Tag Archives: Audio Beacon

Software Industry Greed is Driving the Assault on our Privacy & Security

The motivation to release software, without proper testing, in order to generate a quick buck is as much of a threat to our security and privacy as the activities of hackers and alphabet agencies. It is time that software companies started to pay the price for the sorry mess that their greed is helping to create.

Once upon a time these matters could be considered in isolation but with the “Internet of Things” connecting millions more devices every day we are headed for a world that will have 28 billion IoT devices by 2020.

Consumer concern will not halt the rollout. A staggeringly high number of consumers hold serious concerns about the possibility of their information getting stolen from everyday devices – their smart home, their tablet, their laptop. One would think therefore that this concern would pressure software manufacturers to be more rigorous in their pre-GA testing activities. Not so.

Why? Because so much of this IoT stuff is embedded and consumer awareness is mainly limited to the high profile exposures. Consumers are not hesitating to purchase connected devices because consumers do not know that the devices are connected.

Samsung’s SmartThings smart home platform is a leaky colander of loosely connected hack prone software. IoT security hardening is not just about the particular application but also about building security into the network connections that link applications and that link devices.

And then there is the “Data”. The amount of this stuff that is generated by IoT is intractably large. As few as 10,000 households can generate 215 million discrete data points every day. This creates more entry points for hackers and leaves sensitive information vulnerable.

The number and variety of privacy attack vectors becomes unmanageable very quickly. From the CIA hacking your Samsung TV, uBeacons doing their bit (uXDT & Audio Beacons – Introduce your Paranoia to your Imagination), hackers controlling your car, it’s a worryingly real threat to the personal security and privacy of every one of us.

If the CIA’s Directorate of Digital Innovation (DDI), who are tasked with delivering cyber-espionage tools and intelligence gathering capabilities, cannot even secure their own USB drives then what chance do the rest of us have.

Unfortunately the answer is that we have no chance.


uXDT & Audio Beacons – Introduce your Paranoia to your Imagination

Ultrasonic‍ cross-device tracking‍ (uXDT‍) apparently represents an apocalyptic threat to privacy‍ . The techis being embedded in many apps but despite its significant intrusive abilities it is not complying – in most cases it would seem – with explicit consumer optin‍ / optout‍ choices.

At best it is an underhand advertising trick, at worst it stands to become one of the alphabet agencies handiest IoT mass surveillance piggybacking collection methods for device ownership cross referencing and tracking.

What the debate regarding uXDT and audio beacons does indicate though is that as IOTdevices expand exponentially they are accompanied by many little known and little understood elements that potentially expose consumers to threats ranging from low level adware‍ to full scale identitytheft and in the processinadvertently or intentionally expand the toolset available for mass surveillance‍ .

The concept of cross device tracking has been pitched as every marketers wet dream. In basic terms using audio beacons it can cross reference your habits across multiple devices to tell advertisers – amongst other things – what and where you are watching TV and more importantly use that to refine advertising.

“Audio Beacons” – As Used by SilverPush

The issue with creepy emerging‍ tech is well demonstrated by Silverpush which researchers from University College london last month again alleged could expose millions of devices to malicioushacking‍ . Signal360 and Audible Magic who have attracted investment from several VC leading lights and interest from a host of major companies are also engaged in rolling out uXDT services.

Even after silverpush withdrew the previous version of their software after an FTC warning to developers in March 2016 their current website still has very vague descriptions of their service offerings which fall squarely in the “creepy” category of marketing speak.

One of their TV products for marketeers is the unfortunately and unbelievably named PRISM‍ – whose NSA‍ surveillance program namesake was the subject of the snowden‍ revelations.

Chaps – I would have the marketing guys take another look at that choice of branding if I were you.

Using Inaudible Sounds To Link Device Ownership

In a Techcrunch article in 2014 SilverPush‘s original approach was explained by their CEO Hitesh Chawla. The company he said used “ultrasonic inaudible sounds.” If you are browsing and engage with a SilverPush advertiser then as they drop their cookie‍ they also ping one of those “inaudible” sounds.

You didn’t hear it but the app did and so did any app that used the SilverPush product suite. It passively listened for these sounds in the background. When an “audio beacon” was detected it was then able to establish that a desktop, laptop, phone, tablet or any other IoT device in range with the app installed belonged to the same person.

Who Uses / Used It

Sound.ly based in korea and Shopkick are other examples of a couple of startups embedding the tech in their stack. Before the FTC warning there were twelve app developers whose apps were available fordownload in the google play store who had the tech embedded in their product suites or apps.

The FTC was explicit about what it could mean for those developers “If your application enabled thirdparties to monitortelevision-viewing habits of U.S. consumers‍ and your statements or user interfacestated or implied otherwise, this could constitute a violation of the Federal Trade Commission Act,” the FTC’s letter to developers warned.

At that point several products and apps were voluntarily withdrawn.

Researching The “Threat”

There are now several research groups who have declared that they are planning to explore the uXDTecosystem‍, dig into the inner workings of popular uXDT frameworks‍, and perform an in-depth technicalanalysis‍ of the underlying technology, exposing both implementation & design vulnerabilities, and criticalsecurity‍ & Privacy shortcomings.

I look forward to reading their findings.