Ultrasound Tracking Could Be Used To Deanonymize Tor Users (bleepingcomputer.com) 207
New submitter x_t0ken_407 quotes a report from BleepingComputer: Ultrasounds emitted by ads or JavaScript code hidden on a page accessed through the Tor Browser can deanonymize Tor users by making nearby phones or computers send identity beacons back to advertisers, data which contains sensitive information that state-sponsored actors can easily obtain via a subpoena. This attack model was brought to light towards the end of 2016 by a team of six researchers, who presented their findings at the Black Hat Europe 2016 security conference in November and the 33rd Chaos Communication Congress held last week. Their research focuses on the science of ultrasound cross-device tracking (uXDT), a new technology that started being deployed in modern-day advertising platforms around 2014. uXDT relies on advertisers hiding ultrasounds in their ads. When the ad plays on a TV or radio, or some ad code runs on a mobile or computer, it emits ultrasounds that get picked up by the microphone of nearby laptops, desktops, tablets or smartphones. These second-stage devices, who silently listen in the background, will interpret these ultrasounds, which contain hidden instructions, telling them to ping back to the advertiser's server with details about that device. Advertisers use uXDT in order to link different devices to the same person and create better advertising profiles so to deliver better-targeted ads in the future. The attack that the research team put together relies on tricking a Tor user into accessing a web page that contains ads that emit ultrasounds or accessing a page that contains hidden JavaScript code that forces the browser to emit the ultrasounds via the HTML5 Audio API.
Just when you thought (Score:5, Insightful)
ads couldn't be any fucking worse...
Re: (Score:2)
What are ads? I haven't seen them in so long that I forgot.
Good to see some real info on hacking on here for once, even if it's a bit dated. I was getting sick of talking about phishing scams and the idiots who fall for them.
Re:Just when you thought (Score:4, Interesting)
Re: (Score:2)
When I use other people's computers to use the Internet...good god it's like I'm in some sort of fledgling Total Recall ...There is a massive joke that you and I are not seeing, and that's because we're not suffering the expense of being the butt of the joke that is Internet advertising.
Hear, hear! If the majority of unsophisticated users could see our browsing experience for just one day, and then understand how easy it would be for them to have the same, I think a large portion of Internet ad revenue would dry up overnight.
I'm of two minds on this. On the one hand, I'd like everyone to experience the Web without ads. On the other hand, I'm grateful that they don't, because their acquiescence allows me to avoid ads without taking heroic measures.
Re: (Score:2)
what is a speaker and a mic? I leave both turned off on my pc. when I want to listen to music, I run a linux box that does not have a browser or normal network access enabled. and there is never a mic on a music playback system that I build or use.
I block ads and each time I read things like this article, it increases my belief that blocking ads is the right thing to do. I block incoming network connections at the firewall and nearly everyone does, too; but I find it odd that not everyone wants to fight
Re: (Score:2)
Enjoy your bios rootkit now that you jinxed yourself.
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
Lots of sophistication required here (Score:5, Insightful)
Anyone who's paranoid enough to use Tor should also be blocking ads and trackers in order to make this difficult. Tor isn't a magic bullet for privacy. you have to take other measures, too.
Also, this requires that other devices be listening and possibly compromised. It doesn't seem like other devices should be listening for ultrasonic signals and sending data based on them unless they've already been compromised.
Yes, it's been established that, with extreme skill, malware can jump the air gap. However, this requires a large degree of sophistication. Furthermore, even if people can't hear those signals, wouldn't they attract the attention of animals like dogs? And of they're of a high enough frequency that dogs can't hear them, shouldn't it be possible to generate enough ultrasonic noise to block out the signals? If this is a real threat, shouldn't someone be writing programs that produce garbage ultrasonic noise or devices that are designed specifically to look for these signals?
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Yes - Facebook App for instance listens to the ambient sounds and you'll see the ads in your feed change based upon the words said. I saw this reported on a few years ago and couldn't believe it - so I tried it out myself and was very surprised when it worked. Granted that was a few years ago and I don't know if they still do it (too lazy to try it right now).
