Slashdot Mirror
Ultrasound Tracking Could Be Used To Deanonymize Tor Users (bleepingcomputer.com)
New submitter x_t0ken_407 quotes a report from BleepingComputer: Ultrasounds emitted by ads or JavaScript code hidden on a page accessed through the Tor Browser can deanonymize Tor users by making nearby phones or computers send identity beacons back to advertisers, data which contains sensitive information that state-sponsored actors can easily obtain via a subpoena. This attack model was brought to light towards the end of 2016 by a team of six researchers, who presented their findings at the Black Hat Europe 2016 security conference in November and the 33rd Chaos Communication Congress held last week. Their research focuses on the science of ultrasound cross-device tracking (uXDT), a new technology that started being deployed in modern-day advertising platforms around 2014. uXDT relies on advertisers hiding ultrasounds in their ads. When the ad plays on a TV or radio, or some ad code runs on a mobile or computer, it emits ultrasounds that get picked up by the microphone of nearby laptops, desktops, tablets or smartphones. These second-stage devices, who silently listen in the background, will interpret these ultrasounds, which contain hidden instructions, telling them to ping back to the advertiser's server with details about that device. Advertisers use uXDT in order to link different devices to the same person and create better advertising profiles so to deliver better-targeted ads in the future. The attack that the research team put together relies on tricking a Tor user into accessing a web page that contains ads that emit ultrasounds or accessing a page that contains hidden JavaScript code that forces the browser to emit the ultrasounds via the HTML5 Audio API.
ads couldn't be any fucking worse...
The only microphone I have is the microphone in my Nokia N900 and I doubt the N900 and its ancient web browser could run any of whatever backend code has to listen for the special sound.
I doubt my crappy speakers can emit anything in that frequency. Even then, my phone's mic is not probably up to the task.
Besides, I'm sure those who are worried could buy/build a filter to remove audio in that frequency.
Anyone who's paranoid enough to use Tor should also be blocking ads and trackers in order to make this difficult. Tor isn't a magic bullet for privacy. you have to take other measures, too.
Also, this requires that other devices be listening and possibly compromised. It doesn't seem like other devices should be listening for ultrasonic signals and sending data based on them unless they've already been compromised.
Yes, it's been established that, with extreme skill, malware can jump the air gap. However, this requires a large degree of sophistication. Furthermore, even if people can't hear those signals, wouldn't they attract the attention of animals like dogs? And of they're of a high enough frequency that dogs can't hear them, shouldn't it be possible to generate enough ultrasonic noise to block out the signals? If this is a real threat, shouldn't someone be writing programs that produce garbage ultrasonic noise or devices that are designed specifically to look for these signals?
What devices/apps listen, and how do I disable them?
This requires both speakers and microphone that are capable of using that frequency range. How many actually are?
I understand this is theoretically possible but what speakers in these devices have powerful ultrasonic blasters? Unless they're doing some form of distance measuring, the majority of speakers is limited well under 18kHz with the response curve dropping sharply after that.
Custom electronics and digital signage for your business: www.evcircuits.com
explain to me why we even have browsers that allow javascipt to 'play audio' without permission in the first F***ing place?
The entire reason I started to use adblock in the first place (I 'theoretically' highly approve (both morally and economically, etc.) of ad-supported content) was because I worked phone support and could browse the internet while telling people to plug the cable back in and try rebooting.... and then I started to get NOTHING but flash ads that would play audio (while I was on the call) so I got firefox 0.x.x.x when it was released and got adblock plugin as soon as it was released.
To this day I still -want- to be able to allow ads.... but 3rd party ads are just too much of a 1) security risk 2) annoyance risk and 3) usability interruption risk (ads that redirect the page (especially on mobile)
and just wait.... HTML5 'all JS' pages will start to come soon (other than sites located in California which THANK the GODS has a law stating sites must be text browsable for usability (handicapped) reasons.... which ends up just helping everyone...
this is bullshit. a cop / law enforcement could use this to walk around and receive identity information without even needing to interferometry scan your brain/DNA/pocket book full of ID/credit cards/cellphone etc.
this also enables low tech citizens to perform the same feat. often times once a low tech person has info about you such as tracking ID, IP address, phone number, address, name, social security number, date of birth+location information, or email address they can take that to databases and find out mounds of information about you- basically all that data the companies have amassed about you, is retrievable with any identifiable information. NSA databases work the same way.
obamasweapon.com
I understand how ads could emit these sounds, but how do advertisers install apps on your device to pick them up and phone home? Is this capability built into iOS and Android, or do they work with handset manufacturers?
