Serious Hacks Possible Through Inaudible Ultrasound

An anonymous reader writes: "High-frequency audio 'beacons' are embedded into TV commercials or browser ads," reports New Scientist. "These sounds, which are inaudible to the human ear, can be picked up by any nearby device that has a microphone and can then activate certain functions on that device...Some shopping reward apps, such as Shopkick, already use it to let retailers push department or aisle-specific ads and promotions to customers' phones as they shop."

But now Fortune reports that some apps "often actively listen for ultrasound signals, even when the app itself is closed, creating a new and relatively poorly-understood pathway for hacking." In addition, security researchers "have already found ways to mine cloaked IP addresses. Speaking to New Scientist, team member Vasilios Mavroudis suggests that an app's always-on microphone access could be leveraged to monitor conversations (and, if you're not paranoid already, to decipher what you're typing). The 'beacons' that transmit ultrasound data can also be spoofed to manipulate apps' user data."

Atomic Controls.

[0100010001010011]

Program LudditeApp wants access to the microphone?

Approve / Deny.

Re:

[Joce640k]

I guess anybody who:
a) Installs an app called "Shopkick".
and,
b) Doesn't uninstall it instantly after the very first shopping-aisle-related advert beeps at them.

deserves all they get.

Re:Atomic Controls.

[AmiMoJo]

Seems like it wouldn't work on many phones anyway. The last two versions of Android have doze, which prevents apps listening all the time (the "OK Google" detection is hardware based and inaccessible to apps). Many phones have the mic input designed to cut ultrasound too, for better recording quality.

Reminds me of those Bluetooth spamming devices you can buy. They claim to be effective but actually 99% of phones don't broadcast Bluetooth pairing requests it accept unrequested connections.

XPrivacy deny sensors permission

[emil]

For the moments that your phone is on, YOU decide [github.com] if your apps can use the microphone.

This should be standard in the Android OS. Tells you something about Google that it's not.

Re:

[Dutch Gun]

Several ways to get "shopkick" or whatever onto phones:
* embed into a popular game
* pay carriers/phone sellers to preload it

Have you heard about any of these nefarious methods being used in practice, or is that just hypothetical? Because I'm reasonably sure that unless I give an app explicit permissions, a normal app can't simply install random adware to run in the background and listen to the microphone. Smartphone OSes silo apps pretty well, unlike traditional PC-based OS permission models.

Besides, it would be difficult to hide something like this, and would likely kick off a massive shitstorm once it was inevitably discover

Re:

[Dutch Gun]

Good point. Still, there are two parts to this story - first, that app makers will try to get away with anything and everything, and second, that Google (and certainly Apple) will step in when they're perceived as crossing the line, as they don't want to damage their own ecosystem's reputation.

Also, finding apps that don't ask for every permission under the sun is certainly possible if you're willing to dig a bit. Unfortunately, my guess is that most people don't pay attention to this, or really don't und

Re:

[plover]

That doesn't make sense. If you can deny it access, what's the problem?

There are legitimate features that apps and devices might be able to offer by using your contact list. A printer could make use of fax numbers or email addresses, for example. If you deny it access to your contacts, it'll still print, but it won't automatically offer to fax documents to your recipients. That's no reason to avoid the printer.

Now, if it grabbed your contacts without asking, that would be a problem.

Re:

[haruchai]

"A user installs some generic fleshlight app from the Play"

Er, I think you mean flAshlight. And I don't think I need to know where your phone has been.

Re:

[mSparks43]

Archos phones seem to come with all sorts of malware either preloaded or pushed over the air. You cant even turn off "other sources ". The settings app which obviously cant be removed keeps switching it back on. Sophos even detects it as malicious but cant do anything about it.

Real shame because in the early days of Android it looked like Archos were doing everything right.

Re:

[Dutch Gun]

Another point I haven't heard anyone mentioning. It's possible these ultrasound beacons might be very uncomfortable for animals that have exceptional hearing range and sensitivity, such as seeing-eye dogs. If so, this sort of thing might actually run afoul of ADA laws.

Re:

[Solandri]

Program NameThatSongApp wants access to the microphone.

Approve

(Unbeknownst to the user, the app also constantly listens for secret ultrasonic commands)

Functions which are invisible to the user should always have a master on/off switch, preferably physical, or some sort of non-defeatable indicator that they are in use. The two main culprits here are the camera and microphone. It's also the rationale for things like a light to indicate hard drive activity which oh so many laptop vendors seem anxiou

Re:

[AK Marc]

Doesn't let it run in the background, and that's easily controllable.

