Ultrasound Tracking Could Be Used to Deanonymize Tor Users

Accepted submission by exec at 2017-01-08 17:33:13
News

Story automatically generated by StoryBot Version 0.2.2 rel Testing.
Storybot ('Arthur T Knackerbracket') has been converted to Python3

Note: This is the complete story and will need further editing. It may also be covered
by Copyright and thus should be acknowledged and quoted rather than printed in its entirety.

FeedSource: [HackerNews]

Time: 2017-01-06 15:21:53 UTC

Original URL: https://www.bleepingcomputer.com/news/security/ultrasound-tracking-could-be-used-to-deanonymize-tor-users/ [bleepingcomputer.com] using ISO-8859-1 encoding.

Title: Ultrasound Tracking Could Be Used to Deanonymize Tor Users

--- --- --- --- --- --- --- Entire Story Below --- --- --- --- --- --- ---
 
 

Ultrasound Tracking Could Be Used to Deanonymize Tor Users

Arthur T Knackerbracket has found the following story [bleepingcomputer.com]:

Ultrasounds emitted by ads or JavaScript code hidden on a page accessed through the Tor Browser can deanonymize Tor users by making nearby phones or computers send identity beacons back to advertisers, data which contains sensitive information that state-sponsored actors can easily obtain via a subpoena.


This attack model was brought to light towards the end of 2016 by a team of six researchers, who presented their findings at the Black Hat Europe [blackhat.com] 2016 security conference in November and the 33rd Chaos Communication Congress [c3subtitles.de] held last week.


Their research focuses on the science of ultrasound cross-device tracking (uXDT), a new technology that started being deployed in modern-day advertising platforms around 2014 [arstechnica.com].


uXDT relies on advertisers hiding ultrasounds in their ads. When the ad plays on a TV or radio, or some ad code runs on a mobile or computer, it emits ultrasounds that get picked up by the microphone of nearby laptops, desktops, tablets or smartphones.


These second-stage devices, which silently listen in the background, interpret these ultrasounds, which contain hidden instructions telling them to ping back to the advertiser's server with details about that device.


Advertisers use uXDT to link different devices to the same person and create better advertising profiles, so as to deliver better-targeted ads in the future.


Speaking at last week's 33rd Chaos Communication Congress, Vasilios Mavroudis, one of the six researchers, detailed a deanonymization attack on Tor users that leaks their real IP and a few other details.


The attack that the research team put together relies on tricking a Tor user into accessing a web page that contains ads that emit ultrasounds or accessing a page that contains hidden JavaScript code that forces the browser to emit the ultrasounds via the HTML5 Audio API.


If the Tor user has his phone somewhere nearby and if certain types of apps are on his phone, then his mobile device will ping back one or more advertisers with details about his device, so the advertiser can build an advertising profile on the user, linking his computer with his phone.


According to Mavroudis, the mobile phone must have an app installed that has embedded one of the many advertising SDKs that include support for uXDT.


At this stage, the state-sponsored actor can simply subpoena a short list of advertisers that engage in this practice and get details about the user's real-world identity.


In tests carried out by Mavroudis, the researcher has intercepted some of the traffic these ultrasound beacons trigger on behalf of the phone, traffic which contains details such as the user's real IP address, geo-location coordinates, telephone number, Android ID, IMEI code, and device MAC address.


According to Mavroudis, there are multiple ways to deliver these attacks other than social-engineering Tor users to access certain URLs, where these ultrasound beacons can be served.


Researchers say that an attacker can use XSS (cross-site scripting) vulnerabilities to inject the malicious JavaScript code into websites that contain such flaws.


Similarly, the attackers could also run a malicious Tor exit node and perform a Man-in-the-Middle attack, forcibly injecting the malicious code that triggers uXDT beacons in all Tor traffic going through that Tor node.


A simpler attack method would also be to hide the ultrasounds, which are inaudible to human ears, inside videos or audio files that certain Tor users might be opening.


The FBI might be very interested in this method and could deploy it to track viewers of child pornography videos on the Tor network, just like it previously did in Operation Playpen [eff.org], where it used a Flash exploit.


Currently, the practice of uXDT is not under any regulation. While the FTC is currently evaluating the impact of uXDT ads [ftc.gov], the research team has proposed a series of mitigations that could restrict the free rein this type of advertising currently enjoys.


First and foremost, the team created a Chrome browser extension named SilverDog [ubeacsec.org] that filters all the HTML5 audio played through the browser and removes ultrasounds.


Unfortunately, this extension doesn't work with sounds played back via Flash, and can't protect users of the Tor Browser, which is based on Firefox.
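One way a defender could check an audio buffer for near-ultrasonic content before it is played, shown here as an added example that is not SilverDog's code and not part of the original article. The 18-20 kHz band, frame size, scan step, threshold and all function names are assumptions, and the test signals are constructed.

```javascript
// Added example, not from the article or the SilverDog project.
// Assumed values: 18-20 kHz band, 512-sample frames, 100 Hz scan step, threshold.
const BAND = { lo: 18000, hi: 20000, step: 100 };
const FRAME = 512;
const THRESHOLD = 1e-5; // normalised power; tune against real recordings

// Goertzel: squared spectrum magnitude of `frame` at one frequency, Hann-windowed.
function goertzelPower(frame, freq, sampleRate) {
  const coeff = 2 * Math.cos(2 * Math.PI * freq / sampleRate);
  const n = frame.length;
  let s1 = 0, s2 = 0;
  for (let i = 0; i < n; i++) {
    const hann = 0.5 - 0.5 * Math.cos(2 * Math.PI * i / (n - 1));
    const s0 = frame[i] * hann + coeff * s1 - s2;
    s2 = s1;
    s1 = s0;
  }
  return (s1 * s1 + s2 * s2 - coeff * s1 * s2) / (n * n);
}

// Scan every frame for the strongest component inside the near-ultrasonic band.
function scanForBeacon(samples, sampleRate) {
  if (sampleRate < 2 * BAND.hi) throw new Error("sample rate too low for this band");
  let peak = { freq: null, power: 0 };
  for (let off = 0; off + FRAME <= samples.length; off += FRAME) {
    const frame = samples.subarray(off, off + FRAME);
    for (let f = BAND.lo; f <= BAND.hi; f += BAND.step) {
      const p = goertzelPower(frame, f, sampleRate);
      if (p > peak.power) peak = { freq: f, power: p };
    }
  }
  return { suspicious: peak.power > THRESHOLD, ...peak };
}

// Constructed test signal: sum of sine tones, each given as [frequencyHz, amplitude].
function synth(tones, sampleRate, length) {
  const out = new Float32Array(length);
  for (let i = 0; i < length; i++)
    for (const [f, a] of tones) out[i] += a * Math.sin(2 * Math.PI * f * i / sampleRate);
  return out;
}

const RATE = 44100;
const clean = synth([[1000, 0.5]], RATE, 4096);                // audible tone only
const tagged = synth([[1000, 0.5], [18500, 0.1]], RATE, 4096); // plus an inaudible tone
console.log(scanForBeacon(clean, RATE), scanForBeacon(tagged, RATE));
```

The 512-sample frame keeps each frequency bin wider than the 100 Hz scan step, so a tone anywhere in the band falls inside some probe's main lobe.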


The researchers also propose a medium-term solution such as the introduction of a new query in the Android permissions model that explicitly informs users that an app might listen to ultrasounds.


This permission would allow users to revoke or deny this right from existing or new Android apps they're installing on their smartphone.


For long-term solutions, the research team advocates for a standardized format for these ultrasound advertising beacons, and OS-level APIs for discovering and managing ultrasound beacons. The Tor Project has also been notified [torproject.org] of this issue a few months back.


Below is Mavroudis presenting his findings at the 33rd Chaos Communication Congress held last week in Germany.


Ultrasound Cross-Device tracking (uXDT):

When looking at this kind of exploitware - think "Camouflage"!!

Obfuscate the ultrasound signals by filling the air with random ultrasound signals - the random sounds could be designed to include things like bogus personal info, or things to lure advertisers and researchers to honeypot servers where they will waste their time & resources.

lol ah yes good one, that made my day.

Myself, I don't use smartphones because I know they can spy on people by listening to what's around them, and for other reasons as well, so no problems here.

Just one more reason why no one should use a smartphone.

Smartphones, what about Echo/Alexa, Google Home, Xbox One, PS4, WiiU or anything else with a microphone, processor and network connection to the Internet?

So if your dog starts going crazy for no reason while you are on Tor, you might be getting a visit from a 3-letter agency.

Time to unplug, at every turn we are being spied on, UGH!

-- submitted from IRC


Original Submission