Ultrasounds emitted by ads or JavaScript code hidden on a page accessed through the Tor Browser can deanonymize Tor users by making nearby phones or computers send identity beacons back to advertisers, data which contains sensitive information that state-sponsored actors can easily obtain via a subpoena.
This attack model was brought to light towards the end of 2016 by a team of six researchers, who presented their findings at the Black Hat Europe 2016 security conference in November and the 33rd Chaos Communication Congress held last week.
Their research focuses on the science of ultrasound cross-device tracking (uXDT), a new technology that started being deployed in modern-day advertising platforms around 2014.
uXDT relies on advertisers hiding ultrasounds in their ads. When the ad plays on a TV or radio, or some ad code runs on a mobile or computer, it emits ultrasounds that get picked up by the microphone of nearby laptops, desktops, tablets or smartphones.
These second-stage devices, who silently listen in the background, will interpret these ultrasounds, which contain hidden instructions, telling them to ping back to the advertiser's server with details about that device.
-- submitted from IRC
(Score: 2) by MrGuy on Monday January 09 2017, @01:27PM
Everything has "soft" controls and "soft" indicators (if they have ANY indicators) these days. Soft controls can be bypassed. Soft indicators (e.g. a light that goes on when your camera is recording) can be programmed to lie.
What we need is hardware controls, for both the microphone and camera. I want to switch it off and have that mean it's OFF, and cannot be turned on until I re-enable it with the hard switch. And indicators that are hard wired in a way that can't be bypassed (e.g. an LED that's powered by the same power lead as the camera).
This is not hard to do. But for some reason consumers continue to not demand it, so suppliers continue to not to build these reasonable security features into their products.
(Score: 2) by Runaway1956 on Monday January 09 2017, @01:51PM
"I want to switch it off and have that mean it's OFF"
Posted above: my audio card is turned off in BIOS. No sound device is attached to my audio. All sound is provided via USB. When I want sound turned off, I simply unplug USB. No sound, whether audible, ultra, subsonic, or whatever. None.
Further, there is no camera attached to my computers. My most frequent need for a camera is for a "magnifying glass". I saw this USB microscope advertised, and bought it - works pretty good, and when I unplug it, it can't be turned on remotely. In the case of a laptop, I suppose you could snip a wire to the camera, then rely on USB.
The bad guys need to be pretty slick to make my hardware spy for them.
(Score: 2) by tangomargarine on Monday January 09 2017, @04:05PM
and when I unplug it, it can't be turned on remotely.
Cutting off its power source usually works pretty well. Unless of course it's physically built into the device and/or has a battery.
Wrapping stuff in tin foil is sounding less crazy every day. How much of a barrier do you have to put around a cell phone to block the signal anyway? Considering that basically going into a room in any random house without windows is often enough to do it :P
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 2) by tangomargarine on Monday January 09 2017, @04:13PM
anecdata of potato chip bag blocking [ubuntuforums.org]
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 2) by Arik on Monday January 09 2017, @04:43PM
If laughter is the best medicine, who are the best doctors?
(Score: 2) by Osamabobama on Tuesday January 10 2017, @12:43AM
If you're just trying to block the ultrasonic audio tags, the faraday bags aren't the best option. A pillow would be a good low-pass filter, but a shoebox might work just as well. Ultrasonic audio is easily attenuated.
Appended to the end of comments you post. Max: 120 chars.
(Score: 0) by Anonymous Coward on Tuesday January 10 2017, @07:42PM
in BIOS = in software. So in principle a malware could silently enable it. Not having any suitable hardware attached is, of course, a hurdle even the most sophisticated software is unlikely to circumvent ;-)
(Score: 2) by Scruffy Beard 2 on Monday January 09 2017, @02:30PM
I suspect that this whole thing is made possible by "HD Audio". There is no reason for supporting ultrasonics other that traitor tracing and inter-species communication.
(Score: 4, Funny) by bob_super on Monday January 09 2017, @06:21PM
Our neighborhood got a lot quieter after cell phones added enough ultrasound range for the dogs to just call each other.
We had tried to teach them to text, but not everyone has an IP68 phone.
(Score: 2) by Bot on Tuesday January 10 2017, @02:50AM
NO don't teach them to text, they will be prank messaged by cats if you do.
Account abandoned.
(Score: 1, Informative) by Anonymous Coward on Monday January 09 2017, @08:59PM
They're usually not so much ultrasonic as so high that most people don't notice them or think it's just a hardware whine. A large part of why that's possible is that the manufacturer needs to be able to output all the possible frequencies in the spec and the people writing the spec years ago, weren't planning on these more obscure eventualities.
Personally, I don't have a microphone attached to my computer except when I'm actually wanting to use it. The bigger problem is devices like tablets and smart phones that have it built in.