PC Probe: Alexa, what are you hearing that I can’t?
Stewart Mitchell reveals how your devices’ microphones are listening out for more than just your voice commands
From Amazon Echo and Google Home to Siri and Cortana, technology is increasingly listening to what we say. And as with any new technology, people are finding ways to exploit it for questionable purposes – for example, when Burger King tricked Google Home into playing an advert for its Whoppers.
That Google could be duped so easily is a surprise, but the threat was minimal. However, security researchers have discovered far more sinister means of using open microphones to snoop on consumers.
According to researchers from the Technische Universität Braunschweig in Germany, more than 230 apps on Google Play use listening technology that responds to near-ultrasonic signals broadcast from a variety of sources. Beacons can be placed in offline media content, such as TV or radio ads, to let apps know what a mobile user is watching, or in shops to pinpoint their location without having to seek permission to use GPS.
The technology originally drew criticism in 2015, when developer SilverPush publicised an SDK for audio beacons that were generally outside the range of human hearing. Yet, despite criticism from the authorities, the ultrasonic beacons appear to be spreading.
SilverPush has said it no longer uses the technology, but others have taken its place. Five of the apps identified by the German researchers have been downloaded between 2.25 million and 11.1 million times apiece, and although the study only investigated Android devices, the team said similar tactics could theoretically apply to iOS hardware too.
None of those apps disclosed their ability to listen for beacons and the technology is expected to be rolled out further as commercial applications develop. “Recently, several companies have started to explore new ways to track user habits and activities with ultrasonic beacons,” Erwin Quiring, lead researcher on the report Privacy Threats through Ultrasonic Side Channels on Mobile Devices, told PC Pro. “They embed these beacons in the ultrasonic frequency range between 18kHz and 20kHz of audio content and detect them with regular mobile applications using the device’s microphone. This side channel offers various possibilities for tracking.”
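As an added illustration (not code from the researchers or from any app named here), the following sketch checks a block of audio samples for energy in the 18kHz to 20kHz range Quiring describes, using the Goertzel algorithm. The 48kHz sample rate, the 0.1% threshold and the test tones are assumptions constructed for the example.

```python
import math

SAMPLE_RATE = 48_000      # Hz (assumed); must exceed 40 kHz to capture a 20 kHz tone
BAND = (18_000, 20_000)   # near-ultrasonic range quoted in the article

def goertzel_power(samples, freq, rate=SAMPLE_RATE):
    """Power of a single frequency in a block of samples (Goertzel algorithm)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def band_ratio(samples, rate=SAMPLE_RATE, band=BAND, step=100):
    """Fraction of the probed spectral power that falls inside `band`."""
    powers = {f: goertzel_power(samples, f, rate)
              for f in range(step, rate // 2, step)}
    total = sum(powers.values())
    inside = sum(p for f, p in powers.items() if band[0] <= f <= band[1])
    return inside / total if total else 0.0

def has_near_ultrasonic(samples, threshold=0.001, rate=SAMPLE_RATE):
    """True when at least `threshold` (assumed value) of the power is in the band."""
    return band_ratio(samples, rate) >= threshold

def tone(freq, amp, n=2400, rate=SAMPLE_RATE):
    """Constructed test signal: n samples of a sine wave."""
    return [amp * math.sin(2 * math.pi * freq * i / rate) for i in range(n)]

# Constructed inputs: two audible tones standing in for ordinary programme
# audio, and the same audio with a quiet 18.5 kHz tone mixed in.
audible_only = [a + b for a, b in zip(tone(300, 0.6), tone(1200, 0.3))]
with_beacon = [a + b for a, b in zip(audible_only, tone(18_500, 0.05))]

if __name__ == "__main__":
    for name, clip in (("audible_only", audible_only), ("with_beacon", with_beacon)):
        print(f"{name}: band share {band_ratio(clip):.4%}, "
              f"flagged={has_near_ultrasonic(clip)}")
```

A recording captured or resampled at 16kHz or 32kHz cannot contain this band at all, so the check only means something on audio sampled at 44.1kHz or higher.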
Privacy and permission
Google says it removes apps that don’t abide by its privacy policy, but the fear is that companies could create eavesdropping apps simply by seeking permission to use the microphone during installation. Once permission has been granted, it’s almost impossible to tell if the microphone is listening for prompts.
“They’ve been designed to be ambient, or in the background, and this makes it harder for people to know that they are often continuously recording,” said Michelle De Mooy, director of the Privacy and Data Project at the Center for Democracy and Technology. “We might understand why audio beacons exist or how they provide functionality for some products and services, but that understanding is not the same thing as consent. Data collection is opaque by design, and audio beacons can be particularly stealthy and silent.”
Following an initial backlash, De Mooy said some companies had tried to make it clearer how customer conversations may be recorded or used, and have offered enhanced privacy settings, “but there are always one or two companies that cross privacy boundaries… and perpetuate an atmosphere of mistrust.”
That’s not to say everyone employing the technology is doing so nefariously. “Legitimate audio beacon apps are increasingly used by companies that declare their presence and capabilities within the sign-up process,” said Quiring.
“The mobile application Shopkick provides rewards to users if they walk into stores that collaborate with Shopkick. In contrast to GPS, loudspeakers at the entrance emit an audio beacon that lets Shopkick precisely determine whether someone is in the shop or not.”
Ethical dilemma
The beacons first grabbed headlines when it was revealed they could be hidden in television or radio content – such as adverts – alerting companies to which users watched certain programmes. For the first time, the companies could get a picture of which shows were being watched by individual viewers – with or without their permission.
“Where traditional broadcasting via terrestrial, satellite or cable signals previously provided anonymity to a recipient, local media selection becomes observable,” the researchers said. “Someone using beacons can precisely link watching even sensitive content such as adult movies to a single individual – even at varying locations.”
The ultrasonic signals also enable app developers to work out which devices belong to the same individual. If two devices regularly register the same beacons, the app owner would know that the handsets likely belong to the same person. “Beacons could be used to link together private and business devices of a user, if they receive the same ultrasonic signal, thereby providing a potential infection vector for targeted attacks,” said Quiring.
The German researchers highlighted that beacons also enable an adversary to track user movement indoors without requiring GPS, revealing where and when an individual goes into a store or hotel, for example, while anyone with access to the data can learn when people are meeting or are in close proximity to one another.
Security services
Given the capabilities of security services, there are also concerns that inaudible sound waves could prove useful for snooping on or identifying members of the public, particularly against those using VPNs or Tor to remain anonymous.
“One of the attacks we identified affects anonymous communication systems,” said Vasilios Mavroudis, doctoral researcher in the Information Security Group at University College London. “Imagine a user uses Tor on their home computer to browse the web anonymously and has left their mobile phone nearby, and the phone features an app periodically listening for ultrasound beacons for tracking. If one of the websites has been compromised and emits ultrasound signals, that unique ultrasound beacon is picked up by the app in the phone, which reports it back to the tracking company.”
With this data, security officials could ask for a warrant demanding the tracking company provides details of the users reporting the specific beacon ID, Mavroudis says.
According to Mavroudis, who has created a Chrome extension (SilverDog) that blocks inaudible data, audio technology could also move beyond announcing “I’m here” and carry potentially dangerous data streams that would evade conventional security software. “At first, it was simply a unique identifier corresponding to the content or the location where the beacon was emitted from,” he said. “However, the ecosystem is fast evolving and full communication stacks will be soon made available.”