An ultrasonic beacon is an inaudible sound with encoded data that can be used by a listening device to receive information on just about anything. Beacons can be used, for example, inside a shop to highlight a particular promotion or on a museum for guided tours where the ultrasonic beacons can encode the location. Or they can be used to track
people consumers. Imagine if Google find outs… oh, wait… they already did, some years ago. As with almost any technology, it can be used to ‘do no harm’ or to serve other purposes.
Researchers from the Technische Universitat Braunschweig in Germany presented a paper about Ultrasonic Side Channels on Mobile Devices and how can they be abused in a variety of scenarios , ranging from simple consumer tracking to deanonymization. These types of ultrasonic beacons work in the 18 kHz – 20 kHz range, which the human being doesn’t have the ability to hear, unless you are under twenty years old, due to presbycusis. Yes, presbycusis. This frequency range can played via almost any speaker and can be picked up easily by most mobile device microphones, so no special hardware is needed. Speakers and mics are almost ubiquitous nowadays, so there is a real appeal to the technology.
In their research paper, presented last week at the IEEE European Symposium on Security and Privacy, they found that 234 current Android applications incorporate some type of ultrasonic listening technology and the number of apps with this tech is on the rise. They also found that physical locations like shopping malls are already adopting and emitting beacons. They covered SilverPush, Lisnr and ShopKick software implementations and also tested for beacons being emitted via TV channels, but with no success.
For some reason, there was not a single mention to Google Nearby technology nor its Nearby Messages API.
Acoustic covert channels are not new but they seem to take some time to emerge from the research papers to widespread technology, maybe because of their limitations, such as error-proneness and range. On the other hand, once it’s understood that these beacons can actually work reliably, this technology is just too juicy for advertising agencies not to use.
And other ‘agencies’ too.