[Note: This item comes from friend Jen Snow. DLH]
Your home’s online gadgets could be hacked by ultrasound
By Sally Adee
Oct 28 2016
This may have happened to you. You idly browse a pair of shoes online one morning, and for the rest of the week, those shoes follow you across the Internet, appearing in adverts across the websites you visit.
But what if those ads could pop out of your browser and hound you across different devices? This is the power of ultrasound technology, says Vasilios Mavroudis at University College London – and it offers a whole new way in for hacking attacks and privacy invasions. He and his colleagues will spell out their concerns at next week’s Black Hat cybersecurity conference in London.
So far, this kind of ultrasound technology has mainly been used as a way for marketers and advertisers to identify and track people exposed to their messages, like a cross-device cookie. High-frequency audio “beacons” are embedded into TV commercials or browser ads. These sounds, which are inaudible to the human ear, can be picked up by any nearby device that has a microphone and can then activate certain functions on that device. But the technology has many more applications. Some shopping reward apps, such as Shopkick, already use it to let retailers push department or aisle-specific ads and promotions to customers’ phones as they shop.
“It doesn’t require any special technology,” Mavroudis says. “If you’re a supermarket, all you need are regular speakers.”
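A defender-side check for the inaudible beacons described above, as an added example that is not from the article or the researchers: it scans a captured audio buffer for a narrowband tone just below 20 kHz using the Goertzel algorithm. The 18 to 20 kHz band, the 44.1 kHz sample rate, the power floor and the constructed test clips are all assumptions, since the article gives no frequencies.

```python
import math
import random

SAMPLE_RATE = 44100       # Hz, assumed capture rate
BAND_HZ = (18000, 20000)  # assumed beacon band; the article gives no frequencies
MIN_POWER = 1e-6          # assumed detection floor; tune per microphone

def bin_power(samples, k):
    """Goertzel algorithm: normalised power of DFT bin k."""
    n = len(samples)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return (s1 * s1 + s2 * s2 - coeff * s1 * s2) / (n * n)

def scan_for_beacon(samples, rate=SAMPLE_RATE, band=BAND_HZ, floor=MIN_POWER):
    """Return (flagged, peak_hz, peak_power) for the strongest bin in the band."""
    n = len(samples)
    lo = math.ceil(band[0] * n / rate)
    hi = math.floor(band[1] * n / rate)
    peak_k = max(range(lo, hi + 1), key=lambda k: bin_power(samples, k))
    power = bin_power(samples, peak_k)
    return power > floor, peak_k * rate / n, power

def constructed_clip(beacon_hz=None, seconds=0.1, rate=SAMPLE_RATE, seed=7):
    """Constructed test audio: 1 kHz tone plus low noise, optional quiet high tone."""
    rng = random.Random(seed)
    out = []
    for i in range(round(seconds * rate)):
        t = i / rate
        x = 0.3 * math.sin(2 * math.pi * 1000 * t) + rng.uniform(-0.01, 0.01)
        if beacon_hz:
            x += 0.05 * math.sin(2 * math.pi * beacon_hz * t)
        out.append(x)
    return out

if __name__ == "__main__":
    for label, clip in (("room audio", constructed_clip()),
                        ("with beacon", constructed_clip(18500))):
        flagged, hz, power = scan_for_beacon(clip)
        print(f"{label}: flagged={flagged} peak={hz:.0f} Hz power={power:.2e}")
```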
Who is listening?
But the technology has been identified as a privacy risk. In March, the US Federal Trade Commission (FTC) rapped the knuckles of 12 app developers who used ultrasound for cross-device tracking – even when the apps weren’t turned on. This means that the apps could collect information about users without their awareness.
The software developer providing this code quickly withdrew it, but an FTC spokesperson says that the commission continues to be interested in cross-device tracking: “We’re continuing to look at the ways that can be achieved.”
And this is just one of the problems Mavroudis and his colleagues discovered when examining the vulnerabilities of ultrasound-based technologies.
One worry is that these programs may not just be picking up ultrasound. “Any app that wants to use ultrasound needs access to the full range of the microphone,” says Mavroudis. That means it would be possible, in theory, for the app to spy on your conversation.
The ultrasonic audio beacons that these apps pick up can also be imitated. This means that hackers could create fake beacons to send unwanted or malicious messages to your device, like malware. Mavroudis and his team realised that this would be possible when they found evidence of people trying to cheat a shopping rewards app by recording the ‘silent’ beacons (or just downloading recordings from the Internet) and then playing them to the app to supercharge their reward points. “That was when we realised how easy it would be to spoof these,” he says.
Mavroudis says that these vulnerabilities do not affect many people yet, as ultrasound apps are still niche. But the simplicity of ultrasound could make it an attractive technology for use in applications across the Internet of Things (IoT), says Mu Mu, a lecturer at the University of Northampton, UK.
As more IoT devices become connected and interlinked, they could overwhelm a home’s Wi-Fi channel, and different technologies will need to step in. Ultrasound is a good candidate for pairing home-connected devices that have a speaker and microphone. For example, Google’s Chromecast app uses ultrasound to pair your mobile phone with its streaming dongle.