Some mobile apps continue to track ultrasound signals even when closed

Bruce Brown

Ghosts in your smartphone, tablet, or computers may be listening. A technology called ultrasonic cross-device tracking (uXDT) has the Federal Trade Commission (FTC) and computer security watchdogs on alert, according to Fortune.

Researchers from University College London (UCL) are scheduled to present, at a Black Hat conference in London this week, how marketing software that monitors ultrasonic sound poses a privacy and security threat. Examples include a cell phone that can detect what you watch on television and a tablet gathering your notebook web browsing history. In each case, an app running on your mobile device could still be listening and sharing, even when you have closed the app itself.


The FTC has already informed developers about the dangers of using code called Silverpush. Fortune reports the FTC warned that failing to disclose to users the software's ability to monitor television viewing, even when the software is closed, could violate privacy guidelines.

According to the UCL team, worse than undisclosed market data gathering, the apps can listen for ultrasound signals and could potentially continuously monitor conversations and even record keystrokes. Because the technology works across devices, even an air-gapped computer (a system used for secure computing, with no Wi-Fi, Bluetooth, or other network connection) could be monitored by a smartphone, tablet, or another computer within ultrasonic range “listening” through its own microphone. The UCL researchers say that software that lacks opt-out options and disclosure poses a significant threat.

UCL team member Vasilios Mavroudis told New Scientist that the growth of the Internet of Things exacerbates the risk of ultrasound beacons used in IoT because there are no current standards for securing ultrasound signals. The world realized the threat of massive IoT botnet attacks earlier this month with the DDoS attacks on major domain name servers.

The UCL team has developed a patch for Android devices that enables improved ultrasound access management by users, but that is just a start. The current threat from mobile device software that keeps listening and the potential growing threat from nosy devices raise the need for better control.