Freedom to fear. Freedom from thought. Freedom to kill.
I guess the War on Terror really is about freedom!
They're installing software I don't know about on my phone/laptop, then using that software to send personal ID details to unknown servers. This has to fall under at least one of the myriad hacking laws we already have on the books.
Oh, I forgot. They donate more to congressclowns than I do.
You're our only hope :(
This attack model assumes there is an app on the phone able to listen all time for ultrasounds. Obviously granting microphone access to an app is dangerious and should not be taken lightly.
Why is ultrasound being preserved in compressed audio? Unless they are hinging on uncompressed au or wav formats?
Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
Clearly, this is now a problem with all the always-on listening devices that are now becoming wide spread! Barbie dolls that listen, Google, Amazon are listening all the time.
Then you have permissions given to websites, apps on other devices plus security holes for when permission is not given. Don't forget company policy changes which can turn allowed permissions against you without your knowledge (unless you are a lawyer and read updated user agreements... many which are broad and vague already.)
So now Google and Amazon know even more of what is going on in the house and can link your devices. Furthermore, they can link you to PEOPLE who come within range of the microphone. Your associations can be analyzed which means the NSA is going to use it (do you really believe they haven't forced their way into these systems somehow already?)
Google watch could notify where you are moving around which could provide their assistant context information to better understand your speech. They might have some useful things to do with it, I can't think of any so far where bluetooth couldn't do it better and more likely with our knowledge..... but would something less covert really matter if they did the same stuff? people don't seem to care.
Democracy Now! - uncensored, anti-establishment news
JavaScript code
Stop right there. That's all you have to say.
If you're trying to be anonymous and then letting unknown untrusted parties run scripts on your computer, you are (a) a colossal idiot, and (b) not actually anonymous at all. This is one of about a thousand ways to de-anonymize you. The details hardly matter: if it's not this, it's the next, or the next.
Turning javascript off by default is a good idea even if you are NOT trying to be anonymous, due to the endless stream of exploits it has enabled, but especially when you are trying to be anonymous, don't run that shit!.
I Tor with javascript disabled, and I'm not even a pedophile / drug dealer.
Certainly the ads have no idea if there is a device listening for them and will broadcast anyway. I suppose ultrasound detectors could detect the activity. Maybe you could spam with some conventional source of ultrasound to drown these devices with indecipherable noise. Or just the network approach, whatever.
That relies on people being stupid enough to leave compromised apps running on a machine with a microphone, and only tells you what broadcast coverage area the user is in... it's not like it narrows the location down that much! If you've got a compromised app constantly sending data over the internet, wouldn't it be easier to just trace the IP packets back to the source?
I've abandoned my search for truth; now I'm just looking for some useful delusions.
That's the other restriction: it relies on ads being played on audio systems capable of generating frequencies higher than 30KHz at energy levels high enough to be detected by a device with a microphone capable of accurately picking up and digitizing frequencies above 30KHz. Possible, but not really the global norm yet. In fact, pretty much only works on rich people, doesn't it?
I've abandoned my search for truth; now I'm just looking for some useful delusions.
That is what you think. Actually it will be something like 6dB/octave dampening, so it still puts out about 12% of maximum volume at 24kHz. Receiving ultrasound is easier than normal sound, as there is less of it around in a normal environment. And in this application there is no need to worry about signal quality, a straight rectangle signal will do just fine, because of the dampening. The next generation of this malware will probably use ultra-wideband audio-pulses and be even more resilient.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Can't do that because you are on a laptop? Too bad, you are screwed.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
So that's why Apple is killing the headphone jack!
sub f{($f)=@_;print"$f(q{$f});";}f(q{sub f{($f)=@_;print"$f(q{$f});";}f});
What are these ads or javascripts that run on my machine without me knowing about them? Do people actually surf the web without crippling the sites that attempt to do so?
That's like web aids, or web gonorrhea .For gods sake, strap on some protection!
_ _ _ Go for the eyes Boo! GO FOR THE EYES!
A relatively simple, if not 100% secure solution. Download your favourite anonymizing live USB distribution and run it under a virtual machine with only the bare minimum of media support (e.g. disable any virtual sound card option). Enable at most a generic VGA video driver using a resolution different from your default monitor aspect or resolution. Run the browser with ad-blockading software and JavaScript white-listing only. The attacker will of course realize of course that you're using a VM.
