TALKING BEHIND YOUR BACK: ATTACKS AND COUNTERMEASURES OF ULTRASONIC CROSS-DEVICE TRACKING presented at BlackHatEU 2016

by Christopher Kruegel, Giovanni Vigna, Shuang Hao, Federico Maggi, Yanick Fratantonio and Vasilios Mavroudis

Summary: Cross-device tracking (XDT) technologies are currently the "Holy Grail" for marketers because they allow the content a user visits to be tracked across all of that user's devices, so that relevant, more targeted content can be pushed later. For example, if a user clicks on a particular advertisement while browsing the web at home, advertisers are very interested in collecting this information in order to display related advertisements later on other devices belonging to the same user (e.g., phone, tablet).
Currently, the most recent innovation in this area is ultrasonic cross-device tracking (uXDT), which uses the ultrasonic spectrum as a communication channel to "pair" devices for the aforementioned tracking purposes: an inaudible beacon is embedded in audio played by one device (a TV ad, a web page), and a receiver application installed on the phone or tablet picks it up through the microphone. The business model is that users receive rewards or useful services for keeping those apps active, much as happens with proximity-marketing apps (e.g., Shopkick), where users receive deals for walk-ins recorded by their indoor-localizing apps.
This talk will describe and demonstrate the practical security and privacy risks that arise with the adoption of uXDT-enabled systems. The uXDT technology has caught the attention of major companies (e.g., IDG Ventures, Google, Nestle, Dominos), many of which have either invested in uXDT providers (e.g., SilverPush, Signal360, Audible Magic) or approached such companies as clients. Unfortunately, we found that, unbeknownst to users, numerous mobile applications, some with millions of downloads, include uXDT advertising frameworks that actively listen for ultrasounds, with no opt-out option for the users! Security experts and the authorities (e.g., the Federal Trade Commission) have promptly raised concerns about uXDT, but until now no comprehensive security analysis of the technology has been released.
In this talk, we will explore the uXDT ecosystem, dig into the inner workings of popular uXDT frameworks, and perform an in-depth technical analysis of the underlying technology, exposing both the implementation and design vulnerabilities and the critical security and privacy shortcomings that we discovered. In the offensive part of our talk, we will demonstrate (through practical demo sessions) how an attacker can exploit uXDT frameworks to reveal the true IP addresses of users who browse the Internet through anonymity networks (e.g., VPNs or Tor): a beacon embedded in a page fetched over the anonymity network is picked up by a uXDT-enabled app on a nearby phone, which then reports it to the tracker over its own, non-anonymized connection, linking the anonymous browsing session to the phone's real IP address. Moreover, we will describe how an attacker can tamper with the "pairing" process or affect the results of the advertising/bidding algorithms. For example, an attacker equipped with a simple beacon-emitting device (e.g., a smartphone) can walk into a Starbucks at peak hour and launch a profile-corruption attack against all customers currently using uXDT-enabled apps.
In the defensive part of our talk, we will introduce three countermeasures that we designed, implemented, and will publicly release. These include (1) a mobile application that detects ultrasound beacons "in the air" with the goal of raising awareness, (2) a browser extension that acts as a personal firewall by selectively filtering ultrasonic beacons, and (3) a brand-new OS permission control in Android that allows applications to declaratively request access to the ultrasound spectrum. We will go into the technical details and provide remediation advice useful to both users and developers.
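The two user-side countermeasures above, the beacon detector and the filtering "firewall", can be sketched in a few dozen lines of signal processing. The following is an added illustration written for this page, not code from the talk or from the tools the authors released. It assumes that beacons occupy the near-ultrasonic 18-20 kHz band, a 44.1 kHz sample rate, PCM samples in [-1, 1], and an (assumed) detection threshold of 0.02 amplitude; the signal itself is constructed inline (an audible 1 kHz tone standing in for page audio, plus an 18.5 kHz "beacon" tone). A real browser extension would insert the filter as a Web Audio node ahead of the AudioContext destination; here a windowed-sinc FIR low-pass keeps the example runnable in plain Node.

```javascript
// Added example (not the talk's or the authors' code): detect near-ultrasonic
// beacon energy in a PCM block, and strip it with a steep low-pass filter.
// Assumptions: 18-20 kHz beacon band, fs = 44.1 kHz, samples in [-1, 1].

const SAMPLE_RATE = 44100;
const BEACON_BAND = [18000, 20000];   // assumed near-ultrasonic beacon band (Hz)
const BEACON_THRESHOLD = 0.02;        // assumed amplitude threshold (~ -34 dBFS)

// Goertzel algorithm: power of DFT bin k over a block of N samples.
function goertzelPower(block, k) {
  const n = block.length;
  const coeff = 2 * Math.cos((2 * Math.PI * k) / n);
  let s1 = 0, s2 = 0;
  for (let i = 0; i < n; i++) {
    const s = block[i] + coeff * s1 - s2;
    s2 = s1;
    s1 = s;
  }
  return s1 * s1 + s2 * s2 - coeff * s1 * s2;
}

// Amplitude estimate of a tone sitting on bin k (a sinusoid of amplitude A
// yields Goertzel magnitude A*N/2, so scale back by 2/N).
function binAmplitude(block, k) {
  return (2 * Math.sqrt(goertzelPower(block, k))) / block.length;
}

// Amplitude of the tone nearest to freqHz.
function toneAmplitude(block, freqHz, fs = SAMPLE_RATE) {
  return binAmplitude(block, Math.round((freqHz * block.length) / fs));
}

// Detector: scan every bin in the beacon band and report the strongest tone.
function scanBeaconBand(block, fs = SAMPLE_RATE) {
  const n = block.length;
  const kLo = Math.ceil((BEACON_BAND[0] * n) / fs);
  const kHi = Math.floor((BEACON_BAND[1] * n) / fs);
  let best = { freqHz: 0, amplitude: 0 };
  for (let k = kLo; k <= kHi; k++) {
    const amp = binAmplitude(block, k);
    if (amp > best.amplitude) best = { freqHz: (k * fs) / n, amplitude: amp };
  }
  return best;
}

function isBeaconPresent(block, fs = SAMPLE_RATE, threshold = BEACON_THRESHOLD) {
  return scanBeaconBand(block, fs).amplitude > threshold;
}

// "Firewall": windowed-sinc (Hamming) FIR low-pass. 101 taps at 44.1 kHz give a
// transition band of roughly 1.4 kHz and ~53 dB stop-band attenuation, so a
// 16 kHz cutoff leaves audible content alone and crushes the 18-20 kHz band.
function designLowpass(cutoffHz, fs = SAMPLE_RATE, taps = 101) {
  const m = (taps - 1) / 2;
  const fc = cutoffHz / fs;                      // cycles per sample
  const h = new Float64Array(taps);
  let sum = 0;
  for (let i = 0; i < taps; i++) {
    const x = i - m;
    const sinc = x === 0 ? 2 * fc : Math.sin(2 * Math.PI * fc * x) / (Math.PI * x);
    const w = 0.54 - 0.46 * Math.cos((2 * Math.PI * i) / (taps - 1));
    h[i] = sinc * w;
    sum += h[i];
  }
  for (let i = 0; i < taps; i++) h[i] /= sum;    // unity gain at DC
  return h;
}

// Direct-form FIR convolution (input before sample 0 is treated as silence).
function applyFir(samples, h) {
  const out = new Float64Array(samples.length);
  for (let i = 0; i < samples.length; i++) {
    let acc = 0;
    for (let j = 0; j < h.length && j <= i; j++) acc += h[j] * samples[i - j];
    out[i] = acc;
  }
  return out;
}

// Constructed input: a sum of sinusoids {freq, amp}.
function makeSignal(n, fs, tones) {
  const s = new Float64Array(n);
  for (let i = 0; i < n; i++) {
    for (const t of tones) s[i] += t.amp * Math.sin((2 * Math.PI * t.freq * i) / fs);
  }
  return s;
}

function demo() {
  const fs = SAMPLE_RATE, blockSize = 4096;
  const signal = makeSignal(2 * blockSize, fs, [
    { freq: 1000, amp: 0.5 },    // audible page audio stand-in
    { freq: 18500, amp: 0.2 },   // constructed beacon tone
  ]);
  const h = designLowpass(16000, fs);
  const cleaned = applyFir(signal, h);
  const raw = signal.slice(0, blockSize);
  // Skip the filter's warm-up (first taps samples) before analysing the output.
  const filtered = cleaned.slice(h.length, h.length + blockSize);
  return {
    before: scanBeaconBand(raw, fs),
    after: scanBeaconBand(filtered, fs),
    beaconBefore: isBeaconPresent(raw, fs),
    beaconAfter: isBeaconPresent(filtered, fs),
    audibleAfter: toneAmplitude(filtered, 1000, fs),  // audible content survives
  };
}

console.log(demo());
```

Mapping this to the browser: the extension would route page audio through an AudioContext and place the filter (a ConvolverNode carrying these taps, or a cascade of lowpass BiquadFilterNodes) ahead of the destination node. A single second-order biquad is not enough on its own: its 12 dB/octave roll-off cannot suppress 18-20 kHz without also cutting well into the top of the audible band, which is why a steeper filter is used here.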