Re:

[0100010001010011]

(There's a Don't Ask Again checkbox on the same dialog)

What?

[Joce640k]

"High-frequency audio 'beacons' are embedded into TV commercials or browser ads," reports New Scientist. "These sounds, which are inaudible to the human ear, can be picked up by any nearby device that has a microphone and can then activate certain functions on that device..

Only in the dreams of the most tinfoil hatted idiots on the planet.

And slashdot editors, apparently.

Re:What?

[MindPrison]

There are lots of things that seem stupid until it is proven to work, and is being done.

Sometimes I wonder why my remote control refuse to obey my commands when the commercials on TV are running and I try to quicky zap away, coincidence? Maybe I'm just being paranoid - but sometimes these questions are worth raising so we don't just accept everything blindly.

Re:

[Joce640k]

Sometimes I wonder why my remote control refuse to obey my commands when the commercials on TV are running and I try to quicky zap away.

Have you tried wrapping it in tinfoil?

Re:What?

[Anonymous Coward]

There are lots of things that seem stupid until it is proven to work, and is being done.

But not this. Not ultrasound. Perhaps they use "signature sounds", but not in the ultrasound range:

Audio equipment is designed for human use. We hear up to about 20 kHz - ultrasound is above that. To avoid wasting bandwith, nobody sample above 20kHz. (well, sometimes they sample higher frequencies for quality reasons and to allow simpler filter technology. But the higher frequencies are then removed before distribution.) Similiarly, equipment does not play back beyond 20kHz either.

Any scheme using ultrasound would fail, due to most equipment failing to handle it. So no truly silent manipulation. They may, however, take advantage of how most people don't notice much above 16kHz or so - especially not if normal noise/music is playing at the same time.

Re:

[jrumney]

Forget about the analog audio path. Ultrasonic will get through that, albeit at attenuated levels, as analog audio reproduction equipment doesn't have sharp cutoffs at the edge of the limits of human hearing, it just doesn't have any guaranteed performance outside that range, and most likely falls off gradually. More convincing would be an analysis of how the perceptual coding of AC-3 treats audio between 16kHz and 24kHz when the maximum sample rate of 48kHz is in use, since that is the lossy codec used for

Also some other issues

[Sycraft-fu]

One is your pocket acts as a low-pass filter. The higher frequency the sound, the smaller the wavelength, the smaller the wavelength, the less material you need to interfere with the sound wave. Try recording something with the phone sitting in your pocket sometime. Among other issues, you'll notice things are more "muffled" that the high frequency definition to them is not as good. That's because the high frequency sounds get messed with more than the low frequency ones by living in a pocket.

Also there's t

Re:

[Gussington]

But not this. Not ultrasound. Perhaps they use "signature sounds", but not in the ultrasound range:

Audio equipment is designed for human use. We hear up to about 20 kHz - ultrasound is above that.

I have a frequency generator app I use to annoy teenagers. I can only hear up to about 11kHz, and my kids say about 16kHz is their limit. There's a lot of room between 16Khz and 20Khz to add some signal if you wanted to.

Re:

[yaznaz]

Google Chromecast already uses ultrasonic sounds via TV speakers to pair with your smartphone in absence of wifi. Also audio filters (analog) do not implement sharp cutoff at exactly 20KHz. Nearly every production quality content is sampled higher then 20KHz. Even speakers rated at upto 20KHz are capable of producing higher frequencies, although the volume tapers off. This does not have to be absolutely reliable. Even if the hacks work for some of the devices then it is better then no hack.

Re:

[RenderSeven]

http://gizmodo.com/chromecast-... [gizmodo.com]

I thought this was pretty unlikely too until I Googled it

Re:

[Thelasko]

We hear up to about 20 kHz - ultrasound is above that. To avoid wasting bandwith, nobody sample above 20kHz.

CD audio quality is defined as a sampling rate of 44.1kHz. [wikipedia.org] That Nyquist frequency [wikipedia.org] solves for a reproduceable sound of 22.05kHz. That would provide a very narrow band at which humans wouldn't be able to hear. Furthermore, most audio compression algorithms [wikipedia.org] currently in use filter out sounds that aren't audible to humans even further.

I'm calling this story bogus.

Re:What?

[AK Marc]

What happens when these "ultrasound" sounds try to pass through high end speakers with bandfilters? My ribbon tweeters can destroy themselves with ultrasound, so they have low-pass bandfilters (and high-pass bandfilters, where the mids take over). So what speaker is passing these sounds, and why are they getting past my bandfilters? How about the crappy sound system in my car? The speakers are rated to 15 kHz, so how are they passing 20+ kHz sounds?

