This may have happened to you. You idly browse a pair of shoes online one morning, and for the rest of the week, those shoes follow you across the Internet, appearing in adverts across the websites you visit.
But what if those ads could pop out of your browser and hound you across different devices? This is the power of ultrasound technology, says Vasilios Mavroudis at University College London – and it offers a whole new way in for hacking attacks and privacy invasions. He and his colleagues will spell out their concerns at next week’s Black Hat cybersecurity conference in London.
So far, this kind of ultrasound technology has mainly been used as a way for marketers and advertisers to identify and track people exposed to their messages, like a cross-device cookie. High-frequency audio “beacons” are embedded into TV commercials or browser ads. These sounds, which are inaudible to the human ear, can be picked up by any nearby device that has a microphone and can then activate certain functions on that device. But the technology has many more applications. Some shopping reward apps, such as Shopkick, already use it to let retailers push department or aisle-specific ads and promotions to customers’ phones as they shop.
“It doesn’t require any special technology,” Mavroudis says. “If you’re a supermarket, all you need are regular speakers.”
Who is listening?
But the technology has been identified as a privacy risk. In March, the US Federal Trade Commission (FTC) rapped the knuckles of 12 app developers who used ultrasound for cross-device tracking – even when the apps weren’t turned on. This means that the apps could collect information about users without their awareness.
The software developer providing this code quickly withdrew it, but an FTC spokesperson says that the commission continues to be interested in cross-device tracking: “We’re continuing to look at the ways that can be achieved.”
And this is just one of the problems Mavroudis and his colleagues discovered when examining the vulnerabilities of ultrasound-based technologies.
One worry is that these programs may not just be picking up ultrasound. “Any app that wants to use ultrasound needs access to the full range of the microphone,” says Mavroudis. That means it would be possible, in theory, for the app to spy on your conversation.
The ultrasonic audio beacons that these apps pick up can also be imitated. This means that hackers could create fake beacons to send unwanted or malicious messages to your device, like malware. Mavroudis and his team realised that this would be possible when they found evidence of people trying to cheat a shopping rewards app by recording the ‘silent’ beacons (or just downloading recordings from the Internet) and then playing them to the app to supercharge their reward points. “That was when we realised how easy it would be to spoof these,” he says.
Mavroudis says that these vulnerabilities do not affect many people yet, as ultrasound apps are still niche. But the simplicity of ultrasound could make it an attractive technology for use in applications across the Internet of Things (IoT), says Mu Mu, a lecturer at the University of Northampton, UK.
As more IoT devices become connected and interlinked, they could overwhelm a home’s Wi-Fi channel, and different technologies will need to step in. Ultrasound is a good candidate for pairing home-connected devices that have a speaker and microphone. For example, Google’s Chromecast app uses ultrasound to pair your mobile phone with its streaming dongle.
This creates a potential new channel for hacking attacks. Ultrasound can’t carry a lot of data, says Mu. “But if you know what you’re doing, just by sending a few bytes, you can hack a system and instruct it to do a lot of things. It doesn’t always take a lot of data to make something bad happen.”
Before ultrasound goes mainstream, Mavroudis says that it’s time to work out how to regulate it and keep it from being hijacked for malicious purposes. “Ultrasound beacons don’t have specs yet,” he says. “There are no rules about how to build or connect ultrasound beacons. This is kind of a grey area where no one wants to take responsibility.”
He and his co-authors are agitating for standards similar to those that exist for Bluetooth. But that will take a while, so they have also developed countermeasures you can use in the meantime. The first is an ultrasound-filtering browser extension for Google Chrome that blocks any website-embedded beacons from sounding. The second is a patch for Android devices that means users have to opt in to pick up ultrasound beacons and audible sound separately when they give an app permission to use their microphone.
“It’s going to get worse unless we fix it,” says Mavroudis.
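An added example, not code from the article or from the researchers' extension or Android patch: a screening check that looks for a steady tone in the near-ultrasonic part of a recording, the kind of inaudible signal the beacons described above rely on. The 18-20 kHz band, the probe spacing, the amplitude threshold and all function names are assumptions, since the article gives no frequencies or encoding details.

```python
import math

# Assumed near-ultrasonic band and probe spacing; the article states no frequencies.
BAND_LO_HZ, BAND_HI_HZ, STEP_HZ = 18_000, 20_000, 100


def goertzel_amplitude(samples, rate, freq):
    """Amplitude of a single frequency component, via the Goertzel algorithm."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2
    return 2.0 * math.sqrt(max(power, 0.0)) / len(samples)


def detect_beacon(samples, rate, min_amplitude=0.01):
    """Return (freq_hz, amplitude) of the strongest in-band tone, or None.

    Raises ValueError when the sample rate cannot represent the band, so a
    low-rate recording is never reported as "clean".
    """
    if rate / 2 <= BAND_HI_HZ:
        raise ValueError(f"{rate} Hz sampling cannot capture up to {BAND_HI_HZ} Hz")
    if not samples:
        return None
    best = max(
        ((f, goertzel_amplitude(samples, rate, f))
         for f in range(BAND_LO_HZ, BAND_HI_HZ + 1, STEP_HZ)),
        key=lambda fa: fa[1],
    )
    return best if best[1] >= min_amplitude else None


def synth(components, rate=48_000, n=4_800):
    """Constructed test signal: a sum of (freq_hz, amplitude) sine tones."""
    return [sum(a * math.sin(2 * math.pi * f * i / rate) for f, a in components)
            for i in range(n)]


if __name__ == "__main__":
    audible = [(440, 0.5), (1_000, 0.3)]   # constructed "normal" audio
    tagged = audible + [(18_500, 0.05)]    # same audio plus a quiet high tone
    print("clean :", detect_beacon(synth(audible), 48_000))
    print("tagged:", detect_beacon(synth(tagged), 48_000))
```

A hit only means there is narrow-band energy above the range most adults hear; it does not identify who emitted it or what it encodes.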