Black Hat EU: Marketeers are coming up with ways to invade our privacy in the interests of serving us ads that go far beyond the dire predictions of films such as Minority Report. Security researchers are already thinking about countermeasures.
Cross-device tracking (XDT) technologies allow marketeers to track the user's visited content across different devices to then push relevant, more targeted ads. For example, if a user clicks on an ad while browsing the web at home, advertisers are interested in displaying related advertisements on the user's phone when they visit a shopping centre.
One technology aiming to achieve this is ultrasonic cross-device tracking (uXDT), which uses the ultrasonic spectrum as a communication channel to "pair" devices for tracking and ad serving. Pairing happens through a receiver application. Users would consent to this, as in current proximity-marketing apps such as Shopkick, via discounts and other incentives.
Firms including Google, Nestlé and Domino's are either investing in uXDT or using providers such as SilverPush, Signal360 and Audible Magic.
Researchers at UC Santa Barbara and security firm Lastline have discovered that numerous mobile applications include uXDT advertising frameworks which actively listen for ultrasounds without the informed consent of users, and in some cases without an opt-out option for users.
The team further discovered that an attacker can exploit uXDT frameworks to reveal the true IP addresses of users who browse the internet through anonymity networks (for example VPNs or Tor). The pairing itself leaks the link: a page visited over Tor can be made to emit a beacon, which a nearby phone running a uXDT-enabled app picks up and reports to the ad network over its ordinary, non-anonymised connection. Attackers might also tamper with the pairing process or skew the results of the advertising/bidding algorithms by broadcasting forged beacons. For example, an attacker equipped with nothing more than a smartphone could walk into a Starbucks and launch a profile-corruption attack against every customer currently using a uXDT-enabled app.
The security researchers have developed a browser extension that acts as a personal firewall, selectively filtering ultrasonic beacons out of the audio a page plays, along with other mitigation tools. It was unveiled during a presentation at Black Hat EU on Thursday. The same team also developed an operating-system permission control for Android as part of their research.
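To make the channel and the countermeasure concrete, here is an added, self-contained Python model (not the researchers' extension, nor any vendor's framework): an 8-bit beacon ID is sent as four-tone FSK in the 18 to 19.5 kHz band underneath audible "ad" audio, a receiver recovers it with Goertzel filters, and a windowed-sinc low-pass of the kind a beacon firewall can apply before playback removes the beacon while leaving the audible content intact. The carrier frequencies, 50 ms symbol length, preamble, amplitudes and thresholds are assumptions chosen so that each frame lines up with exact DFT bins; the audio is constructed inline, and no real product uses exactly this scheme.

```python
"""Toy ultrasonic beacon: encode, hide, detect and filter (constructed example)."""
import math
import random

SAMPLE_RATE = 44100          # Hz; a common audio output rate (assumption)
SYMBOL_LEN = 2205            # samples per symbol = 50 ms (assumption)
# Near-ultrasonic carriers, 4-FSK so each symbol carries 2 bits. Every carrier
# is a multiple of the frame's 20 Hz bin spacing, so Goertzel sees no leakage.
SYMBOL_FREQS = [18000.0, 18500.0, 19000.0, 19500.0]
PREAMBLE = [3, 0, 3, 0]      # fixed symbol pattern marking the start of a beacon
BEACON_AMPLITUDE = 0.2       # tone level, kept well below the audible content
DETECT_THRESHOLD = 0.05      # estimated carrier amplitude that counts as "present"


def id_to_symbols(beacon_id: int) -> list:
    """Split an 8-bit beacon ID into four 2-bit symbols, MSB first."""
    assert 0 <= beacon_id <= 0xFF
    return [(beacon_id >> shift) & 0b11 for shift in (6, 4, 2, 0)]


def symbols_to_id(symbols: list) -> int:
    """Inverse of id_to_symbols."""
    value = 0
    for s in symbols:
        value = (value << 2) | s
    return value


def synth_beacon(beacon_id: int) -> list:
    """Samples of the ultrasonic beacon alone: preamble followed by the 4 ID symbols."""
    samples = []
    for i, sym in enumerate(PREAMBLE + id_to_symbols(beacon_id)):
        f = SYMBOL_FREQS[sym]
        for n in range(i * SYMBOL_LEN, (i + 1) * SYMBOL_LEN):
            samples.append(BEACON_AMPLITUDE * math.sin(2 * math.pi * f * n / SAMPLE_RATE))
    return samples


def mix_with_audio(beacon: list, seed: int = 1) -> list:
    """Hide the beacon inside constructed 'ad audio': a 440 Hz tone plus a little noise."""
    rng = random.Random(seed)               # seeded so the example is deterministic
    out = []
    for n, b in enumerate(beacon):
        audible = 0.5 * math.sin(2 * math.pi * 440.0 * n / SAMPLE_RATE)
        out.append(audible + b + rng.gauss(0.0, 0.01))
    return out


def goertzel_amplitude(frame: list, freq: float) -> float:
    """Estimate the amplitude of a sinusoid at `freq` within `frame` (Goertzel algorithm)."""
    n = len(frame)
    coeff = 2 * math.cos(2 * math.pi * freq / SAMPLE_RATE)
    s_prev = s_prev2 = 0.0
    for x in frame:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    power = s_prev * s_prev + s_prev2 * s_prev2 - coeff * s_prev * s_prev2  # |X(f)|^2
    return 2 * math.sqrt(max(power, 0.0)) / n          # |X| = A*n/2 for a tone of amplitude A


def detect_symbols(audio: list) -> list:
    """Per 50 ms frame, the strongest carrier's symbol, or None if no carrier is loud enough."""
    symbols = []
    for start in range(0, len(audio) - SYMBOL_LEN + 1, SYMBOL_LEN):
        frame = audio[start:start + SYMBOL_LEN]
        amps = [goertzel_amplitude(frame, f) for f in SYMBOL_FREQS]
        best = max(range(len(amps)), key=amps.__getitem__)
        symbols.append(best if amps[best] >= DETECT_THRESHOLD else None)
    return symbols


def decode_beacon(audio: list):
    """Return the beacon ID if a preamble plus 4 readable symbols is present, else None."""
    syms = detect_symbols(audio)
    for i in range(len(syms) - len(PREAMBLE) - 4 + 1):
        if syms[i:i + len(PREAMBLE)] == PREAMBLE:
            payload = syms[i + len(PREAMBLE):i + len(PREAMBLE) + 4]
            if None not in payload:
                return symbols_to_id(payload)
    return None


def lowpass(audio: list, cutoff_hz: float = 16000.0, taps: int = 101) -> list:
    """Hamming-windowed sinc FIR low-pass: the 'beacon firewall' step before playback."""
    fc = cutoff_hz / SAMPLE_RATE
    mid = (taps - 1) / 2
    kernel = []
    for i in range(taps):
        x = i - mid
        sinc = 2 * fc if x == 0 else math.sin(2 * math.pi * fc * x) / (math.pi * x)
        window = 0.54 - 0.46 * math.cos(2 * math.pi * i / (taps - 1))
        kernel.append(sinc * window)
    gain = sum(kernel)
    kernel = [k / gain for k in kernel]     # unity gain at DC, so speech/music passes
    out = []
    for n in range(len(audio)):
        acc = 0.0
        for i, k in enumerate(kernel):
            if n - i >= 0:
                acc += k * audio[n - i]
        out.append(acc)
    return out


if __name__ == "__main__":
    page_audio = mix_with_audio(synth_beacon(0xB4))
    print("receiver app decodes:", decode_beacon(page_audio))          # 180 (0xB4)
    print("after low-pass filter:", decode_beacon(lowpass(page_audio)))  # None
```

The detector only needs ~2,000 samples per decision, which is why a listening app can run it continuously at low cost; the same Goertzel check, run on the page's audio before it reaches the speaker, is also the cheapest way for a browser-side firewall to decide whether filtering is needed at all.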
On a similar theme, former NSA analyst David Venable, now vice president of Masergy, gave a presentation on the advertising industry's use of the Big Data technologies pioneered by intelligence agencies and governments.
Venable outlined techniques to prevent selected activities from being associated with someone's true persona, with a focus on making the true persona blend in with the masses. Going off the grid need not be the answer, and in any case might make someone stand out more, Venable told El Reg.
“Bad data can lead to bad decisions,” he said. “Biased algorithms reflect the biases of creators, which is why you might want to avoid them.”
Venable's idea is to take operational security principles, which normally serve to stay under the radar of government agencies and the police, and apply them to keeping motor insurance providers and credit reference agencies at arm's length. "It's about choosing what information you reveal and mindfulness," he said.
Part of this involves thinking about the apps installed on a smartphone, as well as more subtle defences such as keeping a phone in another room in case an app is recording audio. Venable does not, however, advocate keeping smartphones in the refrigerator before taking meetings, as per Edward Snowden. ®