Slashdot Mirror
Ultrasound Tracking Could Be Used To Deanonymize Tor Users (bleepingcomputer.com)
New submitter x_t0ken_407 quotes a report from BleepingComputer: Ultrasounds emitted by ads or JavaScript code hidden on a page accessed through the Tor Browser can deanonymize Tor users by making nearby phones or computers send identity beacons back to advertisers, data which contains sensitive information that state-sponsored actors can easily obtain via a subpoena. This attack model was brought to light towards the end of 2016 by a team of six researchers, who presented their findings at the Black Hat Europe 2016 security conference in November and the 33rd Chaos Communication Congress held last week. Their research focuses on the science of ultrasound cross-device tracking (uXDT), a new technology that started being deployed in modern-day advertising platforms around 2014. uXDT relies on advertisers hiding ultrasounds in their ads. When the ad plays on a TV or radio, or some ad code runs on a mobile or computer, it emits ultrasounds that get picked up by the microphone of nearby laptops, desktops, tablets or smartphones. These second-stage devices, who silently listen in the background, will interpret these ultrasounds, which contain hidden instructions, telling them to ping back to the advertiser's server with details about that device. Advertisers use uXDT in order to link different devices to the same person and create better advertising profiles so to deliver better-targeted ads in the future. The attack that the research team put together relies on tricking a Tor user into accessing a web page that contains ads that emit ultrasounds or accessing a page that contains hidden JavaScript code that forces the browser to emit the ultrasounds via the HTML5 Audio API.
My crappy Dell laptop speakers are limited to about 3 kHz.
ads couldn't be any fucking worse...
Too bad I block my adds.
Turn off your speakers?
The only microphone I have is the microphone in my Nokia N900 and I doubt the N900 and its ancient web browser could run any of whatever backend code has to listen for the special sound.
I doubt my crappy speakers can emit anything in that frequency. Even then, my phone's mic is not probably up to the task.
Besides, I'm sure those who are worried could buy/build a filter to remove audio in that frequency.
Anyone who's paranoid enough to use Tor should also be blocking ads and trackers in order to make this difficult. Tor isn't a magic bullet for privacy. you have to take other measures, too.
Also, this requires that other devices be listening and possibly compromised. It doesn't seem like other devices should be listening for ultrasonic signals and sending data based on them unless they've already been compromised.
Yes, it's been established that, with extreme skill, malware can jump the air gap. However, this requires a large degree of sophistication. Furthermore, even if people can't hear those signals, wouldn't they attract the attention of animals like dogs? And of they're of a high enough frequency that dogs can't hear them, shouldn't it be possible to generate enough ultrasonic noise to block out the signals? If this is a real threat, shouldn't someone be writing programs that produce garbage ultrasonic noise or devices that are designed specifically to look for these signals?
What devices/apps listen, and how do I disable them?
This requires both speakers and microphone that are capable of using that frequency range. How many actually are?
I understand this is theoretically possible but what speakers in these devices have powerful ultrasonic blasters? Unless they're doing some form of distance measuring, the majority of speakers is limited well under 18kHz with the response curve dropping sharply after that.
Custom electronics and digital signage for your business: www.evcircuits.com
explain to me why we even have browsers that allow javascipt to 'play audio' without permission in the first F***ing place?
The entire reason I started to use adblock in the first place (I 'theoretically' highly approve (both morally and economically, etc.) of ad-supported content) was because I worked phone support and could browse the internet while telling people to plug the cable back in and try rebooting.... and then I started to get NOTHING but flash ads that would play audio (while I was on the call) so I got firefox 0.x.x.x when it was released and got adblock plugin as soon as it was released.
