Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Privacy Communications Network Networking Security Television The Internet Science

Ultrasound Tracking Could Be Used To Deanonymize Tor Users (bleepingcomputer.com) 207

New submitter x_t0ken_407 quotes a report from BleepingComputer: Ultrasounds emitted by ads or JavaScript code hidden on a page accessed through the Tor Browser can deanonymize Tor users by making nearby phones or computers send identity beacons back to advertisers, data which contains sensitive information that state-sponsored actors can easily obtain via a subpoena. This attack model was brought to light towards the end of 2016 by a team of six researchers, who presented their findings at the Black Hat Europe 2016 security conference in November and the 33rd Chaos Communication Congress held last week. Their research focuses on the science of ultrasound cross-device tracking (uXDT), a new technology that started being deployed in modern-day advertising platforms around 2014. uXDT relies on advertisers hiding ultrasounds in their ads. When the ad plays on a TV or radio, or some ad code runs on a mobile or computer, it emits ultrasounds that get picked up by the microphone of nearby laptops, desktops, tablets or smartphones. These second-stage devices, who silently listen in the background, will interpret these ultrasounds, which contain hidden instructions, telling them to ping back to the advertiser's server with details about that device. Advertisers use uXDT in order to link different devices to the same person and create better advertising profiles so to deliver better-targeted ads in the future. The attack that the research team put together relies on tricking a Tor user into accessing a web page that contains ads that emit ultrasounds or accessing a page that contains hidden JavaScript code that forces the browser to emit the ultrasounds via the HTML5 Audio API.
This discussion has been archived. No new comments can be posted.

Ultrasound Tracking Could Be Used To Deanonymize Tor Users

Comments Filter:
  • by waspleg ( 316038 ) on Thursday January 05, 2017 @08:48PM (#53614345) Journal

    ads couldn't be any fucking worse...

    • What are ads? I haven't seen them in so long that I forgot.

      Good to see some real info on hacking on here for once, even if it's a bit dated. I was getting sick of talking about phishing scams and the idiots who fall for them.

      • by simplypeachy ( 706253 ) on Friday January 06, 2017 @06:07AM (#53615817)
        When I use other people's computers to use the Internet...good god it's like I'm in some sort of fledgling Total Recall. So many of the adverts have reached past the threshold of being parodies of themselves, they seem like their own self-satire. The relevancy or attention span of any amount of text is reduced to almost nil by pictures of mostly-naked people on diet pill adverts, shiny shiny motor vehicles with angry-looking grilles or hilarious gambling animations. There is a massive joke that you and I are not seeing, and that's because we're not suffering the expense of being the butt of the joke that is Internet advertising.
        • When I use other people's computers to use the Internet...good god it's like I'm in some sort of fledgling Total Recall ...There is a massive joke that you and I are not seeing, and that's because we're not suffering the expense of being the butt of the joke that is Internet advertising.

          Hear, hear! If the majority of unsophisticated users could see our browsing experience for just one day, and then understand how easy it would be for them to have the same, I think a large portion of Internet ad revenue would dry up overnight.

          I'm of two minds on this. On the one hand, I'd like everyone to experience the Web without ads. On the other hand, I'm grateful that they don't, because their acquiescence allows me to avoid ads without taking heroic measures.

      • what is a speaker and a mic? I leave both turned off on my pc. when I want to listen to music, I run a linux box that does not have a browser or normal network access enabled. and there is never a mic on a music playback system that I build or use.

        I block ads and each time I read things like this article, it increases my belief that blocking ads is the right thing to do. I block incoming network connections at the firewall and nearly everyone does, too; but I find it odd that not everyone wants to fight

    • Never, EVER say it couldn't be worse, because someone or something will prove you wrong.

