A group of German researchers from Brunswick Technical University have discovered that at least 234 Android apps are employing ultrasonic tracking beacons to track users and their surroundings. In November of last year, British researchers from the University College London presented their findings on the privacy and security issues that plague ultrasonic tracking by advertisers, during a talk they delivered at the Black Hat Europe conference in London. Ultrasonic cross-device tracking, also known as uXDT, uses mobile speakers and microphone to emit ultrasounds (sounds which are higher in frequency than what the human ear can hear) and to listen for ultrasounds.
Advertisers use uXDT to associate and link electronic devices and advertising profiles together. Advertisers insert ultrasonic sounds into advertisements which are then detected by devices that are running software that have uXDT tracking beacons in them. The tracking beacon listens for advertisements containing the ultrasonic code, and when the device detects an ad with the ultrasonic code it reports back to the advertiser’s server. Advertisers then are able to link the advertising profiles of nearby devices and users together. For example, with uXDT advertisers are able to determine that the user of a certain TV is also likely a user of the nearby smartphone and laptop. This enables advertisers to have a new method to both track people and their devices.
The researchers from Brunswick Technical University found that Shopkick, Lisnr, and SilverPush are the three main creators of uXDT technology. The researchers found uXDT from Shopkick in four stores in two European cities. Television channels in seven different countries were monitored for uXDT signals by the researchers, but no uXDT signals were detected. While no TV advertisements seem to be deploying uXDT signals presently,, the researchers do not believe this will be the case for long. “Even if the tracking through TV content is not actively used yet, the monitoring functionality is already deployed in mobile applications and might become a serious privacy threat in the near future,” the researchers were reported as saying by BleepingComputer.
It is believed that uXDT has been being used for about three years. In that time the use of uXDT has exploded. In April of 2015 researchers only discovered six apps that were using uXDT, by December of that year the number of apps had climbed to 39. By 2017, the researchers have found that the number has risen to 234. Earlier this year the British researchers published their findings on how uXDT can be used to unmask users of Tor. The researchers delivered talks on their research into how uXDT can unmask Tor users at both Black Hat Europe 2016, and at the 33rd Chaos Communication Congress in Germany in December of 2016.
Android users can also lock down their microphone by using apps like DVasive Pro, and rooted phones can use apps that will notify the user every time an app requests permission to use the microphone. Newer versions of Android also enable users to revoke permissions for apps, and revoking an apps permission to use the microphone would also disable an apps ability to use uXDT beacons. The truly paranoid may go a step further and physically disconnect the microphone and speaker on the device, and instead use a pair of headphones with a built-in microphone when they wish to use features that require the speakers or the microphone. An extension for the Chrome Browser called SilverDog filters all ultrasonic audio from all audio played over the browser using HTML5.