Which is why I have disabled audio Input for FB. Actually - it is why I do not allow access to the microphone from any app. Or terminate those app
Re: (Score:2)
Also, this requires that other devices be listening and possibly compromised. It doesn't seem like other devices should be listening for ultrasonic signals and sending data based on them unless they've already been compromised.
Yes, it's been established that, with extreme skill, malware can jump the air gap. However, this requires a large degree of sophistication...
You mean the kind of sophistication that would lead advertisers to pay the source (hardware vendors) to plant this capability in hardware by default?
And that's just the power of money talking. Imagine what power governments could wield to ensure this technology is deployed across the masses, using the cause-terrorists-protect-the-children excuse.
It's hardly news anymore to find [popular app] putting a microphone into constant listening mode, along with all the other popular listening devices and services
Re: (Score:2)
At some point we'll be "talking" to an e-assistant for just about every smart device because ANY tech that allows a human to be as lazy as they possibly fucking can is HUGE these days.
That is farther off than you may think. Have you tried using Siri (or whatever) for real work - to actually save time? Too much mishearing, too noise sensitive, too much need to repeat/rephrase - so the lazy human types/clicks because that is faster.
A good digital assistant should be able to hear me telling a friend on the phone " ... and to turn off, I say 'Assistant, shutdown the computer!' ..." and NOT shut down the computer because it was merely a direct quotation. No AI is anywhere near that level of comprehension - and they're also too confused if there is a fan or a radio on in the room.
Although products like Dragon have been around for decades, one could argue the e-assistant era started with Siri, which is barely five years old.
Since then, there's been a LOT of advancement and proliferation across multiple devices and services, which have gained considerable popularity (such as Amazon's infamous listening devices selling out over the holidays), which only serve to highlight just how much humans have embraced convenience for the sake of security.
The lazy human will go so far as to turn o
Re: (Score:2)
Anyone using Tor should have Javascript disabled, which would completely mitigate this and most other attacks.
I'm not sure why Tails has Javascript enabled by default these days.
Is this even real? (Score:2)
I read a similar article several days ago and came to the same conclusion that you did - this is very sophisticated. Maybe too sophisticated. Which made me wonder whether this is theoretical "in the lab" by researchers or actually out in the wild. As for dogs hearing it? sure - maybe. There are lots of noises. My furnace fan makes a blowing air sound. I don't howl because of it - it's just annoying white noise that I ignore.
Need a Raspberry Pi project to listen for this. Then becomes a keyfob that y
Re: (Score:2)
and I forgot to mention Tor. Sure wanting to uncover people is interesting. But do advertisers believe there are enough people using Tor to invest and develop this technology - that the target audience is big enough?
Maybe a feedback loop on the same computer. A Tor ad playing and the computer listening to send it back through non-Tor channels. But that also assumes a computer has been compromised with an app that can listen. How many people have installed a Time Sync app? Fake/Hacked Java or Flash d
Is this theoretical? (Score:5, Interesting)
I understand this is theoretically possible but what speakers in these devices have powerful ultrasonic blasters? Unless they're doing some form of distance measuring, the majority of speakers is limited well under 18kHz with the response curve dropping sharply after that.
Re:Is this theoretical? (Score:5, Interesting)
Re:Is this theoretical? (Score:4, Insightful)
Re: (Score:2)
A modern dac is supposed to digitally filter at 20 kHz (very hard cutoff), in exchange for lots of noise above 100 kHz. A soft roll-off analog filter takes care of the content above 100 kHz.
I suspect that ultrasound in this context really means 16 kHz or so, at volumes that are too low for the ear, but easily picked up by a microohone and some signal processing.
Re: (Score:3)
According to TFA the range is 18-20kHz, with 75Hz bands that represent individual symbols. Most TVs can produce 20kHz sounds, and you probably wouldn't hear them. Even if you can hear a 20kHz tone over headphones in a quiet room, with the noise of a commercial mixed in and the audio played at low volume you won't notice.
