Spy State Hide Signals In TV Ads

Ordering Smartphones To Spy on

You

219

Almost a year after app developer SilverPush vowed to kill its privacy-threatening software that used inaudible sound embedded into TV commercials to covertly track phone users, the technology is more popular than ever, with more than 200 Android apps that have been downloaded millions of times from the official Google Play market, according to a recently published research paper.

As of January, there were 234 Android apps that were created using SilverPush’s publicly available software developer kit, according to the paper, which was published by researchers from Technische Universitat Braunschweig in Germany. That represents a dramatic increase in the number of Android apps known to use the creepy audio tracking scheme. In April 2015, there were only five such apps.

The apps silently listen for ultrasonic sounds that marketers use as high-tech beacons to indicate when a phone user is viewing a TV commercial or other type of targeted audio. A representative sample of just five of the 234 apps have been downloaded from 2.25 million to 11.1 million times, according to the researchers, citing official Google Play figures. None of them discloses the tracking capabilities in their privacy policies.

“The example of SilverPush highlights how easily this technology can be used to spy on users,” Erwin Quiring, one of the researchers, wrote in an e-mail. “In this way, they can track the TV viewing habits of users precisely even with traditional broadcasting technologies. In our research paper, we identified three further privacy risks that can occur with this technology, e.g., tracking locations, behavior devices, and even the de-anonymization of Tor users.”

SilverPush founder Hitesh Chawla said the finding surprised him because his company abandoned the ad-tracking business in late 2015.

“We respect consumer privacy and would not want to build our business foundation where the privacy is questionable,” he told Ars. “Even when we were live, our SDK was not present in more than 10 to 12 apps. So there is no chance that our presence in 234 apps is possible. Every time a new handset gets activated with our SDK, we get a ping on our server. We have not received any activation for six months now.”

The researchers, however, stand by the figure and say that all 234 apps positively contain the SilverPush SDK. That means phones that have the apps installed are silently listening for ultrasonic sounds without the knowledge or consent of their owners. While the researchers were unable to find any beacons in TV audio, they compared successful detections with finding a needle in a hay stack and left open the possibility such beacons are actively being embedded into TV audio. Even if they’re not actively used, the growth in apps signals the practice could become widespread in the near future. The results were drawn from a corpus of 1.3 million Android apps submitted to the VirusTotal file scanning service, and as a result they shed no light on how prevalent audio beaconing may be in apps running on iOS devices from Apple.

A Google representative said that the privacy policies enforced on all apps available in the Play market require developers to “comprehensively disclose how an app collects, uses and shares user data, including the types of parties with whom it’s shared.” The representative didn’t respond to a follow-up question asking why none of five apps cited in the research findings disclosed the SilverPush functions. At the time this post went live, all five apps remained available in Play.

The beacons are frequencies from 18kHz to 20kHz, a range that is inaudible to most humans but can be reliably detected by most phone microphones. By embedding them into audio, marketers can track the whereabouts of shoppers as they move throughout a large department store. Promoters using other companies’ audio-beacon technologies can also use them to push ads or coupons to people who are near a certain store or service. The researchers said two services—Shopkick and Lisnr—use ultrasonic beaconing for legitimate purposes such as these, and they disclose the tracking prominently.

The tracking can also be used for purposes that are decidedly less ethical. Advertisers, for example, may use the beacons with no disclosure at all to measure how often a particular TV ad is viewed. The technology can also be covertly used to perform cross-device tracking that allows marketers to tie a single person to the multiple media devices she uses. The researchers said the beacons could similarly be used to identify people using the Tor anonymity service.

This paper was published at the 2nd annual IEEE European Symposium on Security and Privacy and was presented last week in Paris, France. In the paper, the researchers wrote:

In summary, an adversary is able to obtain a detailed, comprehensive user profile by creating an ultrasonic side channel between the mobile device and an audio sender. Our case study on three commercial ultrasonic tracking technologies reveals that the outlined tracking mechanisms are not a theoretical threat, but actively deployed (e.g. Shopkick and Lisnr) or at least in the process of being deployed (e.g. SilverPush).

