
Ultrasound Tracking Could Be Used to Deanonymize Tor Users - anshumanf
https://www.bleepingcomputer.com/news/security/ultrasound-tracking-could-be-used-to-deanonymize-tor-users/
======
niftich
This is mostly an awareness article that summarizes previously deployed
techniques, and illustrates a situation where those techniques can cause
maximum harm.

For background, a HN submission a year ago about these kinds of ads linking to
phones, from Ars Technica [1], with some choice comments being one naming
such an ad company [2] while a different subthread explores another [3][4].

Prior art in this space includes the work of Boris Smus [5], who then went on
to develop the guest pairing mode for Chromecast using this technique. There
have been other efforts over the years, some before, but certainly after, and
of course the use of sound to transmit digital information is an old trick
that makes modems possible, but in those days the lines didn't have the
bandwidth to carry ultrasound.

[1] [https://news.ycombinator.com/item?id=10562207](https://news.ycombinator.com/item?id=10562207)
[2] [https://news.ycombinator.com/item?id=10563384](https://news.ycombinator.com/item?id=10563384)
[3] [https://news.ycombinator.com/item?id=10563369](https://news.ycombinator.com/item?id=10563369)
[4] [https://news.ycombinator.com/item?id=10563031](https://news.ycombinator.com/item?id=10563031)
[5] [https://news.ycombinator.com/item?id=10562787](https://news.ycombinator.com/item?id=10562787)

------
jbob2000
Wait what? How can a webpage play a sound if my speakers are muted? How do
they bypass the little sound notification on my tabs?

> If the Tor user has his phone somewhere nearby and if certain types of apps
> are on his phone, then his mobile device will ping back one or more
> advertisers with details about his device, so the advertiser can build an
> advertising profile on the user, linking his computer with his phone.

This is pretty contrived...

~~~
joncrocks
> How can a webpage play a sound if my speakers are muted?

Well it can't obviously, but lots of people (although maybe not the types of
people who use tor) browse the internet with their speakers on and active.
Most people don't unmute their speakers just before they're about to listen to
something.

> How do they bypass the little sound notification on my tabs?

Admittedly they probably can't, but are you sure you're going to notice a
flicker as a short sound is played and then stops?

I think the most contrived part is your mobile being always-on/always
listening, given that you're likely to notice this due to reduced battery
life. But given that certain hardware now has support for always-on keyword
detection, you can see a future when this could happen.

~~~
jcl
FWIW, there was a BBC article about always-on audio detector apps. Describing
an Android proof-of-concept app: "The battery drain during our experiments was
minimal and, using wi-fi, there was no data plan spike."

[http://www.bbc.com/news/technology-35639549](http://www.bbc.com/news/technology-35639549)

~~~
bastawhiz
They don't give much information on what "minimal" battery drain means. I'm
skeptical. Keeping an app running in the background and keeping a stream of
audio data piped into it to be processed on the CPU is not cheap. Google has a
dedicated DSP on phones to do hotword detection (among other things), and IIRC
that's not exposed to unprivileged apps. Hell, even iOS needs to be charging
to get "hey siri" support (not sure about now; it was like this in previous
versions, though).

Either way, it doesn't sound like that's what the article describes: they're
talking about collecting and sending all audio wholesale. Sending that much
audio data over 3g or LTE would be expensive (transcoding it to decrease
payload would be expensive, too), and would surely be noticeable looking at
data usage charts.

> using wi-fi, there was no data plan spike

Uh, yeah. Because it's using wifi. Phones are on wifi far less often than
you'd imagine.

It's certainly possible, but it's just not plausible.

~~~
joncrocks
You're right, the article seems to be talking about sending
the audio wholesale, which would be cheaper from a CPU perspective, but
sending the data would probably be noticeable both from a data use and battery
perspective.

Having said that, quite a few people have their phones connected to wifi at
home, which could mitigate these issues due to both less conspicuous data and
power usage.

------
renaudg
> If the Tor user has his phone somewhere nearby and if certain types of apps
> are on his phone, then his mobile device will ping back...

Surely the user would have had to approve microphone access for the app first,
and it'd better have a good excuse.

Even then, does e.g. iOS allow backgrounded apps to listen in on the
microphone ? Pretty sure only Siri has that level of privilege.

Has this whole ultrasound beacon thing taken off in the ad world ? Seems to
(thankfully) require quite active user involvement to be able to work.

~~~
kneel
Amazon echo just earned its name.

~~~
shostack
And I'm not sure there is anything stopping a Tap from listening without you
knowing.

~~~
EGreg
Any device that is listening all the time can be storing and sending anything
you said. How would you know if it's encrypted?

There has GOT TO BE a better way. Such as a filter made by independent
manufacturers that opens the sound channel only when you say a specific phrase
such as "OK Google" and closes it when you press a button or stop speaking.
And an indicator would be visible when it's actually listening.

The question is, how to prevent collusion with the independent filter
companies? There has to be SOME WAY to open source hardware and prevent
companies from essentially performing their own _interdiction_ on it:

[https://www.google.com/amp/www.theverge.com/platform/amp/201...](https://www.google.com/amp/www.theverge.com/platform/amp/2013/12/29/5253226/nsa-cia-fbi-laptop-usb-plant-spy?client=safari)

~~~
jessaustin
_How would you know if it's encrypted?_

If outbound traffic levels are the same when you're using it as when you're
not, it's probably bugging you? Of course a smarter arrangement would
reschedule traffic to coincide with use...

------
brian-armstrong
If you're interested in trying a little data passing in ultrasonic in your
browser, try my creation [https://quiet.github.io/quiet-js/](https://quiet.github.io/quiet-js/)

This generally doesn't work in mobile, though, or at least reception doesn't.
Also, neither desktop nor mobile Safari can do mic access, and firefox's mic
won't pick up ultrasonic. So try desktop Chrome :)

------
WiseWeasel
Another reason to browse with the Mute Tab add-on enabled:

[https://addons.mozilla.org/en-us/firefox/addon/mute-tab/](https://addons.mozilla.org/en-us/firefox/addon/mute-tab/)

All tabs default to muted, and you can selectively un-mute tabs or whitelist
sites as needed.

I've certainly appreciated the default state of pages being muted.

~~~
noir_lord
Thanks for that link, added to my list of "Plugins I didn't know I wanted
until I saw them" :).

------
adekok
How is javascript playing ultrasound _not_ seen as an attack on the user?

In what world is that _ever_ a sane thing to do?

~~~
manarth
I can think of plausible use-cases: e.g. wireless data communication with
devices that aren't networked.

I've got scuba-diving computers that need special cables to sync with my PC:
if they could sync with nothing more than a webpage and speakers, that would
be pretty neat.

------
gmarx
What frequency are these apps using? I haven't looked it up but I doubt most
computer speakers go above 15Khz (why would they?) A young person should be
able to hear really high but audible tones and an adult would rapidly lose the
ability. If this is not the case it would make sense to set a limit on the
tones such a device can send and receive.

On the other hand there might be legitimate uses for such tech so maybe better
to have it as a security option to send and receive ultrasound per individual,
i.e. if I can't hear above 10khz maybe I can set my audio to not send or
receive above that without app specific permission

~~~
brian-armstrong
It's not exactly that straightforward. In general any modern audio equipment
will run up to 20kHz since that's generally accepted as the range of human
hearing. From what I can tell, the lowpass filters built in to equipment (eg
antialiasing on ADC/DAC) attenuates starting at 19 or 20 kHz. But these are
realized as low order physical filters, meaning they roll off slowly, so you'd
have to start attenuating at something much lower to truly remove the 18-20
range. That would introduce distortion where the rolloff starts, which you
probably don't want.

------
ergot
A bit of an edge case this. I know for me I mute my speakers permanently when
using TOR in case I encounter a shock page like Lemon Party or Goatse

[1]: [https://en.wikipedia.org/wiki/Shock_site](https://en.wikipedia.org/wiki/Shock_site)

~~~
deletia
This hosts file is updated regularly to help prevent accidentally stumbling
upon (shock|malicious|etc) style sites:
[http://someonewhocares.org/hosts/hosts](http://someonewhocares.org/hosts/hosts)

Been using it for a few months now and have found it invaluable.

~~~
ergot
Oh thanks for that! Does TOR honor the hosts file, specifically Tor Browser
Bundle? I haven't tried.

~~~
kefka
[https://hackaday.io/project/12985-multisite-homeofficehacker...](https://hackaday.io/project/12985-multisite-homeofficehackerspace-automation)

I don't believe so but my change in the Linux resolver daemon does honor the
hosts file for all .onion entries.

------
noonespecial
Time to start selling speakers with bandpass filters built in. It's the new
tape over the camera.

~~~
renaudg
Technically lowpass :)

~~~
noonespecial
Ahh but what about _sub_ sonic messages? Slow datarate to be sure but
definitely possible.

If there's any monkey business going on with my audio, I want it in the range
where I can hear it!

~~~
iverjo
Do you mean messages sent over _infrasound_ (less than ~20 Hz)? That would
typically not work, because most speakers cannot produce infrasound and most
microphones don't pick up frequencies that low

------
ergot
For those looking for an app which uses this technique (so called data-over-
audio technology) look no further than Chirp

[https://www.chirp.io/](https://www.chirp.io/)

    
    
        Enhance your products by integrating with Chirp™
        - the world’s most trusted data-over-audio technology
        used by the leading brands in more than 90 countries

------
jonwachob91
I read about a lot of you security people talking about the difference between
a physical switch turning off your wifi vs a software switch, does anything
like that apply to this?

~~~
ergot
A physical switch is for surety and peace of mind, whereas a software switch
you have to be careful, because I don't trust my machine's OS to keep the
speakers muted, no matter how much the chain of trust has not been
compromised, there's always a weak link somewhere. Physical switches or death.

~~~
hackuser
> A physical switch is for surety and peace of mind

Theoretically, there's no reason to trust a physical switch more than a
software switch, unless you've opened the computer and verified that the
physical switch breaks all circuits to all wifi radios. The physical switch
could merely control software, or it might control one connection to one radio
but not others.

------
cypherpunks01
TorBrowser has Javascript disabled by default, doesn't that mean you have to
first 'trick' targets into visiting the webpage, and then trick them into
turning on js?

~~~
nine_k
I wonder if bgsound [1] attribute is still honored by modern browsers.

It's IE-specific, though, so won't work in a Tor browser.

[1]: [https://developer.mozilla.org/en-US/docs/Web/HTML/Element/bg...](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/bgsound)

~~~
dogma1138
<audio> and a few other HTML5 sound capable tags don't require JS enabled
IIRC.

------
wjh_
I'm thinking perhaps browsers should ask for speaker permissions, much like
they already do for microphones and cameras.

------
0xdeadbeefbabe
Is there an ultrasound scanner out there?

~~~
nkrisc
Do you mean something that simply listens for sound in those frequencies or
decodes known signals as well? The latter would be pretty interesting to walk
around dense urban and shopping centers with.

~~~
0xdeadbeefbabe
Yes, the latter. If this attack is possible ultrasound driving ought to be
possible too.

~~~
nitrogen
Look for realtime analysis software (RTA) or spectrum analyzer software,
typically used for setting up audio systems or analyzing noise sources. One
example is RoomEQ wizard. Audacity can do it in non-realtime.
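
An added example, not part of the thread: a small detector of the "simply listens" kind discussed above, which scans a mono capture (floats in [-1, 1]) for sustained tones in the 18-20 kHz band using the Goertzel algorithm. The sample rate, frame size, threshold and the synthesized capture are assumptions made for illustration; it flags energy only and does not decode any beacon format.

```python
import math
import random

RATE = 48_000                        # capture sample rate in Hz (assumed)
FRAME = 256                          # 5.3 ms per frame, about 188 Hz per bin
PROBES = range(18_000, 20_001, 250)  # near-ultrasonic frequencies to watch
HANN = [0.5 - 0.5 * math.cos(2 * math.pi * n / (FRAME - 1)) for n in range(FRAME)]

def tone_amplitude(frame, freq):
    """Goertzel estimate of the amplitude at `freq` in one Hann-windowed frame."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x, w in zip(frame, HANN):
        s1, s2 = x * w + coeff * s1 - s2, s1
    power = max(s1 * s1 + s2 * s2 - coeff * s1 * s2, 0.0)
    return 4.0 * math.sqrt(power) / FRAME   # 4/N compensates the Hann gain of 0.5

def find_ultrasonic_bursts(samples, threshold=0.01, min_frames=3):
    """Return (start_s, end_s, peak_hz) for each sustained burst in the probe band."""
    bursts, first, peak = [], None, (0.0, 0)
    n_frames = len(samples) // FRAME
    for i in range(n_frames + 1):           # final pass closes a burst still open at EOF
        loudest = (0.0, 0)
        if i < n_frames:
            frame = samples[i * FRAME:(i + 1) * FRAME]
            loudest = max((tone_amplitude(frame, f), f) for f in PROBES)
        if loudest[0] >= threshold:
            first = i if first is None else first
            peak = max(peak, loudest)
        elif first is not None:
            if i - first >= min_frames:     # drop isolated single-frame blips
                bursts.append((first * FRAME / RATE, i * FRAME / RATE, peak[1]))
            first, peak = None, (0.0, 0)
    return bursts

def constructed_capture():
    """Constructed input: 1 s of a 1 kHz tone plus noise; 18.5 kHz tone from 0.4 s to 0.6 s."""
    rng = random.Random(0)
    out = []
    for n in range(RATE):
        x = 0.3 * math.sin(2 * math.pi * 1_000 * n / RATE) + rng.gauss(0.0, 0.005)
        if 2 * RATE // 5 <= n < 3 * RATE // 5:
            x += 0.05 * math.sin(2 * math.pi * 18_500 * n / RATE)
        out.append(x)
    return out

if __name__ == "__main__":
    for start, end, hz in find_ultrasonic_bursts(constructed_capture()):
        print(f"{start:.3f}-{end:.3f} s: tone near {hz} Hz")
```

The capture has to come from a microphone and sample rate that actually pass 18-20 kHz, otherwise the band will look empty regardless of what is playing.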

------
lanius
Are cheapo mic and speakers even capable of operating at those frequencies?

~~~
brian-armstrong
Absolutely. 20kHz, from an electrical engineering perspective, isn't really a
wide bandwidth. You might get some fairly strong distortion but almost always
it will still work, unless we're talking about something like a piezo.

------
basicplus2
Now I just need to install this toggle switch on my phone...