The reason this sounds absurd is because it is.

Re:

[AK Marc]

Too bad so many people think they know something but aren't actually audio engineers....

Yes,we know, yet the ignorant ACs keep posting irrelevant (and wrong) corrections.

Re:

[lars_stefan_axelsson]

No, he's right. People in general won't hear above about 12k, 16k or so if they're young (kids). Above that, but well within the hi-fi spec, there's a lot of room.

This is illustrated by the standard hearing test (audiogram) that cuts of at 8k. Even the high frequency one only goes to 16k.

So unless you're interested in a nit-picky semantic of what "ultra sound" really means (which I'm not BTW), the truth of the matter is that even though you've been told 20-20k, that's not really the truth at all. That's a v

Re:

[Plus1Entropy]

Sometimes I wonder why my remote control refuse to obey my commands when the commercials on TV are running and I try to quicky zap away, coincidence? Maybe I'm just being paranoid - but sometimes these questions are worth raising so we don't just accept everything blindly.

So don't accept it blindly. But also don't start spouting random anecdotal conjecture. You could easily test whether this is true by performing some simple experiments and recording the data. Otherwise, yes, you are just being paranoid.

Re:

[Anonymous Coward]

Where are you located? In some countries the cable company ToS can force you to watch the commercials if you were watching the channel when they started (or sometimes even a few minutes before). If you use the official box provided by them it can and does enforce that restriction.

Re:

[Joce640k]

Yeah, your phone's microphone and TV's speakers are totally designed for ultrasound broadcast/reception.

Re: What?

[Zero__Kelvin]

Sorry to burst your bubble buddy, but those of us who are laughing know what a band pass filter is, and what the typical microphone frequency response is on a Smartphone.

Re:

[Anonymous Coward]

Well, it isn't like it isn't anything new

https://yro.slashdot.org/story... [slashdot.org]

Lets not also forget about badbios malware that reportedly transfers similarly.

http://arstechnica.com/securit... [arstechnica.com]

And no, you do not install "let me send you some ads" app that needs permission to use your microphone, you install some other app that uses an ad package for advertisement and payments to support it's development which in turn has the app. This is why some apps want to have access to your microphone, camera, contacts, media

Re:

[pellik]

Proof of concept of ultra high frequency audio malware dates to 2013. There is even an (unconfirmed) report of it being spotted in the wild during that time. It may sound crazy, but it's actually a proven method already.

Re:

[gl4ss]

well they can do, if you install and run some stupid app like shopkick.

also if you keep bluetooth on, then such commands could be sent through bluetooth! or camera! or gyroscope! or the touchscreen!!!!!

basically.. this article is one of those where they see something use an input and then they write that said input can be used for blabla, if you first install sw to do that. like.. make an app that detects if the user is driving via gps and gyroscope information - and boom you can now write an article about

Re:

[Sir Holo]

"High-frequency audio 'beacons' are embedded into TV commercials or browser ads," reports New Scientist. "These sounds, which are inaudible to the human ear, can be picked up by any nearby device that has a microphone and can then activate certain functions on that device..

Only in the dreams of the most tinfoil hatted idiots on the planet.

And slashdot editors, apparently.

Isn't all audio put through a notch frequency-filter during compression? The MP3 and even the age-old Red Book CD applied a notch filter – cutting off frequencies below XXX Hz and above YYY kHz – and CDs were not even compressed audio. Modern TVs and smartphones can generate these "outside-audible range" frequencies, but they must be added into the audio stream, and are not retained by the popular CODECS. Ultrasonic is also strictly line-of-sight, just like TV remotes in the 1980s.

The point

HA!

[Gravis Zero]

And people wonder why I don't have a "smart"phone.

Re:

[antdude]

Ditto. What about a dummy phone or any phone? ;)

Re:

[Gussington]

And people wonder why I don't have a "smart"phone.

Because of non-permitted Ultrasound signals being sent between your TV and phone? Do you also have a hat made of tin foil?

Re:

[Gravis Zero]

no because of a lack of security.

Re:

[Gussington]

no because of a lack of security.

So don't install apps that ask for unusual privileges. The security is there, but you have to participate if you want to benefit.

Re:

[Gravis Zero]

So don't install apps that ask for unusual privileges. The security is there, but you have to participate if you want to benefit.

the perception of security is there. actual security, not so much.

Inaudible ultrasound?

[OneHundredAndTen]

Isn't ultrasound, by definition, inaudible to humans?

