FYI: Your browser can pick up ultrasonic signals you can't hear, and that sounds like a privacy nightmare to some

High-frequency audio could be used to stealthily track netizens


Technical folks looking to improve web privacy haven't been able to decide whether sound beyond the range of human hearing poses enough of a privacy risk to merit restriction.

People can generally hear audio frequencies ranging from 20 Hz and 20,000 Hz, though individual hearing ranges vary. Audio frequencies below and above the threshold of human hearing are known as infrasound and ultrasound, respectively.

A few years ago, digital ad companies began using ultrasonic signals to track people's interests across devices: if a TV advert, for example, emits a sneaky inaudible signal, a nearby smartphone could pick it up and pass it to an app, which updates the owner's ad-targeting profile with details of what they were watching and when. Now you know when someone's into cooking shows on the telly, or is a news junkie, or likes crime documentaries, and so on.

A warning from America's trade watchdog, the FTC, in 2016 and research published the following year identifying 234 Android apps listening covertly for ultrasound beacons, helped discourage inaudible tracking.

Several of the companies called out for these privacy-invading practices, such as SilverPush, have moved on to other sorts of services. But the ability to craft code that communicates silently with mobile devices through inaudible sound remains a possibility, both for native apps and web apps. Computer security researchers continue to find novel ways to use inaudible audio for data exfiltration. And ultrasound is still used for legitimate operations – Google's Cast app, for example, relies on an ultrasonic token when pairing with a nearby Chromecast.

Samuel Weiler, a web security engineer with MIT CSAIL and a member of the W3C's Privacy Interest Group (PING), recently pushed to re-open a discussion about limiting the Web Audio API so that it cannot be used to generate or listen for ultrasonic signals without permission.

siri

Your phone wakes up. Its assistant starts reading out your text messages. To everyone around. You panic. How? Ultrasonic waves

READ MORE

Weiler suggested that internet users might be explicitly prompted to enable Web Audio API usage to process sound that can't be heard. His concern is that undetectable audio transmissions could be used for device fingerprinting, for identifying when two different devices are in proximity of each other, and for violating context boundaries that prevent different apps on the same device from talking secretly to one another.

He also asked about masked sounds within the audible spectrum that might be abused for covert communication, though that's a separate technical challenge.

Weiler raised the subject three weeks ago – one element in a larger debate about reducing the fingerprinting surface of the Web Audio API. And last week, the discussion thread was closed by Raymond Toy, a Google software engineer and co-chair of the W3C's Audio Working Group.

Toy argued that if a developer is allowed to use a specific audio sampling rate, no additional permission should be required – few users enjoy dealing with permission prompts, after all. And other web developers participating in the debate expressed concern that limiting available frequency ranges could introduce phase shifting or latency and that there's no sensible lower or upper threshold suitable for everyone.

In an email to The Register, Peter E. Snyder, privacy researcher at Brave software and co-chair of the PING, said he shared Weiler's concerns about the privacy implications of inaudible sound.

"[With regard] to Web Audio and super-audible sounds, we're concerned because audio beyond human perception can be used for a variety of privacy harming purposes," said Snyder. "Companies like SilverPush have commercialized such techniques, and others have documented them being used in the wild.

"Such techniques could also be used to do cross-domain tracking; sites could transmit super-audible sounds that other open pages could listen for, allowing for the kind of cross-site tracking Brave (and other privacy-focused browsers) try to protect users against."

On a related note, the Brave browser recently added a small amount of randomization to various Web Audio APIs to reduce their utility for browser fingerprinting.

Whether or not the Web Audio Working Group decides to revisit the possibility of audio frequency-based permissions, those involved will have their hands full dealing with all other other unaddressed browser privacy worries. ®

Similar topics


Other stories you might like

  • Prisons transcribe private phone calls with inmates using speech-to-text AI

    Plus: A drug designed by machine learning algorithms to treat liver disease reaches human clinical trials and more

    In brief Prisons around the US are installing AI speech-to-text models to automatically transcribe conversations with inmates during their phone calls.

    A series of contracts and emails from eight different states revealed how Verus, an AI application developed by LEO Technologies and based on a speech-to-text system offered by Amazon, was used to eavesdrop on prisoners’ phone calls.

    In a sales pitch, LEO’s CEO James Sexton told officials working for a jail in Cook County, Illinois, that one of its customers in Calhoun County, Alabama, uses the software to protect prisons from getting sued, according to an investigation by the Thomson Reuters Foundation.

    Continue reading
  • Battlefield 2042: Please don't be the death knell of the franchise, please don't be the death knell of the franchise

    Another terrible launch, but DICE is already working on improvements

    The RPG Greetings, traveller, and welcome back to The Register Plays Games, our monthly gaming column. Since the last edition on New World, we hit level cap and the "endgame". Around this time, item duping exploits became rife and every attempt Amazon Games made to fix it just broke something else. The post-level 60 "watermark" system for gear drops is also infuriating and tedious, but not something we were able to address in the column. So bear these things in mind if you were ever tempted. On that note, it's time to look at another newly released shit show – Battlefield 2042.

    I wanted to love Battlefield 2042, I really did. After the bum note of the first-person shooter (FPS) franchise's return to Second World War theatres with Battlefield V (2018), I stupidly assumed the next entry from EA-owned Swedish developer DICE would be a return to form. I was wrong.

    The multiplayer military FPS market is dominated by two forces: Activision's Call of Duty (COD) series and EA's Battlefield. Fans of each franchise are loyal to the point of zealotry with little crossover between player bases. Here's where I stand: COD jumped the shark with Modern Warfare 2 in 2009. It's flip-flopped from WW2 to present-day combat and back again, tried sci-fi, and even the Battle Royale trend with the free-to-play Call of Duty: Warzone (2020), which has been thoroughly ruined by hackers and developer inaction.

    Continue reading
  • American diplomats' iPhones reportedly compromised by NSO Group intrusion software

    Reuters claims nine State Department employees outside the US had their devices hacked

    The Apple iPhones of at least nine US State Department officials were compromised by an unidentified entity using NSO Group's Pegasus spyware, according to a report published Friday by Reuters.

    NSO Group in an email to The Register said it has blocked an unnamed customers' access to its system upon receiving an inquiry about the incident but has yet to confirm whether its software was involved.

    "Once the inquiry was received, and before any investigation under our compliance policy, we have decided to immediately terminate relevant customers’ access to the system, due to the severity of the allegations," an NSO spokesperson told The Register in an email. "To this point, we haven’t received any information nor the phone numbers, nor any indication that NSO’s tools were used in this case."

    Continue reading

Biting the hand that feeds IT © 1998–2021