FYI: Your browser can pick up ultrasonic signals you can't hear, and that sounds like a privacy nightmare to some

High-frequency audio could be used to stealthily track netizens

Technical folks looking to improve web privacy haven't been able to decide whether sound beyond the range of human hearing poses enough of a privacy risk to merit restriction.

People can generally hear audio frequencies ranging from 20 Hz and 20,000 Hz, though individual hearing ranges vary. Audio frequencies below and above the threshold of human hearing are known as infrasound and ultrasound, respectively.

A few years ago, digital ad companies began using ultrasonic signals to track people's interests across devices: if a TV advert, for example, emits a sneaky inaudible signal, a nearby smartphone could pick it up and pass it to an app, which updates the owner's ad-targeting profile with details of what they were watching and when. Now you know when someone's into cooking shows on the telly, or is a news junkie, or likes crime documentaries, and so on.

A warning from America's trade watchdog, the FTC, in 2016 and research published the following year identifying 234 Android apps listening covertly for ultrasound beacons, helped discourage inaudible tracking.

Several of the companies called out for these privacy-invading practices, such as SilverPush, have moved on to other sorts of services. But the ability to craft code that communicates silently with mobile devices through inaudible sound remains a possibility, both for native apps and web apps. Computer security researchers continue to find novel ways to use inaudible audio for data exfiltration. And ultrasound is still used for legitimate operations – Google's Cast app, for example, relies on an ultrasonic token when pairing with a nearby Chromecast.

Samuel Weiler, a web security engineer with MIT CSAIL and a member of the W3C's Privacy Interest Group (PING), recently pushed to re-open a discussion about limiting the Web Audio API so that it cannot be used to generate or listen for ultrasonic signals without permission.


Your phone wakes up. Its assistant starts reading out your text messages. To everyone around. You panic. How? Ultrasonic waves


Weiler suggested that internet users might be explicitly prompted to enable Web Audio API usage to process sound that can't be heard. His concern is that undetectable audio transmissions could be used for device fingerprinting, for identifying when two different devices are in proximity of each other, and for violating context boundaries that prevent different apps on the same device from talking secretly to one another.

He also asked about masked sounds within the audible spectrum that might be abused for covert communication, though that's a separate technical challenge.

Weiler raised the subject three weeks ago – one element in a larger debate about reducing the fingerprinting surface of the Web Audio API. And last week, the discussion thread was closed by Raymond Toy, a Google software engineer and co-chair of the W3C's Audio Working Group.

Toy argued that if a developer is allowed to use a specific audio sampling rate, no additional permission should be required – few users enjoy dealing with permission prompts, after all. And other web developers participating in the debate expressed concern that limiting available frequency ranges could introduce phase shifting or latency and that there's no sensible lower or upper threshold suitable for everyone.

In an email to The Register, Peter E. Snyder, privacy researcher at Brave software and co-chair of the PING, said he shared Weiler's concerns about the privacy implications of inaudible sound.

"[With regard] to Web Audio and super-audible sounds, we're concerned because audio beyond human perception can be used for a variety of privacy harming purposes," said Snyder. "Companies like SilverPush have commercialized such techniques, and others have documented them being used in the wild.

"Such techniques could also be used to do cross-domain tracking; sites could transmit super-audible sounds that other open pages could listen for, allowing for the kind of cross-site tracking Brave (and other privacy-focused browsers) try to protect users against."

On a related note, the Brave browser recently added a small amount of randomization to various Web Audio APIs to reduce their utility for browser fingerprinting.

Whether or not the Web Audio Working Group decides to revisit the possibility of audio frequency-based permissions, those involved will have their hands full dealing with all other other unaddressed browser privacy worries. ®

Broader topics

Other stories you might like

  • Big Tech silent on data privacy in post-Roe America
    We asked what they will do to prevent cases being built against women. So far: Nothing

    Period- and fertility-tracking apps have become weapons in Friday's post-Roe America.

    These seemingly innocuous trackers contain tons of data about sexual history, menstruation and pregnancy dates, all of which could now be used to prosecute women seeking abortions — or incite digital witch hunts in states that offer abortion bounties.

    Under a law passed last year in Texas, any citizen who successfully sues an abortion provider, a health center worker, or anyone who helps someone access an abortion after six weeks can claim at least $10,000, and other US states are following that example.

    Continue reading
  • 1Password's Insights tool to help admins monitor users' security practices
    Find the clown who chose 'password' as a password and make things right

    1Password, the Toronto-based maker of the identically named password manager, is adding a security analysis and advice tool called Insights from 1Password to its business-oriented product.

    Available to 1Password Business customers, Insights takes the form of a menu addition to the right-hand column of the application window. Clicking on the "Insights" option presents a dashboard for checking on data breaches, password health, and team usage of 1Password throughout an organization.

    "We designed Insights from 1Password to give IT and security admins broader visibility into potential security risks so businesses improve their understanding of the threats posed by employee behavior, and have clear steps to mitigate those issues," said Jeff Shiner, CEO of 1Password, in a statement.

    Continue reading
  • CISA and friends raise alarm on critical flaws in industrial equipment, infrastructure
    Nearly 60 holes found affecting 'more than 30,000' machines worldwide

    Updated Fifty-six vulnerabilities – some deemed critical – have been found in industrial operational technology (OT) systems from ten global manufacturers including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk, according to private security researchers. 

    Some of these vulnerabilities received CVSS severity scores as high as 9.8 out of 10. That is particularly bad, considering these devices are used in critical infrastructure across the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building and automation industries. 

    The most serious security flaws include remote code execution (RCE) and firmware vulnerabilities. If exploited, these holes could potentially allow miscreants to shut down electrical and water systems, disrupt the food supply, change the ratio of ingredients to result in toxic mixtures, and … OK, you get the idea.

    Continue reading
  • Info on 1.5m people stolen from US bank in cyberattack
    Time to rethink that cybersecurity strategy?

    A US bank has said at least the names and social security numbers of more than 1.5 million of its customers were stolen from its computers in December.

    In a statement to the office of Maine's Attorney General this month, Flagstar Bank said it was compromised between December and April 2021. The organization's sysadmins, however, said they hadn't fully figured out whose data had been stolen, and what had been taken, until now. On June 2, they concluded criminals "accessed and/or acquired" files containing personal information on 1,547,169 people.

    "Flagstar experienced a cyber incident that involved unauthorized access to our network," the bank said in a statement emailed to The Register.

    Continue reading

Biting the hand that feeds IT © 1998–2022