Cybersecurity researchers from University College London, University of California, Santa Barbara and Politecnico di Milano are warning that the inaudible ultrasound technology commonly used by advertisers can easily be misused in order to hack into nearby devices.
Advertisers and marketers have a new way to track and identify the people who watch their adverts: embedding inaudible, high-frequency sounds in TV commercials and web browser ads. When an ad plays, any nearby smartphone or tablet running an app that listens for these signals picks up the sound; combined with browser cookies, this lets the tracker pair a single user with all of their devices and record which adverts they watch.
The technology, known as ultrasonic cross-device tracking (uXDT), is also used in location-based shopping reward apps that offer customers promotions and discounts as they walk past a shop in a mall or down specific shopping aisles.
Privacy activists are already concerned that the technology violates consumer privacy rights by spying on people's TV and video streaming viewing habits, and in March the US Federal Trade Commission (FTC) sent warning letters to 12 app developers whose apps used ultrasound for cross-device tracking even when the apps were not open on the device.
"Any app that wants to use ultrasound needs access to the full range of the microphone," Vasilios Mavroudis, a doctoral researcher at UCL and UC Santa Barbara, told New Scientist magazine. "Ultrasound beacons don't have specs yet. There are no rules about how to build or connect ultrasound beacons. This is kind of a grey area where no one wants to take responsibility."
But it gets worse: the researchers say that an attacker could easily exploit uXDT frameworks to learn the real IP addresses of users who try to keep their web traffic private with the Tor anonymity network or a virtual private network (VPN). A beacon embedded in a web page that the victim loads over Tor is played through the computer's speakers, picked up by a uXDT app on a nearby phone and reported to the tracking service over the phone's ordinary internet connection, tying the supposedly anonymous browsing session to that device.
The researchers will present their work at the Black Hat Europe 2016 security conference in London on 3 November, where they plan to demonstrate how, with just a single ultrasound-emitting beacon, an attacker could walk into a busy coffee shop and hijack the uXDT-based shopping reward apps installed on every customer's smartphone.
The researchers say that, until now, no comprehensive security analysis of uXDT has been published. They propose three countermeasures for developers and consumers to avoid being spied on via ultrasound. The first is for Google to add a new permission to the Android mobile operating system, so that an app has to ask the user before it can listen on the ultrasound spectrum.
Consumers can also protect themselves with a browser extension that acts as a personal firewall, filtering out ultrasonic beacons unless they have been explicitly approved, or with a mobile app that sniffs for ultrasound beacons and warns the user that they may be being tracked.
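To make the beacon-sniffing countermeasure concrete, the following is an added example written for this page; it is not the researchers' code and not any vendor's beacon format. It assumes a deliberately simple beacon: binary frequency-shift keying between 18 kHz and 19 kHz carriers, 20 ms per bit, mixed at low amplitude under constructed advert audio. Real beacons are proprietary (as Mavroudis notes, there are no specs), so the carrier frequencies, symbol timing, beacon amplitude and detection threshold are all assumptions. The detector measures energy only at the candidate carrier frequencies with the Goertzel algorithm, which is what a lightweight on-device sniffer would do instead of running a full FFT on every buffer.

```python
import math
import random

SAMPLE_RATE = 44100              # Hz; a common phone microphone / TV audio rate
SYMBOL_SECONDS = 0.02            # one bit per 20 ms burst (assumed; real timings are proprietary)
FREQ_ZERO = 18000.0              # near-ultrasonic carrier for bit 0 (assumed)
FREQ_ONE = 19000.0               # near-ultrasonic carrier for bit 1 (assumed)
AUDIBLE_TONES = (440.0, 1000.0)  # stand-in for the audible programme the beacon hides under
SYMBOL_SAMPLES = int(SAMPLE_RATE * SYMBOL_SECONDS)  # 882 samples: both carriers land on exact DFT bins


def goertzel_power(samples, freq, rate=SAMPLE_RATE):
    """Normalised power of one frequency in `samples` (Goertzel algorithm).

    A beacon sniffer only cares about a few candidate carriers, so per-frequency
    Goertzel is cheaper than a full FFT. A pure tone of amplitude A sitting on a
    DFT bin returns about A*A/4; everything else returns close to zero.
    """
    n = len(samples)
    k = round(freq * n / rate)                       # nearest DFT bin for this frequency
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    power = s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2
    return power / (n * n)


def encode_beacon(bits, amplitude=0.05):
    """Binary-FSK beacon: each bit is one SYMBOL_SECONDS burst at FREQ_ZERO or FREQ_ONE.

    The low amplitude models a beacon meant to ride unnoticed under normal audio.
    This encoding is an illustrative assumption, not any vendor's real format.
    """
    out = []
    for bit in bits:
        f = FREQ_ONE if bit else FREQ_ZERO
        out.extend(amplitude * math.sin(2.0 * math.pi * f * i / SAMPLE_RATE)
                   for i in range(SYMBOL_SAMPLES))
    return out


def audible_programme(num_samples, amplitude=0.5, seed=1):
    """Constructed stand-in for a TV advert: two audible tones plus faint noise."""
    rng = random.Random(seed)                        # seeded so the example is deterministic
    out = []
    for i in range(num_samples):
        t = i / SAMPLE_RATE
        tones = sum(math.sin(2.0 * math.pi * f * t) for f in AUDIBLE_TONES)
        out.append(amplitude * tones / len(AUDIBLE_TONES) + rng.uniform(-0.01, 0.01))
    return out


def advert_with_beacon(bits):
    """Mix the constructed advert audio with an embedded beacon carrying `bits`."""
    beacon = encode_beacon(bits)
    return [a + b for a, b in zip(audible_programme(len(beacon)), beacon)]


def detect_beacon(samples, threshold=1e-4):
    """Sniff a captured buffer window by window; return the decoded beacon bits.

    An empty list means no near-ultrasonic carrier was found. The threshold is an
    assumption tuned to the constructed audio above; a real detector would
    calibrate it against the device microphone's noise floor.
    """
    bits = []
    for start in range(0, len(samples) - SYMBOL_SAMPLES + 1, SYMBOL_SAMPLES):
        window = samples[start:start + SYMBOL_SAMPLES]
        p0 = goertzel_power(window, FREQ_ZERO)
        p1 = goertzel_power(window, FREQ_ONE)
        if max(p0, p1) >= threshold:                 # a carrier is present in this window
            bits.append(1 if p1 > p0 else 0)
    return bits


def bits_to_int(bits):
    """Pack decoded bits (MSB first) into a beacon identifier."""
    value = 0
    for bit in bits:
        value = (value << 1) | bit
    return value


if __name__ == "__main__":
    beacon_id = [1, 0, 1, 0, 0, 1, 0, 1]            # constructed 8-bit beacon identifier (0xA5)
    found = detect_beacon(advert_with_beacon(beacon_id))
    print("beacon bits:", found, "id: 0x%02x" % bits_to_int(found))
    print("plain advert:", detect_beacon(audible_programme(SYMBOL_SAMPLES * 8)))
```

Run as a script it decodes the embedded identifier from the advert that carries a beacon and reports nothing for the plain advert, because the audible tones and noise leave almost no energy at the candidate carrier bins. The same per-window energy check is what the proposed browser extension would apply to a page's audio before letting it reach the speakers, dropping or muting windows that carry unapproved near-ultrasonic energy.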