Eskenzi PR ad banner Eskenzi PR ad banner
  • About Us
Thursday, 21 September, 2023
IT Security Guru
Eskenzi PR banner
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

Ultrasound Tracking Beacons Making Things Sort of Creepy For Consumers

by The Gurus
November 27, 2015
in News
Share on FacebookShare on Twitter

Ultrasound is supposed to be our friend. However, the security world was made aware last week of a technology being used by an outfit named “SilverPush” that is utilizing a new and unusual method for tracking mobile phone users with ultrasound signals. The basic story is that the company is embedding a tracking beacon in advertisement audio using ultrasound frequencies that are outside of the range of human hearing. The microphone on a cell phone picks up the ultrasonic sound, and an app on the phone that’s built to listen for that kind of tone decodes it and sends it on to the company doing the tracking.
This all sounds a little bit creepy, which even the CEO of SilverPush admitted when the story originally came out last year. Ultrasound tracking happens in a way that most consumers would not notice unless they have a cat or dog that suddenly starts acting strange during certain commercials or when they visit certain sites, because their more-sensitive ears can pick up the tones of the attempted data transmission while human ears cannot. This scenario is not science-fiction, but actual reality.

How this works

News stories about ultrasound tracking almost all quote the same sound bite [1].
When a user encounters a SilverPush advertiser on the web, the advertiser drops a cookie on the computer while also playing an ultrasonic audio through the use of the speakers on the computer or device. The inaudible code is recognized and received on the other smart device by the software development kit installed on it. SilverPush also embeds audio beacon signals into TV commercials which are “picked up silently by an app installed on a [device] (unknown to the user).” The audio beacon enables companies like SilverPush to know which ads the user saw, how long the user watched the ad before changing the channel, which kind of smart devices the individual uses, along with other information that adds to the profile of each user that is linked across devices.
This explanation might be a little on the obscure side, but to folks who remember the good old days of telecommunications, it may seem familiar: ultrasound tracking functions in a manner that is very similar to old-school modems, especially those that used an acoustic coupler.
For these modems to work, a computer would modulate (that is, vary in frequency) an audio tone, which would be played into a speaker in the half of the coupler that was connected to the telephone handset’s microphone. The receiving computer would receive the tones via its coupler’s microphone, underneath the speaker of the receiving phone’s handset. That computer would then demodulate the tones and convert them back into the original data.
Old-school modems used audio-frequency tones, the sounds you’d hear if you picked up a phone extension when someone was on the line back in the old days. This was done mostly out of convenience; because telephone lines and handsets were optimized for human voice frequencies, noises that were outside of that band were likely to be dampened and less able to be transmitted.
Ultrasound tracking technology operates along very similar lines, except that the modulation of the information takes place at the time the ad is created, and its demodulation happens in your phone.
Given that even early modems were capable of transmitting information at 300 bits per second – while later, more advanced ones got as fast as 56,000 bits per second – the amount of data that can be sent in a couple of seconds of ad time is more than enough time to transmit some unique, trackable values. For instance, advertisers could use 128-bit universally unique identifiers (UUID) and transmit a series of them over the course of a TV spot to see how many of these are picked up by the receiving app on a phone. This can allow them to identify how long the phone (and by extension, the viewer) was “watching” the ad before they changed the channel.
Similarly, encoding a unique value into a web ad would tie an individual ad impression to a specific mobile device that is close to the computer that the ad was displayed on. Site-to-site tracking could be enabled by displaying similar ads on other sites, and then matching the entries with the phone that picked them up. In addition, if the ad’s audio repeats, then the time a user spends on individual website pages can also be measured.
Central Dependency
However, this all depends on an appropriate app being installed on a smartphone, one that contains SilverPush’s libraries that listen for such ultrasonic tone sequences and decode them.
While at this time I’ve not found a list of SilverPush’s specific clients, there are various companies out there that do admit to affiliation with them. For instance, “mobyaffiliates” has a page that talks about their capabilities as part of their affiliate network. In addition, the Google Play store has a test app provided by SilverPush directly: https://play.google.com/store/apps/details?id=com.silverpush.democrossdevice&hl=en
If your phone does not have an app that contains SilverPush’s code, then they won’t be able to track you through this method. However, finding out which apps have that code may prove to be difficult, since it’s not likely that SilverPush will publicize which apps have this type of listening code embedded.
How To Stop It
First, if at all possible, avoid installing any apps that request microphone permission as part of their installation. Preventing apps from accessing the microphone on your Smartphone nullifies this avenue of tracking entirely. You can check the permissions each app has on Android by going to the Setup menu, selecting ‘Apps’, and then looking down the list of each app you have installed; there’s a section at the bottom for permissions. Similarly, on iOS, you can check these via the Settings menu, and checking ‘Privacy’.
Second, blocking ads on your computer would prevent them from playing audio over your computer’s speakers. Wearing headphones or keeping a computer’s sound off when you’re not specifically using it would also prevent the tracking; if the speakers are off, they can’t transmit ultrasonic information. TVs are a little harder to mitigate, but muting the sound when ads come on would help.
Third, if you have the capability, put your mobile device on a VPN that blocks advertising and tracking domains. If you have control over the network, then you can prevent it from being used to track your phone. My previous blog entries here talk a bit about how to accomplish this, using general adblocking via DNS. There’s other ways to go about it as well, and a good network administrator can shape traffic any number of ways to discourage tracking.
Trying to jam an ultrasonic tracking signal with other ultrasonic sounds might work, but it’s likely to drive all the cats and dogs in the neighborhood crazy with the noise, so this tactic would probably not be the best idea.
Future Developments
As you might have realized, ultrasonic tracking is something that’s likely to recur in other ways in the future. The technology in question is not all that innovative. In fact, there have been several talks on the notion (for instance, https://www.usenix.org/conference/woot14/workshop-program/presentation/deshotels) as well as some discussion about how malware can be used to exfiltrate information from air-gapped networks in the same way. And, of course, there is the example of the 20th-century modem, which we discussed earlier.
Becoming aware that microphones and speakers are potential threats to our privacy is a good first step, as is taking control of the networks to which your computers and phones are attached. The more of your systems and networks that you explicitly control, the fewer of them will be available for other people to track without your knowledge.
Remember, tracking can only happen with your cooperation, whether you realize it or not. By refusing to cooperate with those who are trying to track you, you can greatly hamper the amount and kind of information that they are able to collect about you, your behavior, and your assets.
About the Author
Eric is a consultant at Brown Hat Security and guest blogger at AlienVault.

