Ultrasonic cross-device tracking – the name itself sounds disturbing and frankly this developing technology for location tracking and monitoring using mobile devices is pretty worrisome. Now uXDT, as it’s known, is becoming a reality that we should all be aware of.

The technology works by using high-frequency tones, known as Ultrasonic Beacons, that can be emitted from a wide range of sources and picked up by the microphone on your device (mobile phone, tablet etc.). This allows advertisers, for instance, to see where you are, where you’ve been, the websites you have visited and your purchasing habits.

Sound like something out of George Orwell’s 1984?

Maybe, and to make things seem even more sinister an app with the uXDT technology built into it requires no mobile data or Wi-Fi connection. It only needs microphone access to listen to beacons and so tracking works even when you have disconnected your phone from the Internet.

As you can imagine, uXDT technology has raised some serious data privacy concerns.

Location tracking and more

The beacons themselves may be delivered in various ways by both good and bad actors. Delivery mechanisms include digital adverts, web sites, in retail stores, on television or radio and other public venues.

By gathering responses from your device to any specific beacon, applications can build up a profile of your movements, location and even surfing habits.

In the paper Privacy threats through Ultrasonic Side Channels on Mobile Devices researchers from Technische Universitat Braunschweig, Brunswick, Germany found 234 Android applications in use today, with this technology built in, all specifically aimed at following your TV viewing habits by listening for beacons in TV programs.

Now you hear me, now you don’t

The beacons work in the 18 kHz – 20 kHz range, meaning human beings arn’t normally able to hear them. The researchers tested the signals on subjects ranging in age from 20 to 54 and found that none could detect the beacons, even at the highest volume levels. This frequency range can be output to almost any speaker and can be picked up easily by most mobile device microphones, so no special hardware is needed. Such speakers and microphones are almost ubiquitous nowadays, so there is a real appeal to the technology.

Who’s using uXDT right now?

Research data from April 2015 found only 6 apps using uXDT beacons at that time, while another report in December 2015 found 39 apps using the technology.

The researchers at Brunswick scanned of 1.3 million applications and unearthed 234 Android apps already using uXDT beacons. The jump from 39 to 234 is significant, to say the least, especially since some of these apps have millions of downloads and belong to reputable companies such as McDonald’s and Krispy Kreme.

On the plus side, the team found only a few of the beacons in retail stores and none were found hidden in TV broadcasts.

It’s fair to say that so far this type of tracking, which has been offered in some form by companies like Silverpush and Shopkick, has hardly exploded in adoption. But it’s persisted as more third party companies develop ultrasonic tools for a range of uses, like data transmission without Wi-Fi or other connectivity.

One further point is worth mentioning. In 2014, the Snowden revelations disclosed that spying agencies were tracking foreign travelers’ movements across the city by capturing their device’ unique MAC address at the airport and then comparing it with the data collected by free Wi-Fi hotspots installed in various coffee shops, restaurants, and retail stores. The technology used in this case was not uXDT but it’s reasonable to assume that intelligence agencies (or other actors) could use this ultrasonic cross-device tracking technology to track your movements across the country. Big Brother may indeed be watching you!

Countermeasures

Currently, Android and iOS devices require apps to request permission to use the mobile device’s microphone. However, most users are likely to be unare that, by granting that permission, apps that use ultrasonic tracking could access their microphone and everything it’s picking up.

Having identified this threat, the Brunswick researchers produced a patch that adjusts Android’s permission system so that apps have to make it clear that they’re asking for permission to receive inaudible inputs. It also allows users to choose to block anything the microphone picks up on the ultrasound spectrum. The patch isn’t an official Google release, but represents the researchers’ recommendations for a step that mobile operating systems can take to offer more transparency.

If you’re concerned about apps on your Android phone listening in, you can also check your audio permissions by opening the settings and finding your apps menu. The exact location varies by phone, but you should have a permissions submenu in there. Open that and find the listing for microphone permissions. You can go down the list and toggle them on or off.

Of course the best defense might be to simply turn your mobile phone off while you’re watching TV!

About Welford Management & Consulting

Welford is a multi faceted technology consultancy providing advice, support and solutions for companies in a wide range of industries. We develop and execute strategies for our clients in three practice areas: Security & Compliance, Business Strategy & Support and Sales & Marketing  Automation. Our expertise comes from a team of individuals who focus on one area of our practice disciplines so that we can bring the necessary skills and experience to the business challenge or opportunity that you’re currently facing.

In the Security & Compliance practice we help assess your current level of risk related to the sensitive customer information that you may hold within your organization. This may be payment card information, personal health information or data on European citizens that fall under the requirements of the General Data Protection Regulation (GDPR) which becomes law on May 25th, 2018. We develop and execute strategies to address your data security requirements and support the implementation of the technologies and processes that help reduce the likelihood of you suffering a damaging and expensive data breach.