      Enjoy your bios rootkit now that you jinxed yourself.
      • The browser could simply ask the user, "Allow access to audio API from script.js"? Seems like this was probably already a great idea so that you couldn't make a browser moan for the entire Starbucks to hear.
        • That might have worked once upon a time when we had simply Javascript scripts that were more or less self contained. Today you'd almost certainly get a bunch of "Allow access to audio API from cdn.google.com/oneofthreepopularplayers.js?" type requests coming from both legitimate applications and ads. At best, you'd have to include the equivalent of a stack trace within the dialog (oh! So opendashplayer.js is being called by honestads.ru huh? I'll block that!), but then you're making the dialog way more com

        • Another variant of this attack used several other mechanisms for generating the sound. If you're doing a very targeted attack, spiking the CPU to 100% until the fans come on and then letting the machine cool gives you a good idea who it is. For a lot of machines, various different operation sequences can make some components emit high-frequency sound that a reasonable microphone can pick up. There was a really neat attack on Tor in data centres about a decade ago that monitored the ambient temperature (u
    • I try only to comment when I have something thoughtful to add, but decided I had to comment despite myself this time. You summed it up nicely. Those advertiser scum could barely be any worse. These is some of those most obtrusive, obscene and despicable ideas yet. They might as well video record me taking a shit and use the colour and texture of my faeces to determine which food or vitamin pills they're going to force down my gullet when I next pause between breathing. Breathtakingly despairing.
  • by Anonymous Coward on Thursday January 05, 2017 @08:54PM (#53614365)

    Anyone who's paranoid enough to use Tor should also be blocking ads and trackers in order to make this difficult. Tor isn't a magic bullet for privacy. you have to take other measures, too.

    Also, this requires that other devices be listening and possibly compromised. It doesn't seem like other devices should be listening for ultrasonic signals and sending data based on them unless they've already been compromised.

    Yes, it's been established that, with extreme skill, malware can jump the air gap. However, this requires a large degree of sophistication. Furthermore, even if people can't hear those signals, wouldn't they attract the attention of animals like dogs? And of they're of a high enough frequency that dogs can't hear them, shouldn't it be possible to generate enough ultrasonic noise to block out the signals? If this is a real threat, shouldn't someone be writing programs that produce garbage ultrasonic noise or devices that are designed specifically to look for these signals?

    • by Koby77 ( 992785 )
      Potentially they would also be paranoid enough to simply disable sound, or at least run through some kind of headphones/speakers with a toggle. I can't even remember the last time that I browsed a webpage with my sound enabled. While this type of attack does seem devious, it also seems to be grasping at straws for any possible advantage.
    • by EvilSS ( 557649 )
      Well to the first point, it could also be used by an agency taking over a tor site covertly, no need to embed it in an ad. To the second, it doesn't require the phone to be compromised at all, just the user to download an app from an official app store and not pay attention to the terms and permissions it's asking for. This technology is used in advertising beacons today. The app developer adds a library and it reports back to the agency that provides the beacons. There have been several stories in the p
      • Yes - Facebook App for instance listens to the ambient sounds and you'll see the ads in your feed change based upon the words said. I saw this reported on a few years ago and couldn't believe it - so I tried it out myself and was very surprised when it worked. Granted that was a few years ago and I don't know if they still do it (too lazy to try it right now).

        Which is why I have disabled audio Input for FB. Actually - it is why I do not allow access to the microphone from any app. Or terminate those app

    • Also, this requires that other devices be listening and possibly compromised. It doesn't seem like other devices should be listening for ultrasonic signals and sending data based on them unless they've already been compromised.

      Yes, it's been established that, with extreme skill, malware can jump the air gap. However, this requires a large degree of sophistication...

      You mean the kind of sophistication that would lead advertisers to pay the source (hardware vendors) to plant this capability in hardware by default?

      And that's just the power of money talking. Imagine what power governments could wield to ensure this technology is deployed across the masses, using the cause-terrorists-protect-the-children excuse.

      It's hardly news anymore to find [popular app] putting a microphone into constant listening mode, along with all the other popular listening devices and services

    • by AmiMoJo ( 196126 )

      Anyone using Tor should have Javascript disabled, which would completely mitigate this and most other attacks.

      I'm not sure why Tails has Javascript enabled by default these days.

    • I read a similar article several days ago and came to the same conclusion that you did - this is very sophisticated. Maybe too sophisticated. Which made me wonder whether this is theoretical "in the lab" by researchers or actually out in the wild. As for dogs hearing it? sure - maybe. There are lots of noises. My furnace fan makes a blowing air sound. I don't howl because of it - it's just annoying white noise that I ignore.

      Need a Raspberry Pi project to listen for this. Then becomes a keyfob that y

      • and I forgot to mention Tor. Sure wanting to uncover people is interesting. But do advertisers believe there are enough people using Tor to invest and develop this technology - that the target audience is big enough?

