The researchers who exposed the ways in which ultrasonic signals can be used to track users across devices have released a patch for Android that helps users protect themselves against the silent tracking.
The patch is designed to give users more control of which apps on their devices have access to the ultrasonic spectrum, which is what the tracking systems need. Once installed, the patch will allow users to allow or deny access to that spectrum on an app by app basis. Patching Android is a simple step to address a highly complex problem that involves advertisers, technology providers. regulators, and users.
Ultrasonic tracking is a relatively unknown issue, especially among users. A handful of technology companies have developed systems that can use code embedded in mobile apps to receive and interpret inaudible signals emitted by ads on TV. The system is designed to allow marketers to pair users with their various devices and gather data on their activities and, therefore, serve them more accurate ads.
A team of researchers from the University of California at Santa Barbara and University College London last week presented new research that shows the extent of the tracking and how attackers could exploit a tracking framework in order to essentially poison a user’s profile built by an advertiser.
“These profiles are built based on a variety of factors often including the ads that the user has previously seen. Given that the attacker can push beacons to the victim’s device, it can consequently influence the profile corresponding to the user. The degree that the attacker can ‘corrupt’ this profile and what he can do with it, depends on how each company has implemented this mechanism,” Vasilis Mavroudis, a PhD student at UCL and one of the researchers involved in the work, said.
The research team on Monday released the Android patch to the Android Open Source Project and it can be downloaded from the team’s site. However, individual users have to rely on their carriers to include the patch in their Android distributions and then send them out in updates. The researchers also are planning to release a browser extension that will prevent browsers from sending out the ultrasonic tracking signals. But they also say that there are policy level decisions that need to be made on this kind of tracking.
“Decision and policy makers should agree on what’s the next step in terms of regulations and standardization, OS vendors and developers should integrate support for ultrasound beacons to provide a transparent API (e.g., like for other physical and data layers such as Bluetooth), and finally developers should adopt such API,” the researchers said.