Re: Inaudible ultrasound?

[oobayly]

I've heard that there are plans on using inaudible ultrasound on ATM machines as it's more secure than using PIN numbers.

Re:

[JustAnotherOldGuy]

Isn't ultrasound, by definition, inaudible to humans?

Well, yes, but let's not get all "facty" and stuff.

Tape over the mic too?

[Vegan Cyclist]

Simple, just put some tape over the mic!

Re:

[Sir Holo]

Simple, just put some tape over the mic!

Hmmn. Nice idea – using a piece of tape as a physical low-pass audio filter. What kind of tape, and how thick? I do want it to hear when I am dictating.

It's funny how often "extremely sophisticated and high-tech" things can be defeated with a simple work-around.

For example, SSDI (missile defense). Any engineer worth his/her salt will tell you that it will never work. The Russians have already implemented several work-arounds. The are ones that anyone could think of.
* Dummy decoy

Re:

[Sir Holo]

Oh, I forgot to mention another clever invention. I know (or knew) the inventor. It is not a nice thing, but was a necessity of being stuck in the US–Vietnam war. (We'll skip the philosophical aspect of soldiering and killing.)

Question: How do you throw a grenade out of a helicopter flying at 500 feet, and have it go off on the ground?

Answer: Pull the pin, stick it into an empty mayonnaise jar, and drop it. The activating lever won't set off the grenade's timed fuse until the glass jar has hit t

simple solution

[enrique556]

Is it time to maybe - just as a precaution - have all the hardware manufuacturers of audio input & output chipsets filter out supersonic & subsonic frequencies before the rest of the machine even sees them?

Is there ever a case where someone would want inaudible frequencies to be processed by their device?

How difficult/expensive would it be to put such filters in place? The filters we put on our POTS devices to protect our xDSL seem to be pretty cheap..

Re:

[brantondaveperson]

have all the hardware manufuacturers of audio input & output chipsets filter out supersonic & subsonic frequencies before the rest of the machine even sees them?

As has already been mentioned, this is exactly what all existing audio recording hardware does. Anti-aliasing filters are placed in the analog path, before digitization, and they're normally set to cut off around 20Khz, since that's the upper limit of human hearing. Leaving these filters out results in unusable audio, they are an essential component of any analog-to-digital conversion of any sort. Unless you're talking about pro-level audio recording hardware, there is no way consumer cellphones can pick up

Re:

[BlueStrat]

As has already been mentioned, this is exactly what all existing audio recording hardware does. Anti-aliasing filters are placed in the analog path, before digitization, and they're normally set to cut off around 20Khz, since that's the upper limit of human hearing. Leaving these filters out results in unusable audio, they are an essential component of any analog-to-digital conversion of any sort. Unless you're talking about pro-level audio recording hardware, there is no way consumer cellphones can pick up actual "ultrasound". They can pick up signals encoded in audible audio in other ways, but that couldn't be filtered out, and it isn't ultrasound.

I saw the TFA and that was my first thought, that the author/editor or somebody either screwed up or went for click-bait.

I may well be wrong, but IMHO it's probably some form of digital encoding riding on the normal audio at relative levels that are inaudible to humans but easily detected by an app or device software designed to detect and use it and all well within the audio bandwidth specs of the devices involved.

But, that's a lot more pedestrian and boring tech-wise, and so probably doesn't generate enou

Re: simple solution

[Zero__Kelvin]

Such features are already in place. Nobody is using ultrasonic frequencies to transfer data. It isn't possible. The article is straight bullshit.

Inaudible Ultrasound

[JustAnotherOldGuy]

"Inaudible Ultrasound"....as opposed to the other kind.

Re:

[Plus1Entropy]

Sure, if you don't mind not being able to receive any calls or texts either.

Obviously

[nospam007]

That's why we have anti-ultrasound-hacker dogs deployed.

Time for hardware on/off switches

[davidwr]

It's time for cameras, microphones, and other sensors as well as the various radios to have hardware-on/off switches.

Yes, that would require you to turn the mic on by hand when you answer the phone, but the phone should be smart enough to know "if a call is coming in and the user turns the mic ON, answer the phone" (by default of course - this behavior should be user-controlled).

Heck, I'd even want one for my speaker and "flashlight/camera flash" to make it harder for a rogue app from using sound or light t

Relax - there's no commercial application for this

[Applehu Akbar]

Would any advertiser use an app that was biologically designed to repel young people in the prime shopping years?

