Skip to content
Naked Security Naked Security

BadBIOS is back – this time on your TV

What do you think about an ultrasonic "data cookie" embedded in TV ads? The idea is that your phone can listen out for it and call home to report that you saw the commercial.

The Federal Trade Commission (FTC) is the offical consumer watchdog in the USA.

As you can imagine, the FTC is particularly interested in dodgy marketing practices.

These days, that doesn’t only involve accuracy and fairness, but also covers issues such as how personal information about potential customers is collected and used.

For example, in recent months, the FTC has acted against a range of online activities that it has deemed devious, deceptive or dishonest, such as:

Where next?

Today, the FTC is holding a workshop in Washington DC entitled Cross-Device Tracking.

Tracking you via your browser, or by means of a mobile app, is fairly straightforward, for example by setting a browser cookie, or using a unique identifier in the app.

Even if marketers don’t know who you are, they can target you more effectively with ads (or so that say, at any rate) if they know something about your interests and your product preferences.

And if they can feed you ads that are more likely to work, they can charge their customers more, and everyone is happier, including you (or so they say).

But tying together those identifiers between different devices is altogether more difficult.

You might have a cookie code of LNT67QT­ABZID in Firefox on your Windows laptop, but an advertising identifier of 13N5TSD­FFYHT on your mobile phone.

To an online marketing company, that’s effectively two people – unless and until they figure out that the same person is denoted by both those codes.

Once they’ve done that, each code can stand in for the other, so both your laptop and your mobile activities can be tied back to you from then on.

Obviously, if you login to the same service as the same user on two different devices, that lets a service provider associate both those devices to you.

Likewise, a company might offer you a free service such as Wi-Fi, redemeed via a code that is SMSed to your phone, which lets them tie your laptop and phone together in future.

The FTC refers to this as deterministic tracking, because there is an explicit element to it, and there is at least some opportunity for you to give informed consent.

Probabilistic tracking

More worrying is so-called probabilistic tracking, where what you do and how you do it – such as device type, operating system version, screen resolution and IP number – is used to infer which devices probably have a common user.

As the FTC points out:

Such "probabilistic" tracking is generally invisible to consumers and, unlike tracking through cookies, the consumer has no ability to control it. Accordingly, this practice raises a number of privacy concerns and questions.

Inaccuracy is perhaps as much of an issue in systems of this sort.

A company could use all sorts of measurements, such as how you move your mouse, the way you type, and many other digital flourishes, as if they offered identification, not merely supposition.

And then, of course, they could sell on these unreliable “identifications” to third-party companies, where they might end up working against you in an almost Kafkaesque way.

BadBIOS is back

One of the most intriguing – and perhaps the most outlandish – technique for cross-device tracking is mentioned in the public comment submitted to the FTC’s workshop by the DC-based Center for Democracy and Technology (CDT).

The CDT makes reference to an Indian company that claims to offer a TV-to-smartphone tracking system that works, if you can believe it, using ultrasound.

Just like the BadBIOS controversy from late 2013, which was supposed to be hardware-level malware that could steal data even across a so-called network “air gap,” such as the one that exists between the average TV and smartphone.

The idea is that you can use regular audio waves to transmit data between two computers that have no other sort of network connection.

In the early days of modems, this technique was quite common, using an acoustic coupler that played modem tones directly into the mouthpiece of a regular telephone to transmit data from a remote site.

But BadBIOS introduced a new twist: unlike a landline voice telephone, modern devices have loudspeakers and microphones that are capable of producing and recording sounds at frequencies beyond the range of a normal human ear.

In theory, then, or at least in the laboratory, a even a computer (or a TV) with no LAN connection, no Bluetooth and no Wi-Fi, could produce sounds that a co-operating device nearby could receive and interpret as data, and you wouldn’t be able to tell.

Unlike the telltale tones of a modem connection, such as you can hear in the jingle at the start of every Sophos Security Chet Chat podcast, high-frequency sounds may be “audible” to a mobile phone’s microphone, but undetectable to the human ear.

Ultrasound tracking

The company described in the CDT’s documents claims that its mobile app framework can detect ultrasonic data codes that you embed in the soundtrack of your TV ads.

The idea is that if a viewer’s phone is turned on, and in range of the TV, and they have one of your apps installed and running, you will be able to tell whether they saw your commercial.

You’ll even be able to tell whether they switched channels during the commercial, or fast-forwarded through it.

If they didn’t skip the commercial, of course, you still won’t know whether they actually watched it or not.