FacebookTweetLinkedIn
Tags: adadvertadvertisementAlienVaultbeaconbrownhatdatadata brechdeviceeric randexfiltrationmicrophonemobilemodemSharingsilverpushsoundSurveillancetappingtrackingtransmissionultrasoundultrasound beaconsuntrasound tracking
ShareTweet
Previous Post

Retailers Struggling to Cope with IT Complexity

Next Post

Some Raspbery Pi Devices Found to Have Weak SSH Hot Keys

Recent News

WatchGuard

WatchGuard acquires CyGlass for AI-powered network anomaly detection

September 21, 2023
'open' sign on window ledge

SME Cyber Security – Time for a New Approach?

September 21, 2023
Keeper Security Logo

Keeper Security Named a Market Leader in Privileged Access Management (PAM) by Enterprise Management Associates

September 21, 2023
Synopsys leader in AppSec

Synopsys Recognised as a Leader in Static Application Security Testing by Independent Research Firm

September 20, 2023

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

This site uses functional cookies and external scripts to improve your experience.

Privacy settings

Privacy Settings / PENDING

This site uses functional cookies and external scripts to improve your experience. Which cookies and scripts are used and how they impact your visit is specified on the left. You may change your settings at any time. Your choices will not impact your visit.

NOTE: These settings will only apply to the browser and device you are currently using.

GDPR Compliance

Powered by Cookie Information