A new type of attack should make Tor users – and countless dogs around the world – prick up their ears. The attack, revealed at BlackHat Europe in November and at the 33rd Chaos Computer Congress the following month, uses ultrasounds to track users, even if they are communicating over anonymous networks.
The attack uses a technique called ultrasound cross-device tracking (uXDT), which made its way into advertising circles as early as 2012. Marketing companies running uXDT campaigns will play an ultrasonic sound, inaudible to the human ear, in a TV or radio ad, or even in an ad delivered via a computer browser.
Although the user won’t hear it, other devices such as smartphones using uXDT-enabled apps will be listening. When the app hears the signal, it will ping the advertising network with details about itself. What details? Anything it asks the phone for, such as its IP address, geolocation coordinates, telephone number and IMEI (SIM card) code.
That’s creepy enough in marketing. Now, advertisers can tell what TV or radio ads you’ve been listening to, matching them with the universe of other information they have about you from your web searches, social media activity and emails.
It’s a short step from there to find out what websites you surfed on your phone afterwards and flesh out your profile. Oh? You saw that TV ad for our dating site and then you went to visit it? Good to know. Thanks ever so much for your phone number and location, by the way.
Marketers could perhaps even tell what physical locations you visited, because uXDT is also used for proximity marketing, in which beacons are played in locations such as stores, for example.
Tor blimey
It gets creepier still when you see the demo from Vasilios Mavroudis, one of a six-person team researching this topic. He worked out how to use the technique to unmask Tor users. Here’s the full video. The money shot where he pwns the anonymous user begins at 19:05.
How did he do it? An adversary creates a campaign with a uXDT service provider and obtains an ultrasonic signal file, known as a beacon. They then create a site on the Tor network that secretly plays the beacon. When the victim visits the site anonymously using the Tor browser, a uXDT-enabled app running on their nearby smartphone picks up the signal and phones home to the uXDT service provider, which then relays all its details to the adversary. Suddenly, the Tor user isn’t anonymous any more.
This is a significant threat to online anonymity. The attack could unmask more than just Tor users. Any other anonymous network user could be targeted by luring them to a site with a beacon on it – or by using a cross-site scripting attack to run JavaScript that plays it on someone else’s site.
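A defender-side check for the beacon described above, as an added example that is not from the original article or from the researchers: it scans an audio buffer for a persistent narrow tone near the top of the audible range. The 18–20 kHz band, the thresholds and the sample signals are assumptions constructed for illustration, since the article gives no frequencies.

```python
import math

RATE = 44100               # Hz; assumed sample rate of the captured audio
FRAME = 512                # samples per analysis frame (~86 Hz resolution)
BAND = (18000.0, 20000.0)  # assumed near-ultrasonic band (not stated in the article)
MIN_POWER = 2.5e-5         # assumed threshold: a tone of amplitude ~0.01 on a [-1, 1] scale
MIN_FRAMES = 0.5           # tone must persist in at least half of the frames

def goertzel_power(frame, k):
    """Normalised power |X[k]|^2 / N^2 of DFT bin k, via the Goertzel recurrence."""
    coeff = 2.0 * math.cos(2.0 * math.pi * k / len(frame))
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return (s1 * s1 + s2 * s2 - coeff * s1 * s2) / len(frame) ** 2

def scan(samples):
    """Return (flagged, peak_hz, fraction_of_frames_with_a_tone_in_BAND)."""
    bins = range(math.ceil(BAND[0] * FRAME / RATE), int(BAND[1] * FRAME / RATE) + 1)
    hits, frames, votes = 0, 0, {}
    for start in range(0, len(samples) - FRAME + 1, FRAME):
        frame = samples[start:start + FRAME]
        power, k = max((goertzel_power(frame, k), k) for k in bins)
        frames += 1
        if power >= MIN_POWER:
            hits += 1
            votes[k] = votes.get(k, 0) + 1
    if not frames:
        return False, None, 0.0
    fraction = hits / frames
    peak_hz = max(votes, key=votes.get) * RATE / FRAME if votes else None
    return fraction >= MIN_FRAMES, peak_hz, fraction

def tone(freq, amp, seconds):
    """Constructed test signal: a plain sine wave."""
    return [amp * math.sin(2 * math.pi * freq * n / RATE) for n in range(int(seconds * RATE))]

# Constructed inputs: audible-only audio, and the same audio with a quiet 18.5 kHz tone mixed in.
clean = [a + b for a, b in zip(tone(440, 0.5, 0.5), tone(3000, 0.2, 0.5))]
tagged = [a + b for a, b in zip(clean, tone(18500, 0.05, 0.5))]

if __name__ == "__main__":
    print("clean :", scan(clean))
    print("tagged:", scan(tagged))
```

The persistence requirement keeps a single click or transient from being reported as a beacon; real content would need the band and thresholds tuned against the playback device's actual frequency response.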
Attack scenarios
The beacon could be injected into more than just a website, so how might law enforcement use it? Playing it in online videos would enable authorities to find out who was listening to them, where, and when. BleepingComputer points out that authorities could use this to track people watching child sex abuse content rather than simply infecting them with malware via compromised sites, as they have done in the past.
Companies might also have a need for this technology outside marketing. Presumably, tailored files on peer-to-peer networks could also track folks illegally downloading copyrighted movies.
State actors could also use the tech to track dissidents in oppressed countries. Simply delivering a voicemail played on a speakerphone might be enough to give away a person’s location and identity. Presumably, playing such signals over loudspeakers would make it relatively easy to identify large numbers of people at public gatherings, too.
Bad apps
Of course, all this relies on you having the listening software on your phone in the first place, but that might not be as difficult as you’d think. It is typically provided as a development framework, meaning that the code finds its way into third-party applications.
The only clue that you’re running the software might be when the app containing it asks for access to your microphone. But then, lots of apps such as voice messaging or music discovery apps legitimately use microphones. And let’s face it, many users simply don’t pay attention to what they’re giving up when all they want to do is install the latest dodgy ripoff of Crossy Road or Flappy Bird.
This is not the first time that people have proposed evil audio tinkering with smartphones. French hackers demonstrated how to control Siri using nearby radio waves two years ago, but a favourite is still the use of human-audible video to manipulate voice-activated assistants on phones and tablets, which could be used to open websites or call numbers. We’re still waiting for infected YouTube videos to appear, or for someone to get enough live broadcast airtime to wreak havoc.
It all goes to show that however secure you think you are, there’s always another step. Zuck had it right when he taped over his computer’s webcam, but perhaps he just didn’t go far enough.
Andrew Ludgate
There’s a few things to keep in mind with this attack:
1) The user must be using a uXDT-enabled app on their phone
2) The user must have given the app access to the microphone
3) The user must have their phone somewhere where it can pick up the signal
4) The beacon must be embedded such that it will play when the user visits the site. Or in the case of content with audio played back later, that audio must include the beacon.
5) The user must have audio enabled, and playing through their speakers (not headphones)
With all of these restrictions, the attack is possible, but also guaranteed not to work most of the time. So if the attacker wants a sampling of usage, it works quite well (as in advertising). If the attacker is trying to get specific information out of specific people, they’re going to have to ensure quite a number of variables are in place — by which point, they’ve probably got enough control over the situation to not need this attack in the first place.
Stephen
https://www.google.com/amp/s/www.theregister.co.uk/AMP/2016/11/04/marketing_privacy/
Any plans to add anti-uXDT into Sophos at the network level?
They have done it via browser plugins… would be nice if Sophos could block both signals and call home attempts from devices.
cyberviking
A dissident could simply turn off his phone and put it in a locker in another room. Or if real paranoid, take out the phone’s battery to be safe. I do not think “Joe Does” does this, but smart terrorists and smart crooks will do, now that they know this thanks to the media and the researchers who are so proud of having found this out and can’t keep their mouths shut about it ;)
Clemens
I don’t agree with this attitude. It is the same as prohibiting or weakening encryption because the bad guys could use it. And we know that this is a bad idea.
Chuck
I guess you could disable your mic and speakers but that’s not much fun…..Or wrap your phone in aluminum foil, haha! But how about other cell phones around the house? I didn’t know that this was being used to identify people already in normal browsers. It is amazing the lengths that advertisers will go to track you. And I thought browser fingerprinting was pretty sneaky!