Smartphones and laptops with microphones can be hacked to carry out commands via high-frequency audio beacons
Have you ever looked at an item on a shopping website and then been followed by adverts for it across every website you visit afterwards? Ever wondered how this happens?
According to cybersecurity researchers from University College London, University of California, Santa Barbara and Politecnico di Milano, this is the power of inaudible ultrasound technology, which is commonly used by advertisers. It can easily be misused by cyber criminals to hack into nearby devices.
This kind of ultrasound technology has mainly been used as a way for marketers and advertisers to identify and track people exposed to their messages, like a cross-device cookie, by inserting inaudible, high-frequency sounds in TV commercials and web browser ads. These sounds can be picked up by any nearby device that has a microphone when the ads play, and browser cookies can then link a single user to all their devices and track which adverts they watch.
Known as ultrasonic cross-device tracking (uXDT), the technology is also used in local proximity shopping reward apps that offer customers promotions and discounts as they walk past a shop in a mall or specific shopping passages.
However, the technology violates consumer privacy rights. In March, the U.S. Federal Trade Commission (FTC) sent warning letters to 12 app developers who used ultrasound for cross-device tracking even when the apps were not turned on. This means that the apps could gather information about users without their awareness.
“Any app that wants to use ultrasound needs access to the full range of the microphone,” Vasilios Mavroudis, a doctoral researcher at UCL and UC Santa Barbara, told New Scientist magazine. “Ultrasound beacons don’t have specs yet. There are no rules about how to build or connect ultrasound beacons. This is kind of a grey area where no one wants to take responsibility.”
The researchers say that it gets worse: an attacker could very easily exploit uXDT frameworks to determine the actual IP addresses of users who are trying to keep their web traffic private by using the Tor anonymity network or virtual private networks (VPN).
The researchers will be presenting their work at the Black Hat Europe 2016 security conference in London on November 3, where they plan to demonstrate how it is possible for a hacker to walk into a popular coffee shop when it is busy and, with just a single ultrasound-emitting beacon, hijack the devices of all customers who have uXDT-based shopping reward apps installed on their smartphones.
To date, the researchers say that no extensive security analysis of uXDT has ever been released. They advise that developers and consumers implement countermeasures to avoid being spied on via ultrasound. The first is an ultrasound-filtering browser extension for Google Chrome that blocks any website-embedded beacons from sounding. The second is a patch for Android devices that means users have to opt in to pick up ultrasound beacons and audible sound separately when they give an app permission to use their microphone.
Consumers can also protect themselves by downloading a mobile app that aims to sniff out any ultrasound beacons and warn the user that they could be being snooped upon, or by adding a browser extension that acts as a personal firewall to filter out ultrasonic beacons unless they have been clearly approved.
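The kind of check a beacon-detecting app could run on microphone input, shown as an added example that is not the researchers' code: it measures how much of one audio frame's energy sits in a single near-ultrasonic frequency bin. The 18-20 kHz band, the 44.1 kHz capture rate, the frame size and the threshold are all assumptions, since the article gives no beacon specification.

```python
import math

RATE = 44100                 # assumed capture rate in Hz
FRAME = 1024                 # assumed samples per analysis frame
BAND_HZ = (18000, 20000)     # assumed beacon band, above most adult hearing
THRESHOLD = 1e-4             # assumed: share of frame energy in one bin (-40 dB)

def goertzel_power(samples, k):
    """|DFT bin k|^2 of the frame, computed with the Goertzel recurrence."""
    coeff = 2.0 * math.cos(2.0 * math.pi * k / len(samples))
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def scan_frame(samples, rate=RATE):
    """Return (detected, peak_hz, fraction) for one frame of float PCM."""
    n = len(samples)
    energy = sum(x * x for x in samples)
    if energy == 0.0:
        return (False, 0.0, 0.0)          # digital silence, nothing to measure
    lo = math.ceil(BAND_HZ[0] * n / rate)
    hi = math.floor(BAND_HZ[1] * n / rate)
    power, k = max((goertzel_power(samples, k), k) for k in range(lo, hi + 1))
    # A pure tone centred on a bin has power (n/2)*energy, so fraction is ~1.0
    # for an in-band tone alone and near 0 when the band is empty.
    fraction = power / (n / 2 * energy)
    return (fraction >= THRESHOLD, k * rate / n, fraction)

def tone(freq, amp, n=FRAME, rate=RATE):
    """Constructed test signal: a plain sine wave."""
    return [amp * math.sin(2 * math.pi * freq * i / rate) for i in range(n)]

# Constructed input: an audible 440 Hz tone, alone and with a quiet
# 18.5 kHz tone (5% of its amplitude) mixed in.
CLEAN = tone(440, 1.0)
TAGGED = [a + b for a, b in zip(CLEAN, tone(18500, 0.05))]

if __name__ == "__main__":
    for name, frame in (("clean", CLEAN), ("tagged", TAGGED)):
        detected, hz, frac = scan_frame(frame)
        print(f"{name}: detected={detected} peak={hz:.0f} Hz fraction={frac:.2e}")
```

A single flagged frame is weak evidence, because ordinary sounds can also carry energy above 18 kHz; a real detector would look for a narrow tone that persists over many consecutive frames.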