Ultrasonic Tracking Beacons Rising

An ultrasonic beacon is an inaudible sound with encoded data that can be used by a listening device to receive information on just about anything. Beacons can be used, for example, inside a shop to highlight a particular promotion or in a museum for guided tours, where the ultrasonic beacons can encode the location. Or they can be used to track people, or rather, consumers. Imagine if Google finds out… oh, wait… they already did, some years ago. As with almost any technology, it can be used to ‘do no harm’ or to serve other purposes.

Researchers from the Technische Universität Braunschweig in Germany presented a paper about Ultrasonic Side Channels on Mobile Devices and how they can be abused in a variety of scenarios, ranging from simple consumer tracking to deanonymization. These types of ultrasonic beacons work in the 18 kHz – 20 kHz range, which humans can’t hear, unless you are under twenty years old, due to presbycusis. Yes, presbycusis. This frequency range can be played via almost any speaker and can be picked up easily by most mobile device microphones, so no special hardware is needed. Speakers and mics are almost ubiquitous nowadays, so there is a real appeal to the technology.
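A defender-side check for the 18 kHz – 20 kHz signals described above, as an added example that is not from the article or the research paper: it measures power across that band in a block of microphone samples using the Goertzel algorithm. The 44.1 kHz sample rate, the threshold and the synthesized test audio are assumptions constructed for the example.

```python
import math

SAMPLE_RATE = 44100        # assumed capture rate; its 22.05 kHz Nyquist limit covers the band
BAND_HZ = (18000, 20000)   # beacon range given in the article

def goertzel_power(samples, freq_hz, sample_rate=SAMPLE_RATE):
    """Power at one frequency (Goertzel algorithm) over a Hann-windowed block."""
    n = len(samples)
    coeff = 2.0 * math.cos(2.0 * math.pi * freq_hz / sample_rate)
    s1 = s2 = 0.0
    for i, x in enumerate(samples):
        window = 0.5 - 0.5 * math.cos(2.0 * math.pi * i / (n - 1))  # limits leakage
        s1, s2 = x * window + coeff * s1 - s2, s1
    return (s1 * s1 + s2 * s2 - coeff * s1 * s2) / (n * n)

def scan_band(samples, step_hz=50):
    """Return (frequency_hz, power) of the strongest tone found in BAND_HZ."""
    freqs = range(BAND_HZ[0], BAND_HZ[1] + 1, step_hz)
    return max(((f, goertzel_power(samples, f)) for f in freqs), key=lambda p: p[1])

def has_beacon(samples, threshold=1e-5):
    """True when in-band power exceeds the threshold (an assumed, tunable value)."""
    return scan_band(samples)[1] > threshold

def tone(freq_hz, amplitude, n):
    """Constructed test signal: a sine wave of n samples."""
    return [amplitude * math.sin(2.0 * math.pi * freq_hz * i / SAMPLE_RATE) for i in range(n)]

def mix(*signals):
    """Sum several equal-length signals sample by sample."""
    return [sum(values) for values in zip(*signals)]

N = 4410                                                 # 100 ms analysis window
AMBIENT = mix(tone(440, 0.4, N), tone(1234.5, 0.3, N))   # constructed audible-only audio
WITH_BEACON = mix(AMBIENT, tone(18500, 0.05, N))         # same audio plus a faint 18.5 kHz tone

if __name__ == "__main__":
    for name, audio in (("ambient", AMBIENT), ("with beacon", WITH_BEACON)):
        freq, power = scan_band(audio)
        print(f"{name}: peak {freq} Hz, power {power:.2e}, beacon={has_beacon(audio)}")
```

On real recordings the threshold has to be calibrated against the device's own noise floor, since microphones and codecs differ in how much they attenuate this band.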

In their research paper, presented last week at the IEEE European Symposium on Security and Privacy, they found that 234 current Android applications incorporate some type of ultrasonic listening technology and the number of apps with this tech is on the rise. They also found that physical locations like shopping malls are already adopting and emitting beacons. They covered SilverPush, Lisnr and ShopKick software implementations and also tested for beacons being emitted via TV channels, but with no success.

For some reason, there was not a single mention of Google Nearby technology nor its Nearby Messages API.

Acoustic covert channels are not new but they seem to take some time to emerge from the research papers to widespread technology, maybe because of their limitations, such as error-proneness and range. On the other hand, once it’s understood that these beacons can actually work reliably, this technology is just too juicy for advertising agencies not to use.

And other ‘agencies’ too.

41 thoughts on “Ultrasonic Tracking Beacons Rising”

  1. I would say “nearly inaudible” instead of “inaudible” and not just teenagers and mosquito ringtones. If you crank up ultrasound loud enough, it will prove just audible and extremely directional. In the early Y2Ks, I experimented with piezo tweeters, a 10 watt amplifier and a BASIC Stamp. At full power, the ultrasound was clearly audible but not loud sounding. An ultrasound detector could be made with merely a high pass filter and a system like a superhet radio – or the crude way. Better yet, a jammer could be employed to foil the intrusiveness! You modulate the ultrasound oscillator with white noise or random 1s and 0s then an audio amplifying chip (like an LM386) as the “linear amp”. An Arduino and amp and piezo speaker is all you need to make a jammer. Code added separately!

    1. I don’t know about jamming it unless you can over-drive the detector/microphone. Superposition applies to sound and an optimal filter would extract the known signal, particularly if you try to jam with true noise. White noise gives the best extraction results. In fact, I think it is assumed in the derivation of the optimal filter.

    2. I have done similar experiments and have found that you end up with the piezo device resonating at its fundamental frequency stimulated by the higher frequencies – it is not that people can hear ultrasonic sound if it is loud enough.

  2. De-anonymization (also spelt as deanonymization) is a strategy in data mining in which anonymous data is cross-referenced with other sources of data to re-identify the anonymous data source. The term became popular in 2006 when Arvind Narayanan and Vitaly Shmatikov entered a contest hosted by Netflix, and applied their de-anonymization techniques to successfully identify Netflix data for a number of specific members.


    It’s more complicated than just “ID”.

  3. “These types of ultrasonic beacons work in the 18 kHz – 20 kHz range, which the human being doesn’t have the ability to hear, unless you are under twenty years old, due to presbycusis.”

    So you think I’m not human? Pushing 40, and I can hear those frequencies just fine, thank you very much! Though I’ve always been sensitive to high frequencies; my neighbor installed an ultrasonic deterrent to keep the dog out of his yard. It kept me out better than it did the dog.

    Just an editorial comment: saying something is used to “do no harm” implies it is actively used to prevent harm from being done, not that its use is harmless. Understanding language makes a difference.

    1. I struggled with the 17.4Khz tone on the Wiki page. Had to put my laptop speakers to max and then my ears up to the speakers.
      My earphones wouldn’t reproduce a high enough sensitivity so I will have to try my headphones when I get back (they’re best described as a tad bit bright on the highs with a clean well defined mid-range and a gentle bass: overall flat yet clean sound response, none of that blur-inducing harmonic distortion caused by cheap cone deformations as it has a heavier Mylar cone than the cheap stuff, hence the gentle bass reproduction)

      However some of the PSUs that go out as PASSED must dump at least 200W of 18-19Khz into them, I can hear them scream from around the corner, yet have the same perceivable db “Volume” when going up to said units as when I am about 150 meters away from it!!!

      1. Yep tried the Wiki example with my decent headphones: Can hear it albeit at a low but constant loudness, even sounds the same loudness whilst taking off my headphones!

        It is like my ears can detect the tone, yet not be able to determine its loudness.

  4. Can we place rogue transmitters in shopping malls to rickroll people somehow? Can the signal be encoded to cause an event on the phone? I suppose we’d have to hack one of the listening apps, but I bet one has a security hole we could drive a truck through.

  5. Looks like a good argument to add hardware off buttons to mics or maybe band pass circuitry to remove the ability for devices to transmit and receive ultrasonic sounds.

  6. What I don’t get is… why ultrasound?

    Yeah, obviously because you don’t hear it, but wouldn’t a more “steganographic” approach be far more robust? You wouldn’t hear a phase-shift modulation or some “last bit” noise either. And with good forward error correction…

    An energy burst in the > 18 KHz is just too conspicuous in the spectrogram!

    (And, btw… this has some precedent: Google was playing around with that a couple of years ago, to let your PC recognize what was (acoustically) coming out of your TV, no “active” beacon, though).

    Now… how can we creatively shenanigan that?

  7. Nearly everyday I learn something from HAD, today I learned that I’m not at all paranoid, it really is all a plot.
    All the power circuits in our house are shut off at night automatically, we have no tv receivers, I have no mobile phone, all family photos and any other private information is stored on a properly air gapped computer (drive lights disconnected, runs off an inverter, fans connected directly to the supply battery, rear usb ports and any unused ports removed, front usb ports covered with a hasp and staple padlock) but I can still be tracked, my wife and kids love a bit of technology.

      1. They’re out to get us all!!!!
        Reaping their rewards of comfortable lives.
        One day people will awake and see.
        Look at those in power, the Illuminati!!!
        Listen to the truth, not the Satan system.
        It is time to repent and start again.
        Now is time to pray for the weak , the government are weak.
        Go and spread the word, Viva La Revolution!!!!

    1. Ruby Ridge comes to mind. A case where privacy and independence were appropriately pursued in peace and civility, but a single act mushroomed into national tragedy with lives of two innocents lost.

      If someone seeks a bit of help, just borrow them your hacksaw.

    2. I guess if you want to live like that, go ahead. Sounds like too much work for me. I try to do a simple risk analysis. Likelihood*severity*detectability=risk priority number. If that number gets high enough, I do something.

  8. The Nielsen TV ratings folks have used this for years to tell which TV shows you’re watching (and even which songs you’re listening to) by the encoded ultrasonic signals. I know someone that wore a special pager-like device that did the listening in exchange for compensation, but I think they have now switched to using a phone app instead.

    No more filling out papers to say what you’re watching and then mailing it in later. Even if you’re watching TV while you’re in the waiting room at the hospital it will know what you see and they know right away. Okay, technically, they will really only know what you hear, not watch, but you get the idea.

    1. Ok, so you’re at the hospital and someone hacks the TV media stream to play back terror recruitment propaganda.
      Sounds like an excuse for them to kick people’s doors through! LOL

      Presumptions are bad things: Did George HasNone and Tony LoudMouth (George Bush, Tony Blair) ever find those weapons of mass destruction????

  9. IMHO cone and coil speakers do not do a great job with ultrasonic sounds, and certainly not wide range devices. Cone and coil speakers depend to some extent on the vibration of the cone to cool the coil. In the past manufacturers have gone as far as trying to use magnetic ferrofluids to conduct the heat away from the coils. That cooling mechanism does not work efficiently at ultrasonic frequencies as the excursions are very small and the power factor is very high. Crank up a loud steady state tone for too long and you may cook your speaker.

    Piezoelectric tweeters are an entirely different beast, and interestingly enough all of the ultrasonic transducers I have ever encountered have been piezoelectric devices.

    Given that you need to access both the audio output device and the audio input device to even begin to try to get this to work, it might just be easier to get access to the camera and look for any changes frame to frame. It sounds harder but it only requires accessing one device, and that device would be working within its normal operating range.

  10. It’s interesting to read about what ultrasonic data transmission can be used for. My brother was talking about this technology last night and I didn’t realize that it can be used for anything from highlighting a product to tracking certain devices. It really makes sense that this can be a very helpful tool for stores and shops to help refer their customers to products they might want. Thanks for the post, it’s very interesting!

  11. I’d be interested to know if one could reverse the connection, such that the person on the receiving end could do things to/with the server owned by whoever is sending the beacons.
