The Center for Democracy and Technology (CDT) warned that an Indian firm called SilverPush has technology that allows adverts to ping inaudible commands to smartphones and tablets.
A savvy chap has reverse-engineered the code and published it.
SilverPush’s software kit can be baked into apps, and is designed to pick up near-ultrasonic sounds embedded in, say, a TV, radio or web browser advert. The signals are found within the range of 18kHz to 19.95kHz, and are too high pitched for most humans to hear, but of course the signals can be decoded by software.
An application that uses SilverPush’s code can pick up these messages from the phone or tablet’s builtin microphone, and be directed to send information such as the handheld’s IMEI number, location, operating system version, and potentially the identity of the owner, to the application’s backend servers.
Imagine sitting in front of the telly with your smartphone nearby. An advert comes on during the show you’re watching, and it has a SilverPush ultrasonic message embedded in it. This is picked up by an app on your mobile, which pings a media network with information about you, and could even display followup ads and links on your handheld phone.
Joe Hall, chief technologist at CDT told The Register on Thursday.
“This kind of technology is fundamentally surreptitious in that it doesn’t require consent; if it did require it then the number of users would drop, It lacks the ability to have consumers say that they don’t want this and not be associated by the software.”
Joe Hall pointed out that very few of the applications that include the SilverPush SDK tell users about it, so there was no informed consent. This makes such software technically illegal in Europe and possibly in the US, and if it is not the case it should be made so.
There are similar systems in use already. Ratings agency Nielsen has an audio system that does just this to measure the size of radio station audiences, but it’s something people have to agree to use and get paid to do so.
In addition, this sort of thing doesn’t just need to be used for advertising. What if a repressive regime decided to use it to track the phones of dissidents, he said.
Of course, none of this matters if you don’t have an app listening out for the sounds of SilverPush. But initial research found almost 30 applications using the SilverPush SDK, predominantly shopping apps run by Indian or Far Eastern firms.
He found that the software assigned letters of the alphabet to high-pitch tones, e.g.: an 18 kHz sound translates into an ‘A,’ and 19.125 kHz is a ‘P’. Pairs of these characters are used to identify TV ads: ‘AP’ is used to recognise a Geico ad and display an image and link to the insurance biz, we’re told. Sound-playing online adverts appear to use a fingerprint of five characters.
The logical next step is to see if these signals can be disrupted. Finisterre played around with trying to spoof the sounds the apps are looking for and send them junk data. It would also be possible to write a program that randomly sent out ultrasonic tones to disrupt the system, although this would “probably upset the dog and a bunch of other animals off,” he claimed.
“I would try to block this at the audio driver level, not at the browser level. Any other app can implement the same type of tech,” he said.
“There are lots of possibilities. It really depends on which aspect of it you are trying to protect against. The audible beacon triggers themselves (audio driver-based protections, spoofing tones, etc), or the data collection process (think blocking the IPs of the servers), or the monetisation of the data collection (think spoofing randomised invalid data at the backend).”
Smart Meters and the Smart Network, a Dangerous Game