Spyware, whether distributed by criminals, advertisers or even states, is a constant nuisance. Yet some types make the technician in me marvel. Why? Because they’re innovative and intelligently designed. Recently, I came upon an approach that might interest web users, supermarket shoppers and whistleblowers alike. A single sound can betray them all (with a little bad luck).
If you regularly read the news from the world of technology, you’ll eventually develop a thicker skin. They found another security hole in Windows? That’s barely enough to elicit a shrug these days. Over 230 Android apps are listening for an inaudible sound to track me? Now that’s interesting. The principle behind this approach is easily explained yet hard to implement. A sound source (TV or PC speaker, speakers in a supermarket etc.) sends out a very high-frequency sound which gets picked up by the microphone in your cell phone (or laptop) and is then processed by an already installed spyware app. The app then phones home to report on your current activity, e.g. which website you’re viewing, and this data stream can include anything that might be of interest like your device ID, phone number, MAC address and more.
But why wait for a signal? Simple, it’s not about the listening device but the sender. These ultrasonic beacons help spyware authors link multiple devices together across physical boundaries, e.g. to find out what you’re viewing on your PC, not just your cell phone, and to aggregate this data to form a bigger picture. Different contents will simply trigger slightly different sounds. This may sound like science fiction but the concept has already been used by Asian fast food restaurants with apps that saw millions of downloads.
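From the defender's side, the same property that makes these beacons work (a narrow tone sitting above normal hearing range) also makes them easy to spot in a recording. The following is an added example, not code from the original post or from any app it mentions: it scans microphone samples block by block for a strong single tone in the near-ultrasonic band. The 18–20 kHz band, the 44.1 kHz sample rate, the threshold and the synthetic test audio are all assumptions chosen for illustration.

```python
import math
import random

SAMPLE_RATE = 44100                  # assumption: common capture rate for phone/laptop microphones
BAND_HZ = range(18000, 20001, 250)   # assumption: near-ultrasonic band to scan (page names no frequencies)
BLOCK = 4410                         # 0.1 s per block, so every BAND_HZ value falls on an exact DFT bin

def goertzel_power(samples, freq):
    """Power at one frequency (Goertzel), scaled so a pure tone of amplitude A yields about A**2."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return (s1 * s1 + s2 * s2 - coeff * s1 * s2) / (len(samples) / 2) ** 2

def find_beacons(samples, threshold=1e-4):
    """Return [(seconds, freq_hz)] for each block whose strongest high-band tone exceeds threshold."""
    hits = []
    for start in range(0, len(samples) - BLOCK + 1, BLOCK):
        block = samples[start:start + BLOCK]
        freq, power = max(((f, goertzel_power(block, f)) for f in BAND_HZ), key=lambda p: p[1])
        if power >= threshold:       # 1e-4 is roughly a tone at 1% of full scale
            hits.append((start / SAMPLE_RATE, freq))
    return hits

def synth(tones, rng):
    """Constructed test audio: one block of summed sine tones plus low-level uniform noise."""
    return [sum(a * math.sin(2 * math.pi * f * i / SAMPLE_RATE) for f, a in tones)
            + rng.uniform(-0.01, 0.01) for i in range(BLOCK)]

def constructed_recording():
    """0.3 s of audible 'room sound'; only the middle 0.1 s carries a quiet 18.5 kHz tone."""
    rng = random.Random(1)
    audible = [(300, 0.5), (1200, 0.3)]
    return synth(audible, rng) + synth(audible + [(18500, 0.05)], rng) + synth(audible, rng)

if __name__ == "__main__":
    for seconds, freq in find_beacons(constructed_recording()):
        print(f"near-ultrasonic tone at {freq} Hz starting {seconds:.1f} s")
```

On real recordings the microphone and codec must actually pass frequencies this high, and the threshold needs tuning against the device's own noise floor.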
For all of this to work, a big infrastructure is required. First, the spyware has to be distributed either by bundling it with a big name app or by disguising it as a small useful tool. Next, the ultrasonic beacons have to be rolled out. This process is quite straightforward as sounds can easily be embedded into page ads. Once users visit the affected pages, the sounds get played and the aforementioned process triggered. It’s tracking heaven for advertisers eager to personalize their ads! There are also other use cases.
Fast food restaurants could play a sound at regular intervals through their store speakers to figure out who their regular customers are. Department stores could play different sounds for their various departments to determine how long customers are staying in each section. Once multiple businesses start to cooperate, it’ll be possible to reconstruct the path each customer took as they moved through the city. I know marketers who would pay a lot of money to get this data!
Is your cell phone listening to your TV?
It’s also feasible that this technology could be used to locate users who are using anonymization services on the web. Picture a guy that is being persecuted and heavily relies on Tor and VPN to stay hidden. The persecutors could simply create a website they know their target will be interested in and put it on the public Internet or the Darknet. Once their target visits the page, an ultrasonic sound gets played, is then picked up by the target’s cellphone (and the installed spyware app) – and the hunt has just become a lot easier.
Currently, this technology still seems to be in its infancy, and there is an ongoing debate about whether this type of software is illegal and should be considered malware. If it were to be implemented as part of a shopping app, e.g. to enable discounts, it might be perfectly legal even if severe restrictions may apply. There have been no confirmed cases of it being used in television programs yet but it’s doable. Once again, legislators are venturing into unknown territory and will have to come up with an adequate response. Another good reason to only install apps from trusted sources and developers and to pay more attention to your pets as living spyware detectors. “Found another one, Fido?” “Woof!”
What I would like to know: do you pay close attention to what apps you’re installing on your cellphone or do you blindly trust in Apple’s, Google’s and other distributors’ abilities to reliably detect and filter out spyware?