To this day I still -want- to be able to allow ads.... but 3rd party ads are just too much of a 1) security risk 2) annoyance risk and 3) usability interruption risk (ads that redirect the page (especially on mobile)
and just wait.... HTML5 'all JS' pages will start to come soon (other than sites located in California which THANK the GODS has a law stating sites must be text browsable for usability (handicapped) reasons.... which ends up just helping everyone...
this is bullshit. a cop / law enforcement could use this to walk around and receive identity information without even needing to interferometry scan your brain/DNA/pocket book full of ID/credit cards/cellphone etc.
this also enables low tech citizens to perform the same feat. often times once a low tech person has info about you such as tracking ID, IP address, phone number, address, name, social security number, date of birth+location information, or email address they can take that to databases and find out mounds of information about you- basically all that data the companies have amassed about you, is retrievable with any identifiable information. NSA databases work the same way.
obamasweapon.com
This attack is not particularly practical in a real world setting, as it relies on other computers picking up on sounds being emitted from the anonymous computer. Knowing which computers are within listening distance of the anonymous computer implies that either the anonymous user's location is essentially already known, or else the listening program (malware?) has been deployed on an immense scale.
I understand how ads could emit these sounds, but how do advertisers install apps on your device to pick them up and phone home? Is this capability built into iOS and Android, or do they work with handset manufacturers?
Freedom to fear. Freedom from thought. Freedom to kill.
I guess the War on Terror really is about freedom!
They're installing software I don't know about on my phone/laptop, then using that software to send personal ID details to unknown servers. This has to fall under at least one of the myriad hacking laws we already have on the books.
Oh, I forgot. They donate more to congressclowns than I do.
You're our only hope :(
This attack model assumes there is an app on the phone able to listen all time for ultrasounds. Obviously granting microphone access to an app is dangerious and should not be taken lightly.
Why is ultrasound being preserved in compressed audio? Unless they are hinging on uncompressed au or wav formats?
Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
Yesterday security boiled down to installing virus scanners, firewalls, patching applications, adding add-blockers and no-script tools to browsers and email clients.
Now I have to add a filter to my drivers for the microphone and any speakers? What about HDMI "protected" content paths? What's to keep Disney from embedding a 'display more Disney ads' to the soundtracks on their DVDs?
(Also, how does this work if you use headphones? Will the sounds make it out?)
Clearly, this is now a problem with all the always-on listening devices that are now becoming wide spread! Barbie dolls that listen, Google, Amazon are listening all the time.
Then you have permissions given to websites, apps on other devices plus security holes for when permission is not given. Don't forget company policy changes which can turn allowed permissions against you without your knowledge (unless you are a lawyer and read updated user agreements... many which are broad and vague already.)
So now Google and Amazon know even more of what is going on in the house and can link your devices. Furthermore, they can link you to PEOPLE who come within range of the microphone. Your associations can be analyzed which means the NSA is going to use it (do you really believe they haven't forced their way into these systems somehow already?)
Google watch could notify where you are moving around which could provide their assistant context information to better understand your speech. They might have some useful things to do with it, I can't think of any so far where bluetooth couldn't do it better and more likely with our knowledge..... but would something less covert really matter if they did the same stuff? people don't seem to care.
Democracy Now! - uncensored, anti-establishment news
JavaScript code
Stop right there. That's all you have to say.
If you're trying to be anonymous and then letting unknown untrusted parties run scripts on your computer, you are (a) a colossal idiot, and (b) not actually anonymous at all. This is one of about a thousand ways to de-anonymize you. The details hardly matter: if it's not this, it's the next, or the next.
Turning javascript off by default is a good idea even if you are NOT trying to be anonymous, due to the endless stream of exploits it has enabled, but especially when you are trying to be anonymous, don't run that shit!.
I Tor with javascript disabled, and I'm not even a pedophile / drug dealer.
not to mention every device would need adaption or maleware. like a phone home and identify the unique sound signal and tie it to the individual via adoption route by tying it to the email you use and any other data they have from accounts. the malware log lots of info and phone home. ip and towers and more exact location via gps.
I guess gearing up everything to be capable of "high resolution" audio wasn't a total waste after all!
