
Ultrasonic wireless technology makes it possible to track Internet users



Many people have probably been in this situation: you search online for a suitable pair of sneakers, close the browser and go off to work or for a walk with peace of mind. When you return and open the browser, you see contextual advertising for sneakers. For a week or even a month, the banners show you nothing but sports shoes and clothes. This has been written about many times, so there is no point in repeating it. Many users are accustomed to this behavior of contextual advertising.

But advertising technologies are developing, and soon a user who searches for something on one device may be chased by intrusive advertising on all of his devices. How is this possible? Thanks to ultrasound technology, which Vasilios Mavroudis of University College London recently described. In addition to advertising, the method can be used to eavesdrop on user conversations. Mavroudis and his colleagues gave a presentation on the potential dangers of ultrasound technology on the web at the Black Hat conference.

Interestingly, marketers and advertisers have long used ultrasound to identify and track users who are interested in promotional materials. Here ultrasound works as a kind of “multiplatform cookie”. Audio files are embedded in some advertisements on TV or on the web. These sounds, inaudible to the human ear, are picked up by the microphones of almost all devices. Ultrasound can be used as a trigger to run any function on the user's gadget.
An example is the SilverPush technology, developed by an Indian company, which can detect ultrasound embedded in TV ads or browser ads. An application containing the SilverPush code easily intercepts messages through the built-in microphone of a smartphone or tablet and sends the IMEI, the user's location, the OS version and the owner's data to the company's servers. How does it work? It is relatively simple. For example, a viewer is watching a television show. An advertisement with an embedded SilverPush ultrasound message appears on the TV screen. The message is received by the application on the smartphone, and the user data goes over the network to the advertiser's server. Meanwhile, the phone's display may well show ads, including links or a web page. The company has developed its own SDK, which lets developers integrate the technology into any of their applications without difficulty.

Mavroudis argues that the technology described has a much broader scope. Some apps, including Shopkick, use ultrasound to show ads and promotions to mobile device users while they are shopping. In some cases this application helps the user get a discount.

“No special method is needed here. If you are in a supermarket, there are enough regular speakers,” says Mavroudis.

Who can eavesdrop?


The ultrasonic technology used by marketers and advertisers can also be used by intruders whose goals are far from helping the user buy something they need. Developers of some applications already add ultrasonic inserts to their software to help collect user data even when the application itself is turned off. The US Federal Trade Commission (FTC) has punished 12 developers of such programs, which tracked users without any notification. The commission has punished only developers whose applications were analyzed. How many such mobile programs are actually on the market is unknown. SilverPush also received a warning.

An FTC spokeswoman said the regulator continues to monitor the situation and will severely punish anyone who uses ultrasound to spy on application users. And this is only one of the problems described by Mavroudis and his colleagues, and not the most dangerous one.

More worrying are programs that can use ultrasound to listen in on all conversations of a user who is within range of the microphones of their devices (at home, in the office or on the street). It is theoretically possible to create an ultrasound tag (as in stores) that sends a malicious message to the user's phone.



The vulnerability and the technology described above are not yet very common. But the ease of use of ultrasound technology attracts many developers, both reputable and less so. Ultrasound can be used, for example, in IoT applications, which are also becoming more common.

Google uses ultrasound to connect a mobile phone to a Chromecast. Synchronization of this type (Google has other developments in this area) is a potential information leakage channel that attackers can use. Of course, ultrasound by itself will not give cybercriminals a lot of data. “But if you know what to do, you can hack the system just by sending a few bytes. After that, you get the opportunity to manage the hacked system. You do not always need to send or receive arrays of information in order to do something bad,” says Professor Mu, a specialist from the University of Northampton (United Kingdom).

The problem is aggravated by the fact that rules for the use of ultrasound inserts in applications and advertising have not yet been developed. There are simply no rules or regulations.

Mavroudis says ultrasound technology needs the same kind of specifications as were developed for other wireless technologies, including Bluetooth. In addition, application developers should already start creating protective tools. One example is an ultrasound filter for Google Chrome that blocks any site containing ultrasonic inserts. Another way to protect users is a patch for mobile devices that shows which sites or applications contain ultrasound inserts and warns of the potential danger.
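The core decision such a filter or warning tool has to make can be sketched as follows. This is an added example, not code from the article or from the researchers: it measures how much of an audio signal's energy lies in a near-ultrasonic band using the Goertzel algorithm. The sample rate, the 18–22 kHz band, the threshold and the test tones are all assumptions chosen for illustration.

```python
import math

RATE = 48_000            # Hz; assumed sample rate of the audio being inspected
FRAME = 192              # samples per frame -> DFT bins spaced RATE/FRAME = 250 Hz
BAND = (18_000, 22_000)  # Hz; assumed near-ultrasonic band (not from the article)
THRESHOLD = 0.05         # assumed: flag when >5% of signal energy sits in BAND

def goertzel_power(frame, freq):
    """|X(freq)|^2 of one frame, computed with the Goertzel recurrence."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def ultrasonic_ratio(samples):
    """Fraction of total energy inside BAND, summed over whole frames."""
    step = RATE // FRAME
    band_energy = total_energy = 0.0
    for start in range(0, len(samples) - FRAME + 1, FRAME):
        frame = samples[start:start + FRAME]
        total_energy += sum(x * x for x in frame)
        power = sum(goertzel_power(frame, f)
                    for f in range(BAND[0], BAND[1] + 1, step))
        band_energy += 2.0 * power / FRAME  # Parseval: bin power -> signal energy
    return band_energy / total_energy if total_energy else 0.0

def has_ultrasonic_insert(samples):
    """True when the near-ultrasonic share of energy exceeds THRESHOLD."""
    return ultrasonic_ratio(samples) > THRESHOLD

def tone(freq, amplitude, n):
    """Constructed test signal: a pure sine wave of n samples."""
    return [amplitude * math.sin(2.0 * math.pi * freq * i / RATE)
            for i in range(n)]

# Constructed inputs: audible 1 kHz audio, with and without a quiet 18.5 kHz carrier.
N = FRAME * 25
clean = tone(1_000, 1.0, N)
tagged = [a + b for a, b in zip(clean, tone(18_500, 0.3, N))]

if __name__ == "__main__":
    for name, signal in (("clean", clean), ("tagged", tagged)):
        print(name, round(ultrasonic_ratio(signal), 4), has_ultrasonic_insert(signal))
```

A real tool would feed this with decoded audio from the page or app under inspection and would need tuning, since ordinary audio can also carry some high-frequency content.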

Experts believe that if ultrasound technology is not brought under control now, the problem will only get worse over time.

Source: https://habr.com/ru/post/398711/