The 234 detected apps contain SilverPush functionality alongside their normal content. Many were developed for large companies such as McDonald’s and Krispy Kreme. At the moment, there are a limited set of countermeasures to prevent such tracking. For people using version 6.0 or higher, they can disable an app’s access to the device microphone. This is a good practice to follow in general, although it may prevent useful features such as voice-to-text from working. It’s also a good idea to limit the number of installed apps.

Longer term, antivirus providers may be able to add features that detect the tracking during routine scans of installed apps. Another long-term solution is to lobby government regulators, Google, Apple, and other companies to strictly enforce clear and prominent disclosure of all ultrasonic-based tracking.

Post updated to add sentences in last paragraph about Android app permissions.

Security

How TV ads silently ping commands

to phones: Sneaky SilverPush code

reverse-engineered

Near-ultrasonic sound system drives pets, and users, crazy

Earlier this week the Center for Democracy and Technology (CDT) warned that an Indian firm called SilverPush has technology that allows adverts to ping inaudible commands to smartphones and tablets.

Now someone has reverse-engineered the code and published it for everyone to check.

SilverPush’s software kit can be baked into apps, and is designed to pick up near-ultrasonic sounds embedded in, say, a TV, radio or web browser advert. These signals, in the range of 18kHz to 19.95kHz, are too high pitched for most humans to hear, but can be decoded by software.

An application that uses SilverPush’s code can pick up these messages from the phone or tablet’s builtin microphone, and be directed to send information such as the handheld’s IMEI number, location, operating system version, and potentially the identity of the owner, to the application’s backend servers.

Imagine sitting in front of the telly with your smartphone nearby. An advert comes on during the show you’re watching, and it has a SilverPush ultrasonic message embedded in it. This is picked up by an app on your mobile, which pings a media network with information about you, and could even display followup ads and links on your handheld.

“This kind of technology is fundamentally surreptitious in that it doesn’t require consent; if it did require it then the number of users would drop,” Joe Hall, chief technologist at CDT told The Register on Thursday. “It lacks the ability to have consumers say that they don’t want this and not be associated by the software.”

Hall pointed out that very few of the applications that include the SilverPush SDK tell users about it, so there was no informed consent. This makes such software technically illegal in Europe and possibly in the US.

There are similar systems in use already. Ratings agency Nielsen has an audio system that does just this to measure the size of radio station audiences, but it’s something people have to agree to use and get paid to do so.

In addition, this sort of thing doesn’t just need to be used for advertising. What if a repressive regime decided to use it to track the phones of dissidents, he posited.

Of course, none of this matters if you don’t have an app listening out for the sounds of SilverPush. But initial research found almost 30 applications using the SilverPush SDK, predominantly shopping apps run by Indian or Far Eastern firms.

As the news about SilverPush spread, Kevin Finisterre of security consultancy Digital Munition decided to take a look at the code. He has since published his findings on GitHub.

He found that the software assigned letters of the alphabet to high-pitch tones, eg: an 18kHz sound translates into an ‘A’, and 19.125kHz is a ‘P’. Pairs of these characters are used to identify TV ads: ‘AP’ is used to recognize a Geico ad and display an image and link to the insurance biz, we’re told. Sound-playing online adverts appear to use a fingerprint of five characters.

The logical next step is to see if these signals can be disrupted. Finisterre played around with trying to spoof the sounds the apps are looking for and send them junk data. It would also be possible to write a program that randomly sent out ultrasonic tones to disrupt the system, although this would “probably piss your dog and a bunch of other animals off,” he told The Reg.

“I would try to block this at the audio driver level, not at the browser level. Any other app can implement the same type of tech,” he said.

“There are lots of possibilities. It really depends on which aspect of it you are trying to protect against. The audible beacon triggers themselves (audio driver-based protections, spoofing tones, etc), or the data collection process (think blocking the IPs of the servers), or the monetization of the data collection (think spoofing randomized invalid data at the backend).” ®

——————————————————————————————————————————————–