Certainly the ads have no idea if there is a device listening for them and will broadcast anyway. I suppose ultrasound detectors could detect the activity. Maybe you could spam with some conventional source of ultrasound to drown these devices with indecipherable noise. Or just the network approach, whatever.
phones' mics capture ultrasounds. This is not even nyquist at work (which of course trumps everything, but let's play along with this ULTRA! nonsense) since these transducers are not physically capable of reaching 'ULTRASOUND'.
That relies on people being stupid enough to leave compromised apps running on a machine with a microphone, and only tells you what broadcast coverage area the user is in... it's not like it narrows the location down that much! If you've got a compromised app constantly sending data over the internet, wouldn't it be easier to just trace the IP packets back to the source?
I've abandoned my search for truth; now I'm just looking for some useful delusions.
Can't do that because you are on a laptop? Too bad, you are screwed.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
A relatively simple, if not 100% secure solution. Download your favourite anonymizing live USB distribution and run it under a virtual machine with only the bare minimum of media support (e.g. disable any virtual sound card option). Enable at most a generic VGA video driver using a resolution different from your default monitor aspect or resolution. Run the browser with ad-blockading software and JavaScript white-listing only. The attacker will of course realize of course that you're using a VM.
Couldn't browsers defeat this fairly easily by muting tabs by default and notifying you when one wants to play a sound?
. . . to just station an observer within line of sight of your monitor? Or tap the stray EM coming off of monitor, keyboard and mouse? Or physically tap your hardware? Or ensure you've bought pre-compromised hardware? Or . . .
Alternatively you could just have an ad that screams "hey, this evil hacker is using evil hacking tools!" at full volume.
I certainly leave the volume on my computer turned up nice and high when I'm browsing questionable content in public.
... dogs bark during that goddam Weight Watchers commercial!
It little behooves the best of us to comment on the rest of us.
Plug headphones into laptop. Alternatively, get some old headphones, chop the jack off and plug that in.
My ism, it's full of beliefs.
Didn't I see this in the last Bourne movie? And here I thought that was just they typical Hollywood tech cluelessness.
Javascript on Tor ?
Who lets the built in microphone and speakers be in their "secure laptop" or tablet?
You open the box and remove them when you get the computer.
I wonder, though: how many people surf with their sound on? Most people I see (granted, not a representative sample) either have headphones or have the sound off, so as not to disturb everyone around them. If I were surfing something via Tor, i.e., sensitive, then I'd be double sure not to have publicly audible sound.
Enjoy life! This is not a dress rehearsal.
"Advertisers use uXDT in order to link different devices to the same person and create better advertising profiles so to deliver better-targeted ads in the future"
If any citizen were caught deploying this kind of tech to electronically profile the masses, they would be labeled a terrorist and locked up for life. But hey, spend a few hundred and file your questionable activities under a corporation, and it's ALL good! What a fucking joke of a loophole.
I swear, reading about shit like this makes me wonder what power privacy advocate groups really wield anymore.
And why? It'll just be ads and auto-start-playing videos, and who wants them?
The elephant in the room is a program in my computer executing arbitrary code off the 'net.
I know most of you are in denial, because you are web designers and WEB 2.0! Shiny!, but that's why Javascript, Flash, ActiveX and all that is a bad idea. We are having the typical arms race between sandboxing and exploiting of yet-uncharted crevices, no end in sight.
Granted, sometimes an image format has an exploit, but it's much more difficult to control something that is *designed* to be Turing-complete and where manufacturers are always pushing for it to "see" more and more of your computing environment: Sound? "There you go!" USB access? "But we need that to talk to cryptographic tokens!" Video hardware? "Look at this cool trick!".
Seeing even free browser folks dazzled by this, I can only weep.
"Ah, but with Rust all will be well". Thankyouverymuch.
Sometimes glad I'm so old I'll only see two more rounds of this shit. It's becoming boring.
Also the XBone.
Other than that how many other apps keep microphones open and recording?
