Ultrasound is supposed to be our friend. However, the security world was made aware last week of a technology being used by an outfit named “SilverPush” that is utilizing a new and unusual method for tracking mobile phone users with ultrasound signals. The basic story is that the company is embedding a tracking beacon in advertisement audio using ultrasound frequencies that are outside of the range of human hearing. The microphone on a cell phone picks up the ultrasonic sound, and an app on the phone that’s built to listen for that kind of tone decodes it and sends it on to the company doing the tracking.
This all sounds a little bit creepy, which even the CEO of SilverPush admitted when the story originally came out last year. Ultrasound tracking happens in a way that most consumers would not notice unless they have a cat or dog that suddenly starts acting strange during certain commercials or when they visit certain sites, because their more-sensitive ears can pick up the tones of the attempted data transmission while human ears cannot. This scenario is not science-fiction, but actual reality.
How this works
News stories about ultrasound tracking almost all quote the same sound bite [1].
When a user encounters a SilverPush advertiser on the web, the advertiser drops a cookie on the computer while also playing an ultrasonic audio through the use of the speakers on the computer or device. The inaudible code is recognized and received on the other smart device by the software development kit installed on it. SilverPush also embeds audio beacon signals into TV commercials which are “picked up silently by an app installed on a [device] (unknown to the user).” The audio beacon enables companies like SilverPush to know which ads the user saw, how long the user watched the ad before changing the channel, which kind of smart devices the individual uses, along with other information that adds to the profile of each user that is linked across devices.
This explanation might be a little on the obscure side, but to folks who remember the good old days of telecommunications, it may seem familiar: ultrasound tracking functions in a manner that is very similar to old-school modems, especially those that used an acoustic coupler.
For these modems to work, a computer would modulate (that is, vary in frequency) an audio tone, which would be played into a speaker in the half of the coupler that was connected to the telephone handset’s microphone. The receiving computer would receive the tones via its coupler’s microphone, underneath the speaker of the receiving phone’s handset. That computer would then demodulate the tones and convert them back into the original data.
Old-school modems used audio-frequency tones, the sounds you’d hear if you picked up a phone extension when someone was on the line back in the old days. This was done mostly out of convenience; because telephone lines and handsets were optimized for human voice frequencies, noises that were outside of that band were likely to be dampened and less able to be transmitted.
Ultrasound tracking technology operates along very similar lines, except that the modulation of the information takes place at the time the ad is created, and its demodulation happens in your phone.
Given that even early modems were capable of transmitting information at 300 bits per second – while later, more advanced ones got as fast as 56,000 bits per second – a couple of seconds of ad time is more than enough to transmit some unique, trackable values. For instance, advertisers could use 128-bit universally unique identifiers (UUID) and transmit a series of them over the course of a TV spot to see how many of these are picked up by the receiving app on a phone. This can allow them to identify how long the phone (and by extension, the viewer) was “watching” the ad before they changed the channel.
Similarly, encoding a unique value into a web ad would tie an individual ad impression to a specific mobile device that is close to the computer that the ad was displayed on. Site-to-site tracking could be enabled by displaying similar ads on other sites, and then matching the entries with the phone that picked them up. In addition, if the ad’s audio repeats, then the time a user spends on individual website pages can also be measured.
Central Dependency
However, this all depends on an appropriate app being installed on a smartphone, one that contains SilverPush’s libraries that listen for such ultrasonic tone sequences and decode them.
While at this time I’ve not found a list of SilverPush’s specific clients, there are various companies out there that do admit to affiliation with them. For instance, “mobyaffiliates” has a page that talks about their capabilities as part of their affiliate network. In addition, the Google Play store has a test app provided by SilverPush directly: https://play.google.com/store/apps/details?id=com.silverpush.democrossdevice&hl=en
If your phone does not have an app that contains SilverPush’s code, then they won’t be able to track you through this method. However, finding out which apps have that code may prove to be difficult, since it’s not likely that SilverPush will publicize which apps have this type of listening code embedded.
How To Stop It
First, if at all possible, avoid installing any apps that request microphone permission as part of their installation. Preventing apps from accessing the microphone on your smartphone nullifies this avenue of tracking entirely. You can check the permissions each app has on Android by going to the Setup menu, selecting ‘Apps’, and then looking down the list of each app you have installed; there’s a section at the bottom for permissions. Similarly, on iOS, you can check these by going to the Settings menu and checking ‘Privacy’.
Second, blocking ads on your computer would prevent them from playing audio over your computer’s speakers. Wearing headphones or keeping a computer’s sound off when you’re not specifically using it would also prevent the tracking; if the speakers are off, they can’t transmit ultrasonic information. TVs are a little harder to mitigate, but muting the sound when ads come on would help.
Third, if you have the capability, put your mobile device on a VPN that blocks advertising and tracking domains. If you have control over the network, then you can prevent it from being used to track your phone. My previous blog entries here talk a bit about how to accomplish this, using general adblocking via DNS. There are other ways to go about it as well, and a good network administrator can shape traffic any number of ways to discourage tracking.
Trying to jam an ultrasonic tracking signal with other ultrasonic sounds might work, but it’s likely to drive all the cats and dogs in the neighborhood crazy with the noise, so this tactic would probably not be the best idea.
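To check whether a piece of ad audio actually carries tones above the audible range, you can scan a recording for energy in that band. The sketch below is an added example, not SilverPush's code and not part of the original post; it assumes a 44.1 kHz recording, an 18-20 kHz scan band, 0.1-second frames and a fixed amplitude threshold (none of these values come from the post), and it runs on a constructed signal rather than a real capture.

```python
import math

SAMPLE_RATE = 44100                  # assumption: CD-quality capture
FRAME = 4410                         # 0.1 s frames -> 10 Hz bin spacing
BAND_HZ = range(18000, 20001, 100)   # assumption: band to scan, not from the post

def goertzel_amplitude(samples, freq):
    """Estimate the amplitude of one frequency with the Goertzel algorithm."""
    coeff = 2 * math.cos(2 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2
    return math.sqrt(max(power, 0.0)) / (len(samples) / 2)

def scan(samples, threshold=0.01):
    """Return (start_seconds, freq_hz, amplitude) for each frame whose
    strongest tone in BAND_HZ is at or above the threshold."""
    hits = []
    for start in range(0, len(samples) - FRAME + 1, FRAME):
        chunk = samples[start:start + FRAME]
        freq = max(BAND_HZ, key=lambda f: goertzel_amplitude(chunk, f))
        amp = goertzel_amplitude(chunk, freq)
        if amp >= threshold:
            hits.append((round(start / SAMPLE_RATE, 2), freq, round(amp, 3)))
    return hits

def constructed_recording(high_tones):
    """Constructed input: a loud 440 Hz tone, plus one faint high tone
    per 0.1 s frame (None means no high tone in that frame)."""
    out = []
    for f in high_tones:
        for i in range(FRAME):
            t = i / SAMPLE_RATE
            x = 0.5 * math.sin(2 * math.pi * 440 * t)
            if f is not None:
                x += 0.05 * math.sin(2 * math.pi * f * t)
            out.append(x)
    return out

if __name__ == "__main__":
    print(scan(constructed_recording([18500, 19500, 18500])))
    print(scan(constructed_recording([None, None, None])))
```

A high tone that hops between frequencies from frame to frame, as in the first constructed recording, is what modulated data looks like to this scan. On real recordings the tones will not line up with frame boundaries, so apply a window function to each frame before trusting the amplitudes.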
Future Developments
As you might have realized, ultrasonic tracking is something that’s likely to recur in other ways in the future. The technology in question is not all that innovative. In fact, there have been several talks on the notion (for instance, https://www.usenix.org/conference/woot14/workshop-program/presentation/deshotels) as well as some discussion about how malware can be used to exfiltrate information from air-gapped networks in the same way. And, of course, there is the example of the 20th-century modem, which we discussed earlier.
Becoming aware that microphones and speakers are potential threats to our privacy is a good first step, as is taking control of the networks to which your computers and phones are attached. The more of your systems and networks that you explicitly control, the fewer of them will be available for other people to track without your knowledge.
Remember, tracking can only happen with your cooperation, whether you realize it or not. By refusing to cooperate with those who are trying to track you, you can greatly hamper the amount and kind of information that they are able to collect about you, your behavior, and your assets.
About the Author
Eric is a consultant at Brown Hat Security and guest blogger at AlienVault.