Talking Behind Your Back: On the Privacy & Security of the Ultrasound Tracking Ecosystem

Presented at 33C3 (2016), Dec. 29, 2016, 5:15 p.m. (60 minutes)

In the last two years, the marketing industry started to show a fast increasing interest in technologies for user cross-device tracking, proximity tracking, and their derivative monetization schemes. To meet these demands, a new ultrasound-based technology has recently emerged and is already utilized in a number of different real-world applications. Ultrasound tracking comes with a number of desirable features (e.g., easy to deploy, inaudible to humans), but alarmingly until now no comprehensive security analysis of the technology has been conducted. In this talk, we will publish the results of our security analysis of the ultrasound tracking ecosystem, and demonstrate the practical security and privacy risks that arise with its adoption. Subsequently, we will introduce some immediately deployable defense mechanisms for practitioners, researchers, and everyday users. Finally, we will initiate the discussion for the standardization of ultrasound beacons, and outline our proposed OS-level API that enables both secure and effortless deployment for ultrasound-enabled applications. This talk will present the outcomes of the first comprehensive security study on the ultrasound tracking ecosystem. This ecosystem remained almost unknown to the general public until recently, when a newly-founded company faced the nemesis of the security community and the regulators (e.g., the Federal Trade Commission) for its controversial tracking techniques. However, there are many more “traditional players” using ultrasound tracking techniques for various purposes, raising a number of levels of security and privacy issues with different security and privacy models. In general, the main advantage of the ultrasound technology compared to already existing solutions is that it does not require any specialized equipment (unlike wifi and bluetooth), while it remains inaudible to humans. For this reason, the technology is already utilized in a number of different real-world applications, such as device pairing, proximity detection, and cross-device tracking. From a technical perspective, ultrasound tracking is based an ecosystem featuring multiple participating entities (e.g., the users, the advertisers, the content providers, the tracking provider). In this talk, we will present the first comprehensive and in-depth security analysis of ultrasound tracking technology and the surrounding ecosystem. More specifically, we will provide visibility within the ecosystem’s walled garden, examine the different facets of the ultrasound technology, explain how it is currently used in the real world, and subsequently evaluate the privacy and security of the technology itself and the existing deployments. Based on our findings, we will then introduce a new class of attacks against ultrasound tracking mechanisms, along with analysis of real-world Android apps featuring ultrasound frameworks. In particular, we will show how an ultrasound cross-device tracking framework can be abused to perform stealthy de-anonymization attacks (e.g., to unmask users who browse the Internet through anonymity networks such as Tor), to inject fake or spoofed audio beacons, and to leak users’ private information. In the mitigation part of our talk, we will outline immediately deployable defenses that empower practitioners, researchers, and everyday users to protect their privacy. In particular, we will release a browser extension and an Android permission module that enable users to selectively suppress frequencies falling within the ultrasonic spectrum. In the last part of our talk, we would like to engage in discussion with the audience regarding the standardization of ultrasound beacons, and share our design of a flexible OS-level API that addresses both the effortless deployment of ultrasound-enabled applications and the existing privacy and security problems.


  • Federico Maggi
    I am a Senior Threat Researcher with Trend Micro’s Forward-Looking Threat Research (FTR) team, an elite team of researchers whose mission is to fighting against cyber criminals and scouting the future of emerging technologies, striving to predict and prevent emerging security risks and threats. My research interests, mainly developed during my MSc and PhD, revolve around various topics under the “cyber security” and “cyber crime” umbrella terms, including threat analysis, malware analysis, mobile security, financial fraud analysis and detection, web- and social-network security and data analysis. Before joining Trend Micro, I was an Assistant Professor at Dipartimento di Elettronica, Informazione e Bioingegneria (DEIB), Politecnico di Milano in Italy, where I co-directed the system-security group at the NECST Laboratory. In my career, I collaborate(d) with several research groups (e.g., UCSB, FORTH, NEU, Stony Brook, KU Leven, and RHUL), and I have given several lectures and talks as an invited speaker at international venues and research schools. I also serve in the review or organizing committees of well-known conferences.
  • Vasilios Mavroudis
    Vasilios Mavroudis is a doctoral researcher in the Information Security Group at the University College London, working with George Danezis. He enjoys doing practically applicable research on the intersection of systems security, anonymity and privacy. Recent work has focused on "secure computations on untrusted hardware", and "privacy-preserving computations as a service". In the past, he has worked on various projects including building systems to study evasive web-malware, and to detect attacks against telecommunication networks. He also maintains a number of side-projects, aiming to shed light on the security of often overlooked ecosystems.


Similar Presentations: