Ultrasonic Tracking, the new threat that tracks IoT devices with Ultrasound Signals

Of late, we have been seeing a growing nexus between companies that offer “always-on” devices that listen for our voice commands and advertisers or marketers who follow us around the web, without our knowledge, to create personalized user profiles. The symbiotic relationship between the two is beneficial in some ways. The advertisers, for example, get valuable information about our behavioral patterns, and the device manufacturers in return get a share of the revenue generated in the process. But all this is done at the cost of your privacy!

Ultrasonic Cross-Device Tracking

Now a new technique has been developed in which such tracking takes place with the help of ultrasonic sounds; it is called Ultrasonic Cross-Device Tracking. Using this technique, advertisers embed high-frequency tones that are not audible to human ears in advertisements and web pages. These tones, or ultrasound “beacons” as they are generally called, are played through a device's speakers and picked up by the microphone of any nearby Internet-connected device (smartphone, tablet, TV or PC), such as the microphones used by certain apps. The listening device detects the signal and reveals information about the ads you have been watching and for how long.

What is Ultrasonic Tracking

The technique allows advertisers to track the content a user visits across different IoT devices and helps them push relevant or, more precisely, more targeted content. For example, if a user clicks on an advertisement while browsing the web at home or at the office, the advertisers readily collect this information to later display related advertisements on other devices belonging to the same user, along with other information that adds to each user's profile, which is linked to their various devices.

SilverPush, Drawbridge, Adobe, and Flurry are known to be working on ways to pair a given user to specific devices.

Says CDT:

Cross-device tracking can also be performed through the use of ultrasonic inaudible sound beacons. Compared to probabilistic tracking through browser fingerprinting, the use of audio beacons is a more accurate way to track users across devices. The industry leader of cross-device tracking using audio beacons is SilverPush. When a user encounters a SilverPush advertiser on the web, the advertiser drops a cookie on the computer while also playing an ultrasonic audio through the use of the speakers on the computer or device. The inaudible code is recognized and received on the other smart device by the software development kit installed on it.

The Dangers

The use of this ultrasonic spectrum as a communication channel to “pair” devices for the aforementioned tracking purposes can have other repercussions too. For instance, in-depth technical analysis of the underlying technology exposes both implementation & design vulnerabilities, and therefore, critical security & privacy shortcomings.

If an attacker manages to get access to this network, he can exploit uXDT (ultrasonic cross-device tracking) frameworks to reveal the true IP addresses of users who browse the Internet through anonymity networks (e.g., VPNs or Tor).

The FTC has also issued a warning about this:

Silverpush has represented that its audio beacons are not currently embedded into any television programming aimed at U.S. households. However, if your application enabled third parties to monitor television-viewing habits of U.S. consumers and your statements or user interface stated or implied otherwise, this could constitute a violation of the Federal Trade Commission Act.

Precautions

As a precautionary measure, you can follow certain countermeasures that have been designed, implemented, and released publicly to overcome this threat. These include:

  1. Using a mobile application that detects ultrasound beacons “in the air”.
  2. Using a browser extension that is capable of functioning as a personal firewall by selectively filtering ultrasonic beacons. We’ll cover this part in detail in an upcoming post.
  3. Use a VPN. For this, you should have complete control over your network. If your network features this capability, you can put your mobile device on a good VPN that blocks malvertising and tracking domains.
  4. Users of Chrome browser can make use of Silverdog Chrome Extension, which we will take a look at tomorrow.
  5. You can even try to jam an ultrasonic tracking signal with other ultrasonic sounds, but that will drive the pets in and around your home insane since the ultrasonic sound is audible to them.
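
As an illustration of the first precaution, here is a sketch of how a detector can flag a beacon in one frame of microphone samples. It is an added example, not code from the original post or from any of the apps and extensions mentioned. The 18–20 kHz band, the 44.1 kHz sample rate, the 5% threshold, the function names and the test frames are all assumptions constructed for the example.

```python
import math

SAMPLE_RATE = 44100      # Hz; assumed capture rate (must exceed twice the band's top edge)
BAND = (18000, 20000)    # Hz; assumed near-ultrasonic band used by beacons
THRESHOLD = 0.05         # assumed share of frame energy that raises an alert


def goertzel_power(samples, k):
    """Return |X[k]|^2, the squared DFT magnitude of bin k (Goertzel algorithm)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * k / len(samples))
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def scan_frame(samples, rate=SAMPLE_RATE, band=BAND, threshold=THRESHOLD):
    """Return (alert, peak_hz, share) for one frame of audio samples."""
    n = len(samples)
    total = n * sum(x * x for x in samples)   # Parseval: sum of |X[k]|^2 over all bins
    if total == 0.0:
        return (False, None, 0.0)             # digital silence: nothing to flag
    lo = math.ceil(band[0] * n / rate)
    hi = min(math.floor(band[1] * n / rate), (n - 1) // 2)
    powers = {k: goertzel_power(samples, k) for k in range(lo, hi + 1)}
    if not powers:
        return (False, None, 0.0)             # frame too short to resolve the band
    share = 2.0 * sum(powers.values()) / total  # x2: a real signal mirrors into bin n-k
    peak_k = max(powers, key=powers.get)
    return (share >= threshold, peak_k * rate / n, share)


def make_frame(beacon_amp, n=2205, rate=SAMPLE_RATE):
    """Constructed test frame: two audible tones plus an optional 18.5 kHz tone."""
    tones = [(440, 0.5), (1000, 0.3), (18500, beacon_amp)]
    return [sum(a * math.sin(2 * math.pi * f * i / rate) for f, a in tones)
            for i in range(n)]


if __name__ == "__main__":
    for label, amp in (("audible only", 0.0), ("with beacon", 0.2)):
        print(label, scan_frame(make_frame(amp)))
```

A real detector would run this over successive frames and require the alert to persist, since a single loud high-pitched sound can also put energy in the band.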

Although technology has simplified our lives a great deal, the more worrying factor remains its potential misuse for personal benefit!

Download and read this PDF guide which talks of Attacks & Countermeasures of Ultrasonic Cross-Device Tracking.

Stay safe, and alert … always! The Internet is becoming worse by the day!

Anand Khanse is the Admin of TheWindowsClub.com, a 10-year Microsoft MVP Awardee in Windows (2006-16) & a Windows Insider MVP. Please read the entire post & the comments first, create a System Restore Point before making any changes to your system & be careful about any 3rd-party offers while installing freeware.