Stories
Slash Boxes
Comments

SoylentNews is people

Ultrasound Tracking Could be Used to Deanonymize Tor Users

posted by on Monday January 09 2017, @11:37AM   Printer-friendly
from the it's-the-NSA,-not-a-mosquito dept.

Arthur T Knackerbracket has found the following story:

Ultrasounds emitted by ads or JavaScript code hidden on a page accessed through the Tor Browser can deanonymize Tor users by making nearby phones or computers send identity beacons back to advertisers, data which contains sensitive information that state-sponsored actors can easily obtain via a subpoena.

This attack model was brought to light towards the end of 2016 by a team of six researchers, who presented their findings at the Black Hat Europe 2016 security conference in November and the 33rd Chaos Communication Congress held last week.

Their research focuses on the science of ultrasound cross-device tracking (uXDT), a new technology that started being deployed in modern-day advertising platforms around 2014.

uXDT relies on advertisers hiding ultrasounds in their ads. When the ad plays on a TV or radio, or some ad code runs on a mobile or computer, it emits ultrasounds that get picked up by the microphone of nearby laptops, desktops, tablets or smartphones.

These second-stage devices, who silently listen in the background, will interpret these ultrasounds, which contain hidden instructions, telling them to ping back to the advertiser's server with details about that device.

-- submitted from IRC

Original Submission

 
This discussion has been archived. No new comments can be posted.
Ultrasound Tracking Could be Used to Deanonymize Tor Users | Log In/Create an Account | Top | 44 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 1) by nitehawk214 on Monday January 09 2017, @01:04PM

    by nitehawk214 (1304) on Monday January 09 2017, @01:04PM (#451425)

    Why would my phone or laptop just send information to this tracking site on it's own.

    Are they forgetting the much harder task of getting malware on every single phone and laptop in existence?

    --
    "Don't you ever miss the days when you used to be nostalgic?" -Loiosh

  • (Score: 2) by MrGuy on Monday January 09 2017, @01:32PM

    by MrGuy (1007) on Monday January 09 2017, @01:32PM (#451435)

    The idea is not that the phone/laptop does it "on its own." It's to secretly embed "listening" code into web pages (for example, as part of ads). If you have a page containing the javascript open AND an ultrasonic tag plays on your TV, then the javascript will report it.

    If your web browser is closed, or you don't have a page containing a tracking script open, your device won't be listening or report anything. But the thing advertisers (initially) and surveillance professionals (eventually) hope is that if you can make both the "listening scripts" sufficiently ubiquitous in web pages, and the "ultrasonic tags" sufficiently widespread in broadcast media, the likelihood is eventually you'll bring A into contact with B often enough for identification to be done.

    • (Score: 3, Interesting) by nitehawk214 on Monday January 09 2017, @04:20PM

      by nitehawk214 (1304) on Monday January 09 2017, @04:20PM (#451493)

      Web pages can activate a microphone? What the fuck?

      --
      "Don't you ever miss the days when you used to be nostalgic?" -Loiosh

  • (Score: 2) by EvilSS on Monday January 09 2017, @05:39PM

    by EvilSS (1456) Subscriber Badge on Monday January 09 2017, @05:39PM (#451529)
    Problem is, your phone might already have that software installed. Several companies have been playing with this technology for advertising purposes. They make SDKs that app devs can use in their apps (and, of course, get paid for using). SilverPush is one of the big "pioneers" in this arena. They claim to be backing away from it, for now. But it's out there, and it's already proven possible to do it.