Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ultrasound Tracking Could Be Used To Deanonymize Tor Users (bleepingcomputer.com)

Posted by BeauHD on from the nobody-is-safe dept.

New submitter x_t0ken_407 quotes a report from BleepingComputer: Ultrasounds emitted by ads or JavaScript code hidden on a page accessed through the Tor Browser can deanonymize Tor users by making nearby phones or computers send identity beacons back to advertisers, data which contains sensitive information that state-sponsored actors can easily obtain via a subpoena. This attack model was brought to light towards the end of 2016 by a team of six researchers, who presented their findings at the Black Hat Europe 2016 security conference in November and the 33rd Chaos Communication Congress held last week. Their research focuses on the science of ultrasound cross-device tracking (uXDT), a new technology that started being deployed in modern-day advertising platforms around 2014. uXDT relies on advertisers hiding ultrasounds in their ads. When the ad plays on a TV or radio, or some ad code runs on a mobile or computer, it emits ultrasounds that get picked up by the microphone of nearby laptops, desktops, tablets or smartphones. These second-stage devices, who silently listen in the background, will interpret these ultrasounds, which contain hidden instructions, telling them to ping back to the advertiser's server with details about that device. Advertisers use uXDT in order to link different devices to the same person and create better advertising profiles so to deliver better-targeted ads in the future. The attack that the research team put together relies on tricking a Tor user into accessing a web page that contains ads that emit ultrasounds or accessing a page that contains hidden JavaScript code that forces the browser to emit the ultrasounds via the HTML5 Audio API.

6 of 207 comments (clear)

  1. Just when you thought by waspleg · · Score: 5, Insightful

    ads couldn't be any fucking worse...

  2. Lots of sophistication required here by Anonymous Coward · · Score: 5, Insightful

    Anyone who's paranoid enough to use Tor should also be blocking ads and trackers in order to make this difficult. Tor isn't a magic bullet for privacy. you have to take other measures, too.

    Also, this requires that other devices be listening and possibly compromised. It doesn't seem like other devices should be listening for ultrasonic signals and sending data based on them unless they've already been compromised.

    Yes, it's been established that, with extreme skill, malware can jump the air gap. However, this requires a large degree of sophistication. Furthermore, even if people can't hear those signals, wouldn't they attract the attention of animals like dogs? And of they're of a high enough frequency that dogs can't hear them, shouldn't it be possible to generate enough ultrasonic noise to block out the signals? If this is a real threat, shouldn't someone be writing programs that produce garbage ultrasonic noise or devices that are designed specifically to look for these signals?

  3. I've never got a good answer as to WHY... by Anonymous Coward · · Score: 3, Insightful

    explain to me why we even have browsers that allow javascipt to 'play audio' without permission in the first F***ing place?

    The entire reason I started to use adblock in the first place (I 'theoretically' highly approve (both morally and economically, etc.) of ad-supported content) was because I worked phone support and could browse the internet while telling people to plug the cable back in and try rebooting.... and then I started to get NOTHING but flash ads that would play audio (while I was on the call) so I got firefox 0.x.x.x when it was released and got adblock plugin as soon as it was released.

    To this day I still -want- to be able to allow ads.... but 3rd party ads are just too much of a 1) security risk 2) annoyance risk and 3) usability interruption risk (ads that redirect the page (especially on mobile)

    and just wait.... HTML5 'all JS' pages will start to come soon (other than sites located in California which THANK the GODS has a law stating sites must be text browsable for usability (handicapped) reasons.... which ends up just helping everyone...

  4. javascript. fully stop. details don't matter. by Anonymous Coward · · Score: 4, Insightful

    JavaScript code

    Stop right there. That's all you have to say.

    If you're trying to be anonymous and then letting unknown untrusted parties run scripts on your computer, you are (a) a colossal idiot, and (b) not actually anonymous at all. This is one of about a thousand ways to de-anonymize you. The details hardly matter: if it's not this, it's the next, or the next.

    Turning javascript off by default is a good idea even if you are NOT trying to be anonymous, due to the endless stream of exploits it has enabled, but especially when you are trying to be anonymous, don't run that shit!.

  5. Re:Is this theoretical? by F.Ultra · · Score: 3, Insightful

    And isn't there a cut-off filter in the DACs used by phones/computers to filter out anything above the Nyquist sampling rate? Or is that frequency so high now a days due to oversampling that it's in the ultrasound range?

  6. Re:Jokes on them by the_Bionic_lemming · · Score: 3, Insightful

    What are these ads or javascripts that run on my machine without me knowing about them? Do people actually surf the web without crippling the sites that attempt to do so?

    That's like web aids, or web gonorrhea .For gods sake, strap on some protection!

    --
    _ _ _ Go for the eyes Boo! GO FOR THE EYES!