A new privacy-busting technique that tracks consumers through the use of ultrasonic tones may have once sounded like the stuff of science fiction novels, but today it’s reality.
These near-silent tones can’t be picked up by the human ear, but there are apps in your phone that are always listening for them. This technology is called ultrasonic cross-device tracking, and it works by emitting high-frequency tones in advertisements and billboards, web pages and across brick-and-mortar retail outlets or sports stadiums. Apps with access to your phone’s microphone can pick up these tones and build up a profile about what you’ve seen, where, and in some cases even the websites you’ve visited.
The technology is still in its infancy but it’s growing in popularity.
In the past year, researchers found 234 Android apps that include the ability to listen for ultrasonic tones “without the user’s knowledge,” one paper said.
The researchers note that some apps use the beacons to display location-specific advertising content on user’s phones, like tickets and vouchers for festivals. Several stores in two unnamed European cities have already installed these ultrasonic beacons.
Many of these apps have been downloaded thousands of millions of times, such as games — like Pinoy Henyo, which was named in the research as one of the apps that opens up the microphone to listen to ultrasonic tones. Other app makers were named in the paper — including McDonalds and Krispy Kreme, though it’s not known how either company utilizes their ad-tracking technology. We’ve reached out for comment.
The researchers criticize the technique as a “threat to the privacy of a user,” as they “enable unnoticeably tracking locations, behavior and devices.”
Using this ad-tracking technology allows ad companies to link media-consuming habits to a person’s identity by picking up ultrasonic tones from websites, and radio and television broadcasts.
“An adversary can precisely link the watching of even sensitive content such as adult movies or political documentations to a single individual — even at varying locations,” they say.
The ultrasonic tones can also be used to track locations, behavior, and purchase habits across different devices, which allows the advertiser to serve more specific and tailored advertisements based on where you’ve been.
Worse of all, the researchers say that this ultrasonic tracking technology can deanonymize users of bitcoin, which is designed to be used without the need for a name.
A similar technique can be used for those who are browsing the web using the Tor anonymity network, which prevents eavesdroppers from monitoring your web traffic and browsing history.
How big of an issue is it? For one, it’s not immediately known if an app contains this ad-tracking technology — but if it asks for your microphone, that might be a dead giveaway.
“The user just needs to install a regular mobile application that is listening to ultrasonic signals through the microphone in the background,” said the researchers.
“Once the user has installed these applications on her phone, she neither knows when the microphone is activated nor is she able to see which information is sent to the company servers,” they said.
It’s not as easy to know if an app has the ultrasonic technology built-in, but it’s always wise to check your app permissions. If there’s no reason for an app, like a game or a news app, to have access to your microphone, switch it off.
Source: SANS ISC SecNewsFeed @ May 3, 2017 at 10:42AM