Alexa – what are you hearing that I can’t?

Stewart Mitchell reveals how your devices’ microphones are listening out for more than just your voice commands

From Amazon Echo and Google Home to Siri and Cortana, technology is increasingly listening to what we say. And as with any new technology, people are finding ways to exploit it for nefarious purposes -- for example, when Burger King tricked Google Home into playing an advert for its Whoppers.

Advertisement - Article continues below

That Google could be duped so easily is a surprise, but the threat was minimal. However, security researchers have discovered far more sinister means of using open microphones to snoop on consumers.

According to researchers from the Technische Universitat Braunschweig in Germany, more than 230 apps on Google Play use listening technology that responds to near ultrasonic signals broadcast from a variety of sources. Beacons can be placed in offline media content, such as TV or radio ads, to let apps know what a mobile user is watching, or in shops to pinpoint their location without having to seek permission to use GPS.

The technology originally drew criticism in 2015, when developer SilverPush publicised an SDK for audio beacons that were generally outside the range of human hearing. Yet, despite criticism from the authorities, the ultrasonic beacons appear to by spreading.

SilverPush has said it no longer uses the technology, but others have taken its place. A representative sample of five of those apps identified by the German researchers have been downloaded between 2.25 million and 11.1 million times, and although the study only investigated Android devices, the team said similar tactics could theoretically also apply to iOS hardware too.

Advertisement - Article continues below
Advertisement - Article continues below

None of those apps disclosed their ability to listen for beacons and the technology is expected to be rolled out further as commercial applications develop. "Recently, several companies have started to explore new ways to track user habits and activities with ultrasonic beacons," Erwin Quiring, lead researcher on the Privacy Threats through Ultrasonic Side Channels on Mobile Devices report, told PC Pro.

"In particular, they embed these beacons in the ultrasonic frequency range between 18kHz and 20kHz of audio content and detect them with regular mobile applications using the device's microphone. This side channel offers various possibilities for tracking."

Privacy and permission

Google says it removes apps that don't abide by its privacy policy, but the fear is that companies could create eavesdropping apps simply by seeking permission to use the microphone during installation. Once permission has been granted, it's almost impossible to tell if the microphone is listening for prompts.

"They've been designed to be ambient, or in the background, and this makes it harder for people to know that they are often continuously recording," said Michelle De Mooy, director of the Privacy and Data Project at the Center for Democracy and Technology. "We might understand why audio beacons exist or how they provide functionality for some products and services, but that understanding is not the same thing as consent. Data collection is opaque by design, and audio beacons can be particularly stealthy and silent."

Advertisement - Article continues below

Following an initial backlash, De Mooy said some companies had tried to make it clearer how customer conversations may be recorded or used, and have offered enhanced privacy settings, "but there are always one or two companies that cross privacy boundaries... and they perpetuate an atmosphere of mistrust."

That's not to say everyone employing the technology is doing so nefariously. "Legitimate audio beacon apps are increasingly used by companies that declare their presence and capabilities within the sign-up process," said Quiring.

"The mobile application Shopkick, for instance, provides rewards to users if they walk into stores that collaborate with Shopkick. In contrast to GPS, loudspeakers at the entrance emit an audio beacon that lets Shopkick precisely determine whether someone is in the shop or not."

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now

Most Popular

Google Android

Over two dozen Android apps found stealing user data

7 Jul 2020

How to find RAM speed, size and type

24 Jun 2020

The road to recovery

30 Jun 2020