. . . to just station an observer within line of sight of your monitor? Or tap the stray EM coming off of monitor, keyboard and mouse? Or physically tap your hardware? Or ensure you've bought pre-compromised hardware? Or . . .
Alternatively you could just have an ad that screams "hey, this evil hacker is using evil hacking tools!" at full volume.
I certainly leave the volume on my computer turned up nice and high when I'm browsing questionable content in public.
... dogs bark during that goddam Weight Watchers commercial!
It little behooves the best of us to comment on the rest of us.
Plug headphones into laptop. Alternatively, get some old headphones, chop the jack off and plug that in.
My ism, it's full of beliefs.
Didn't I see this in the last Bourne movie? And here I thought that was just they typical Hollywood tech cluelessness.
Javascript on Tor ?
Or turn off JavaScript if yow want to remain anonymous on Tor.
I wonder, though: how many people surf with their sound on? Most people I see (granted, not a representative sample) either have headphones or have the sound off, so as not to disturb everyone around them. If I were surfing something via Tor, i.e., sensitive, then I'd be double sure not to have publicly audible sound.
Enjoy life! This is not a dress rehearsal.
"Advertisers use uXDT in order to link different devices to the same person and create better advertising profiles so to deliver better-targeted ads in the future"
If any citizen were caught deploying this kind of tech to electronically profile the masses, they would be labeled a terrorist and locked up for life. But hey, spend a few hundred and file your questionable activities under a corporation, and it's ALL good! What a fucking joke of a loophole.
I swear, reading about shit like this makes me wonder what power privacy advocate groups really wield anymore.
And why? It'll just be ads and auto-start-playing videos, and who wants them?
Also the XBone.
Other than that how many other apps keep microphones open and recording?
And not so much hackers as they are paranoid. But it would be a good tactic for finding and tracking Journalists.
Journalists can be quite dim; just look at the one that released his key for the the Manning data in a book.
For most people, the disadvantages of wearing a tinfoil hat all the time outweigh the benefits. Believe it or not they actually like being able to use web sites without them being horribly broken. Crazy, I know.
What really is hard to understand is why the Tor browser, at least on Tails, seems to have Javascript enabled by default. If the user has gone to the effort of using Tor, it seems reasonable to require them to whitelist manually.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
My crappy Dell laptop speakers are limited to about 3 kHz.
I have some fairly decent speakers but they still don't do anything outside human range hearing, probably don't go above 16k. How do they think they are going to get it to do ultrasound?
Wanna buy a shirt?
https://www.redbubble.com/people/stealthfinger/shop?asc=u
as there is less [ultrasound] around in a normal environment.
Is that true? How do you know?
I hope this claim isn't based on the fact that you normally don't hear any ultrasound in your normal environment...
I for one can think of a crapton of stuff in my 'normal environment' that likely emits ultrasound, first and foremost every switching PSU (except the crappy ones that switch in the audible spectrum, producing a sound like a muted TV....)
CLI paste? paste.pr0.tips!
Maybe you should watch the presentation recording.
The browser isn't the only attack vector. Imagine, you download a message from snowden as video via tor (okay okay ...) and watch it with sound on your pc. The NSA inserted a ultrasound-id in YOUR download and your phone receives the id and reports its IMEI to the advertiser, which cooperates with the NSA.
Could you not just create a program to run that pumps out a bunch of random ultrasounds? It could flood the environment and make the original ultrasound signal impossible to discover, no?
I was surprised by this the first time I installed Tor Browser as well.
I don't have speakers on my computer, and the external amp is only on when I want to listen to music.
I would have thought that anyone serious about using Tor, would also be savvy and suspicious enough to have data turned off on their smartphones and tablets when it's not being used. I don't even use Tor, but WiFi and cellular data on my phone are turned on only when I'm browsing or emailing. As for computers, any cameras are taped over, and microphones are unplugged, or, in the case of a laptop, muted.
'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
I read a similar article several days ago and came to the same conclusion that you did - this is very sophisticated. Maybe too sophisticated. Which made me wonder whether this is theoretical "in the lab" by researchers or actually out in the wild. As for dogs hearing it? sure - maybe. There are lots of noises. My furnace fan makes a blowing air sound. I don't howl because of it - it's just annoying white noise that I ignore.