        Maybe a feedback loop on the same computer. A Tor ad playing and the computer listening to send it back through non-Tor channels. But that also assumes a computer has been compromised with an app that can listen. How many people have installed a Time Sync app? Fake/Hacked Java or Flash d

  • Is this theoretical? (Score:5, Interesting)

    by guruevi ( 827432 ) <evi@ev c i r c u i t s . com> on Thursday January 05, 2017 @08:58PM (#53614389) Homepage

    I understand this is theoretically possible but what speakers in these devices have powerful ultrasonic blasters? Unless they're doing some form of distance measuring, the majority of speakers is limited well under 18kHz with the response curve dropping sharply after that.

    • by Midnight_Falcon ( 2432802 ) on Thursday January 05, 2017 @09:15PM (#53614447)
      This! As somewhat of an audio engineer I know various speaker drivers very well, and laptop speakers essentially never have advertised frequency responses above 20KHz. And you're right, realistically, it's more like 18Khz with a steep drop off after 16KHz. Many people can hear 20KHz -- I've done tone tests and found I can hear up to 22KHz. So what speakers is this person using and what manner of computer has this kind of built in tweeters?
      • by F.Ultra ( 1673484 ) on Thursday January 05, 2017 @10:14PM (#53614717)
        And isn't there a cut-off filter in the DACs used by phones/computers to filter out anything above the Nyquist sampling rate? Or is that frequency so high now a days due to oversampling that it's in the ultrasound range?
        • A modern dac is supposed to digitally filter at 20 kHz (very hard cutoff), in exchange for lots of noise above 100 kHz. A soft roll-off analog filter takes care of the content above 100 kHz.

          I suspect that ultrasound in this context really means 16 kHz or so, at volumes that are too low for the ear, but easily picked up by a microohone and some signal processing.

        • by AmiMoJo ( 196126 )

          According to TFA the range is 18-20kHz, with 75Hz bands that represent individual symbols. Most TVs can produce 20kHz sounds, and you probably wouldn't hear them. Even if you can hear a 20kHz tone over headphones in a quiet room, with the noise of a commercial mixed in and the audio played at low volume you won't notice.

          I'm more sceptical that typical laptop speakers could produce such high pitch noises, but I guess for Tor attacks you could use lower frequencies. The TV ads need to work at a few metres ran

      • by EvilSS ( 557649 ) on Friday January 06, 2017 @03:03AM (#53615443)

        This! As somewhat of an audio engineer I know various speaker drivers very well, and laptop speakers essentially never have advertised frequency responses above 20KHz. And you're right, realistically, it's more like 18Khz with a steep drop off after 16KHz. Many people can hear 20KHz -- I've done tone tests and found I can hear up to 22KHz. So what speakers is this person using and what manner of computer has this kind of built in tweeters?

        You guys realize this is not some theoretical flight of fancy, right? It's being used today for ad tracking: http://arstechnica.com/tech-policy/2015/11/beware-of-ads-that-use-inaudible-sound-to-link-your-phone-tv-tablet-and-pc/ [arstechnica.com]

        Apps using SilverPush [addonsdetector.com]

        • "The inaudible code is recognized and received on the other smart device by the software development kit installed on it."

          So the other device has to be compromised as well which at least complicates delivery of this attack to targets.

          Although they claim:
          As of April of 2015, SilverPush’s software is used by 67 apps and the company monitors 18 million smartphones.

          Maybe true, maybe marketing.

      • What kind of audio source did you use to find that you can hear 22 kHz? Unless you have an ultra low noise analog sine wave generator and amplifier, you are likely to hear noise, artifacts of the DA converter, and effects of clipping when you crank up the volume. The stated limit of 20 kHz for the human ear is the frequency where the pain threshold and the hearing threshold coincide for an average young person, so it is likely that you need >110 dB SPL to have any chance of hearing above 20 kHz. A device

      • It doesn't have to be ultrasound. The Sub sonic range is usable by machines but you won't hear a thing, or a signal in the audio range but at a low signal strength would work.
  • by Anonymous Coward on Thursday January 05, 2017 @08:58PM (#53614391)

    explain to me why we even have browsers that allow javascipt to 'play audio' without permission in the first F***ing place?

    The entire reason I started to use adblock in the first place (I 'theoretically' highly approve (both morally and economically, etc.) of ad-supported content) was because I worked phone support and could browse the internet while telling people to plug the cable back in and try rebooting.... and then I started to get NOTHING but flash ads that would play audio (while I was on the call) so I got firefox 0.x.x.x when it was released and got adblock plugin as soon as it was released.