And not so much hackers as they are paranoid. But it would be a good tactic for finding and tracking Journalists.
Journalists can be quite dim; just look at the one that released his key for the the Manning data in a book.
Nature doesn't evolve "invisible" creatures. It evolves spots and stripes, camouflage. Tor will never take off because it compromises too many useful cookies, and most people don't have time to worry about tracking. Antiphorm was a very useful program which randomized searches etc., so that your actual data became a needle in a haystack. That's what really alarmed Google and Facebook etc... False positives. Cookie Camouflage... If I appear to be interested in minivans and pickup trucks (through automated false searches), they won't know I'm actually really shopping for a motorcycle. I wonder whatever happened to antiphorm and antiphorm lite? Did Big Data kill them? Can anyone suggest an alternative?
Oh wait, Slashdot's also paid for by advertising represented as targeted to our actual interests...
Could you not just create a program to run that pumps out a bunch of random ultrasounds? It could flood the environment and make the original ultrasound signal impossible to discover, no?
I don't have speakers on my computer, and the external amp is only on when I want to listen to music.
I would have thought that anyone serious about using Tor, would also be savvy and suspicious enough to have data turned off on their smartphones and tablets when it's not being used. I don't even use Tor, but WiFi and cellular data on my phone are turned on only when I'm browsing or emailing. As for computers, any cameras are taped over, and microphones are unplugged, or, in the case of a laptop, muted.
'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
Hey, you linked to the subtitle project, here's the actual recording
I'm all for security researchers doing their thing and exposing vulnerabilities, but things like this always seem a little far-fetched.
Anyone who's willing to go to these sorts of lengths to deanonymize someone would likely already need a specific target in mind, at which point isn't it just easier to...I dunno, lie? Any group that'd willingly pull off some of these "vulnerabilities" likely has the resources to falsify any evidence they might have hoped to collect in the first place.
Personally, stuff like this is interesting but it always comes off to me as a somewhat desperate attempt to just find literally any hole in a system, no matter how obtuse and impractical it might be.
I read a similar article several days ago and came to the same conclusion that you did - this is very sophisticated. Maybe too sophisticated. Which made me wonder whether this is theoretical "in the lab" by researchers or actually out in the wild. As for dogs hearing it? sure - maybe. There are lots of noises. My furnace fan makes a blowing air sound. I don't howl because of it - it's just annoying white noise that I ignore.
Need a Raspberry Pi project to listen for this. Then becomes a keyfob that you carry with you that blinks when these secret US signals are detected.
At the time I wasn't able to find links to the actual work - just blog posts that circularly reported on this subject from each other. The quote "ultrasound cross-device tracking (uXDT), [..]. deployed in modern-day advertising platforms" -- really? like what and who?
The link to c3subtitle.de has vague statements in it too "newly-founded company faced the nemesis of the security community and the regulators (e.g., the Federal Trade Commission)" Really? Who?
The underlying premise that I have a phone near my computer that is listening to a beacon played by Ads seems incredulous. The idea that an ad agency would go to these lengths for such a brittle system is surprising. It would have to work "often" to pay off --- and for what gain that GeoIP doesn't provide today? What is that extra 1% that they are after? Plus in this day of auto-playing videos I have my audio muted (or headphones plugged in) - which I think many others do as well - or at least the volume is low. This again closes the door from an ad viability perspective. I get that advertisers want to link my laptop to phone to tablet together so that they can track Me! But there are other ways to do this already (FB beacons for example) that aren't as brittle.
While I appreciate Raising the Alarm - I doubt that (say) Google Ads is doing this. Sure -- maybe some govt spy agency is using this technique to spy on people (i.e. break through Tor). Yes I believe that. If I was a criminal I'd wrap my head and devices in tinfoil.
I'd like to see more evidence that advertising networks are actually doing this.
These second-stage devices, who silently listen in the background, will interpret these ultrasounds, which contain hidden instructions, telling them to ping back to the advertiser's server with details about that device.
