Tor users at risk of being unmasked by ultrasound tracking

A new type of attack should make Tor users – and countless dogs around the world – prick up their ears. The attack, revealed at BlackHat Europe in November and at the 33rd Chaos Computer Congress the following month, uses ultrasounds to track users, even if they are communicating over anonymous networks.

The attack uses a technique called ultrasound cross-device tracking (uXDT), which made its way into advertising circles as early as 2012. Marketing companies running uXDT campaigns will play an ultrasonic sound, inaudible to the human ear, in a TV or radio ad, or even in an ad delivered via a computer browser.

Although the user won’t hear it, other devices such as smartphones using uXDT-enabled apps will be listening. When the app hears the signal, it will ping the advertising network with details about itself. What details? Anything it asks the phone for, such as its IP address, geolocation coordinates, telephone number and IMEI (SIM card) code.

That’s creepy enough in marketing. Now, advertisers can tell what TV or radio ads you’ve been listening to, matching them with the universe of other information they have about you from your web searches, social media activity and emails.

It’s a short step from there to find out what websites you surfed on your phone afterwards and flesh out your profile. Oh? You saw that TV ad for our dating site and then you went to visit it? Good to know. Thanks ever so much for your phone number and location, by the way.

Marketers could perhaps even tell what physical locations you visited, because uXDT is also used for proximity marketing, in which beacons are played in locations such as stores, for example.

Tor blimey

It gets creepier still when you see the demo from Vasilios Mavroudis, one of a six-person team researching this topic. He worked out how to use the technique to unmask Tor users. Here’s the full video. The money shot where he pwns the anonymous user begins at 19:05.

How did he do it? An adversary creates a campaign with a uXDT service provider and obtains an ultrasonic signal file, known as a beacon. They then create a site on the Tor network that secretly plays the beacon. When the victim visits the site anonymously using the Tor browser, a uXDT-enabled app running on their nearby smartphone picks up the signal and phones home to the uXDT service provider, which then relays all its details to the adversary. Suddenly, the Tor user isn’t anonymous any more.

This is a significant threat to online anonymity. The attack could unmask more than just Tor users. Any other anonymous network user could be targeted by luring them to a site with a beacon on it – or by using a cross-site scripting attack to play JavaScript on someone else’s site.
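A defender-side check for the kind of beacon described above, as an added example that is not from the original article or the researchers: it scans an audio buffer for a tone in the near-ultrasonic band using the Goertzel algorithm. The 18–20 kHz band, the 44.1 kHz sample rate, the threshold and the test signals are assumptions, since the article gives no signal parameters.

```python
import math

SAMPLE_RATE = 44100      # assumed capture rate in Hz
BAND = (18000, 20000)    # assumed near-ultrasonic beacon band in Hz
MIN_POWER = 1e-5         # assumed threshold (a tone of amplitude ~0.006)

def goertzel_power(samples, k):
    """Normalised power of DFT bin k, computed with the Goertzel recurrence."""
    n = len(samples)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return (s1 * s1 + s2 * s2 - coeff * s1 * s2) / (n * n)

def scan_band(samples, rate=SAMPLE_RATE, band=BAND):
    """Return (frequency_hz, power) of the strongest bin inside the band."""
    n = len(samples)
    k_lo = math.ceil(band[0] * n / rate)
    k_hi = math.floor(band[1] * n / rate)
    power, k = max((goertzel_power(samples, k), k) for k in range(k_lo, k_hi + 1))
    return k * rate / n, power

def has_beacon(samples, rate=SAMPLE_RATE, min_power=MIN_POWER):
    """True if a tone stronger than min_power sits in the inaudible band."""
    _, power = scan_band(samples, rate)
    return power >= min_power

def synth(tones, n=2205, rate=SAMPLE_RATE):
    """Constructed test input: a sum of (frequency_hz, amplitude) sine tones."""
    return [sum(a * math.sin(2 * math.pi * f * i / rate) for f, a in tones)
            for i in range(n)]

if __name__ == "__main__":
    audible = [(440, 0.5), (1000, 0.5)]            # ordinary page audio
    clean = synth(audible)
    tagged = synth(audible + [(18500, 0.05)])      # same audio plus a faint high tone
    print("clean :", has_beacon(clean), scan_band(clean))
    print("tagged:", has_beacon(tagged), scan_band(tagged))
```

A fixed power threshold will also fire on legitimate high-frequency content, so a hit is a prompt to inspect the audio source rather than proof of tracking.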

Attack scenarios

The beacon could be injected into more than just a website, so how might law enforcement use it? Playing it in online videos would enable authorities to find out who was listening to them, where, and when. BleepingComputer points out that authorities could use this to track people watching child sex abuse content rather than simply infecting them with malware via compromised sites, as they have done in the past.

Companies might also have a need for this technology outside marketing. Presumably, tailored files on peer-to-peer networks could also track folks illegally downloading copyrighted movies.

State actors could also use the tech to track dissidents in oppressed countries. Simply delivering a voicemail played on a speakerphone might be enough to give away a person’s location and identity. Presumably, playing such signals over loudspeakers would make it relatively easy to identify large numbers of people at public gatherings, too.

Bad apps

Of course, all this relies on you having the listening software on your phone in the first place, but that might not be as difficult as you’d think. It is typically provided as a development framework, meaning that the code finds its way into third-party applications.

The only clue that you’re running the software might be when the app containing it asks for access to your microphone. But then, lots of apps such as voice messaging or music discovery apps legitimately use microphones. And let’s face it, many users simply don’t pay attention to what they’re giving up when all they want to do is install the latest dodgy ripoff of Crossy Road or Flappy Bird.

This is not the first time that people have proposed evil audio tinkering with smartphones. French hackers demonstrated how to control Siri using nearby radio waves two years ago, but a favourite is still the use of human-audible video to manipulate voice-activated assistants on phones and tablets, which could be used to open websites or call numbers. We’re still waiting for infected YouTube videos to appear, or for someone to get enough live broadcast airtime to wreak havoc.

It all goes to show that however secure you think you are, there’s always another step. Zuck had it right when he taped over his computer’s webcam, but perhaps he just didn’t go far enough.