Serious Hacks Possible Through Inaudible Ultrasound (newscientist.com)
An anonymous reader writes:
"High-frequency audio 'beacons' are embedded into TV commercials or browser ads," reports New Scientist. "These sounds, which are inaudible to the human ear, can be picked up by any nearby device that has a microphone and can then activate certain functions on that device...Some shopping reward apps, such as Shopkick, already use it to let retailers push department or aisle-specific ads and promotions to customers' phones as they shop."
But now Fortune reports that some apps "often actively listen for ultrasound signals, even when the app itself is closed, creating a new and relatively poorly-understood pathway for hacking." In addition, security researchers "have already found ways to mine cloaked IP addresses. Speaking to New Scientist, team member Vasilios Mavroudis suggests that an app's always-on microphone access could be leveraged to monitor conversations (and, if you're not paranoid already, to decipher what you're typing). The 'beacons' that transmit ultrasound data can also be spoofed to manipulate apps' user data."
There are lots of things that seem stupid until they are proven to work, and are being done.
Sometimes I wonder why my remote control refuses to obey my commands when the commercials on TV are running and I try to quickly zap away, coincidence? Maybe I'm just being paranoid - but sometimes these questions are worth raising so we don't just accept everything blindly.
What this world is coming to - is for you and me to decide.
Seems like it wouldn't work on many phones anyway. The last two versions of Android have doze, which prevents apps listening all the time (the "OK Google" detection is hardware based and inaccessible to apps). Many phones have the mic input designed to cut ultrasound too, for better recording quality.
Reminds me of those Bluetooth spamming devices you can buy. They claim to be effective but actually 99% of phones don't broadcast Bluetooth pairing requests or accept unrequested connections.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
There are lots of things that seem stupid until they are proven to work, and are being done.
But not this. Not ultrasound. Perhaps they use "signature sounds", but not in the ultrasound range:
Audio equipment is designed for human use. We hear up to about 20 kHz - ultrasound is above that. To avoid wasting bandwidth, nobody samples above 20kHz. (well, sometimes they sample higher frequencies for quality reasons and to allow simpler filter technology. But the higher frequencies are then removed before distribution.) Similarly, equipment does not play back beyond 20kHz either.
Any scheme using ultrasound would fail, due to most equipment failing to handle it. So no truly silent manipulation. They may, however, take advantage of how most people don't notice much above 16kHz or so - especially not if normal noise/music is playing at the same time.
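The frequency question debated in the comments above can be checked on a recording rather than argued. This added example (not part of the story or of any comment) scans the 17-21 kHz band of a captured frame for a narrowband tone using the Goertzel algorithm; the 44.1 kHz capture rate, frame size, 20 dB threshold and all function names are assumptions, and the test audio is constructed.

```python
import math
import random
import statistics

RATE = 44100   # assumed capture rate; tones up to RATE/2 = 22050 Hz are representable
FRAME = 4410   # 0.1 s frame, giving 10 Hz bin spacing

def goertzel_power(samples, freq, rate=RATE):
    """Squared amplitude of the tone at `freq`, via the Goertzel recurrence."""
    n = len(samples)
    k = round(n * freq / rate)              # nearest DFT bin
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return (s1 * s1 + s2 * s2 - coeff * s1 * s2) * 4.0 / (n * n)

def scan_high_band(samples, lo=17000, hi=21000, step=100, min_db=20.0):
    """Flag a narrowband tone standing min_db above the band's median power."""
    powers = {f: goertzel_power(samples, f) for f in range(lo, hi + 1, step)}
    floor = statistics.median(powers.values()) or 1e-30   # avoid divide-by-zero on silence
    peak = max(powers, key=powers.get)
    excess_db = 10.0 * math.log10(max(powers[peak], 1e-30) / floor)
    return excess_db >= min_db, peak, excess_db

def make_frame(beacon_hz=None, seed=1):
    """Constructed test audio: 440 Hz tone plus noise, optionally a faint high tone."""
    rng = random.Random(seed)
    frame = []
    for i in range(FRAME):
        t = i / RATE
        x = 0.5 * math.sin(2 * math.pi * 440 * t) + rng.gauss(0.0, 0.01)
        if beacon_hz:
            x += 0.05 * math.sin(2 * math.pi * beacon_hz * t)
        frame.append(x)
    return frame

if __name__ == "__main__":
    for label, frame in (("plain", make_frame()),
                         ("with 18.5 kHz tone", make_frame(18500))):
        found, peak, db = scan_high_band(frame)
        print(f"{label}: flagged={found} peak={peak} Hz excess={db:.1f} dB")
```

Comparing against the band's median rather than a fixed level keeps ordinary broadband hiss from triggering the flag, while a steady tone 20 dB quieter than the audible content still stands out.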