Need a Raspberry Pi project to listen for this. Then becomes a keyfob that you carry with you that blinks when these secret US signals are detected.
At the time I wasn't able to find links to the actual work - just blog posts that circularly reported on this subject from each other. The quote "ultrasound cross-device tracking (uXDT), [..]. deployed in modern-day advertising platforms" -- really? like what and who?
The link to c3subtitle.de has vague statements in it too "newly-founded company faced the nemesis of the security community and the regulators (e.g., the Federal Trade Commission)" Really? Who?
The underlying premise that I have a phone near my computer that is listening to a beacon played by Ads seems incredulous. The idea that an ad agency would go to these lengths for such a brittle system is surprising. It would have to work "often" to pay off --- and for what gain that GeoIP doesn't provide today? What is that extra 1% that they are after? Plus in this day of auto-playing videos I have my audio muted (or headphones plugged in) - which I think many others do as well - or at least the volume is low. This again closes the door from an ad viability perspective. I get that advertisers want to link my laptop to phone to tablet together so that they can track Me! But there are other ways to do this already (FB beacons for example) that aren't as brittle.
While I appreciate Raising the Alarm - I doubt that (say) Google Ads is doing this. Sure -- maybe some govt spy agency is using this technique to spy on people (i.e. break through Tor). Yes I believe that. If I was a criminal I'd wrap my head and devices in tinfoil.
I'd like to see more evidence that advertising networks are actually doing this.
These second-stage devices, who silently listen in the background, will interpret these ultrasounds, which contain hidden instructions, telling them to ping back to the advertiser's server with details about that device.
Why are people not in prison for this?
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
I would love a legal requirement that any device that comes with a camera or microphone have a physical switch to disconnect them.
I am TheRaven on Soylent News
Even if some pages emit ultrasound - others will play sound and remind me to always mute.
And the default behaviour in firefox is to display a small "speaker" icon next the title of any tab that plays audio.
You can cut the audio off simply by clicking on the icon.
On android, the non-focused tabs don't even play audio by default (it's not possible to listen to music in a background tab).
Even if some PCs emits ultrasound, who will leave a mic on and run receiving sw? Not me, for sure.If this gets popular, muting the mic will be standard . . .
The thing is : YOU might not be in control of the mic (that does the recording).
The whole point is locating YOUR laptop. So by definition, the mic that is doing the recording is on some other hardware.
- That could be hardware purposefully left to record.
- That could be the smartphone of some other user who's a lot less carefully than you (has a mic and location service both available, and currently abused by some random JS ad)
- That could be the government. (In some phone, the portion of the radio chipset that is not under your personal control is able to record audio and position. Happens in some Qualcom SoC, where the radio chips works as a kind of "north bridge" to the rest.
If mandated correctly, the information services of a country could remotely start to eavesdrop on whatever the phone is hearing around - as long as the radio chip is within range of a cell tower).
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
This is a ridiculous over thought bond movie gimmick of a threat.
And you know this because you tried it and didn't hear anything?
If I have been able to see further than others, it is because I bought a pair of binoculars.
It's not that hard by software means. Misconfigure your ALSA or Pulseaudio, or try to install OSS to replace them.
No, because that's what they're rated at and it's pointless to make speakers that go over 20k unless you're specifically looking to make an ultrasound device.
Wanna buy a shirt?
https://www.redbubble.com/people/stealthfinger/shop?asc=u
Sigh. Disabling scripting does not magically remove the uXDT covert channel.
The HTML5 Audio API does not require Javascript. A server is perfectly capable of sending a unique uXDT audio signature to each user agent, and tracking using session cookies, hidden form fields, query-string parameters, "ultracookies", and other mechanisms.
Yes, if you put bars on your windows, you make it harder for burglars to enter that way. And if you leave the door open, they won't have to.
And, as other people have already noted, many sites don't work at all if scripting is disabled. Sure, that's obnoxious, and the people responsible will no doubt end up in a special new circle of Hell. And sure, some users can get by without any of those sites. But others - including, say, people who are trying to anonymously use social-networking sites to report on the activities of repressive regimes - may have good reasons for needing to enable some scripts (which, with typical whitelisting blockers like NoScript, means "scripts served by some domains"). That gets technically complex quite quickly. Not everyone who needs online anonymity has the opportunity to become a web security expert.