I'm more sceptical that typical laptop speakers could produce such high pitch noises, but I guess for Tor attacks you could use lower frequencies. The TV ads need to work at a few metres ran
Re:Is this theoretical? (Score:4, Informative)
This! As somewhat of an audio engineer I know various speaker drivers very well, and laptop speakers essentially never have advertised frequency responses above 20KHz. And you're right, realistically, it's more like 18Khz with a steep drop off after 16KHz. Many people can hear 20KHz -- I've done tone tests and found I can hear up to 22KHz. So what speakers is this person using and what manner of computer has this kind of built in tweeters?
You guys realize this is not some theoretical flight of fancy, right? It's being used today for ad tracking: http://arstechnica.com/tech-policy/2015/11/beware-of-ads-that-use-inaudible-sound-to-link-your-phone-tv-tablet-and-pc/ [arstechnica.com]
Apps using SilverPush [addonsdetector.com]
Re: (Score:3)
"The inaudible code is recognized and received on the other smart device by the software development kit installed on it."
So the other device has to be compromised as well which at least complicates delivery of this attack to targets.
Although they claim:
As of April of 2015, SilverPush’s software is used by 67 apps and the company monitors 18 million smartphones.
Maybe true, maybe marketing.
Re: (Score:2)
What kind of audio source did you use to find that you can hear 22 kHz? Unless you have an ultra low noise analog sine wave generator and amplifier, you are likely to hear noise, artifacts of the DA converter, and effects of clipping when you crank up the volume. The stated limit of 20 kHz for the human ear is the frequency where the pain threshold and the hearing threshold coincide for an average young person, so it is likely that you need >110 dB SPL to have any chance of hearing above 20 kHz. A device
Re: (Score:2)
Re: (Score:2)
Right. Most people who 'hear' in the 20-28KHz range are picking up that their ear bones are vibrating a bit and that can get translated into sound but it's not real 'hearing' at the high frequencies.
For the vast majority of the population, there's plenty of bandwidth in the 12-16KHz range that speakers can reproduce and most people wouldn't discriminate from fan noise on the system.
I've never got a good answer as to WHY... (Score:3, Insightful)
explain to me why we even have browsers that allow javascipt to 'play audio' without permission in the first F***ing place?
The entire reason I started to use adblock in the first place (I 'theoretically' highly approve (both morally and economically, etc.) of ad-supported content) was because I worked phone support and could browse the internet while telling people to plug the cable back in and try rebooting.... and then I started to get NOTHING but flash ads that would play audio (while I was on the call) so I got firefox 0.x.x.x when it was released and got adblock plugin as soon as it was released.
To this day I still -want- to be able to allow ads.... but 3rd party ads are just too much of a 1) security risk 2) annoyance risk and 3) usability interruption risk (ads that redirect the page (especially on mobile)
and just wait.... HTML5 'all JS' pages will start to come soon (other than sites located in California which THANK the GODS has a law stating sites must be text browsable for usability (handicapped) reasons.... which ends up just helping everyone...
Re: (Score:2, Funny)
Since you receive desired content on web pages, it is your moral obligation to allow the ads to play. They play sounds and display video to capture and hold you attention long enough for the message to get into your brain for processing, and paying attention to this is your end of the social contract built around ad-supported content.
Allowing the tracking is also obligatory on your part.
You can protect yourself from viruses and such by running such tools as McAfee antivirus, and also by keeping your browsi
How is this even legal? (Score:2)
Oh, I forgot. They donate more to congressclowns than I do.
Re: (Score:2)
They're installing software I don't know about on my phone/laptop, then using that software to send personal ID details to unknown servers. This has to fall under at least one of the myriad hacking laws we already have on the books.
If the FBI does it, yes. A law recently activated that lets them legally try to hack someone using Tor or anything else that could hide traffic (like, perhaps a VPN).
Re: (Score:2)
Save us APK! (Score:2, Funny)
You're our only hope :(
Attack model (Score:2)
Re: (Score:2)
No it doesn't. You are at a cafe that has microphones installed at the tables for voice-activated ordering. That infrastructure, along with the GPS data that is constantly tracking you, pinpoints you...
Re: (Score:2)
In a cafe, I'll either be muted, or be using earbuds/headphones
Re: (Score:2)
This attack model assumes there is an app on the phone able to listen all time for ultrasounds. Obviously granting microphone access to an app is dangerious and should not be taken lightly.
