Alexa – what are you hearing that I can’t?

Stewart Mitchell reveals how your devices’ microphones are listening out for more than just your voice commands

From Amazon Echo and Google Home to Siri and Cortana, technology is increasingly listening to what we say. And as with any new technology, people are finding ways to exploit it for nefarious purposes -- for example, when Burger King tricked Google Home into playing an advert for its Whoppers.

That Google could be duped so easily is a surprise, but the threat was minimal. However, security researchers have discovered far more sinister means of using open microphones to snoop on consumers.

According to researchers from the Technische Universität Braunschweig in Germany, more than 230 apps on Google Play use listening technology that responds to near-ultrasonic signals broadcast from a variety of sources. Beacons can be placed in offline media content, such as TV or radio ads, to let apps know what a mobile user is watching, or in shops to pinpoint their location without having to seek permission to use GPS.

The technology originally drew criticism in 2015, when developer SilverPush publicised an SDK for audio beacons that were generally outside the range of human hearing. Yet, despite criticism from the authorities, the ultrasonic beacons appear to be spreading.

SilverPush has said it no longer uses the technology, but others have taken its place. A representative sample of five of those apps identified by the German researchers have been downloaded between 2.25 million and 11.1 million times, and although the study only investigated Android devices, the team said similar tactics could theoretically also apply to iOS hardware.

None of those apps disclosed their ability to listen for beacons and the technology is expected to be rolled out further as commercial applications develop. "Recently, several companies have started to explore new ways to track user habits and activities with ultrasonic beacons," Erwin Quiring, lead researcher on the Privacy Threats through Ultrasonic Side Channels on Mobile Devices report, told PC Pro.

"In particular, they embed these beacons in the ultrasonic frequency range between 18kHz and 20kHz of audio content and detect them with regular mobile applications using the device's microphone. This side channel offers various possibilities for tracking."
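The channel described in that quote can be checked for from the listener's side. The following is an added example, not code from the article or the researchers' report: it scans a recording for a narrowband tone between 18kHz and 20kHz. The 48kHz sample rate, the thresholds and the constructed test signals are assumptions, and a single steady tone stands in for whatever modulation a real beacon uses.

```python
import math
from statistics import median

RATE = 48_000          # assumed capture rate; must exceed 40 kHz to represent 20 kHz
FRAME = 960            # 20 ms frames, giving 50 Hz bin spacing
PROBES = range(18_000, 20_001, 100)  # band quoted in the article, probed every 100 Hz
MIN_POWER = 1e-6       # assumed floor: ignore frames with no real energy in the band
MIN_RATIO_DB = 20.0    # assumed: tone must stand this far above the band median
MIN_RUN = 3            # assumed: consecutive frames (60 ms) needed before reporting
HANN = [0.5 - 0.5 * math.cos(2 * math.pi * n / FRAME) for n in range(FRAME)]

def goertzel_power(frame, freq):
    """Normalised power of one frequency in a Hann-windowed frame (Goertzel)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x, w in zip(frame, HANN):
        s1, s2 = x * w + coeff * s1 - s2, s1
    return (s1 * s1 + s2 * s2 - coeff * s1 * s2) / (FRAME * FRAME)

def scan(samples):
    """Return (start_sample, peak_hz) for each frame with a narrowband tone in band."""
    hits = []
    for start in range(0, len(samples) - FRAME + 1, FRAME):
        frame = samples[start:start + FRAME]
        powers = {f: goertzel_power(frame, f) for f in PROBES}
        peak_hz = max(powers, key=powers.get)
        floor = max(median(powers.values()), 1e-20)  # avoid dividing by zero
        ratio_db = 10 * math.log10(max(powers[peak_hz], 1e-20) / floor)
        if powers[peak_hz] >= MIN_POWER and ratio_db >= MIN_RATIO_DB:
            hits.append((start, peak_hz))
    return hits

def has_beacon(samples):
    """True when MIN_RUN consecutive frames carry a tone (filters out clicks)."""
    run, prev = 0, None
    for start, _ in scan(samples):
        run = run + 1 if prev is not None and start - prev == FRAME else 1
        if run >= MIN_RUN:
            return True
        prev = start
    return False

def tone(freq, amp, n):  # helper for the constructed test signals below
    return [amp * math.sin(2 * math.pi * freq * i / RATE) for i in range(n)]
# Constructed samples: 0.2 s of audible tones, with and without an 18.5 kHz carrier.
AUDIBLE = [a + b for a, b in zip(tone(440, 0.4, 9600), tone(2000, 0.3, 9600))]
WITH_BEACON = [a + b for a, b in zip(AUDIBLE, tone(18_500, 0.05, 9600))]
if __name__ == "__main__":
    print(has_beacon(AUDIBLE), has_beacon(WITH_BEACON), scan(WITH_BEACON)[:1])
```

Comparing the peak against the median of the band, rather than against a fixed level alone, is what separates a deliberate carrier from broadband hiss that happens to reach 18kHz.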

Privacy and permission

Google says it removes apps that don't abide by its privacy policy, but the fear is that companies could create eavesdropping apps simply by seeking permission to use the microphone during installation. Once permission has been granted, it's almost impossible to tell if the microphone is listening for prompts.

"They've been designed to be ambient, or in the background, and this makes it harder for people to know that they are often continuously recording," said Michelle De Mooy, director of the Privacy and Data Project at the Center for Democracy and Technology. "We might understand why audio beacons exist or how they provide functionality for some products and services, but that understanding is not the same thing as consent. Data collection is opaque by design, and audio beacons can be particularly stealthy and silent."

Following an initial backlash, De Mooy said some companies had tried to make it clearer how customer conversations may be recorded or used, and have offered enhanced privacy settings, "but there are always one or two companies that cross privacy boundaries... and they perpetuate an atmosphere of mistrust."

That's not to say everyone employing the technology is doing so nefariously. "Legitimate audio beacon apps are increasingly used by companies that declare their presence and capabilities within the sign-up process," said Quiring.

"The mobile application Shopkick, for instance, provides rewards to users if they walk into stores that collaborate with Shopkick. In contrast to GPS, loudspeakers at the entrance emit an audio beacon that lets Shopkick precisely determine whether someone is in the shop or not."