    To this day I still -want- to be able to allow ads.... but 3rd party ads are just too much of a 1) security risk 2) annoyance risk and 3) usability interruption risk (ads that redirect the page (especially on mobile)

    and just wait.... HTML5 'all JS' pages will start to come soon (other than sites located in California which THANK the GODS has a law stating sites must be text browsable for usability (handicapped) reasons.... which ends up just helping everyone...

    • Re: (Score:2, Funny)

      by Anonymous Coward

      Since you receive desired content on web pages, it is your moral obligation to allow the ads to play. They play sounds and display video to capture and hold you attention long enough for the message to get into your brain for processing, and paying attention to this is your end of the social contract built around ad-supported content.

      Allowing the tracking is also obligatory on your part.

      You can protect yourself from viruses and such by running such tools as McAfee antivirus, and also by keeping your browsi

  • They're installing software I don't know about on my phone/laptop, then using that software to send personal ID details to unknown servers. This has to fall under at least one of the myriad hacking laws we already have on the books.

    Oh, I forgot. They donate more to congressclowns than I do.
    • They're installing software I don't know about on my phone/laptop, then using that software to send personal ID details to unknown servers. This has to fall under at least one of the myriad hacking laws we already have on the books.

      If the FBI does it, yes. A law recently activated that lets them legally try to hack someone using Tor or anything else that could hide traffic (like, perhaps a VPN).

    • by naris ( 830549 )
      Because it's theoretical and not real (other than a proof of concept installed on the researcher's own computer)...
  • by Anonymous Coward

    You're our only hope :(

  • This attack model assumes there is an app on the phone able to listen all time for ultrasounds. Obviously granting microphone access to an app is dangerious and should not be taken lightly.
    • No it doesn't. You are at a cafe that has microphones installed at the tables for voice-activated ordering. That infrastructure, along with the GPS data that is constantly tracking you, pinpoints you...

    • by EvilSS ( 557649 )

      This attack model assumes there is an app on the phone able to listen all time for ultrasounds. Obviously granting microphone access to an app is dangerious and should not be taken lightly.

      They already exist! Leave it to ad agencies to beat the government to the punch on tracking out lives. Best part is we stupidly agree to it (or just don't read the fine print when installing some crap app on our phones)

      One thing iOS does that I wish Android did is they way they handle applications using the microphone. Not only do you need to grant mic permissions, when an app uses the mic, the status bar changes color, continuously flashes if the app is in the background, and it adds a banner under the

    • This attack model assumes there is an app on the phone able to listen all time for ultrasounds.

      TFA suggests that this even is the case for many phones already: they say many advertising APIs (which programmers simply link to in order to get ads in their apps) already include ultrasound listening options. This is supposedly yet another way for the advertisement provider to get more information on individual users, in this case by linking separate devices as belonging to the same user.

  • Why is ultrasound being preserved in compressed audio? Unless they are hinging on uncompressed au or wav formats?

    • They might not be sending any audio at all. A software signal generator capable of producing only a single tone (or maybe two tones if you don't want to use silence as one of your bit states) is not complex.
    • CD quality sound is sampled at 44.1Khz, so it's only capable of faithfully sound that IS audible to the human ear (about 20Khz). Who builds systems capable of accurately reproducing sounds that humans cant here? That seem pretty pointless.
      • The flippant response is that there is a large and lucrative idiot market out there, and someone was bound to go after it sooner or later.

        The better answer is that we have two ears. By limiting audio signals to the hearing range of a single ear, we lose the ability to capture and reproduce subtle phase information. This is an unexpected side benefit of the 48k audio being sold to the morons mentioned above.

  • by Anonymous Coward on Thursday January 05, 2017 @09:44PM (#53614597)

    JavaScript code

    Stop right there. That's all you have to say.

    If you're trying to be anonymous and then letting unknown untrusted parties run scripts on your computer, you are (a) a colossal idiot, and (b) not actually anonymous at all. This is one of about a thousand ways to de-anonymize you. The details hardly matter: if it's not this, it's the next, or the next.

    Turning javascript off by default is a good idea even if you are NOT trying to be anonymous, due to the endless stream of exploits it has enabled, but especially when you are trying to be anonymous, don't run that shit!.

