The great thing about computer security is that it is so easy to be “right”: your most paranoid fears are frequently true. If you assume that every system can be attacked, that all software is vulnerable, and that a determined adversary can see everything, including where you are and who you are with, you will probably be correct, even if you don’t really know for sure.
This paranoid stance gives you a clear-eyed view of the mess that is contemporary IT, although the only logical conclusion is to avoid computers and networks entirely—which is pretty much impossible.
And then you learn that there are whole new categories of weird “attacks” that you never even thought of!
This week brings yet another incredible but true phone hack. Most mobile devices can emit and detect sounds outside the range of human hearing. In many phones, this capability has been used as sonar to detect when you hold your phone up to your ear, which disables accidental button presses by your cheek.
But this capability can also be used to include a hidden tag in content sent to the phone. When a page or an ad is displayed, it can emit a coded chirp. This chirp can be heard by another device nearby, which can return a message to the sender, confirming where, when, and by whom the page was displayed. This mechanism is used by advertisers as a way to know when an advert is viewed.
Vasilios Mavroudis and his colleagues report that this mechanism can be used to identify users’ devices even when otherwise cloaked by Tor [slides]. This sneaky attack depends on the phone having an advertising-enabled app (there are many), which will hear the chirp and report details of the device to the advertiser. The chirp can be generated by a page, or embedded in video or other content, which can be used as bait.
Yuck! Yet one more reason to loathe mobile ads!
There isn’t any simple way to prevent or block this snooping, so everyone should beware. Do not assume that your identity and location cannot be tracked, no matter what clever obfuscation you might employ.
The main good news is that this attack is executed via an online advertising campaign, which means that some adversaries will not have the time and resources to run it. On the other hand, if you are using Tor or other serious obfuscation, then you are worried about significant adversaries who can certainly set up fake advertising campaigns and infected YouTube videos.
The researchers propose some countermeasures, but these are only partial blocks until Android and other operating systems are modified.
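A defender-side check for the chirp described above, added here as an example (it is not code from the researchers or from this post): it measures how much of each audio frame's energy sits in a near-ultrasonic band, so recorded or about-to-be-played audio can be screened for inaudible content. The 18 to 20 kHz band, the 44.1 kHz sample rate, the threshold and the sample signal are assumptions chosen for illustration.

```python
import math

RATE = 44100                # Hz, assumed capture rate
BAND = (18000.0, 20000.0)   # Hz, assumed near-ultrasonic band (not stated on the page)

def bin_power(frame, k):
    """|X[k]|^2 of one DFT bin via the Goertzel recurrence."""
    coeff = 2.0 * math.cos(2.0 * math.pi * k / len(frame))
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def band_fraction(frame, rate=RATE, band=BAND):
    """Fraction of the frame's energy inside `band` (0.0 to 1.0, by Parseval)."""
    n = len(frame)
    total = sum(x * x for x in frame)
    if total == 0.0:
        return 0.0          # silent frame: nothing to measure
    k_lo = math.ceil(band[0] * n / rate)
    k_hi = math.floor(band[1] * n / rate)
    in_band = sum(bin_power(frame, k) for k in range(k_lo, k_hi + 1))
    return 2.0 * in_band / (n * total)   # x2: count the mirrored negative bins

def flag_frames(samples, frame_len=1024, threshold=0.1):
    """Indices of frames whose near-ultrasonic energy share exceeds threshold."""
    hits = []
    for i in range(len(samples) // frame_len):
        frame = samples[i * frame_len:(i + 1) * frame_len]
        if band_fraction(frame) > threshold:
            hits.append(i)
    return hits

def constructed_sample():
    """Constructed input: 440 Hz tone, plus an 18.5 kHz tone in samples 4096-8191."""
    out = []
    for t in range(10 * 1024):
        x = math.sin(2.0 * math.pi * 440.0 * t / RATE)
        if 4096 <= t < 8192:
            x += 0.6 * math.sin(2.0 * math.pi * 18500.0 * t / RATE)
        out.append(x)
    return out

if __name__ == "__main__":
    print("frames with near-ultrasonic energy:", flag_frames(constructed_sample()))
```

Ordinary speech and music put very little energy this high, so a frame where the band holds a large share of the total is worth a closer look; the threshold would need tuning against real recordings.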
- Catalin Cimpanu, Ultrasound Tracking Could Be Used to Deanonymize Tor Users, in BleepingComputer. 2017. https://www.bleepingcomputer.com/news/security/ultrasound-tracking-could-be-used-to-deanonymize-tor-users/
- Vasilios Mavroudis, Shuang Hao, Yanick Fratantonio, Federico Maggi, Giovanni Vigna, and Christopher Kruegel, Talking Behind Your Back: Attacks and Countermeasures of Ultrasonic Cross-device Tracking, in Blackhat Europe. 2016: London. https://www.blackhat.com/docs/eu-16/materials/eu-16-Mavroudis-Talking-Behind-Your-Back-Attacks-And-Countermeasures-Of-Ultrasonic-Cross-Device-Tracking.pdf