Ultrasounds emitted by ads or JavaScript code hidden on a page accessed through the Tor Browser can deanonymize Tor users by making nearby phones or computers send identity beacons back to advertisers, data which contains sensitive information that state-sponsored actors can easily obtain via a subpoena.
This attack model was brought to light towards the end of 2016 by a team of six researchers, who presented their findings at the Black Hat Europe 2016 security conference in November and the 33rd Chaos Communication Congress held last week.
Their research focuses on the science of ultrasound cross-device tracking (uXDT), a new technology that started being deployed in modern-day advertising platforms around 2014.
uXDT relies on advertisers hiding ultrasounds in their ads. When the ad plays on a TV or radio, or some ad code runs on a mobile or computer, it emits ultrasounds that get picked up by the microphone of nearby laptops, desktops, tablets or smartphones.
These second-stage devices, which silently listen in the background, will interpret these ultrasounds, which contain hidden instructions, telling them to ping back to the advertiser's server with details about that device.
-- submitted from IRC
Related Stories
Bunnie Huang has published a reference design for a near-ultrasound data link.
We were requested to investigate “near ultrasound” (NUS) links as part of our research on developing the Simmel reference design for a privacy-preserving COVID-19 contact tracing device. After a month of poking at it, the TL;DR is that, as suspected, the physics of NUS is not conducive to reliable contact tracing. While BLE has the problem that you have too many false positive contacts, NUS has the problem of too many false negatives: pockets, purses, and your own body can effectively block the signal.
That being said, we did develop a pretty decent-performing NUS data link, so we’ve packed up what we did into an open source reference design that you can clone and use in your own projects.
Previously:
(2020) Your Apps Can Pick Up Ultrasonic Signals You Can't Hear
(2017) Ultrasound Tracking Could be Used to Deanonymize Tor Users
(Score: 2, Funny) by Anonymous Coward on Monday January 09 2017, @12:17PM
What if I wrap my smart phone thingy in aluminum foil? Can the revenuers read my mind through it now?
(Score: 2) by maxwell demon on Monday January 09 2017, @07:01PM
If you are browsing from a public spot (e.g. sitting in a cafe using their public hot spot), you can be sure that a dozen smartphones you cannot control are in hearing range.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 0) by Anonymous Coward on Monday January 09 2017, @08:10PM
That gets you location but not user.
Tin foil actually *might* work. But only because it *might* distort the sound so echoes wrong? However, if it is the only device in range it would do nothing.
(Score: 2) by maxwell demon on Monday January 09 2017, @08:56PM
After getting location, just check which phone was closest to the location, whether it responded to the sound or not. Chances are good that was your phone.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 1, Informative) by Anonymous Coward on Monday January 09 2017, @12:21PM
Just disable it. There you go.
(Score: 4, Insightful) by MrGuy on Monday January 09 2017, @01:45PM
This is both true, and an answer that really pisses me off. (note: not slamming parent poster - just expressing frustration this is the "stock" answer to this problem) I mean, if I really don't want online surveillance, I could always disable my network card entirely, which is an even more effective "problem solved." It just makes my computer largely useless for what I want it to do.
Why should I have to deal with a huge swath of the useful functionality of most websites being disabled, just because some @sshole can use the same functionality to run what's effectively malware using the same functionality? Why is deliberate delivery of malware considered OK, even normal practice? Why is corporate surveillance of individuals ok, at a level that's way more intrusive than the level we actively fear from governments?
And why isn't there some equivalent to anti-virus software that could disable individual scripts (or at least disable them by default unless explicitly re-enabled) that match certain heuristic patterns (e.g. canvas fingerprinting, accessing camera or microphone, accessing third-party domain cookies, accessing files on hard drive, etc.) that seem associated with bad actions?
"Either forgo a ton of functionality or accept massive surveillance" should not be the only options.
(Score: 2, Informative) by Anonymous Coward on Monday January 09 2017, @03:08PM
There's no technical reason why disabling javascript should result in disabling functionality. Maybe if more people disabled it, then more websites would work correctly without it, to the benefit of people using TOR to avoid censorship.
Because this method can only find old threats after they have successfully attacked many people.
(Score: 0) by Anonymous Coward on Monday January 09 2017, @03:21PM
That's his point, the problem here is that advertisers feel entitled to do whatever the hell they want to track people and generally behave like amoral crackpots. You should have to disable ads in order to have a reasonably safe visit to a website. But, so many websites use ads that aren't simple GIFS and JPGs or god forbid text, that disabling them becomes more or less necessary to avoid malware.
Going online is never going to be completely safe, but it's ridiculous that advertisers seem to feel the need to spy. It's bad enough when alphabet soup agencies do it, we don't also need advertisers doing it for them.
(Score: 2) by canopic jug on Monday January 09 2017, @03:27PM
It can't be done because you can't patch fast enough. Every time there is enough data accumulated to create a profile or signature for the malware, it is too late.
Money is not free speech. Elections should not be auctions.
(Score: 2) by MrGuy on Monday January 09 2017, @03:42PM
Tell me why this same argument doesn't imply antivirus in general is useless.
(Score: 3, Informative) by canopic jug on Monday January 09 2017, @04:04PM
Money is not free speech. Elections should not be auctions.
(Score: 2) by MrGuy on Monday January 09 2017, @05:02PM
Life would be better if everyone was on a well-administered linux system and running a browser that perfectly sandboxed content and data (by the way, if you know of one, let me know).
Fine. Point taken. But IMO it's not a terribly helpful suggestion in the real world.
(Score: 2) by canopic jug on Monday January 09 2017, @05:39PM
It depends. People didn't used to wash their hands, not even surgeons. People didn't used to handle and store food in ways now known to be safe, not even after serving. For a period there were even radioactive products on the market, some for human consumption. Things change. It's just taking a while to get around to treating computing like any other industry. Gates and his minions have a lot of people bamboozled but that may come to a turning point due to the political crisis in the US. It could turn for the better or the worse, but even if it turns for the worse, it is likely to push the rest of the world in the right direction that much harder.
Browsers suck but a lot of the problems go away, or ameliorate slightly at least, by moving to dedicated client applications. Smartphones are already kind of pretending to go in that direction and although their "apps" are mostly wrappers for web pages it wouldn't take much to step over to making proper, dedicated applications. There are enough portable frameworks that it is not just possible but relatively easy. Statefulness and proper encryption are the first obvious improvements. There are even distribution channels (repositories, stores) with various levels of vetting for OS X, Chrome/Linux, Android/Linux, and the various GNU/Linux distros. Any of that is a step up from the situation we have now.
Money is not free speech. Elections should not be auctions.
(Score: 3, Interesting) by Scruffy Beard 2 on Monday January 09 2017, @09:53PM
I have stopped suggesting anti-viruses for the average user.
If you tell the average user that they have an anti-virus installed, they become complacent and assume it will catch anything bad.
The Sony-BMG rootkit [wikipedia.org] scandal (never forget!) was probably my wake-up call that anti-virus software is kind of useless.
(Score: 3, Interesting) by LoRdTAW on Monday January 09 2017, @03:30PM
This was my argument the other day. JavaScript isn't evil by default. The problem is web standards which force browser designs to be insecure by default. We need a browser that respects privacy and security by removing the ability to access files, devices, cookies outside of its domain, and disable auto playing of audio and video. Another thing to nuke is the lock-the-browser dialogue box (are you sure you want to leave this site?). If a page wants to use javascript for the basics like DOM manipulation, fine. Just disable all of the bullshit like camera access, file system access, and audio/video playing.
Though a better fix would be to use minimalist browsers like Dillo and NetSurf which do not support most of the problematic stuff like javascript and HTML 5 extensions.
(Score: 2) by Arik on Monday January 09 2017, @07:04PM
If laughter is the best medicine, who are the best doctors?
(Score: 0) by Anonymous Coward on Monday January 09 2017, @09:06PM
Well. Actually, no. HTML5, flash, silverlight, java browser plug-in also have to be disabled, not just ECMAScript. And apps on nearby devices are also suspect.
(Score: 2, Insightful) by DmT on Tuesday January 10 2017, @09:55AM
Have you actually read the privacy statement of anti-virus software? They send back a lot of data, some even all the URL-s you have visited - for advertising purposes! So be careful with them ...
(Score: 1) by Oakenshield on Monday January 09 2017, @12:30PM
Run your Tor in a VM and don't configure a sound device.
(Score: 2) by Runaway1956 on Monday January 09 2017, @01:43PM
Heh - I don't even turn on the sound device on my hardware. It's turned off in BIOS. The only sound I ever need is provided via USB, and that's unplugged most of the time. There is no camera attached to my computers, either. You say "paranoia", I say "better safe than sorry".
ICE is having a Pretti Good season.
(Score: 0) by Anonymous Coward on Monday January 09 2017, @04:56PM
You should generally never browse without a VM anyway.
(Score: 1, Funny) by Anonymous Coward on Monday January 09 2017, @12:50PM
"Alexa, enter Tor drug mode."
(Score: 3, Interesting) by jmoschner on Monday January 09 2017, @12:52PM
Can most cheap speakers even produce audio in that range?
Even if they could, can't you add a software or hardware filter to remove ultrasonic sounds from the line to the speakers?
(Score: 4, Insightful) by physicsmajor on Monday January 09 2017, @01:45PM
Not a bad thought, but the issue is that for a huge part of the population the audible range is a fantasy - most adults can't hear above 12-15kHz. But speakers are almost uniformly able to produce up through 20 kHz. And unlike adult ears, your phone can hear up there no problem.
(Score: 1, Insightful) by Anonymous Coward on Tuesday January 10 2017, @12:07AM
That is why god created band-pass filters.
(Score: 2) by Osamabobama on Tuesday January 10 2017, @12:23AM
A few days ago I was trying to explain to my young daughter what a millisecond was. I searched YouTube for the sound of a 1kHz square wave and then explained that there is a click every millisecond. Of course, the sound was a tone, but I digress...
The video went on to play higher frequencies, and at 12KHz I could barely discern any sound while she heard it clearly. Wear your earplugs, kids.
Appended to the end of comments you post. Max: 120 chars.
(Score: 2) by inertnet on Monday January 09 2017, @03:40PM
And while you're at it, create a warning system that beeps (...) when a browser or other non whitelisted software tries to make those sounds. So we can take action against the creators.
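The kind of check asked for in the comments above (noticing audio that carries energy in the range most adults cannot hear), as an added example that is not part of the original thread or of the researchers' work. It assumes 48 kHz audio, treats 18 to 20 kHz as "near ultrasound", and flags any 20 ms window with more than 1% of its energy in that band; the band, the threshold and the sample audio are all constructed assumptions to tune.

```python
import math

RATE = 48_000            # Hz, assumed sample rate of the captured audio
WINDOW = 960             # 20 ms per window -> DFT bins are 50 Hz apart
BAND = (18_000, 20_000)  # Hz, band treated as "near ultrasound" (assumption)
THRESHOLD = 0.01         # flag if >1% of window energy is in BAND (assumption)

def goertzel_power(window, freq):
    """|X(freq)|^2 for one DFT bin, computed with the Goertzel recurrence."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in window:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def high_band_fraction(window):
    """Fraction of the window's energy that lies inside BAND (0.0 to 1.0)."""
    energy = sum(x * x for x in window)
    if energy == 0.0:
        return 0.0  # silence: nothing to measure, avoid dividing by zero
    step = RATE // len(window)  # bin spacing in Hz
    power = sum(goertzel_power(window, f)
                for f in range(BAND[0], BAND[1] + 1, step))
    # Parseval: every bin of a real signal has a mirror image, hence the 2.
    return 2.0 * power / (len(window) * energy)

def flag_windows(samples):
    """Start times (ms) of the windows whose BAND share exceeds THRESHOLD."""
    flagged = []
    for start in range(0, len(samples) - WINDOW + 1, WINDOW):
        if high_band_fraction(samples[start:start + WINDOW]) > THRESHOLD:
            flagged.append(start * 1000 // RATE)
    return flagged

def constructed_sample():
    """Constructed test audio: 200 ms of 400 Hz + 1 kHz tones, with a quiet
    18.5 kHz tone mixed in from 60 ms to 140 ms."""
    out = []
    for n in range(RATE // 5):
        t = n / RATE
        x = (0.5 * math.sin(2 * math.pi * 400 * t)
             + 0.3 * math.sin(2 * math.pi * 1000 * t))
        if 2880 <= n < 6720:  # samples 2880..6719 are 60 ms..140 ms
            x += 0.1 * math.sin(2 * math.pi * 18_500 * t)
        out.append(x)
    return out

if __name__ == "__main__":
    print(flag_windows(constructed_sample()))
```

The high tone is a fifth of the loudness of the 400 Hz tone and still stands out, because ordinary speech-band audio puts almost nothing in that band.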
(Score: 2, Insightful) by Anonymous Coward on Monday January 09 2017, @12:53PM
If you have untrusted programs accessing microphone, your security has bigger problems than someone snooping just tor.
(Score: 1) by nitehawk214 on Monday January 09 2017, @01:04PM
Why would my phone or laptop just send information to this tracking site on its own?
Are they forgetting the much harder task of getting malware on every single phone and laptop in existence?
"Don't you ever miss the days when you used to be nostalgic?" -Loiosh
(Score: 2) by MrGuy on Monday January 09 2017, @01:32PM
The idea is not that the phone/laptop does it "on its own." It's to secretly embed "listening" code into web pages (for example, as part of ads). If you have a page containing the javascript open AND an ultrasonic tag plays on your TV, then the javascript will report it.
If your web browser is closed, or you don't have a page containing a tracking script open, your device won't be listening or report anything. But the thing advertisers (initially) and surveillance professionals (eventually) hope is that if you can make both the "listening scripts" sufficiently ubiquitous in web pages, and the "ultrasonic tags" sufficiently widespread in broadcast media, the likelihood is eventually you'll bring A into contact with B often enough for identification to be done.
(Score: 3, Interesting) by nitehawk214 on Monday January 09 2017, @04:20PM
Web pages can activate a microphone? What the fuck?
"Don't you ever miss the days when you used to be nostalgic?" -Loiosh
(Score: 2) by EvilSS on Monday January 09 2017, @05:39PM
(Score: 2) by MrGuy on Monday January 09 2017, @01:27PM
Everything has "soft" controls and "soft" indicators (if they have ANY indicators) these days. Soft controls can be bypassed. Soft indicators (e.g. a light that goes on when your camera is recording) can be programmed to lie.
What we need is hardware controls, for both the microphone and camera. I want to switch it off and have that mean it's OFF, and cannot be turned on until I re-enable it with the hard switch. And indicators that are hard wired in a way that can't be bypassed (e.g. an LED that's powered by the same power lead as the camera).
This is not hard to do. But for some reason consumers continue to not demand it, so suppliers continue to not build these reasonable security features into their products.
(Score: 2) by Runaway1956 on Monday January 09 2017, @01:51PM
"I want to switch it off and have that mean it's OFF"
Posted above: my audio card is turned off in BIOS. No sound device is attached to my audio. All sound is provided via USB. When I want sound turned off, I simply unplug USB. No sound, whether audible, ultra, subsonic, or whatever. None.
Further, there is no camera attached to my computers. My most frequent need for a camera is for a "magnifying glass". I saw this USB microscope advertised, and bought it - works pretty good, and when I unplug it, it can't be turned on remotely. In the case of a laptop, I suppose you could snip a wire to the camera, then rely on USB.
The bad guys need to be pretty slick to make my hardware spy for them.
ICE is having a Pretti Good season.
(Score: 2) by tangomargarine on Monday January 09 2017, @04:05PM
and when I unplug it, it can't be turned on remotely.
Cutting off its power source usually works pretty well. Unless of course it's physically built into the device and/or has a battery.
Wrapping stuff in tin foil is sounding less crazy every day. How much of a barrier do you have to put around a cell phone to block the signal anyway? Considering that basically going into a room in any random house without windows is often enough to do it :P
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 2) by tangomargarine on Monday January 09 2017, @04:13PM
anecdata of potato chip bag blocking [ubuntuforums.org]
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 2) by Arik on Monday January 09 2017, @04:43PM
If laughter is the best medicine, who are the best doctors?
(Score: 2) by Osamabobama on Tuesday January 10 2017, @12:43AM
If you're just trying to block the ultrasonic audio tags, the faraday bags aren't the best option. A pillow would be a good low-pass filter, but a shoebox might work just as well. Ultrasonic audio is easily attenuated.
Appended to the end of comments you post. Max: 120 chars.
(Score: 0) by Anonymous Coward on Tuesday January 10 2017, @07:42PM
in BIOS = in software. So in principle a malware could silently enable it. Not having any suitable hardware attached is, of course, a hurdle even the most sophisticated software is unlikely to circumvent ;-)
(Score: 2) by Scruffy Beard 2 on Monday January 09 2017, @02:30PM
I suspect that this whole thing is made possible by "HD Audio". There is no reason for supporting ultrasonics other than traitor tracing and inter-species communication.
(Score: 4, Funny) by bob_super on Monday January 09 2017, @06:21PM
Our neighborhood got a lot quieter after cell phones added enough ultrasound range for the dogs to just call each other.
We had tried to teach them to text, but not everyone has an IP68 phone.
(Score: 2) by Bot on Tuesday January 10 2017, @02:50AM
NO don't teach them to text, they will be prank messaged by cats if you do.
Account abandoned.
(Score: 1, Informative) by Anonymous Coward on Monday January 09 2017, @08:59PM
They're usually not so much ultrasonic as so high that most people don't notice them or think it's just a hardware whine. A large part of why that's possible is that the manufacturer needs to be able to output all the possible frequencies in the spec and the people writing the spec years ago, weren't planning on these more obscure eventualities.
Personally, I don't have a microphone attached to my computer except when I'm actually wanting to use it. The bigger problem is devices like tablets and smart phones that have it built in.
(Score: 2) by bryan on Monday January 09 2017, @06:45PM
Should only be allowed if the commercial with the normally imperceivable audio is for Fruity Oaty Bars [youtube.com]!