  • I Tor with javascript disabled, and I'm not even a pedophile / drug dealer.
  • Certainly the ads have no idea if there is a device listening for them and will broadcast anyway. I suppose ultrasound detectors could detect the activity. Maybe you could spam with some conventional source of ultrasound to drown these devices with indecipherable noise. Or just the network approach, whatever.
  • That relies on people being stupid enough to leave compromised apps running on a machine with a microphone, and only tells you what broadcast coverage area the user is in... it's not like it narrows the location down that much! If you've got a compromised app constantly sending data over the internet, wouldn't it be easier to just trace the IP packets back to the source?
  • Can't do that because you are on a laptop? Too bad, you are screwed.

    • by EvilSS ( 557649 )

      Can't do that because you are on a laptop? Too bad, you are screwed.

      Stick a 3.5mm plug into the headphone jack. solved.

      • Stick a 3.5mm plug into the headphone jack. solved.

        I'm not convinced - on my galaxy note at any rate - that this is guaranteed to work.

        I've noticed that when I push the plug in, it detects the plug being inserted and then switches the sound from the internal speakers. I'm not convinced that, unlike old fashioned radios, inserting the plug physically disconnects the internal speakers.

        But I could be wrong - it's something I've noticed in passing rather than something I've been looking out for.

        • by allo ( 1728082 )

          on laptops it is not. You can activate both speakers and headphones in the mixer. Maybe not (that easy) on windows, but on linux there is no problem. It's a feature, not a bug.

      • by gweihir ( 88907 )

        Unless that is done by the firmware of the sound-chip. Then it may be possible to hack it. Have you verified this?

  • . . . to just station an observer within line of sight of your monitor? Or tap the stray EM coming off of monitor, keyboard and mouse? Or physically tap your hardware? Or ensure you've bought pre-compromised hardware? Or . . .
  • Alternatively you could just have an ad that screams "hey, this evil hacker is using evil hacking tools!" at full volume.

    I certainly leave the volume on my computer turned up nice and high when I'm browsing questionable content in public.

  • ... dogs bark during that goddam Weight Watchers commercial!

  • Plug headphones into laptop. Alternatively, get some old headphones, chop the jack off and plug that in.

  • Didn't I see this in the last Bourne movie? And here I thought that was just they typical Hollywood tech cluelessness.

  • I wonder, though: how many people surf with their sound on? Most people I see (granted, not a representative sample) either have headphones or have the sound off, so as not to disturb everyone around them. If I were surfing something via Tor, i.e., sensitive, then I'd be double sure not to have publicly audible sound.

  • by geekmux ( 1040042 ) on Friday January 06, 2017 @03:59AM (#53615575)

    "Advertisers use uXDT in order to link different devices to the same person and create better advertising profiles so to deliver better-targeted ads in the future"

    If any citizen were caught deploying this kind of tech to electronically profile the masses, they would be labeled a terrorist and locked up for life. But hey, spend a few hundred and file your questionable activities under a corporation, and it's ALL good! What a fucking joke of a loophole.

    I swear, reading about shit like this makes me wonder what power privacy advocate groups really wield anymore.

  • Also the XBone.

    Other than that how many other apps keep microphones open and recording?

    And not so much hackers as they are paranoid. But it would be a good tactic for finding and tracking Journalists.

    Journalists can be quite dim; just look at the one that released his key for the the Manning data in a book.

  • Could you not just create a program to run that pumps out a bunch of random ultrasounds? It could flood the environment and make the original ultrasound signal impossible to discover, no?
  • I don't have speakers on my computer, and the external amp is only on when I want to listen to music.
  • I would have thought that anyone serious about using Tor, would also be savvy and suspicious enough to have data turned off on their smartphones and tablets when it's not being used. I don't even use Tor, but WiFi and cellular data on my phone are turned on only when I'm browsing or emailing. As for computers, any cameras are taped over, and microphones are unplugged, or, in the case of a laptop, muted.

  • by Impy the Impiuos Imp ( 442658 ) on Friday January 06, 2017 @11:27AM (#53616983) Journal

    These second-stage devices, who silently listen in the background, will interpret these ultrasounds, which contain hidden instructions, telling them to ping back to the advertiser's server with details about that device.

    Why are people not in prison for this?

  • This is a ridiculous over thought bond movie gimmick of a threat.

Computer programs expand so as to fill the core available.

Working...