They already exist! Leave it to ad agencies to beat the government to the punch on tracking out lives. Best part is we stupidly agree to it (or just don't read the fine print when installing some crap app on our phones)
One thing iOS does that I wish Android did is they way they handle applications using the microphone. Not only do you need to grant mic permissions, when an app uses the mic, the status bar changes color, continuously flashes if the app is in the background, and it adds a banner under the
Re: (Score:2)
This attack model assumes there is an app on the phone able to listen all time for ultrasounds.
TFA suggests that this even is the case for many phones already: they say many advertising APIs (which programmers simply link to in order to get ads in their apps) already include ultrasound listening options. This is supposedly yet another way for the advertisement provider to get more information on individual users, in this case by linking separate devices as belonging to the same user.
Audio compression? (Score:2)
Why is ultrasound being preserved in compressed audio? Unless they are hinging on uncompressed au or wav formats?
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
The flippant response is that there is a large and lucrative idiot market out there, and someone was bound to go after it sooner or later.
The better answer is that we have two ears. By limiting audio signals to the hearing range of a single ear, we lose the ability to capture and reproduce subtle phase information. This is an unexpected side benefit of the 48k audio being sold to the morons mentioned above.
javascript. fully stop. details don't matter. (Score:4, Insightful)
JavaScript code
Stop right there. That's all you have to say.
If you're trying to be anonymous and then letting unknown untrusted parties run scripts on your computer, you are (a) a colossal idiot, and (b) not actually anonymous at all. This is one of about a thousand ways to de-anonymize you. The details hardly matter: if it's not this, it's the next, or the next.
Turning javascript off by default is a good idea even if you are NOT trying to be anonymous, due to the endless stream of exploits it has enabled, but especially when you are trying to be anonymous, don't run that shit!.
I don't know who they're going to catch with this. (Score:2)
Detectors and Countermeasures (Score:2)
Huh? (Score:2)
Defense: Unplug speakers or headphones (Score:2)
Can't do that because you are on a laptop? Too bad, you are screwed.
Re: (Score:2)
Can't do that because you are on a laptop? Too bad, you are screwed.
Stick a 3.5mm plug into the headphone jack. solved.
Re: (Score:2)
Stick a 3.5mm plug into the headphone jack. solved.
I'm not convinced - on my galaxy note at any rate - that this is guaranteed to work.
I've noticed that when I push the plug in, it detects the plug being inserted and then switches the sound from the internal speakers. I'm not convinced that, unlike old fashioned radios, inserting the plug physically disconnects the internal speakers.
But I could be wrong - it's something I've noticed in passing rather than something I've been looking out for.
Re: (Score:2)
on laptops it is not. You can activate both speakers and headphones in the mixer. Maybe not (that easy) on windows, but on linux there is no problem. It's a feature, not a bug.
Re: (Score:2)
Unless that is done by the firmware of the sound-chip. Then it may be possible to hack it. Have you verified this?
Re: (Score:2)
Nothing depending on software is secure here. Remember that this is an attack, and while the required zero-days my initially only be available to nation-state-level criminals, they often become the tools of other hackers pretty fast.
Wouldn't it be more cost-effective . . . (Score:2)
Alternatively (Score:2)
Alternatively you could just have an ad that screams "hey, this evil hacker is using evil hacking tools!" at full volume.
I certainly leave the volume on my computer turned up nice and high when I'm browsing questionable content in public.
So this is why my ... (Score:2)
... dogs bark during that goddam Weight Watchers commercial!
Quick fix (Score:2)
Plug headphones into laptop. Alternatively, get some old headphones, chop the jack off and plug that in.
Bourne Movie? (Score:2)
Didn't I see this in the last Bourne movie? And here I thought that was just they typical Hollywood tech cluelessness.
Non-problem? (Score:2)
I wonder, though: how many people surf with their sound on? Most people I see (granted, not a representative sample) either have headphones or have the sound off, so as not to disturb everyone around them. If I were surfing something via Tor, i.e., sensitive, then I'd be double sure not to have publicly audible sound.