"ultra" sound from $0.50 TV speaker? LOL

[Anonymous Coward]

As a musician (classical pianist) the mere idea that we can even get decent sound from a TV (or phone) is LOLable.

I recently did a search for near field monitors (flat response, for the studio only) and with a friend we put several high end speakers to the oscilloscope. Despite all of them claiming 20khz-20hz response, NONE of them achieved it. NONE. The ones I ended up buying (mackie) checked in ~16khz.

I think to really get 20khz that would have to be a 3-way speaker. Practically all TV speakers are full r

Use Android, root and XPrivacy

[allo]

For your phone:
1) Use an android phone. If you have an iPhone, forget it. There is no way to help you* on the iphone, except installing no apps at all.
2) Root your phone. I hope you thought about buying a rootable phone in step 1).
3) Install XPosed http://repo.xposed.info/ [xposed.info]
4) Install XPrivacy https://github.com/M66B/XPriva... [github.com]
5) Consider donating for XPrivacy to get a Pro-Key and to help them develop this awesome project.
6) Think about installing AFWall+ as well, to cut internet access for some apps. XPrivacy

Re:

[radish]

Simpler solution - buy an iPhone. iOS doesn't allow apps to access the mic in the background - period. Even Siri can't do it unless you specifically allow it _and_ the phone is plugged in for power. Hell with very few exception iOS doesn't allow _anything_ to run in the background - and I'm pretty sure I here Android fans bleating about that from time to time too.

Or sure, you could get an Android and spend all day installing hacks and patches.

Sometimes the willful ignorance exhibited by people who have some

Re:

[EvilSS]

You can run apps accessing the mic in the background (and Siri can do this now, if you allow it, without being plugged in on 6s and 7 devices) but it notifies you with the red status bar and flashing banner telling you that an app accessing to the microphone and which app it is. You see this with VOIP apps, for instance. I'm also pretty sure Apple has rules about what kind of applications can do this. I doubt they allow an app to constantly passively listen, if for no other reason that it would degrade bat

Re:

[allo]

You're just thinking of the mic, i am thinking of a solution to all data leaks. And there is no help on iOS, neither on most stock androids. But on android phones YOU can fix it. on iPhones ... good luck.

Re:

[EvilSS]

iOS is very forthcoming when an app access the microphone. If an app is accessing the microphone in the background, the status bar turns red and a flashing notification is placed under it showing the mic is in use and which app is using it. Also I'm pretty sure the Apple app store won't accept applications who's sole purpose is to run the mic in the background, it's only allowed for VOIP and a few other scenarios. Even the telephone app gets this notification (except in this case it's green, not red).

iOS a

Re:

[allo]

> Jailbreaking the device is the last thing you want to do if you are worried about security. The best way to get shady apps on an iPhone is to jailbreak and use a 3rd party app store to load crap on to the phone.
Just like a PC. You can use every app, without any signatures, restrictions, etc.
WHAT? Everyone can program a PC app? You can install programms, which are not verified by your OS manufacturer? This MUST be dangerous! Let's outlaw such devices!

But as said, iOS jailbreaks ARE quite shady, because

Re:

[EvilSS]

If you are concerned about security on a iOS device, which is what the OP is talking about, then yes, it's a dumb fucking idea to jailbreak it. That's the exact opposite of keeping the device secure. That way we don't end up with botnets running on iOS devices, like we are seeing with rooted Android devices.

It's a phone, not a PC.

Re:

[allo]

Jup, so first replace your iphone with an android phone. The time where the apple rights system was superior are gone with android 6.0 anyway and stuff like XPrivacy and AFWall are effective in controlling all your apps (even system apps, if you dare).

Re:

[EvilSS]

Jup, so first replace your iphone with an android phone. The time where the apple rights system was superior are gone with android 6.0 anyway and stuff like XPrivacy and AFWall are effective in controlling all your apps (even system apps, if you dare).

So replace my iOS device, with a less secure one, running an OS written by an anti-privacy advertising company (who totally isn't evil, they pinky swear), and install a bunch of apps to reign in sketchy apps that can't run on iOS to begin with? Or, you know, i could just keep my current device and not fuck with all that crap in the first place.

Re:

[allo]

i see some stockholm syndrome.
Keep your iphone and think you're secure. I do not see how to help you, if you don't want to accept help.

Re:

[EvilSS]

i see some stockholm syndrome. Keep your iphone and think you're secure. I do not see how to help you, if you don't want to accept help.

Yea I guess myself and just about every independent security researcher on the planet must have stockholm syndrome.

Is there an app for that?

[viperidaenz]

I mean, to add a low-pass filter to the mic input.