Ultrasound Tracking Could Be Used To Deanonymize Tor Users

New submitter x_t0ken_407 quotes a report from BleepingComputer: Ultrasounds emitted by ads or JavaScript code hidden on a page accessed through the Tor Browser can deanonymize Tor users by making nearby phones or computers send identity beacons back to advertisers, data which contains sensitive information that state-sponsored actors can easily obtain via a subpoena. This attack model was brought to light towards the end of 2016 by a team of six researchers, who presented their findings at the Black Hat Europe 2016 security conference in November and the 33rd Chaos Communication Congress held last week. Their research focuses on the science of ultrasound cross-device tracking (uXDT), a new technology that started being deployed in modern-day advertising platforms around 2014. uXDT relies on advertisers hiding ultrasounds in their ads. When the ad plays on a TV or radio, or some ad code runs on a mobile or computer, it emits ultrasounds that get picked up by the microphone of nearby laptops, desktops, tablets or smartphones. These second-stage devices, who silently listen in the background, will interpret these ultrasounds, which contain hidden instructions, telling them to ping back to the advertiser's server with details about that device. Advertisers use uXDT in order to link different devices to the same person and create better advertising profiles so to deliver better-targeted ads in the future. The attack that the research team put together relies on tricking a Tor user into accessing a web page that contains ads that emit ultrasounds or accessing a page that contains hidden JavaScript code that forces the browser to emit the ultrasounds via the HTML5 Audio API.

Just when you thought

[waspleg]

ads couldn't be any fucking worse...

Re:Just when you thought

[simplypeachy]

When I use other people's computers to use the Internet...good god it's like I'm in some sort of fledgling Total Recall. So many of the adverts have reached past the threshold of being parodies of themselves, they seem like their own self-satire. The relevancy or attention span of any amount of text is reduced to almost nil by pictures of mostly-naked people on diet pill adverts, shiny shiny motor vehicles with angry-looking grilles or hilarious gambling animations. There is a massive joke that you and I are not seeing, and that's because we're not suffering the expense of being the butt of the joke that is Internet advertising.

Re: Just when you thought

[TheRaven64]

Another variant of this attack used several other mechanisms for generating the sound. If you're doing a very targeted attack, spiking the CPU to 100% until the fans come on and then letting the machine cool gives you a good idea who it is. For a lot of machines, various different operation sequences can make some components emit high-frequency sound that a reasonable microphone can pick up. There was a really neat attack on Tor in data centres about a decade ago that monitored the ambient temperature (using a co-located box's own temperature monitors) to correlate Tor traffic from a particular node with warming of the room, so that (after a lot of samples) you could tell if traffic for a particular user was flowing through the data centre that you were looking at.

Lots of sophistication required here

Anyone who's paranoid enough to use Tor should also be blocking ads and trackers in order to make this difficult. Tor isn't a magic bullet for privacy. you have to take other measures, too.

Also, this requires that other devices be listening and possibly compromised. It doesn't seem like other devices should be listening for ultrasonic signals and sending data based on them unless they've already been compromised.

Yes, it's been established that, with extreme skill, malware can jump the air gap. However, this requires a large degree of sophistication. Furthermore, even if people can't hear those signals, wouldn't they attract the attention of animals like dogs? And of they're of a high enough frequency that dogs can't hear them, shouldn't it be possible to generate enough ultrasonic noise to block out the signals? If this is a real threat, shouldn't someone be writing programs that produce garbage ultrasonic noise or devices that are designed specifically to look for these signals?

Is this theoretical?

[guruevi]

I understand this is theoretically possible but what speakers in these devices have powerful ultrasonic blasters? Unless they're doing some form of distance measuring, the majority of speakers is limited well under 18kHz with the response curve dropping sharply after that.

Re:Is this theoretical?

[Midnight_Falcon]

This! As somewhat of an audio engineer I know various speaker drivers very well, and laptop speakers essentially never have advertised frequency responses above 20KHz. And you're right, realistically, it's more like 18Khz with a steep drop off after 16KHz. Many people can hear 20KHz -- I've done tone tests and found I can hear up to 22KHz. So what speakers is this person using and what manner of computer has this kind of built in tweeters?

Re:Is this theoretical?

[F.Ultra]

And isn't there a cut-off filter in the DACs used by phones/computers to filter out anything above the Nyquist sampling rate? Or is that frequency so high now a days due to oversampling that it's in the ultrasound range?

Re:Is this theoretical?

[EvilSS]

This! As somewhat of an audio engineer I know various speaker drivers very well, and laptop speakers essentially never have advertised frequency responses above 20KHz. And you're right, realistically, it's more like 18Khz with a steep drop off after 16KHz. Many people can hear 20KHz -- I've done tone tests and found I can hear up to 22KHz. So what speakers is this person using and what manner of computer has this kind of built in tweeters?

You guys realize this is not some theoretical flight of fancy, right? It's being used today for ad tracking: http://arstechnica.com/tech-policy/2015/11/beware-of-ads-that-use-inaudible-sound-to-link-your-phone-tv-tablet-and-pc/

Apps using SilverPush

Re:Is this theoretical?

[AmiMoJo]

According to TFA the range is 18-20kHz, with 75Hz bands that represent individual symbols. Most TVs can produce 20kHz sounds, and you probably wouldn't hear them. Even if you can hear a 20kHz tone over headphones in a quiet room, with the noise of a commercial mixed in and the audio played at low volume you won't notice.

I'm more sceptical that typical laptop speakers could produce such high pitch noises, but I guess for Tor attacks you could use lower frequencies. The TV ads need to work at a few metres range with background noise. Someone using Tor on a laptop is likely in a quiet room with their smartphone near by, and the main source of noise will be the laptop's fan and HDD.