The worthless power of Privacy Advocates. (Score:3)
"Advertisers use uXDT in order to link different devices to the same person and create better advertising profiles so to deliver better-targeted ads in the future"
If any citizen were caught deploying this kind of tech to electronically profile the masses, they would be labeled a terrorist and locked up for life. But hey, spend a few hundred and file your questionable activities under a corporation, and it's ALL good! What a fucking joke of a loophole.
I swear, reading about shit like this makes me wonder what power privacy advocate groups really wield anymore.
I could see this used for the Amazon Echo (Score:2)
Also the XBone.
Other than that how many other apps keep microphones open and recording?
And not so much hackers as they are paranoid. But it would be a good tactic for finding and tracking Journalists.
Journalists can be quite dim; just look at the one that released his key for the the Manning data in a book.
Could this be circumvented by... (Score:2)
Re: (Score:2)
Missing the obvious? (Score:2)
Insufficiently paranoid? (Score:2)
I would have thought that anyone serious about using Tor, would also be savvy and suspicious enough to have data turned off on their smartphones and tablets when it's not being used. I don't even use Tor, but WiFi and cellular data on my phone are turned on only when I'm browsing or emailing. As for computers, any cameras are taped over, and microphones are unplugged, or, in the case of a laptop, muted.
Why??? (Score:3)
These second-stage devices, who silently listen in the background, will interpret these ultrasounds, which contain hidden instructions, telling them to ping back to the advertiser's server with details about that device.
Why are people not in prison for this?
Ridiculous (Score:2)
Wont work for me either (Score:2)
The only microphone I have is the microphone in my Nokia N900 and I doubt the N900 and its ancient web browser could run any of whatever backend code has to listen for the special sound.
Re: (Score:2)
The only microphone I have is the microphone in my Nokia N900 and I doubt the N900 and its ancient web browser could run any of whatever backend code has to listen for the special sound.
All you people are rubes! I use a can and a string...
Re: (Score:2)
Wait! (Score:2)
Re: (Score:3)
Tor is transport.
Re: (Score:2)
My thoughts exactly.... Plus, why would I have sound unmuted. That's just asking for a bunch of porn ads to start blasting out moans and that hot married women near me want to bone.
Yes, the technique has a degree of merit in that it may work, but it's another one of those solutions that will only catch the dumbest of the dumb.
Re: (Score:2)
That is what you think. Actually it will be something like 6dB/octave dampening, so it still puts out about 12% of maximum volume at 24kHz. Receiving ultrasound is easier than normal sound, as there is less of it around in a normal environment. And in this application there is no need to worry about signal quality, a straight rectangle signal will do just fine, because of the dampening. The next generation of this malware will probably use ultra-wideband audio-pulses and be even more resilient.
Re: (Score:3)
as there is less [ultrasound] around in a normal environment.
Is that true? How do you know?
I hope this claim isn't based on the fact that you normally don't hear any ultrasound in your normal environment...
I for one can think of a crapton of stuff in my 'normal environment' that likely emits ultrasound, first and foremost every switching PSU (except the crappy ones that switch in the audible spectrum, producing a sound like a muted TV....)
Re: (Score:2)
So that's why Apple is killing the headphone jack!
Re: (Score:3, Insightful)
What are these ads or javascripts that run on my machine without me knowing about them? Do people actually surf the web without crippling the sites that attempt to do so?
That's like web aids, or web gonorrhea .For gods sake, strap on some protection!
Re: (Score:2)
For most people, the disadvantages of wearing a tinfoil hat all the time outweigh the benefits. Believe it or not they actually like being able to use web sites without them being horribly broken. Crazy, I know.
What really is hard to understand is why the Tor browser, at least on Tails, seems to have Javascript enabled by default. If the user has gone to the effort of using Tor, it seems reasonable to require them to whitelist manually.
Re: (Score:2)
I was surprised by this the first time I installed Tor Browser as well.
US-emitting tabs. (Score:2)
Even if some pages emit ultrasound - others will play sound and remind me to always mute.
And the default behaviour in firefox is to display a small "speaker" icon next the title of any tab that plays audio.