Why are people not in prison for this?
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
Even if some pages emit ultrasound - others will play sound and remind me to always mute.
And the default behaviour in firefox is to display a small "speaker" icon next the title of any tab that plays audio.
You can cut the audio off simply by clicking on the icon.
On android, the non-focused tabs don't even play audio by default (it's not possible to listen to music in a background tab).
Even if some PCs emits ultrasound, who will leave a mic on and run receiving sw? Not me, for sure.If this gets popular, muting the mic will be standard . . .
The thing is : YOU might not be in control of the mic (that does the recording).
The whole point is locating YOUR laptop. So by definition, the mic that is doing the recording is on some other hardware.
- That could be hardware purposefully left to record.
- That could be the smartphone of some other user who's a lot less carefully than you (has a mic and location service both available, and currently abused by some random JS ad)
- That could be the government. (In some phone, the portion of the radio chipset that is not under your personal control is able to record audio and position. Happens in some Qualcom SoC, where the radio chips works as a kind of "north bridge" to the rest.
If mandated correctly, the information services of a country could remotely start to eavesdrop on whatever the phone is hearing around - as long as the radio chip is within range of a cell tower).
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
That is nice, but there is a trend right now to rely on javascript to render the page instead of server supplied html. Each day more and more sites become unreadable unless you turn javascript on.
Isn't that similar to illegal eavesdropping? They are recording you without your express permission. Could be a class action law suit in the making.
just have the app on the phone listen to certain phrases, jingles used in a tv-commercial.
This is a ridiculous over thought bond movie gimmick of a threat.
Wait a minute. How would an instruction to dial be sent over ultrasound frequencies to a device that doesn't have code to interpret the sound as instructions in the first place...?
AAAUUURRRGH! Now my brain hurts.
Bad science reporting. Bad! Bad! Go die in a hole.
Natively via NEW APK Hosts File Engine 9.0++ SR-5 32/64-bit https://www.google.com/search?...
Ads rob speed, security (malvertising) & privacy (tracking).
Hosts add speed (hardcodes/adblocks), security (bad sites/poisoned dns), reliability (dns down), & anonymity (dns requestlogs/trackers) natively.
Works vs. caps & PUSH ads.
Avg. page = big as Doom http://www.theregister.co.uk/2... & ads = 40% of it.
Hosts != ClarityRay blockable (vs. souled-out to admen inferior wasteful redundant slow usermode addons)
Less power/cpu/ram + IO use vs. DNS/routers/addons/antivirus (slows you) + less security issues/complexity.
Compliments firewalls (blocking less used IP addys vs. hosts blocking more used domains) & DNS (lightens dns load).
Gets data via 10 security sites.
APK
P.S. - Safe https://www.virustotal.com/en/... (Verified by Malwarebytes' S. Burn "seen the code & it's safe" http://forum.hosts-file.net/vi... )
I don't think I even really know how to read Slashdot at -1 with javascript off.
Sigh. Disabling scripting does not magically remove the uXDT covert channel.
The HTML5 Audio API does not require Javascript. A server is perfectly capable of sending a unique uXDT audio signature to each user agent, and tracking using session cookies, hidden form fields, query-string parameters, "ultracookies", and other mechanisms.
Yes, if you put bars on your windows, you make it harder for burglars to enter that way. And if you leave the door open, they won't have to.
And, as other people have already noted, many sites don't work at all if scripting is disabled. Sure, that's obnoxious, and the people responsible will no doubt end up in a special new circle of Hell. And sure, some users can get by without any of those sites. But others - including, say, people who are trying to anonymously use social-networking sites to report on the activities of repressive regimes - may have good reasons for needing to enable some scripts (which, with typical whitelisting blockers like NoScript, means "scripts served by some domains"). That gets technically complex quite quickly. Not everyone who needs online anonymity has the opportunity to become a web security expert.