New submitter x_t0ken_407 quotes a report from BleepingComputer: Ultrasounds emitted by ads or JavaScript code hidden on a page accessed through the Tor Browser can deanonymize Tor users by making nearby phones or computers send identity beacons back to advertisers, data which contains sensitive information that state-sponsored actors can easily obtain via a subpoena. This attack model was brought to light towards the end of 2016 by a team of six researchers, who presented their findings at the Black Hat Europe 2016 security conference in November and the 33rd Chaos Communication Congress held last week. Their research focuses on the science of ultrasound cross-device tracking (uXDT), a new technology that started being deployed in modern-day advertising platforms around 2014. uXDT relies on advertisers hiding ultrasounds in their ads. When the ad plays on a TV or radio, or some ad code runs on a mobile or computer, it emits ultrasounds that get picked up by the microphone of nearby laptops, desktops, tablets or smartphones. These second-stage devices, which silently listen in the background, will interpret these ultrasounds, which contain hidden instructions, telling them to ping back to the advertiser's server with details about that device. Advertisers use uXDT in order to link different devices to the same person and create better advertising profiles so as to deliver better-targeted ads in the future. The attack that the research team put together relies on tricking a Tor user into accessing a web page that contains ads that emit ultrasounds or accessing a page that contains hidden JavaScript code that forces the browser to emit the ultrasounds via the HTML5 Audio API.
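The emit-and-listen exchange the summary describes, as an added example that is not code from the article, from BleepingComputer or from the researchers: a beacon encoder standing in for the page's hidden script, and the single-frequency (Goertzel) receiver an advertising SDK would run over the microphone feed, plus the band sweep a detector app would use. It works on plain PCM sample arrays rather than the Web Audio API so it runs offline under Node.js; the 18.5/19.5/20 kHz carriers, the 50 ms symbol, the 16-bit id, the 440 Hz "room audio" and every function name are my own assumptions, not anything a real SDK is documented to use.

```javascript
// Added example (not from the article or from the researchers' tooling):
// a model of an ultrasonic cross-device beacon and of the SDK-side receiver,
// working on raw PCM arrays so it runs with plain Node.js, no browser needed.
// Frame layout, carrier frequencies, symbol length and thresholds are my own
// assumptions for illustration; real SDKs use their own undocumented schemes.

const SAMPLE_RATE = 44100;   // common device output rate
const SYMBOL_LEN = 2205;     // 50 ms per symbol (assumed)
const F_PREAMBLE = 20000;    // start-of-frame tone (assumed)
const F_ZERO = 18500;        // bit-0 carrier, above most adults' hearing (assumed)
const F_ONE = 19500;         // bit-1 carrier (assumed)
const ID_BITS = 16;          // width of the beacon identifier (assumed)

// Append SYMBOL_LEN samples of a pure tone at `freq` to `out`.
function appendTone(out, freq, amplitude) {
  for (let i = 0; i < SYMBOL_LEN; i++) {
    out.push(amplitude * Math.sin((2 * Math.PI * freq * i) / SAMPLE_RATE));
  }
}

// Emitter side: the sample stream a hidden script would hand to the speaker
// (in a browser this would go through the Web Audio API). Preamble, then the
// id bits MSB first, each bit as one FSK symbol.
function encodeBeacon(id, amplitude = 0.2) {
  const out = [];
  appendTone(out, F_PREAMBLE, amplitude);
  for (let b = ID_BITS - 1; b >= 0; b--) {
    appendTone(out, (id >> b) & 1 ? F_ONE : F_ZERO, amplitude);
  }
  return out;
}

// Goertzel algorithm: power of samples[start, start+len) at one frequency.
// Cheaper than an FFT when only a few bins matter, which is why it suits an
// always-on listener running in the background on a phone.
function goertzelPower(samples, start, len, freq) {
  const coeff = 2 * Math.cos((2 * Math.PI * freq) / SAMPLE_RATE);
  let s1 = 0, s2 = 0;
  for (let i = 0; i < len; i++) {
    const s0 = samples[start + i] + coeff * s1 - s2;
    s2 = s1;
    s1 = s0;
  }
  return s1 * s1 + s2 * s2 - coeff * s1 * s2;
}

// Share of a window's energy sitting at `freq`: 0.5 for a pure tone, ~0 if absent.
function toneFraction(samples, start, freq) {
  let energy = 0;
  for (let i = 0; i < SYMBOL_LEN; i++) energy += samples[start + i] ** 2;
  if (energy === 0) return 0;
  return goertzelPower(samples, start, SYMBOL_LEN, freq) / (SYMBOL_LEN * energy);
}

// Receiver side: what an SDK listening on the microphone would do. Finds the
// window with the strongest preamble, then decides each bit by comparing the
// two carriers. Returns the id, or null when no beacon is present.
function decodeBeacon(samples, hop = 441, threshold = 0.01) {
  const frameLen = SYMBOL_LEN * (ID_BITS + 1);
  let bestStart = -1, bestScore = threshold;
  for (let start = 0; start + frameLen <= samples.length; start += hop) {
    const score = toneFraction(samples, start, F_PREAMBLE);
    if (score > bestScore) { bestScore = score; bestStart = start; }
  }
  if (bestStart < 0) return null;
  let id = 0;
  for (let b = 0; b < ID_BITS; b++) {
    const start = bestStart + SYMBOL_LEN * (b + 1);
    const p0 = goertzelPower(samples, start, SYMBOL_LEN, F_ZERO);
    const p1 = goertzelPower(samples, start, SYMBOL_LEN, F_ONE);
    id = (id << 1) | (p1 > p0 ? 1 : 0);
  }
  return id;
}

// Detector side (what a countermeasure app could run on mic input): the
// largest energy share found at any 18-21 kHz tone in any window.
function maxUltrasonicFraction(samples, hop = 441) {
  let worst = 0;
  for (let start = 0; start + SYMBOL_LEN <= samples.length; start += hop) {
    for (let f = 18000; f <= 21000; f += 500) {
      worst = Math.max(worst, toneFraction(samples, start, f));
    }
  }
  return worst;
}

// Constructed "room audio": an audible 440 Hz tone standing in for a video's
// soundtrack, with the beacon mixed in after a lead-in of plain audio.
function mixIntoAudible(beacon, leadIn = 1000, audibleAmp = 0.5) {
  const total = 2 * leadIn + beacon.length;
  const out = new Array(total);
  for (let i = 0; i < total; i++) {
    const b = i >= leadIn && i < leadIn + beacon.length ? beacon[i - leadIn] : 0;
    out[i] = audibleAmp * Math.sin((2 * Math.PI * 440 * i) / SAMPLE_RATE) + b;
  }
  return out;
}

// Stand-alone run: a page emits id 0xBEEF, the phone next to it recovers it
// from the mix, and the detector reports how much energy sat above 18 kHz.
const room = mixIntoAudible(encodeBeacon(0xbeef));
console.log(decodeBeacon(room).toString(16), maxUltrasonicFraction(room).toFixed(3));
```

The design point worth taking from this: the listener never needs the audible content, it only needs a few narrow bins between 18 and 20 kHz, so checking them with Goertzel is cheap enough to run continuously. The same `toneFraction` check, swept across the band, is all a detector app needs to flag that something in the room is emitting a tracking tone.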
The only microphone I have is the microphone in my Nokia N900 and I doubt the N900 and its ancient web browser could run any of whatever backend code has to listen for the special sound.
All you people are rubes! I use a can and a string...
Just when you thought (Score:5, Insightful)
ads couldn't be any fucking worse...
What are ads? I haven't seen them in so long that I forgot.
Good to see some real info on hacking on here for once, even if it's a bit dated. I was getting sick of talking about phishing scams and the idiots who fall for them.
Speakers (Score:1)
I doubt my crappy speakers can emit anything in that frequency. Even then, my phone's mic is probably not up to the task.
Besides, I'm sure those who are worried could buy/build a filter to remove audio in that frequency.
Lots of sophistication required here (Score:1)
Anyone who's paranoid enough to use Tor should also be blocking ads and trackers in order to make this difficult. Tor isn't a magic bullet for privacy. You have to take other measures, too.
Also, this requires that other devices be listening and possibly compromised. It doesn't seem like other devices should be listening for ultrasonic signals and sending data based on them unless they've already been compromised.
Anyone who's paranoid enough to use Tor should also be blocking ads and trackers in order to make this difficult.
And should be blocking ALL JAVASCRIPT, period, so a site can't sneak its own little ultrasonic
How to block (Score:1)
What devices/apps listen, and how do I disable them?
How does the receiver work? (Score:2)
I understand how ads could emit these sounds, but how do advertisers install apps on your device to pick them up and phone home? Is this capability built into iOS and Android, or do they work with handset manufacturers?
According to Mavroudis, the mobile phone must have an app installed that has embedded one of the many advertising SDKs that include support for uXDT.
I guess advertisers probably pay app developers to include the toolkit. I really hope it's not in the OS.
It is part of the advertising SDKs in some apps that you install from the app stores. The idea is that if the advertising network can link the tracking cookie IDs on your devices (e.g. sending a signal on your desktop and picking it up on your phone), they can build a better profile on you with more targeted ads.
Silverpush is one SDK that does that though there are several others. You can find some apps that use it here, though they are mostly junk apps: https://public.addonsdetector.... [addonsdetector.com]
/. is getting slow with actual news (Score:2)
Clearly, this is now a problem with all the always-on listening devices that are becoming widespread! Barbie dolls that listen, Google, Amazon are listening all the time.
Then you have permissions given to websites, apps on other devices plus security holes for when permission is not given. Don't forget company policy changes which can turn allowed permissions against you without your knowledge (unless you are a lawyer and read updated user agreements... many of which are broad and vague already.)
Is this theoretical? (Score:2)
I understand this is theoretically possible but what speakers in these devices have powerful ultrasonic blasters? Unless they're doing some form of distance measuring, the majority of speakers are limited well under 18kHz with the response curve dropping sharply after that.
I've never got a good answer as to WHY... (Score:1)
explain to me why we even have browsers that allow JavaScript to 'play audio' without permission in the first F***ing place?
The entire reason I started to use adblock in the first place (I 'theoretically' highly approve (both morally and economically, etc.) of ad-supported content) was because I worked phone support and could browse the internet while telling people to plug the cable back in and try rebooting.... and then I started to get NOTHING but Flash ads that would play audio (while I was on the call)
so they're emitting tracking ultrasound :( (Score:1)
This is bullshit. A cop / law enforcement could use this to walk around and receive identity information without even needing to interferometry scan your brain/DNA/pocket book full of ID/credit cards/cellphone etc.
How is this even legal? (Score:2)
Oh, I forgot. They donate more to congressclowns than I do.
They're installing software I don't know about on my phone/laptop, then using that software to send personal ID details to unknown servers. This has to fall under at least one of the myriad hacking laws we already have on the books.
If the FBI does it, yes. A law recently activated that lets them legally try to hack someone using Tor or anything else that could hide traffic (like, perhaps a VPN).
Attack model (Score:2)
No it doesn't. You are at a cafe that has microphones installed at the tables for voice-activated ordering. That infrastructure, along with the GPS data that is constantly tracking you, pinpoints you...
Audio compression? (Score:2)
Why is ultrasound being preserved in compressed audio? Unless they are hinging on uncompressed au or wav formats?
I don't know who they're going to catch with this. (Score:2)
Detectors and Countermeasures (Score:2)