You can cut the audio off simply by clicking on the icon.
On android, the non-focused tabs don't even play audio by default (it's not possible to listen to music in a background tab).
Even if some PCs emits ultrasound, who will leave a mic on and run receiving sw? Not me, for sure.If this gets popular, muting the mic will be standard . . .
The thing is : YOU might not be in control of the mic (that does the recording).
The whole point is locating YOUR laptop. So by definition, the mic that is doing the recording is on some other hardware.
- That could
Re: (Score:2)
My crappy Dell laptop speakers are limited to about 3 kHz.
I have some fairly decent speakers but they still don't do anything outside human range hearing, probably don't go above 16k. How do they think they are going to get it to do ultrasound?
How does the receiver work? (Score:2)
I understand how ads could emit these sounds, but how do advertisers install apps on your device to pick them up and phone home? Is this capability built into iOS and Android, or do they work with handset manufacturers?
Re: (Score:2)
According to Mavroudis, the mobile phone must have an app installed that has embedded one of the many advertising SDKs that include support for uXDT.
I guess advertisers probably pay app developers to include the toolkit. I really hope it's not in the OS.
Re: (Score:2)
It is part of the advertising SDKs in some apps that you install from the app stores. The idea is that if the advertising network can link the tracking cookie IDs on your devices (e.g. sending a signal on your desktop and picking it up on your phone), they can build a better profile on you with more targeted ads.
Silverpush is one SDK that does that though there are several others. You can find some apps that use it here, though they are mostly junk apps: https://public.addonsdetector.... [addonsdetector.com]
Re: (Score:2)
It isn't built into phones (that I know of) ... Do you have the Facebook App installed? Any "Rewards" apps? This is the channel they are using. Any apps that causes the phone to prompt "allow access to microphone" has the potential to do this. I believe that iOS apps can only listen when running in the foreground.
When you are creating a Post on FB - FB is listening for songs and TV/Movies. Think Shazam. If they recognize something they suggest a tag "You are listening to XYZ song" I swear a few
/. is getting slow with actual news (Score:3)
Clearly, this is now a problem with all the always-on listening devices that are now becoming wide spread! Barbie dolls that listen, Google, Amazon are listening all the time.
Then you have permissions given to websites, apps on other devices plus security holes for when permission is not given. Don't forget company policy changes which can turn allowed permissions against you without your knowledge (unless you are a lawyer and read updated user agreements... many which are broad and vague already.)
So now G
Re: (Score:2)
it isn't slow, but there was a recent presentation at the big hacker event in hamburg, bringing up the topic again.
Re: (Score:3)
What devices/apps listen, and how do I disable them?
All of them, a hammer.
Re: (Score:2)
Re: (Score:2)
The NSA even used a firefox zeroday. So you're better too paranoid.
Re: (Score:2)
Run Tor in a VM without audio support (Score:2)
A relatively simple, if not 100% secure solution. Download your favourite anonymizing live USB distribution and run it under a virtual machine with only the bare minimum of media support (e.g. disable any virtual sound card option). Enable at most a generic VGA video driver using a resolution different from your default monitor aspect or resolution. Run the browser with ad-blockading software and JavaScript white-listing only. The attacker will of course realize of course that you're using a VM.
Re: (Score:2)
That'll work but it's overkill. This particular technique can be defeated by muting audio at the OS level - even just for the browser.
Re: Run Tor in a VM without audio support (Score:2)
It is not far fetched at all! Chromecast has already offered my phone to recognize it via sound via the chromecast app. So it is already implemented as standard practice. There is no bottom to the depths ...
Re: Run Tor in a VM without audio support (Score:3, Informative)
Re: (Score:3)
Or turn off JavaScript if yow want to remain anonymous on Tor.
Re: (Score:2)
Re: (Score:2)
Maybe you should watch the presentation recording.
Re: (Score:2)
The browser isn't the only attack vector. Imagine, you download a message from snowden as video via tor (okay okay ...) and watch it with sound on your pc. The NSA inserted a ultrasound-id in YOUR download and your phone receives the id and reports its IMEI to the advertiser, which cooperates with the NSA.