Get 20M+ Full-Text Papers For Less Than $1.50/day. Start a 14-Day Trial for You or Your Team.

Learn More →

On the Privacy and Security of the Ultrasound Ecosystem

On the Privacy and Security of the Ultrasound Ecosystem AbstractNowadays users often possess a variety of electronic devices for communication and entertainment. In particular, smartphones are playing an increasingly central role in users’ lives: Users carry them everywhere they go and often use them to control other devices. This trend provides incentives for the industry to tackle new challenges, such as cross-device authentication, and to develop new monetization schemes. A new technology based on ultrasounds has recently emerged to meet these demands. Ultrasound technology has a number of desirable features: it is easy to deploy, flexible, and inaudible by humans. This technology is already utilized in a number of different real-world applications, such as device pairing, proximity detection, and cross-device tracking.This paper examines the different facets of ultrasound-based technology. Initially, we discuss how it is already used in the real world, and subsequently examine this emerging technology from the privacy and security perspectives. In particular, we first observe that the lack of OS features results in violations of the principle of least privilege: an app that wants to use this technology currently needs to require full access to the device microphone. We then analyse real-world Android apps and find that tracking techniques based on ultrasounds suffer from a number of vulnerabilities and are susceptible to various attacks. For example, we show that ultrasound cross-device tracking deployments can be abused to perform stealthy deanonymization attacks (e.g., to unmask users who browse the Internet through anonymity networks such as Tor), to inject fake or spoofed audio beacons, and to leak a user’s private information.Based on our findings, we introduce several defense mechanisms. We first propose and implement immediately deployable defenses that empower practitioners, researchers, and everyday users to protect their privacy. In particular, we introduce a browser extension and an Android permission that enable the user to selectively suppress frequencies falling within the ultrasonic spectrum. We then argue for the standardization of ultrasound beacons, and we envision a flexible OS-level API that addresses both the effortless deployment of ultrasound-enabled applications, and the prevention of existing privacy and security problems. http://www.deepdyve.com/assets/images/DeepDyve-Logo-lg.png Proceedings on Privacy Enhancing Technologies de Gruyter

On the Privacy and Security of the Ultrasound Ecosystem

Download PDF
18 pages

Loading next page...
 
/lp/de-gruyter/on-the-privacy-and-security-of-the-ultrasound-ecosystem-jaOHnx9fh3
Publisher
de Gruyter
Copyright
© 2017 Vasilios Mavroudis et al., published by De Gruyter Open
ISSN
2299-0984
eISSN
2299-0984
DOI
10.1515/popets-2017-0018
Publisher site
See Article on Publisher Site

Abstract

AbstractNowadays users often possess a variety of electronic devices for communication and entertainment. In particular, smartphones are playing an increasingly central role in users’ lives: Users carry them everywhere they go and often use them to control other devices. This trend provides incentives for the industry to tackle new challenges, such as cross-device authentication, and to develop new monetization schemes. A new technology based on ultrasounds has recently emerged to meet these demands. Ultrasound technology has a number of desirable features: it is easy to deploy, flexible, and inaudible by humans. This technology is already utilized in a number of different real-world applications, such as device pairing, proximity detection, and cross-device tracking.This paper examines the different facets of ultrasound-based technology. Initially, we discuss how it is already used in the real world, and subsequently examine this emerging technology from the privacy and security perspectives. In particular, we first observe that the lack of OS features results in violations of the principle of least privilege: an app that wants to use this technology currently needs to require full access to the device microphone. We then analyse real-world Android apps and find that tracking techniques based on ultrasounds suffer from a number of vulnerabilities and are susceptible to various attacks. For example, we show that ultrasound cross-device tracking deployments can be abused to perform stealthy deanonymization attacks (e.g., to unmask users who browse the Internet through anonymity networks such as Tor), to inject fake or spoofed audio beacons, and to leak a user’s private information.Based on our findings, we introduce several defense mechanisms. We first propose and implement immediately deployable defenses that empower practitioners, researchers, and everyday users to protect their privacy. In particular, we introduce a browser extension and an Android permission that enable the user to selectively suppress frequencies falling within the ultrasonic spectrum. We then argue for the standardization of ultrasound beacons, and we envision a flexible OS-level API that addresses both the effortless deployment of ultrasound-enabled applications, and the prevention of existing privacy and security problems.

