date 2017-01-05

 


Ultrasound Tracking Could Be Used To Deanonymize Tor Users (bleepingcomputer.com) 48

Posted by BeauHD from the nobody-is-safe dept.
New submitter x_t0ken_407 quotes a report from BleepingComputer: Ultrasounds emitted by ads or JavaScript code hidden on a page accessed through the Tor Browser can deanonymize Tor users by making nearby phones or computers send identity beacons back to advertisers, data which contains sensitive information that state-sponsored actors can easily obtain via a subpoena. This attack model was brought to light towards the end of 2016 by a team of six researchers, who presented their findings at the Black Hat Europe 2016 security conference in November and the 33rd Chaos Communication Congress held last week. Their research focuses on the science of ultrasound cross-device tracking (uXDT), a new technology that started being deployed in modern-day advertising platforms around 2014. uXDT relies on advertisers hiding ultrasounds in their ads. When the ad plays on a TV or radio, or some ad code runs on a mobile or computer, it emits ultrasounds that get picked up by the microphone of nearby laptops, desktops, tablets or smartphones. These second-stage devices, who silently listen in the background, will interpret these ultrasounds, which contain hidden instructions, telling them to ping back to the advertiser's server with details about that device. Advertisers use uXDT in order to link different devices to the same person and create better advertising profiles so to deliver better-targeted ads in the future. The attack that the research team put together relies on tricking a Tor user into accessing a web page that contains ads that emit ultrasounds or accessing a page that contains hidden JavaScript code that forces the browser to emit the ultrasounds via the HTML5 Audio API.

  • Just when you thought (Score:5, Insightful)

    by waspleg ( 316038 ) on Thursday January 05, 2017 @07:48PM (#53614345) Journal

    ads couldn't be any fucking worse...

    • What are ads? I haven't seen them in so long that I forgot.

      Good to see some real info on hacking on here for once, even if it's a bit dated. I was getting sick of talking about phishing scams and the idiots who fall for them.

  • I doubt my crappy speakers can emit anything in that frequency. Even then, my phone's mic is probably not up to the task.

    Besides, I'm sure those who are worried could buy/build a filter to remove audio in that frequency.

  • Lots of sophistication required here (Score:1)

    by Anonymous Coward

    Anyone who's paranoid enough to use Tor should also be blocking ads and trackers in order to make this difficult. Tor isn't a magic bullet for privacy. You have to take other measures, too.

    Also, this requires that other devices be listening and possibly compromised. It doesn't seem like other devices should be listening for ultrasonic signals and sending data based on them unless they've already been compromised.

    Yes, it's been established that, with extreme skill, malware can jump the air gap. However, this

    • Re: (Score:1)

      by Anonymous Coward

      Anyone who's paranoid enough to use Tor should also be blocking ads and trackers in order to make this difficult.

      And should be blocking ALL JAVASCRIPT, period, so a site can't sneak its own little ultrasonic .js file past the ad blocker.

  • How to block (Score:1)

    by Anonymous Coward

    What devices/apps listen, and how do I disable them?

    • I understand how ads could emit these sounds, but how do advertisers install apps on your device to pick them up and phone home? Is this capability built into iOS and Android, or do they work with handset manufacturers?

      • According to Mavroudis, the mobile phone must have an app installed that has embedded one of the many advertising SDKs that include support for uXDT.

        I guess advertisers probably pay app developers to include the toolkit. I really hope it's not in the OS.

      • Re: (Score:2)

        by bragr ( 1612015 ) *

        It is part of the advertising SDKs in some apps that you install from the app stores. The idea is that if the advertising network can link the tracking cookie IDs on your devices (e.g. sending a signal on your desktop and picking it up on your phone), they can build a better profile on you with more targeted ads.

        Silverpush is one SDK that does that though there are several others. You can find some apps that use it here, though they are mostly junk apps: https://public.addonsdetector.... [addonsdetector.com]

    • Clearly, this is now a problem with all the always-on listening devices that are now becoming widespread! Barbie dolls that listen, Google, Amazon are listening all the time.

      Then you have permissions given to websites, apps on other devices plus security holes for when permission is not given. Don't forget company policy changes which can turn allowed permissions against you without your knowledge (unless you are a lawyer and read updated user agreements... many which are broad and vague already.)

      So now G

  • I understand this is theoretically possible but what speakers in these devices have powerful ultrasonic blasters? Unless they're doing some form of distance measuring, the majority of speakers is limited well under 18kHz with the response curve dropping sharply after that.

    • This! As somewhat of an audio engineer I know various speaker drivers very well, and laptop speakers essentially never have advertised frequency responses above 20KHz. And you're right, realistically, it's more like 18KHz with a steep drop off after 16KHz. Many people can hear 20KHz -- I've done tone tests and found I can hear up to 22KHz. So what speakers is this person using and what manner of computer has this kind of built-in tweeters?

      • And isn't there a cut-off filter in the DACs used by phones/computers to filter out anything above the Nyquist sampling rate? Or is that frequency so high nowadays due to oversampling that it's in the ultrasound range?

  • I've never got a good answer as to WHY... (Score:1)

    by Anonymous Coward

    Explain to me why we even have browsers that allow javascript to 'play audio' without permission in the first F***ing place?

    The entire reason I started to use adblock in the first place (I 'theoretically' highly approve (both morally and economically, etc.) of ad-supported content) was because I worked phone support and could browse the internet while telling people to plug the cable back in and try rebooting.... and then I started to get NOTHING but flash ads that would play audio (while I was on the call)

  • this is bullshit. a cop / law enforcement could use this to walk around and receive identity information without even needing to interferometry scan your brain/DNA/pocket book full of ID/credit cards/cellphone etc.

    this also enables low tech citizens to perform the same feat. often times once a low tech person has info about you such as tracking ID, IP address, phone number, address, name, social security number, date of birth+location information, or email address they can take that to databases and find ou

  • They're installing software I don't know about on my phone/laptop, then using that software to send personal ID details to unknown servers. This has to fall under at least one of the myriad hacking laws we already have on the books.

    Oh, I forgot. They donate more to congressclowns than I do.

    • They're installing software I don't know about on my phone/laptop, then using that software to send personal ID details to unknown servers. This has to fall under at least one of the myriad hacking laws we already have on the books.

      If the FBI does it, yes. A law recently activated that lets them legally try to hack someone using Tor or anything else that could hide traffic (like, perhaps a VPN).

  • This attack model assumes there is an app on the phone able to listen all the time for ultrasounds. Obviously granting microphone access to an app is dangerous and should not be taken lightly.

    • No it doesn't. You are at a cafe that has microphones installed at the tables for voice-activated ordering. That infrastructure, along with the GPS data that is constantly tracking you, pinpoints you...

  • Why is ultrasound being preserved in compressed audio? Unless they are hinging on uncompressed au or wav formats?

    • They might not be sending any audio at all. A software signal generator capable of producing only a single tone (or maybe two tones if you don't want to use silence as one of your bit states) is not complex.

  • I Tor with javascript disabled, and I'm not even a pedophile / drug dealer.

  • Certainly the ads have no idea if there is a device listening for them and will broadcast anyway. I suppose ultrasound detectors could detect the activity. Maybe you could spam with some conventional source of ultrasound to drown these devices with indecipherable noise. Or just the network approach, whatever.

  • That relies on people being stupid enough to leave compromised apps running on a machine with a microphone, and only tells you what broadcast coverage area the user is in... it's not like it narrows the location down that much! If you've got a compromised app constantly sending data over the internet, wouldn't it be easier to just trace the IP packets back to the source?
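
Several comments above raise ultrasound detectors, filtering and the Nyquist limit as the defensive angle. The following is an added example, not part of the original thread or the researchers' work: a small JavaScript detector that scans a PCM buffer for narrow-band tones between 18 kHz and the Nyquist limit using the Goertzel algorithm. The function names, the 18 kHz band edge and the amplitude threshold are assumptions, and the sample buffer is constructed.

```javascript
// Added example: scan a PCM buffer for narrow-band near-ultrasonic tones.
// lowHz and minAmplitude are illustrative assumptions, not values from the research.

// Goertzel algorithm: squared magnitude of one frequency bin, normalised so a
// sine of amplitude A sitting exactly on the bin yields A*A/4.
function goertzelPower(samples, sampleRate, freq) {
  const coeff = 2 * Math.cos((2 * Math.PI * freq) / sampleRate);
  let s1 = 0, s2 = 0;
  for (const x of samples) {
    const s0 = x + coeff * s1 - s2;
    s2 = s1;
    s1 = s0;
  }
  const power = s1 * s1 + s2 * s2 - coeff * s1 * s2;
  return Math.max(0, power) / (samples.length * samples.length);
}

// Probe every bin from lowHz up to the Nyquist limit (sampleRate / 2); sampled
// audio cannot represent anything above that, so 44.1 kHz tops out at 22.05 kHz.
function findNearUltrasonicTones(samples, sampleRate, lowHz = 18000, minAmplitude = 0.01) {
  const stepHz = sampleRate / samples.length; // bin resolution of this buffer
  const hits = [];
  for (let f = lowHz; f < sampleRate / 2; f += stepHz) {
    const amplitude = 2 * Math.sqrt(goertzelPower(samples, sampleRate, f));
    if (amplitude >= minAmplitude) hits.push({ freq: Math.round(f), amplitude });
  }
  return hits;
}

// Constructed sample input: sum of sine tones given as [frequencyHz, amplitude].
function makeTestBuffer(sampleRate, length, tones) {
  const buf = new Float32Array(length);
  for (let i = 0; i < length; i++) {
    for (const [freq, amp] of tones) {
      buf[i] += amp * Math.sin((2 * Math.PI * freq * i) / sampleRate);
    }
  }
  return buf;
}

// 100 ms at 44.1 kHz: a loud audible 1 kHz tone plus a faint 18.5 kHz carrier.
const demoBuffer = makeTestBuffer(44100, 4410, [[1000, 0.8], [18500, 0.05]]);
console.log(findNearUltrasonicTones(demoBuffer, 44100));
```

In a browser the same functions can be fed from `AnalyserNode.getFloatTimeDomainData()`. Real recordings are not bin-aligned, so a tone will also leak into neighbouring bins; applying a window to the buffer first narrows that.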

