Talking Behind Your Back

This talk will present the outcomes of the first comprehensive security study on the ultrasound tracking ecosystem. This ecosystem remained almost unknown to the general public until recently, when a newly-founded company faced the nemesis of the security community and the regulators (e.g., the Federal Trade Commission) for its controversial tracking techniques. However, there are many more “traditional players” using ultrasound tracking techniques for various purposes, raising a number of levels of security and privacy issues with different security and privacy models. In general, the main advantage of the ultrasound technology compared to already existing solutions is that it does not require any specialized equipment (unlike wifi and bluetooth), while it remains inaudible to humans. For this reason, the technology is already utilized in a number of different real-world applications, such as device pairing, proximity detection, and cross-device tracking. From a technical perspective, ultrasound tracking is based an ecosystem featuring multiple participating entities (e.g., the users, the advertisers, the content providers, the tracking provider). In this talk, we will present the first comprehensive and in-depth security analysis of ultrasound tracking technology and the surrounding ecosystem. More specifically, we will provide visibility within the ecosystem’s walled garden, examine the different facets of the ultrasound technology, explain how it is currently used in the real world, and subsequently evaluate the privacy and security of the technology itself and the existing deployments. Based on our findings, we will then introduce a new class of attacks against ultrasound tracking mechanisms, along with analysis of real-world Android apps featuring ultrasound frameworks. In particular, we will show how an ultrasound cross-device tracking framework can be abused to perform stealthy de-anonymization attacks (e.g., to unmask users who browse the Internet through anonymity networks such as Tor), to inject fake or spoofed audio beacons, and to leak users’ private information. In the mitigation part of our talk, we will outline immediately deployable defenses that empower practitioners, researchers, and everyday users to protect their privacy. In particular, we will release a browser extension and an Android permission module that enable users to selectively suppress frequencies falling within the ultrasonic spectrum. In the last part of our talk, we would like to engage in discussion with the audience regarding the standardization of ultrasound beacons, and share our design of a flexible OS-level API that addresses both the effortless deployment of ultrasound-enabled applications and the existing privacy and security problems.