Journal

Proceedings on Privacy Enhancing Technologiesde Gruyter

Published: Apr 1, 2017

References

  • Google Cast app on the Play Store https play google com store apps details id com google android apps chromecast app
  • https www silverpush co
    Silverpush
  • minimodem general purpose software modem
    Kamal
  • Comments for November Workshop on Cross - Device Tracking
    Calabrese
  • Betrayed by your ads InPrivacy Enhancing Technologies pages
    Castelluccia
  • Your online interests a pollution attack against targeted advertising InProceedings of the Conference on Communications pages
    Meng
  • Colts to begin using lisnr technology to reach fans mobile devices at games events http www sportsbusinessdaily com Daily Issues Franchises Colts aspx
    Silverman
  • public discussion on cross device tracking https www ftc gov news events audio video video cross device tracking part November
  • Google Proximity Beacon API https developers google com beacons proximity guides
  • Bluetooth Low API Level https developer android com guide topics connectivity bluetooth le html
  • Tor The second generation onion router Technical report Document
    Dingledine
  • Colts to begin using lisnr technology to reach fans mobile devices at games events http www sportsbusinessdaily com Daily Issues Franchises Colts aspx
    Silverman
  • Silverpush quits creeping world out ceases tracking tv habits via inaudible beacons http www forbes com sites thomasbrewster silverpush tv mobile ad tracking killed
    March
  • Silverpush quits creeping world out ceases tracking tv habits via inaudible beacons http www forbes com sites thomasbrewster silverpush tv mobile ad tracking killed
    March
  • Ultrasonic Aquatic System
    Honda
  • Transcript Part Cross Device Tracking Workshop
    Ramirez
  • https www shopkick com
    Shopkick
  • anfractuosity Ultrasound
  • Google Cast app on the Play Store https play google com store apps details id com google android apps chromecast app
  • rd generation partnership project technical specification of international mobile station equipment identities imei
  • Cam Examining the characteristics and implications of sensor side channels InCommunications International Conference on pages
    Subramanian
  • Beware of ads that use inaudible sound to link your phone TV tablet PC
    Goodin
  • On Covert Acoustical Mesh Networks in Air
    Hanspach
  • public discussion on cross device tracking https www ftc gov news events audio video video cross device tracking part November
  • Signal http www signal com solution
  • Copsonic http www copsonic com products html webtostoretracker
  • http www tchirp com theTech
    Tchirp
  • Transcript Part Cross Device Tracking Workshop
    Ramirez
  • Google Chromecast guest mode guest mode faqs https support google com chromecast answer hl en
    August
  • anfractuosity Ultrasound
  • Tor The second generation onion router Technical report Document
    Dingledine
  • leakage through mobile analytics services InProceedings of the th Workshop on Mobile Applications page
    Chen
  • Betrayed by your ads InPrivacy Enhancing Technologies pages
    Castelluccia
  • Implicit look - alike modelling in display ads : Transfer collaborative filtering to ctr estimation arXiv preprint arXiv
    Zhang
  • http www tchirp com theTech
    Tchirp
  • The global system for mobile communications Protocols for High - Efficiency pages
    Andreadis
  • Signal http www signal com solution
  • Your online interests a pollution attack against targeted advertising InProceedings of the Conference on Communications pages
    Meng
  • Google Nearby Messages API https developers google com nearby messages android get beacon messages
  • Preventing Attacks on in Mobile Devices Applications Conference
    Petracca
  • Google Proximity Beacon API https developers google com beacons proximity guides
  • Ultrasonic Aquatic System
    Honda
  • http lisnr com platform
    Lisnr
  • The global system for mobile communications Protocols for High - Efficiency pages
    Andreadis
  • New tricks for defeating ssl in practice
    Marlinspike
  • Google Chromecast guest mode guest mode faqs https support google com chromecast answer hl en
    August
  • Preventing Attacks on in Mobile Devices Applications Conference
    Petracca
  • New tricks for defeating ssl in practice
    Marlinspike
  • On Covert Acoustical Mesh Networks in Air
    Hanspach
  • Detector Silverpush android apps https public addonsdetector com silverpush android apps November
  • Bluetooth Low API Level https developer android com guide topics connectivity bluetooth le html
  • How much can behavioral targeting help online advertising ? InProceedings of the th international conference on World wide web pages
    Yan
  • Philippines app on the Play Store https play google com store apps details id ph mobext mcdelivery
    McDo
  • Indianapolis Colts Mobile app on the Play Store https play google com store apps details id com yinzcam nfl colts
  • leakage through mobile analytics services InProceedings of the th Workshop on Mobile Applications page
    Chen
  • Spoiled Onions Exposing Malicious Tor Exit Relays InPrivacy Enhancing Technologies
    Winter
  • Audible magic https www audiblemagic com advertising
  • Indianapolis Colts Mobile app on the Play Store https play google com store apps details id com yinzcam nfl colts
  • Beware of ads that use inaudible sound to link your phone TV tablet PC
    Goodin
  • Cam Examining the characteristics and implications of sensor side channels InCommunications International Conference on pages
    Subramanian
  • Take this personally : Pollution attacks on personalized services InProceedings of the nd
    Xing
  • Copsonic http www copsonic com products html webtostoretracker
  • Implicit look - alike modelling in display ads : Transfer collaborative filtering to ctr estimation arXiv preprint arXiv
    Zhang
  • Detector Silverpush android apps https public addonsdetector com silverpush android apps November
  • https www silverpush co
    Silverpush
  • survey of collaborative filtering techniques in artificial intelligence
    Su
  • Transcript Part Cross Device Tracking Workshop
    Ramirez
  • Targeted cyberattacks a superset of advanced persistent threats security privacy
    Sood
  • https www shopkick com
    Shopkick
  • survey on real time bidding advertising Operations and Logistics SOLI International Conference on pages
    Yuan
  • Selling off privacy at auction
    Olejnik
  • How much can behavioral targeting help online advertising ? InProceedings of the th international conference on World wide web pages
    Yan
  • Comments for November Workshop on Cross - Device Tracking
    Calabrese
  • minimodem general purpose software modem
    Kamal
  • Targeted cyberattacks a superset of advanced persistent threats security privacy
    Sood
  • Philippines app on the Play Store https play google com store apps details id ph mobext mcdelivery
    McDo
  • Google Nearby Messages API https developers google com nearby messages android get beacon messages
  • Transcript Part Cross Device Tracking Workshop
    Ramirez
  • Take this personally : Pollution attacks on personalized services InProceedings of the nd
    Xing
  • survey on real time bidding advertising Operations and Logistics SOLI International Conference on pages
    Yuan
  • Audible magic https www audiblemagic com advertising
  • rd generation partnership project technical specification of international mobile station equipment identities imei
  • http lisnr com platform
    Lisnr
  • survey of collaborative filtering techniques in artificial intelligence
    Su
  • Spoiled Onions Exposing Malicious Tor Exit Relays InPrivacy Enhancing Technologies
    Winter
  • Selling off privacy at auction
    Olejnik