PINDROP BLOG

Silently Tracking Users With Ultrasonic Beacons

As consumers have begun using ad blockers in greater numbers, skipping TV ads with DVRs, and generally looking for any possible way to avoid advertising, technology providers and marketers have been trying to find new methods to get their messages in front of potential buyers. One of the newer methods uses ultrasonic signals in ads to track users across multiple devices, and security researchers are working on innovative methods to defeat this system.

The ultrasonic tracking method relies on inaudible signals embedded in TV commercials or other ads that can then be picked up by code in an app on a user’s phone, tablet, or other device. The idea is to match users with their devices and ensure that the advertisers’ messages are finding them, wherever they are. There are several companies using this technology, including SilverPush, an Indian firm whose code is in a number of mobile apps. The FTC in March sent letters to several developers warning them that they need to disclose to users that their apps include the audio beacon technology.

“For example, the code is configured to access the device’s microphone to collect audio information even when the application is not in use. Moreover, your application requires permission to access the mobile device’s microphone prior to install, despite no evident functionality in the application that would require such access,” the letter says.

“Upon downloading and installing your mobile application that embeds Silverpush, we received no disclosures about the included audio beacon functionality — either contextually as part of the setup flow, in a dedicated standalone privacy policy, or anywhere else.”

This week, researchers from University College London will present new research on ultrasonic cross-device tracking that will show how an attacker can exploit problems with the tracking frameworks to de-anonymize users on VPNs or Tor and find their IP addresses.

“For example, an attacker equipped with a simple beacon-emitting device (e.g., a smartphone) can walk into a Starbucks at peak hour and launch a profile-corruption attack against all customers currently taking advantage of uXDT-enabled apps,” the researchers’ abstract for Black Hat Europe says.

Vasilios Mavroudis, one of the researchers who did the work, and a PhD student at UCL, said in an email that the attack they outline in the paper would involve poisoning a victim’s profile maintained by one of the advertisers who use ultrasonic tracking.

“The idea is based on the fact that most advertising companies are maintaining interest (and usually behavioral) profiles for users. These profiles are built based on a variety of factors often including the ads that the user has previously seen. Given that the attacker can push beacons to the victim’s device, it can consequently influence the profile corresponding to the user. The degree that the attacker can “corrupt” this profile and what he can do with it, depends on how each company has implemented this mechanism,” Mavroudis said.

One of the issues that the FTC and privacy advocates have with the use of ultrasonic tracking is that users generally have no idea that it’s occurring. The signals are inaudible and some of the apps that use it don’t disclose its presence, making it nearly impossible for users to understand the risks or potential privacy issues. The UCL researchers plan to present some defensive measures that can help users, as well, including a browser extension that will detect and filter ultrasonic beacons. They also developed a fix for Android that can force apps to ask for permission to use the ultrasonic spectrum.

“Unfortunately, the patch cannot be easily applied by “everyday” users, but the open source community and google can use it to incorporate this new permission to the operating system by default,” Mavroudis said.

This story was updated on Oct. 31 to add comments from Mavroudis.

Image: Brett Jordan, CC By 2.0 license.

Webinar: TACKLING THE 113% FRAUD INCREASE IN CALL CENTERS