/home/voxx-vindictae/blog/001_they-can-hear-you.html


guest:~/blog]$ htmlview 001_they-can-hear-you.html

>

In case you weren't yet convinced that we're living in a Dystopia: advertisers can send ads directly from your TV to your phone via audio too high to hear.

>

Smart devices are capable of communication via ultrasonic frequencies around 18-22 KhZ. They have been for awhile. Now, we could have used this to allow for smartphones to have a distress beacon that alerts people in the area of a kidnapping, or for interactive games, exhibits, and displays. Instead, companies like silverpush and listnr use it to track and market you, adding to the ever-growing net of corporate surveilance.

>

I won't get into the specifics of how it all works, because there are a number of articles that I've linked that do it better. I will, however, share my own research on the phenomenon.


>

First off: a research paper done by the Institute of System Security in Braunschweig, Germany reveals startling findings in their studies of ultrasonic Cross-device tracking:

>

“By analyzing prominent examples of commercial tracking technologies, we gained in- sights about their current state of the art and the underlying communication concepts. The case of SilverPush emphasizes that the step between spying and legitimately tracking is rather small. SilverPush and Lisnr share essential similarities in their communication protocol and signal processing. While the user is aware about Lisnr’s location tracking, SilverPush does not reveal the application names with the tracking functionality.”

>

“Throughout our empirical study, we confirm that audio beacons can be embedded in sound, such that mobile devices spot them with high accuracy while humans do not perceive the ultrasonic signals consciously. Moreover, we spot ultrasonic beacons from Lisnr in music and Shopkick beacons in 4 of 35 stores in two European cities. While we do not find indication of ultrasonic tracking in TV media, the receiver side looks more alarming in this case. At the time of writing, we are aware of 223 Silverpush Android applications that are listening in the background for inaudible beacons in TV without the user’s knowledge. Several among them have millions of downloads or are part of reputable companies, such as McDonald’s and Krispy Kreme.”

>

“Our findings strengthen our concerns that the deployment of ultrasonic tracking increases in the wild and therefore needs serious attention regarding its privacy consequences.”

>

(Emphasis Mine.)

>

Here's a list of companies that make these beacons (non-exhaustive):

  • Silverpush
  • Listnr
  • Signal360
  • Shopkick
>

Until as recently as august 2021, Google used these audio beacons. They have removed that capability for android devices. They’re likely still used by apple, according to the “trusted” brands section on the silverpush site.

>

Sources: Google nearby API page for Android (2022), the overview page of the same site, but as it was on November 2nd, 2020.

>

Additional sources:

  • github repository where google is storing the example code for the API.
  • Example project repository, which contains a startling number of projects related to advertising.
>

While the Google source linked to previously states that they will “cease supporting ultrasonic advertising and discovery beginning August 1, 2021,” the Google play services documentation page still lists code dealing with ultrasonic communication.

>

It is very concerning to see that this code is just... out there, as it could be modified to allow someone to perform malicious attacks on user’s devices, similar to the “surfing attack” demonstrated during February of 2020.

>

And the worst part of all this: the side channel through ultrasonic codes makes de-anonymization of Tor users possible.

>

THIS IS BAD.

>

Audio beacons, like all things, are tools. They cannot be inherently good or bad; they can be used to both ends. Unfortunately, they seem to be used mostly for marketing statistics blatant spying. That doesn't mean that We cannot use them to do some good.

>

After a bit of digging, I found a few projects dedicated to investigating this technology and preventing them from working, and im sure many more could be found utilize the technology for good.

  • SilverpushUnmasked (general testing and research regarding audio beacons from the company Silverpush)
  • NoUBeacon (an audio beacon jammer. No idea if it works, I don’t think I have hardware to support it.)
>

Go ahead. Make something. Cause some chaos.

>

Weaponize your creativity.

>

It will either annoy the companies using the services that provide this tracking, or it will reveal a security issue so glaring that no one will use those services. Either way, we win.

>

In addition, I would urge you to speak out. This has actually been going on for awhile, and has the potential to set a precedent, if it hasn’t already. Do you want companies thinking that they can get away with this?

>

No?

>

Then don’t let them.

guest:~/blog]$ _