Ultrasound Tracking Could Be Used to Deanonymize Tor Users (bleepingcomputer.com)
111 points by anshumanf 93 days ago | hide | past | web | 63 comments | favorite



This is mostly an awareness article that summarizes previously deployed techniques, and illustrates a situation where those techniques can cause maximum harm.

For background, a HN submission a year ago about these kinds of ads linking to phones, from Ars Technica [1], with some choice comments: one naming such an ad company [2], while a different subthread explores another [3][4].

Prior art in this space includes the work of Boris Smus [5], who then went on to develop the guest pairing mode for Chromecast using this technique. There have been other efforts over the years, some before, but certainly after, and of course the use of sound to transmit digital information is an old trick that makes modems possible, but in those days the lines didn't have the bandwidth to carry ultrasound.

[1] https://news.ycombinator.com/item?id=10562207
[2] https://news.ycombinator.com/item?id=10563384
[3] https://news.ycombinator.com/item?id=10563369
[4] https://news.ycombinator.com/item?id=10563031
[5] https://news.ycombinator.com/item?id=10562787


Wait what? How can a webpage play a sound if my speakers are muted? How do they bypass the little sound notification on my tabs?

>If the Tor user has his phone somewhere nearby and if certain types of apps are on his phone, then his mobile device will ping back one or more advertisers with details about his device, so the advertiser can build an advertising profile on the user, linking his computer with his phone.

This is pretty contrived...


> How can a webpage play a sound if my speakers are muted?

Well it can't obviously, but lots of people (although maybe not the types of people who use tor) browse the internet with their speakers on and active. Most people don't unmute their speakers just before they're about to listen to something.

> How do they bypass the little sound notification on my tabs?

Admittedly they probably can't, but are you sure you're going to notice a flicker as a short sound is played and then stops?

I think the most contrived part is your mobile being always-on/always listening, given that you're likely to notice this due to reduced battery life. But given that certain hardware now has support for always-on keyword detection, you can see a future when this could happen.


FWIW, there was a BBC article about always-on audio detector apps. Describing an Android proof-of-concept app: "The battery drain during our experiments was minimal and, using wi-fi, there was no data plan spike."

http://www.bbc.com/news/technology-35639549


They don't give much information on what "minimal" battery drain means. I'm skeptical. Keeping an app running in the background and keeping a stream of audio data piped into it to be processed on the CPU is not cheap. Google has a dedicated DSP on phones to do hotword detection (among other things), and IIRC that's not exposed to unprivileged apps. Hell, even iOS needs to be charging to get "hey siri" support (not sure about now; it was like this in previous versions, though).

Either way, it doesn't sound like that's what the article describes: they're talking about collecting and sending all audio wholesale. Sending that much audio data over 3g or LTE would be expensive (transcoding it to decrease payload would be expensive, too), and would surely be noticeable looking at data usage charts.

> using wi-fi, there was no data plan spike

Uh, yeah. Because it's using wifi. Phones are on wifi far less often than you'd imagine.

It's certainly possible, but it's just not plausible.


You're right, the article seems to be talking about sending the audio wholesale, which would be cheaper from a CPU perspective, but sending the data would probably be noticeable both from a data use and battery perspective.

Having said that, quite a few people have their phones connected to wifi at home, which could mitigate these issues due to both less conspicuous data and power usage.


This example is about people using TOR on a computer, so your phone is more likely to be connected to wifi than the general case.


Are you sure? I would guess that a huge amount of perfectly mainstream and popular apps have a ton of advertising SDKs bundled with them, and you never know what the fuck those SDKs are going to be doing half the time.


Not even just mainstream and popular apps, but also pre-installed and unremovable apps.


Adblock that! This is pretty alarming actually - that advertisers are willing to go to such lengths, perhaps excuse my naïveté. The receiver could be someone else's device, e.g. next door. Sure it has implications for an activist in London using tor, but what about the rest of us? How can I easily tell whether a page is listening? Feedback maybe?


This is great! It's like bugtesting the anonymity cloak. Keep the bug reports coming and we will keep patching it :)


It's also pretty exceptional to think that there are apps constantly listening for ultrasonic cues, even when not being actively used. This would be a huge battery drain, so I can't imagine any manufacturer bundling such a thing with a device.

Even if it was the case, I can't imagine such apps would give granular enough information to be enormously useful. You'd get one, maybe two people to actually get their computers to play the audio and have it picked up by a device that's actually listening for it. What then? How many advertising companies with legitimate marketing businesses actually sell the user identities? You'd get what, a UUID, maybe some aggregate demographic information, and a rough location. It seems unlikely that such a platform would actually give out specific PII for individuals.


> It's also pretty exceptional to think that there are apps constantly listening for ultrasonic cues, even when not being actively used.

It would not need to be constantly listening for it to be useful. If the point is identification, why would you leave it on after you have reasonably identified the person?


I mean, we're under the assumption here that the app that's listening isn't owned by the attacker. If it was, you already know the person's identity (and location, and probably a lot more) because you control the app on their device. It would be a lot of work to target and infect someone's phone with malware just so you could confirm that they did in fact visit a page on Tor. Probably the same amount of work to just infect their computer with malware and take a screenshot.

If we assume it's a third-party ad network, which is the only plausible explanation for why there's an app listening for ultrasonic cues on a user's device, it would need to be listening all the time. That is what the article describes.


>If the Tor user has his phone somewhere nearby and if certain types of apps are on his phone, then his mobile device will ping back...

Surely the user would have had to approve microphone access for the app first, and it'd better have a good excuse.

Even then, does e.g. iOS allow backgrounded apps to listen in on the microphone? Pretty sure only Siri has that level of privilege.

Has this whole ultrasound beacon thing taken off in the ad world? Seems to (thankfully) require quite active user involvement to be able to work.


> Surely the user would have had to approve microphone access for the app first, and it'd better have a good excuse.

Does it? Aren't people generally in the habit of signing off on any access if they want what an app offers?


Amazon Echo just earned its name.


And I'm not sure there is anything stopping a Tap from listening without you knowing.


Any device that is listening all the time can be storing and sending anything you said. How would you know if it's encrypted?

There has GOT TO BE a better way. Such as a filter made by independent manufacturers that opens the sound channel only when you say a specific phrase such as "OK Google" and closes it when you press a button or stop speaking. And an indicator would be visible when it's actually listening.

The question is, how to prevent collusion with the independent filter companies? There has to be SOME WAY to open source hardware and prevent companies from essentially performing their own interdiction on it:

https://www.google.com/amp/www.theverge.com/platform/amp/201...


How would you know if it's encrypted?

If outbound traffic levels are the same when you're using it as when you're not, it's probably bugging you? Of course a smarter arrangement would reschedule traffic to coincide with use...


Yes it's possible, but it leaves a red band on top (like the blue band of an active hotspot). You can see it with Shazam (or equivalent) after you quit it, for a few moments (just before the system kills it).


Does Android have a similar indicator for background apps recording audio?


If you're interested in trying a little data passing in ultrasonic in your browser, try my creation https://quiet.github.io/quiet-js/

This generally doesn't work on mobile, though, or at least reception doesn't. Also, neither desktop nor mobile Safari can do mic access, and Firefox's mic won't pick up ultrasonic. So try desktop Chrome :)


Another reason to browse with the Mute Tab add-on enabled:

https://addons.mozilla.org/en-us/firefox/addon/mute-tab/

All tabs default to muted, and you can selectively un-mute tabs or whitelist sites as needed.

I've certainly appreciated the default state of pages being muted.


Thanks for that link, added to my list of "Plugins I didn't know I wanted until I saw them" :).


How is javascript playing ultrasound not seen as an attack on the user?

In what world is that ever a sane thing to do?


I can think of plausible use-cases: e.g. wireless data communication with devices that aren't networked.

I've got scuba-diving computers that need special cables to sync with my PC: if they could sync with nothing more than a webpage and speakers, that would be pretty neat.


From a technical standpoint there's no difference from javascript playing sound that the user wants and a "malicious" sound. Ultrasound only differs from "audible" sound in our ears, from the browser perspective both are just bits sent to your audio DAC.


What frequency are these apps using? I haven't looked it up, but I doubt most computer speakers go above 15 kHz (why would they?). A young person should be able to hear really high but audible tones, and an adult would rapidly lose the ability. If this is not the case it would make sense to set a limit on the tones such a device can send and receive.

On the other hand there might be legitimate uses for such tech, so maybe better to have it as a security option to send and receive ultrasound per individual, i.e. if I can't hear above 10 kHz maybe I can set my audio to not send or receive above that without app-specific permission.


It's not exactly that straightforward. In general any modern audio equipment will run up to 20 kHz, since that's generally accepted as the range of human hearing. From what I can tell, the lowpass filters built in to equipment (e.g. antialiasing on ADC/DAC) attenuate starting at 19 or 20 kHz. But these are realized as low-order physical filters, meaning they roll off slowly, so you'd have to start attenuating at something much lower to truly remove the 18-20 kHz range. That would introduce distortion where the rolloff starts, which you probably don't want.
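To put numbers on the roll-off argument in the comment above, here is an added worked example (not code from the thread or from any product mentioned in it). It models an ideal Butterworth low-pass, which is an assumption standing in for whatever analog filter a given DAC or ADC actually uses, and shows how little a 20 kHz corner does to an 18 kHz tone and how far down the corner would have to move to suppress 18 kHz by 40 dB, taking audible content with it.

```python
import math


def butterworth_attenuation_db(f_hz, cutoff_hz, order):
    """Gain in dB of an ideal Butterworth low-pass at f_hz (negative = attenuation).

    |H(f)|^2 = 1 / (1 + (f/fc)^(2n)); at f = fc the gain is -3 dB for any order.
    """
    ratio = f_hz / cutoff_hz
    return -10.0 * math.log10(1.0 + ratio ** (2 * order))


def cutoff_for_attenuation(f_hz, target_db, order):
    """Corner frequency at which an order-n Butterworth attenuates f_hz by target_db.

    Solves 1 + (f/fc)^(2n) = 10^(target/10) for fc.
    """
    ratio = (10.0 ** (target_db / 10.0) - 1.0) ** (1.0 / (2 * order))
    return f_hz / ratio


def rolloff_table(cutoff_hz, order, freqs=(1000, 5000, 10000, 15000, 18000, 20000)):
    """Attenuation (dB) at a set of audible and near-ultrasonic frequencies."""
    return {f: round(butterworth_attenuation_db(f, cutoff_hz, order), 1) for f in freqs}


if __name__ == "__main__":
    # Typical anti-aliasing corner near 20 kHz: an 18 kHz beacon passes almost untouched.
    for order in (1, 2, 4):
        print(f"order {order}, fc=20 kHz: {rolloff_table(20000, order)}")
    # What it would take to knock 18 kHz down by 40 dB with a low-order filter:
    # the corner ends up deep inside the audible band.
    for order in (2, 4, 8):
        fc = cutoff_for_attenuation(18000, 40.0, order)
        print(f"order {order}: need fc={fc:.0f} Hz -> {rolloff_table(fc, order)}")
```

With a second-order filter and a 20 kHz corner, 18 kHz loses only about 2 dB; forcing 40 dB of attenuation at 18 kHz with the same order pushes the corner to about 1.8 kHz, which flattens everything above a few kHz. An eighth-order filter still needs a corner around 10 kHz, which is why "just filter it out in the speaker" is harder than it sounds.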


Things like Apple TV/Chromecast are serving ads and are hooked up to audio systems that are usually quite capable. And this could easily just shift to being done within the range of computer speaker production/human hearing and it would sound like a glitch at best (if audible at all).


From some quick digging I did in a Github repo attempting to reverse-engineer the 'audio beacons', the frequencies used by at least one startup using the technique are in the 18kHz range[1].

https://github.com/MAVProxyUser/SilverPushUnmasked/commit/bc...


A bit of an edge case this. I know for me I mute my speakers permanently when using TOR in case I encounter a shock page [1] like Lemon Party or Goatse.

[1]: https://en.wikipedia.org/wiki/Shock_site


This hosts file is updated regularly to help prevent accidentally stumbling upon (shock|malicious|etc) style sites: http://someonewhocares.org/hosts/hosts

Been using it for a few months now and have found it invaluable.


Oh thanks for that! Does TOR honor the hosts file, specifically Tor Browser Bundle? I haven't tried.


https://hackaday.io/project/12985-multisite-homeofficehacker...

I don't believe so but my change in the Linux resolver daemon does honor the hosts file for all .onion entries.


Time to start selling speakers with bandpass filters built in. It's the new tape over the camera.


Technically lowpass :)


Ahh but what about subsonic messages? Slow datarate to be sure but definitely possible.

If there's any monkey business going on with my audio, I want it in the range where I can hear it!


Do you mean messages sent over infrasound (less than ~20 Hz)? That would typically not work, because most speakers cannot produce infrasound and most microphones don't pick up frequencies that low.


For those looking for an app which uses this technique (so called data-over-audio technology) look no further than Chirp

https://www.chirp.io/

    Enhance your products by integrating with Chirp™
    - the world’s most trusted data-over-audio technology
    used by the leading brands in more than 90 countries


I read about a lot of you security people talking about the difference between a physical switch turning off your wifi vs a software switch, does anything like that apply to this?


A physical switch is for surety and peace of mind, whereas with a software switch you have to be careful, because I don't trust my machine's OS to keep the speakers muted. No matter how much the chain of trust has not been compromised, there's always a weak link somewhere. Physical switches or death.


> A physical switch is for surety and peace of mind

Theoretically, there's no reason to trust a physical switch more than a software switch, unless you've opened the computer and verified that the physical switch breaks all circuits to all wifi radios. The physical switch could merely control software, or it might control one connection to one radio but not others.


Or death? That is a bit dramatic...


TorBrowser has Javascript disabled by default, doesn't that mean you have to first 'trick' targets into visiting the webpage, and then trick them into turning on js?


I wonder if bgsound [1] attribute is still honored by modern browsers.

It's IE-specific, though, so won't work in a Tor browser.

[1]: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/bg...


<audio> and a few other HTML5 sound capable tags don't require JS enabled IIRC.


TorBrowser has JS enabled by default, with NoScript enabled. This is not the same thing.

The first thing one should do after installing the Tor Browser Bundle is open up about:config, search for javascript.enabled, and set it to false.

If an onion site doesn't work without JS, you probably don't want to be on it anyway.


TorBrowser has JS on by default I thought.


No. That would be reckless and would compromise Tor Browser Bundle from the outset. By default, the NoScript plugin disallows JS from running globally.


NoScript is not enabled by default in Tor Browser (in tails).

from: https://tails.boum.org/doc/anonymous_internet/Tor_Browser/#i...

To allow more control over JavaScript, for example to disable JavaScript completely on some websites, Tor Browser includes the NoScript extension.

By default, NoScript is disabled and some JavaScript is allowed by the Torbutton extension as explained above.

So, "Yes", this is reckless and would compromise Tor Browser from the outset.


> No. That would be reckless ...

Maybe so, but I think the GP is correct. At least, it was true a year or so ago.


IIRC the rationale is that users with JS off are more "weird" so they stand out more.


I'm thinking perhaps browsers should ask for speaker permissions, much like they already do for microphones and cameras.


Is there an ultrasound scanner out there?


Do you mean something that simply listens for sound in those frequencies or decodes known signals as well? The latter would be pretty interesting to walk around dense urban and shopping centers with.


Yes, the latter. If this attack is possible ultrasound driving ought to be possible too.


Look for realtime analysis software (RTA) or spectrum analyzer software, typically used for setting up audio systems or analyzing noise sources. One example is RoomEQ wizard. Audacity can do it in non-realtime.


https://en.wikipedia.org/wiki/Bat_detector
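For the "ultrasound scanner" question above, and for the earlier comment that at least one vendor's beacons sit around 18 kHz, here is an added example of a minimal detector (not code from the thread, from quiet-js, or from any vendor). It uses the Goertzel algorithm to measure a few bins in the 18-20 kHz band and flags a block whose near-ultrasonic energy stands out from its audible energy; the 44.1 kHz sample rate, the probe frequencies and the threshold are assumptions, and the test audio is constructed inline rather than recorded. It does not decode any vendor's modulation, only tells you that something is there.

```python
import math
import random

SAMPLE_RATE = 44100  # Hz; assumed capture rate, common for desktop and mobile mics


def goertzel_power(samples, target_hz, sample_rate=SAMPLE_RATE):
    """Power of one frequency bin via the Goertzel algorithm.

    Cheaper than a full FFT when only a handful of bins matter, which is
    exactly the situation for a detector watching the 18-20 kHz band.
    """
    n = len(samples)
    k = round(n * target_hz / sample_rate)          # nearest DFT bin
    omega = 2.0 * math.pi * k / n
    coeff = 2.0 * math.cos(omega)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    power = s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2
    return power / n                                 # normalise by block length


def ultrasound_ratio(samples, probe_hz=(18000, 18500, 19000, 19500),
                     ref_hz=(500, 1000, 2000, 3000, 4000, 6000, 8000, 10000)):
    """Strongest near-ultrasonic bin divided by the mean of audible reference bins.

    Comparing bands rather than using an absolute level makes the check
    insensitive to microphone gain and overall room noise.
    """
    probe = max(goertzel_power(samples, f) for f in probe_hz)
    ref = sum(goertzel_power(samples, f) for f in ref_hz) / len(ref_hz)
    return probe / (ref + 1e-12)


def is_beacon_candidate(samples, threshold=20.0):
    """Flag a block whose 18-20 kHz content stands out from its audible content.

    The threshold is an assumption for this example; calibrate it on quiet
    recordings from the real microphone before trusting the result.
    """
    return ultrasound_ratio(samples) > threshold


def make_block(tone_hz=None, amplitude=0.05, n=4096, seed=1):
    """Constructed test audio: Gaussian noise with an optional faint tone mixed in.

    Stands in for one block of microphone samples scaled to -1.0..1.0.
    """
    rng = random.Random(seed)
    out = []
    for i in range(n):
        x = rng.gauss(0.0, 0.01)
        if tone_hz is not None:
            x += amplitude * math.sin(2.0 * math.pi * tone_hz * i / SAMPLE_RATE)
        out.append(x)
    return out


if __name__ == "__main__":
    for label, block in (("noise only", make_block()),
                         ("faint 18 kHz tone", make_block(tone_hz=18000)),
                         ("audible 1 kHz tone", make_block(tone_hz=1000))):
        print(f"{label:20s} ratio={ultrasound_ratio(block):10.1f} "
              f"flagged={is_beacon_candidate(block)}")
```

Feeding this real microphone blocks (for instance 4096-sample chunks from a capture library) gives a crude walk-around scanner of the kind asked about; a tone at -26 dBFS buried in noise is flagged, while plain noise and an audible tone are not. A real bat-detector style tool would sweep many more bins or run an FFT and show a spectrogram, but the band-ratio idea is the same.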


Are cheapo mic and speakers even capable of operating at those frequencies?


Absolutely. 20 kHz, from an electrical engineering perspective, isn't really a wide bandwidth. You might get some fairly strong distortion, but almost always it will still work, unless we're talking about something like a piezo.


Now I just need to install this toggle switch on my phone...