Unless – and who can say? – you have another app that can keep track of the viewer’s smart home devices and monitor water usage (e.g. a toilet flush) or power consumption (e.g. a kettle activation) to help you guess whether they used the commercial break for other households tasks.

As the CDT notes, the insidious aspects of this sort of tracking are that:

[The tracking company's] policy is to not "divulge the names of the apps the technology is embedded," meaning that users have no knowledge of which apps are using this technology and no way to opt-out of this practice.

There’s nothing fundamentally wrong with tracking TV viewers’ habits, whether by explicit network feedback from a smart TV, or by audio feedback from a non-networked TV, provided that they know it’s happening, have agreed to it, and know they can withdraw that agreement at any time.

But just the mention of ultrasound, even without its memories of the BadBIOS story, and of mobile apps that secretly use your microphone to detect inaudible content, does have a whiff of deceit about it.

If mainstream apps – we’re thinking of Skype, Facebook and others – are willing to come clean about whether they use this sort of technology or not, we’ll be able to defeat this sort of tracking by deciding which apps we trust with our microphone.

So we await the outcome of the FTC’s workshop with interest!

Will it actually work? Can inaudible ultrasonic frequencies make it to a viewer via the compression used by digital TV, for example? Audio compression relies on saving bandwidth by throwing out parts of the audio signal that don’t affect its clarity much, or even at all. Obviously, ultrasonic frequencies can unexceptionally be discarded altogether, because they have no effect on what a listener will hear. So broadcasters would, presumably, need to co-operate by using non-standard transmission encodings. We’re sceptical about the practicability of this system, but it is at least theoretically possible, and thus well worth considering at the FTC’s workshop, if only because it raises important issues about consent.

💡 LEARN MORE: BadBIOS malware explained ►

💡 LEARN MORE: Security and privacy on your phone ►

💡 FREE TRIAL: Sophos Mobile Control ►

Horror TV image courtesy of Shutterstock.


Know which apps you have installed, and which permissions you have assigned them.

But even that won’t work if your listening app has a bona fide reason for needing access to the mic.

If someone could build a wireshark-esque firewall into Android (albeit a rooted Android) to let us see which apps were sending what information back to where, that would be a fascinating story.


But if an app you liked that needed the microphone was up front about whether it used this particular “sneaky sonic surveillance” library…

…it would at least help you decide about trusting it.

Sniffing what goes back where is something security researchers do all the time (you can man-in-the-middle yourself with a tool like Burp, for example) but it’s still doesn’t tell you everything easily. If the traffic looks like garbage even after decryption and parsing with known tools, you may still need to reverse engineer the offending app to find out what it’s packaging and how.


Shazaam does not need ultrasound, so the above is also plausable without ultrasound.


Shazam listens to *audible* sound – the same audible sound you’re listening to – and matches it against a database of known audible sounds. The technology mentioned in the article is, by the vendor’s own admission, based on an “inaudible audio beacon”. That’s the sum total of tecnical information from the company’s website. My presumption that it is ultrasonic is based on the CDT’s document and various PR-type articles in the media that call it “ultrasonic” and have never been corrected by the vendor.

My remarks about audio compression being based around discarding components of the sound that don’t contribute much to what the average human ear would hear still holds even if these sounds aren’t ultrasonic. If they are indeed inaudible so you can’t hear that they’re there, a conventional, lossy audio codec would typically discard them from the data stream to save bandwidth.


All you need to sniff for an “inaudible audio beacon” is a microphone and an oscilloscope, something that would take me about five minutes to set up. Once I noticed a correlation between certain apps and presence of a signal, I would have to determine whether the signal was an analog sample of the background sounds or a digital packet identifying the background sound.

The analog case is easier. It’s simply the analog signal on an ultrasound carrier–exactly the same as a 1950s tape recorder. It’s instantly recognizable on the oscilloscope. Trivial to make a detection circuit and play it back audibly.

If the signal were digital, it would also be easily recognizable on an oscilloscope. It would take a few minutesto build a circuit to demodulate the signal–probably simple frequency-shift keying. Then capture the binary digital signal and figure out its meaning. That latter sentence is the only hard part.


You’ll just feel unsecure nowadays. With all of this applications that you can see everywhere like facebook, twitter, etc. They can easily track of your personal data and social media accounts to target you for their advertisement. Good to know that not only computers but mobile phones are being used for this kind of marketing. So this ultrasound tracking can be done with an application now giving us the hint of what a TV Viewer is watching at the moment? Quite impressive but scary at the same time. That only means we don’t have privacy on this world anymore.


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!