Serious Hacks Possible Through Inaudible Ultrasound

An anonymous reader writes: "High-frequency audio 'beacons' are embedded into TV commercials or browser ads," reports New Scientist. "These sounds, which are inaudible to the human ear, can be picked up by any nearby device that has a microphone and can then activate certain functions on that device...Some shopping reward apps, such as Shopkick, already use it to let retailers push department or aisle-specific ads and promotions to customers' phones as they shop."

But now Fortune reports that some apps "often actively listen for ultrasound signals, even when the app itself is closed, creating a new and relatively poorly-understood pathway for hacking." In addition, security researchers "have already found ways to mine cloaked IP addresses. Speaking to New Scientist, team member Vasilios Mavroudis suggests that an app's always-on microphone access could be leveraged to monitor conversations (and, if you're not paranoid already, to decipher what you're typing). The 'beacons' that transmit ultrasound data can also be spoofed to manipulate apps' user data."

What?

[Joce640k]

"High-frequency audio 'beacons' are embedded into TV commercials or browser ads," reports New Scientist. "These sounds, which are inaudible to the human ear, can be picked up by any nearby device that has a microphone and can then activate certain functions on that device..

Only in the dreams of the most tinfoil hatted idiots on the planet.

And slashdot editors, apparently.

Re:What?

[MindPrison]

There are lots of things that seem stupid until it is proven to work, and is being done.

Sometimes I wonder why my remote control refuse to obey my commands when the commercials on TV are running and I try to quicky zap away, coincidence? Maybe I'm just being paranoid - but sometimes these questions are worth raising so we don't just accept everything blindly.

Re:What?

[Joce640k]

Sometimes I wonder why my remote control refuse to obey my commands when the commercials on TV are running and I try to quicky zap away.

Have you tried wrapping it in tinfoil?

Re:What?

There are lots of things that seem stupid until it is proven to work, and is being done.

But not this. Not ultrasound. Perhaps they use "signature sounds", but not in the ultrasound range:

Audio equipment is designed for human use. We hear up to about 20 kHz - ultrasound is above that. To avoid wasting bandwith, nobody sample above 20kHz. (well, sometimes they sample higher frequencies for quality reasons and to allow simpler filter technology. But the higher frequencies are then removed before distribution.) Similiarly, equipment does not play back beyond 20kHz either.

Any scheme using ultrasound would fail, due to most equipment failing to handle it. So no truly silent manipulation. They may, however, take advantage of how most people don't notice much above 16kHz or so - especially not if normal noise/music is playing at the same time.

Re:What?

[AK+Marc]

What happens when these "ultrasound" sounds try to pass through high end speakers with bandfilters? My ribbon tweeters can destroy themselves with ultrasound, so they have low-pass bandfilters (and high-pass bandfilters, where the mids take over). So what speaker is passing these sounds, and why are they getting past my bandfilters? How about the crappy sound system in my car? The speakers are rated to 15 kHz, so how are they passing 20+ kHz sounds?

The reason this sounds absurd is because it is.

Re:Atomic Controls.

[AmiMoJo]

Seems like it wouldn't work on many phones anyway. The last two versions of Android have doze, which prevents apps listening all the time (the "OK Google" detection is hardware based and inaccessible to apps). Many phones have the mic input designed to cut ultrasound too, for better recording quality.

Reminds me of those Bluetooth spamming devices you can buy. They claim to be effective but actually 99% of phones don't broadcast Bluetooth pairing requests it accept unrequested connections.

Re:Atomic Controls.

[Dutch+Gun]

Another point I haven't heard anyone mentioning. It's possible these ultrasound beacons might be very uncomfortable for animals that have exceptional hearing range and sensitivity, such as seeing-eye dogs. If so, this sort of thing might actually run afoul of ADA laws.

Re:simple solution

[brantondaveperson]

have all the hardware manufuacturers of audio input & output chipsets filter out supersonic & subsonic frequencies before the rest of the machine even sees them?

As has already been mentioned, this is exactly what all existing audio recording hardware does. Anti-aliasing filters are placed in the analog path, before digitization, and they're normally set to cut off around 20Khz, since that's the upper limit of human hearing. Leaving these filters out results in unusable audio, they are an essential component of any analog-to-digital conversion of any sort. Unless you're talking about pro-level audio recording hardware, there is no way consumer cellphones can pick up actual "ultrasound". They can pick up signals encoded in audible audio in other ways, but that couldn't be filtered out, and it isn't ultrasound.

XPrivacy deny sensors permission

[emil]

For the moments that your phone is on, YOU decide if your apps can use the microphone.

This should be standard in the Android OS. Tells you something about Google that it's not.