Re:Is this theoretical?

[sociocapitalist]

"The inaudible code is recognized and received on the other smart device by the software development kit installed on it."

So the other device has to be compromised as well which at least complicates delivery of this attack to targets.

Although they claim:
As of April of 2015, SilverPush’s software is used by 67 apps and the company monitors 18 million smartphones.

Maybe true, maybe marketing.

I've never got a good answer as to WHY...

explain to me why we even have browsers that allow javascipt to 'play audio' without permission in the first F***ing place?

The entire reason I started to use adblock in the first place (I 'theoretically' highly approve (both morally and economically, etc.) of ad-supported content) was because I worked phone support and could browse the internet while telling people to plug the cable back in and try rebooting.... and then I started to get NOTHING but flash ads that would play audio (while I was on the call) so I got firefox 0.x.x.x when it was released and got adblock plugin as soon as it was released.

To this day I still -want- to be able to allow ads.... but 3rd party ads are just too much of a 1) security risk 2) annoyance risk and 3) usability interruption risk (ads that redirect the page (especially on mobile)

and just wait.... HTML5 'all JS' pages will start to come soon (other than sites located in California which THANK the GODS has a law stating sites must be text browsable for usability (handicapped) reasons.... which ends up just helping everyone...

Re:I've never got a good answer as to WHY...

Since you receive desired content on web pages, it is your moral obligation to allow the ads to play. They play sounds and display video to capture and hold you attention long enough for the message to get into your brain for processing, and paying attention to this is your end of the social contract built around ad-supported content.

Allowing the tracking is also obligatory on your part.

You can protect yourself from viruses and such by running such tools as McAfee antivirus, and also by keeping your browsing focused on the web portals of professional, on the up-and-up, well-established businesses.

This is how members of a civilized society comport themselves. If you don't like this, you are free to stay off the internet.

Ad blocking undermines the social fabric that keeps the modern world functioning, and so it is morally tantamount to terrorism. The only reason it isn't illegal yet is because the wheels of politics turn too slowly to keep up with tech. But rest assured, reprobate criminal parasites that block ads will be getting the punishments they are due before too long.

Better think this over. The future has no problem leaving you behind.

Save us APK!

You're our only hope :(

/. is getting slow with actual news

[bussdriver]

Clearly, this is now a problem with all the always-on listening devices that are now becoming wide spread! Barbie dolls that listen, Google, Amazon are listening all the time.

Then you have permissions given to websites, apps on other devices plus security holes for when permission is not given. Don't forget company policy changes which can turn allowed permissions against you without your knowledge (unless you are a lawyer and read updated user agreements... many which are broad and vague already.)

So now Google and Amazon know even more of what is going on in the house and can link your devices. Furthermore, they can link you to PEOPLE who come within range of the microphone. Your associations can be analyzed which means the NSA is going to use it (do you really believe they haven't forced their way into these systems somehow already?)

Google watch could notify where you are moving around which could provide their assistant context information to better understand your speech. They might have some useful things to do with it, I can't think of any so far where bluetooth couldn't do it better and more likely with our knowledge..... but would something less covert really matter if they did the same stuff? people don't seem to care.

javascript. fully stop. details don't matter.

JavaScript code

Stop right there. That's all you have to say.

If you're trying to be anonymous and then letting unknown untrusted parties run scripts on your computer, you are (a) a colossal idiot, and (b) not actually anonymous at all. This is one of about a thousand ways to de-anonymize you. The details hardly matter: if it's not this, it's the next, or the next.

Turning javascript off by default is a good idea even if you are NOT trying to be anonymous, due to the endless stream of exploits it has enabled, but especially when you are trying to be anonymous, don't run that shit!.

Re:Jokes on them

[the_Bionic_lemming]

What are these ads or javascripts that run on my machine without me knowing about them? Do people actually surf the web without crippling the sites that attempt to do so?

That's like web aids, or web gonorrhea .For gods sake, strap on some protection!

Re: Run Tor in a VM without audio support

[Zero__Kelvin]

I just barely use 3 GB with of data in a month and I DO watch videos sometimes. You are either completely full of shit or your phone is infected.

Re: So, um, ...

[newbie_fantod]

Or turn off JavaScript if yow want to remain anonymous on Tor.

The worthless power of Privacy Advocates.

[geekmux]

"Advertisers use uXDT in order to link different devices to the same person and create better advertising profiles so to deliver better-targeted ads in the future"

If any citizen were caught deploying this kind of tech to electronically profile the masses, they would be labeled a terrorist and locked up for life. But hey, spend a few hundred and file your questionable activities under a corporation, and it's ALL good! What a fucking joke of a loophole.

I swear, reading about shit like this makes me wonder what power privacy advocate groups really wield anymore.

Re: Run Tor in a VM without audio support

[maxm]

It is not far fetched at all! Chromecast has already offered my phone to recognize it via sound via the chromecast app. So it is already implemented as standard practice. There is no bottom to the depths ...

Re:How to block

[stealth_finger]

What devices/apps listen, and how do I disable them?

All of them, a hammer.

Re:Wait!

[fisted]

Tor is transport.

Re:Jokes on them

[fisted]

as there is less [ultrasound] around in a normal environment.

Is that true? How do you know?
I hope this claim isn't based on the fact that you normally don't hear any ultrasound in your normal environment...

I for one can think of a crapton of stuff in my 'normal environment' that likely emits ultrasound, first and foremost every switching PSU (except the crappy ones that switch in the audible spectrum, producing a sound like a muted TV....)

Why???

[Impy+the+Impiuos+Imp]

These second-stage devices, who silently listen in the background, will interpret these ultrasounds, which contain hidden instructions, telling them to ping back to the advertiser's server with details about that device.

Why are people not in prison for this?