Earlier this year, companies like Silverpush were outed for sneaking ultrasonic communications channels into peoples' devices, so that advertisers could covertly link different devices to a single user in order to build deeper, more complete surveillance profiles of them.
In an upcoming Black Hat London presentation, UCL security researcher Vasilios Mavroudis and colleagues will describe how these ultrasonic channels (which are being incorporated as a network channel in an increasing cloud of Internet of Things devices) can be exploited by attackers to spread malicious software throughout homes -- they'll demo an attack where "an attacker equipped with a simple beacon-emitting device (e.g., a smartphone) can walk into a Starbucks at peak hour and launch a profile-corruption attack against all customers currently taking advantage of uXDT-enabled apps."
Before ultrasound goes mainstream, Mavroudis says that it’s time to work out how to regulate it and keep it from being hijacked for malicious purposes. “Ultrasound beacons don’t have specs yet,” he says. “There are no rules about how to build or connect ultrasound beacons. This is kind of a grey area where no one wants to take responsibility.”
He and his co-authors are agitating for standards similar to those that exist for Bluetooth. But that will take a while, so they have also developed countermeasures you can use in the meantime. The first is an ultrasound-filtering browser extension for Google Chrome that blocks any website-embedded beacons from sounding. The second is a patch for Android devices that means users have to opt in to pick up ultrasound beacons and audible sound separately when they give an app permission to use their microphone.
“It’s going to get worse unless we fix it,” says Mavroudis.
Your home’s online gadgets could be hacked by ultrasound
[Sally Adee/New Scientist]
(Image: Ear E-2, Pearson Scott Foresman, PD)
It's been less than a year since a public-spirited hacker broke into the servers of Florida stalkerware vendor Retina-X, wiping out all the photos and data the company's customers had stolen from other peoples' phones (including their kids' phones) by installing the spying apps Phonesheriff on them.
A pair of researchers from Toronto's storied Citizen Lab (previously) have written an eye-opening editorial and call to action on the ways that repressive states have used the internet to attack dissidents, human rights advocates and political oppositions -- and how the information security community and tech companies have left these people vulnerable.
Radiflow reports that they discovered cryptojacking software -- malware that mines cryptocurrency -- running in the monitoring and control network of an unnamed European water utility, the first such discovery, and a point of serious concern about the security and integrity of critical infrastructure to both targeted and untargeted attacks.
Trains may not be the most popular means of conveyance nowadays, but chances are you grew up playing with toy trains or building a model set to wrap around the Christmas tree. In either case, it’s safe to say that locomotives have long carried a unique sense of awe and scale, especially when they’re hundreds […]
When it comes to redesigning or renovating a living space, envisioning changes before they occur can be tricky for most. Thankfully, the web is home to tools that can remove some of the guesswork, like Live Home 3D Pro for Mac. This app lets you create detailed and furnished floor plans for everything from sheds and […]
For many startups and fledgling businesses, web hosting — and the fees associated with it — can take a sizeable chunk out of the company budget and limit growth down the road. But, that’s not to say there aren’t hosts out there who can get your site online while staying within your budget. Arch Hosting is a […]