Talking Behind Your Back: Attacks and Countermeasures of Ultrasonic Cross-Device Tracking

Presented at Black Hat Europe 2016, Nov. 3, 2016, 4 p.m. (60 minutes)

Cross-device tracking (XDT) technologies are currently the "Holy Grail" for marketers because they allow the content a user visits to be tracked across different devices and then used to push relevant, more targeted content. For example, if a user clicks on a particular advertisement while browsing the web at home, advertisers are very interested in collecting this information to display, later on, related advertisements on other devices belonging to the same user (e.g., phone, tablet).

Currently, the most recent innovation in this area is ultrasonic cross-device tracking (uXDT): the use of the ultrasonic spectrum as a communication channel to "pair" devices for the aforementioned tracking purposes. Technically, this pairing happens through a receiver application installed on the phone or tablet. The business model is that users receive rewards or useful services for keeping those apps active, much as happens with proximity-marketing apps (e.g., Shopkick), where users receive deals for walk-ins recorded by their indoor-localizing apps.

This talk will describe and demonstrate the practical security and privacy risks that arise with the adoption of uXDT-enabled systems. The uXDT technology has caught the attention of major companies (e.g., IDG Ventures, Google, Nestle, Dominos), many of which either invested in uXDT providers (e.g., SilverPush, Signal360, Audible Magic) or approached such companies as clients. Unfortunately, unbeknownst to the users, we found that numerous mobile applications, some with millions of downloads, include uXDT advertising frameworks that actively listen for ultrasounds, with no opt-out option for the users! Security experts and the authorities (e.g., the Federal Trade Commission) have promptly raised concerns about uXDT, but until now no comprehensive security analysis of the technology has been released.

In this talk, we will explore the uXDT ecosystem, dig into the inner workings of popular uXDT frameworks, and perform an in-depth technical analysis of the underlying technology, exposing both implementation and design vulnerabilities, and the critical security and privacy shortcomings that we discovered. In the offensive part of our talk, we will demonstrate (through practical demo sessions) how an attacker can exploit uXDT frameworks to reveal the true IP addresses of users who browse the Internet through anonymity networks (e.g., VPNs or Tor). Moreover, we will describe how an attacker can tamper with the "pairing" process or affect the results of the advertising/bidding algorithms. For example, an attacker equipped with a simple beacon-emitting device (e.g., a smartphone) can walk into a Starbucks at peak hour and launch a profile-corruption attack against all customers currently using uXDT-enabled apps.

In the defensive part of our talk, we will introduce three countermeasures that we designed, implemented, and will publicly release. These include (1) a mobile application that detects ultrasound beacons "in the air" with the goal of raising awareness, (2) a browser extension that acts as a personal firewall by selectively filtering ultrasonic beacons, and (3) a brand-new OS permission control in Android that allows applications to declaratively request access to the ultrasound spectrum. We will go into the technical details and provide remediation advice useful both for users and for developers.
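The core of countermeasure (1), a beacon detector, is a spectral test: a uXDT beacon is a narrowband tone in the near-ultrasonic band (roughly 18-20 kHz) that a phone microphone captures but a person does not hear, so a detector looks for a sharp peak in that band standing far above the band's own noise floor. The following Python is an added example written for this page; it is not the talk's released app, and it does not model any specific vendor's beacon format. It assumes 44.1 kHz PCM input (phone microphones sample at 44.1 or 48 kHz, so 20 kHz is below Nyquist), a 2048-sample analysis block, and a detection threshold of about 20 dB above the band median; the band edges and threshold are assumptions, and the test audio is synthesised in the block itself rather than recorded.

```python
"""Near-ultrasonic beacon detector (added example, standard library only).

A uXDT beacon is a narrowband tone in the 18-20 kHz band: phones hear
it, people do not.  This detector computes the power of every DFT bin
in that band with the Goertzel recurrence (no FFT library needed) and
flags a block when the strongest bin towers over the band's median.
All input below is synthesised; nothing here is a captured beacon.
"""
import math
import random

SAMPLE_RATE = 44100               # Hz; assumed mic rate, keeps 20 kHz below Nyquist
BLOCK = 2048                      # samples per analysis window (~46 ms at 44.1 kHz)
BAND_LO, BAND_HI = 18000, 20000   # Hz; assumed near-ultrasonic beacon band
PEAK_TO_MEDIAN = 100.0            # assumed threshold, ~20 dB: a lone tone, not broadband noise


def hann(n):
    """Hann window: stops loud audible content leaking into the 18-20 kHz bins."""
    return [0.5 - 0.5 * math.cos(2.0 * math.pi * i / n) for i in range(n)]


def goertzel_bin_power(samples, k):
    """Power of DFT bin k of `samples` via the Goertzel recurrence, O(N)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * k / len(samples))
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def band_bins(n, lo_hz, hi_hz, sample_rate=SAMPLE_RATE):
    """Every DFT bin index whose centre frequency lies inside [lo_hz, hi_hz]."""
    return range(math.ceil(lo_hz * n / sample_rate),
                 math.floor(hi_hz * n / sample_rate) + 1)


def ultrasonic_peak_ratio(samples, sample_rate=SAMPLE_RATE):
    """Strongest bin in the beacon band divided by that band's median bin power."""
    n = len(samples)
    windowed = [x * w for x, w in zip(samples, hann(n))]
    powers = sorted(goertzel_bin_power(windowed, k)
                    for k in band_bins(n, BAND_LO, BAND_HI, sample_rate))
    median = powers[len(powers) // 2]
    return powers[-1] / max(median, 1e-12)   # silence gives 0, never a ZeroDivisionError


def beacon_present(samples, sample_rate=SAMPLE_RATE):
    """True when one block of PCM audio carries a tone-like peak in the beacon band."""
    return ultrasonic_peak_ratio(samples, sample_rate) >= PEAK_TO_MEDIAN


def synth_block(audible_hz=1000.0, beacon_hz=None, n=BLOCK, seed=1):
    """Constructed input: an audible tone plus mic noise, optionally a quiet beacon tone."""
    rng = random.Random(seed)                    # seeded so results are reproducible
    out = []
    for i in range(n):
        t = i / SAMPLE_RATE
        x = 0.5 * math.sin(2.0 * math.pi * audible_hz * t)       # stand-in for speech/music
        x += rng.uniform(-0.01, 0.01)                             # microphone noise floor
        if beacon_hz is not None:
            x += 0.05 * math.sin(2.0 * math.pi * beacon_hz * t)  # beacon, 20 dB below the audible tone
        out.append(x)
    return out


if __name__ == "__main__":
    cases = [("audible only", synth_block()),
             ("audible + 18.5 kHz beacon", synth_block(beacon_hz=18500.0)),
             ("audible + 19.7 kHz beacon", synth_block(beacon_hz=19700.0))]
    for label, block in cases:
        print(f"{label:28s} peak/median={ultrasonic_peak_ratio(block):10.1f} "
              f"beacon={beacon_present(block)}")
```

The peak-to-median ratio, rather than raw band energy, is what keeps this from firing on ordinary loud audio: a hiss or a cymbal raises every bin in the band together, while a beacon lifts one bin by orders of magnitude. Real beacons modulate the tone (the talk's frameworks are not described here, so this code decodes nothing), so a deployable detector would track peaks across consecutive blocks and report the sequence; the same per-bin analysis, applied to audio a web page plays rather than to microphone input, is the filtering decision a browser-side "personal firewall" such as countermeasure (2) has to make.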

Presenters:

  • Yanick Fratantonio - PhD student, UC Santa Barbara
    Yanick Fratantonio is a PhD student at UC Santa Barbara, where he works with Giovanni Vigna and Christopher Kruegel. His research interests lie in the security of the mobile platform, with a particular focus on static and dynamic analysis of Android applications, and span different research areas, such as malware detection, vulnerability analysis, and novel protection systems. He is also passionate about building systems and making them available to the security community. For example, he is involved in the development and maintenance of Andrubis, a publicly available service to analyze Android applications. In his free time, he enjoys playing and organizing Capture The Flag competitions with the Shellphish hacking team.
  • Vasilios Mavroudis - Doctoral Researcher, University College London / UC Santa Barbara
    Vasilios Mavroudis is a doctoral researcher in the Information Security Group at the University College London, working with George Danezis. He enjoys doing practically applicable research on the intersection of systems security, anonymity and privacy. Recent work has focused on "secure computations on untrusted hardware", and "privacy-preserving computations as a service". In the past, he has worked on various projects including building systems to study evasive web-malware, and to detect attacks against telecommunication networks. He also maintains a number of side-projects, aiming to shed light on the security of often overlooked ecosystems.
  • Shuang Hao - Postdoctoral Researcher, UC Santa Barbara
    Shuang Hao is a postdoctoral researcher at UC Santa Barbara, working with Christopher Kruegel and Giovanni Vigna. He graduated from Georgia Institute of Technology. His research focuses on computer and network security, spam filtering, botnet detection, DNS reputation analysis, and underground economy study. His work has been recognized in press coverage, including MIT Technology Review, KrebsOnSecurity, and Slashdot.
  • Giovanni Vigna - Professor, UC Santa Barbara / Lastline
    Giovanni Vigna is a Professor in the Department of Computer Science at the University of California in Santa Barbara and the CTO at Lastline, Inc. His research interests include malware analysis, vulnerability assessment, the underground economy, binary analysis, web security, and mobile phone security. He has been the Program Chair of the International Symposium on Recent Advances in Intrusion Detection (RAID 2003), of the ISOC Symposium on Network and Distributed Systems Security (NDSS 2009), and of the IEEE Symposium on Security and Privacy in 2011. He is known for organizing and running an inter-university Capture The Flag hacking contest, called iCTF, that every year involves dozens of institutions around the world. Giovanni Vigna is also the leader of the Shellphish hacking group, which has participated in more DefCon CTF competitions than any other group in history. Giovanni Vigna received his M.S. with honors and Ph.D. from Politecnico di Milano, Italy, in 1994 and 1998, respectively. He is a senior member of IEEE and ACM.
  • Federico Maggi - Senior Threat Researcher, Trend Micro
    Federico Maggi is a Senior Threat Researcher with Trend Micro's Forward-Looking Threat Research (FTR) team, an elite team of researchers fighting cyber criminals and scouting the future of the Internet to predict the evolution of cybercrime. His research interests, mainly developed during his MSc and PhD, revolve around various topics under the "cyber security" and "cyber crime" umbrella terms, such as threat analysis and intelligence, malware analysis, mobile security, fraud analysis and detection, web and social-network security, and data visualization. Before joining Trend Micro, Federico was an Assistant Professor at Dipartimento di Elettronica, Informazione e Bioingegneria (DEIB), Politecnico di Milano in Italy, with which he co-authors the talk on mobile ransomware. The ultrasonic device communication talk, instead, is the result of a fruitful collaboration with UCSB in Winter 2015. Federico has given several lectures and talks as an invited speaker at international venues and research schools. He also serves on the review and organizing committees of well-known conferences.
  • Christopher Kruegel - Professor, UC Santa Barbara / Lastline
    Christopher Kruegel is professor of computer science at UC Santa Barbara, and a co-founder and chief scientist at Lastline. He previously served on the faculty of the Technical University Vienna. He has published more than 100 peer-reviewed papers in top computer security conferences, and has been the recipient of the NSF CAREER Award, MIT Technology Review TR35 Award for young innovators and the IBM Faculty Award. Christopher was Program Committee Chair of Usenix LEET in 2011, RAID in 2007 and WORM in 2007. He also advised the European Commission on defenses to mitigate future threats against the Internet and Europe's cyber-infrastructure. He has spoken at many conferences including the RSA Conference 2015, Black Hat 2014, and the Emerging Technology Conference at MIT in 2010.
