats the point of a mobile phone. Mavroudis and his team have developed a Chrome browser extension called SilverDog that filters HTML5 audio to remove ultrasounds. However, it does not catch sounds played via Flash, and it does not protect Tor users, because Tor Browser is based on Firefox rather than Chrome. Next, the researchers have proposed a new permission in Android that would force applications to explicitly ask for access to the ultrasound spectrum. Finally, the research team advocate a standardized format for ultrasound advertising beacons, much like the one we have for Bluetooth beacons.
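To make the mechanism and the countermeasure concrete, here is an added example (not code from the researchers, from SilverDog or from any uXDT provider) in plain Node.js. It constructs an audio buffer in which an audible 440 Hz tone stands in for the commercial and an on-off-keyed 18.5 kHz carrier, inaudible to most adults, carries an 8-bit payload on top of it. A receiver then does what a listening app does with microphone input: it measures the energy at the carrier frequency in each symbol window (Goertzel algorithm) and turns that into bits. Finally a windowed-sinc low-pass filter at 15 kHz, the same kind of filtering a browser extension such as SilverDog applies to HTML5 audio, is run over the buffer and the receiver reads nothing. The carrier frequency, symbol length, cutoff and payload are all assumptions chosen for the demo.

```javascript
// Added example: an ultrasonic beacon, the receiver that hears it, and the
// low-pass filter that silences it. Plain Node.js, no dependencies.
// Every parameter below is an assumption for the demo, not a value used by
// any real uXDT provider.
const SAMPLE_RATE = 44100;
const CARRIER_HZ = 18500;      // assumed beacon carrier, just above normal hearing
const AUDIBLE_HZ = 440;        // stands in for the audible commercial
const SYMBOL_MS = 50;          // assumed duration of one on-off-keyed bit
const SYMBOL_LEN = Math.round(SAMPLE_RATE * SYMBOL_MS / 1000); // 2205 samples
const DETECT_THRESHOLD = 0.03; // carrier amplitude above which a symbol reads as '1'

// Build the constructed audio: audible tone plus an on-off-keyed ultrasonic beacon.
function makeSignal(bits) {
  const out = new Float32Array(SYMBOL_LEN * bits.length);
  for (let i = 0; i < out.length; i++) {
    const t = i / SAMPLE_RATE;
    let s = 0.5 * Math.sin(2 * Math.PI * AUDIBLE_HZ * t);
    if (bits[Math.floor(i / SYMBOL_LEN)]) {
      s += 0.1 * Math.sin(2 * Math.PI * CARRIER_HZ * t); // beacon on for a '1'
    }
    out[i] = s;
  }
  return out;
}

// Goertzel algorithm: amplitude of a sinusoid at targetHz in samples[start, start+len).
// A listening app runs something like this over microphone input, one window at a time.
function amplitudeAt(samples, start, len, targetHz) {
  const k = Math.round(len * targetHz / SAMPLE_RATE); // nearest DFT bin
  const coeff = 2 * Math.cos(2 * Math.PI * k / len);
  let s1 = 0, s2 = 0;
  for (let i = 0; i < len; i++) {
    const s0 = samples[start + i] + coeff * s1 - s2;
    s2 = s1;
    s1 = s0;
  }
  const power = s1 * s1 + s2 * s2 - coeff * s1 * s2; // |X[k]|^2
  return 2 * Math.sqrt(power) / len;                  // back to a sinusoid amplitude
}

// Receiver: one Goertzel window per symbol, thresholded into bits.
function decodeBits(samples, nSymbols) {
  const bits = [];
  for (let s = 0; s < nSymbols; s++) {
    const amp = amplitudeAt(samples, s * SYMBOL_LEN, SYMBOL_LEN, CARRIER_HZ);
    bits.push(amp > DETECT_THRESHOLD ? 1 : 0);
  }
  return bits;
}

// Windowed-sinc (Hamming) FIR low-pass: the kind of filter an extension can put in
// front of HTML5 audio. Content above cutoffHz is attenuated by roughly 50 dB.
function lowPass(samples, cutoffHz, taps = 201) {
  const fc = cutoffHz / SAMPLE_RATE;
  const M = taps - 1;
  const h = new Float64Array(taps);
  let gain = 0;
  for (let n = 0; n < taps; n++) {
    const x = n - M / 2;
    const sinc = x === 0 ? 2 * fc : Math.sin(2 * Math.PI * fc * x) / (Math.PI * x);
    const hamming = 0.54 - 0.46 * Math.cos(2 * Math.PI * n / M);
    h[n] = sinc * hamming;
    gain += h[n];
  }
  for (let n = 0; n < taps; n++) h[n] /= gain; // unity gain at DC
  const out = new Float32Array(samples.length);
  for (let i = 0; i < samples.length; i++) {
    let acc = 0;
    for (let n = 0; n < taps && n <= i; n++) acc += h[n] * samples[i - n];
    out[i] = acc;
  }
  return out;
}

// Run the whole chain: emit, listen, filter, listen again.
function demo() {
  const payload = [1, 0, 1, 1, 0, 0, 1, 0];              // constructed beacon payload
  const raw = makeSignal(payload);
  const filtered = lowPass(raw, 15000);                  // assumed cutoff: 15 kHz
  return {
    payload,
    heardRaw: decodeBits(raw, payload.length),           // receiver recovers the payload
    heardFiltered: decodeBits(filtered, payload.length), // all zeros: the beacon is gone
    audibleRaw: amplitudeAt(raw, 0, raw.length, AUDIBLE_HZ),
    audibleFiltered: amplitudeAt(filtered, 0, filtered.length, AUDIBLE_HZ),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const r = demo();
  console.log('payload          ', r.payload.join(''));
  console.log('heard (raw)      ', r.heardRaw.join(''));
  console.log('heard (filtered) ', r.heardFiltered.join(''));
  console.log(`440 Hz amplitude: ${r.audibleRaw.toFixed(3)} raw, ${r.audibleFiltered.toFixed(3)} filtered`);
}
```

Run it with `node beacon.js`: the receiver reads the payload back from the raw buffer, reads only zeros after the filter, and the audible 440 Hz tone comes through the filter almost untouched. Note what the filter can and cannot do: it only touches audio the browser itself renders, so it stops a beacon hidden in a web ad but does nothing about one in a TV commercial that reaches the phone's microphone, which is why the researchers also want the receiving side policed through an OS permission.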
But for now, how about that chocolate bar?
About the Author:
Sharon Conheady is the director of First Defence Information Security where she specialises in social engineering, security awareness and penetration testing. She has a background in professional services and has delivered security testing and training both locally and internationally.
Sharon is a founding member of the Risk Avengers, collaborating with industry peers in the fraud prevention and cyber security arenas. Sharon is a regular speaker at security events around the world and has presented at conferences including DEF CON, DeepSec, Recon, CONFidence and InfoSec, and has appeared as a subject matter expert on security podcasts including PaulDotCom and social-engineer.org. She is also a member of the Regional Review Board for Black Hat Europe.
Sharon has an MSc in Information Security from the University of Westminster and a BA (Mod) in Computer Science, Linguistics and French from Trinity College Dublin. She is the author of Social Engineering in IT Security: Tools, Tactics, and Techniques, published by McGraw-Hill.
About The Risk Avengers:
The Risk Avengers is a collaboration of three well-respected and experienced industry experts. Dr Jessica Barker, Sharon Conheady and Toni Sless pool their extensive knowledge and experience in the fraud prevention, physical security, cyber security, social engineering and penetration testing arenas. The Risk Avengers provide consultancy and training to businesses on the minefield that is information security, fraud awareness and prevention.