Alexa – what are you hearing that I can’t?

Ethical dilemma

The beacons first grabbed headlines when it was revealed they could be hidden in television or radio content such as adverts which would alert companies which users watched certain programs. For the first time, companies could even get a picture of which channels or shows were being watched by individual viewers with or without their permission.

"Where traditional broadcasting via terrestrial, satellite or cable signals previously provided anonymity to a recipient, local media selection becomes observable," the researchers said. "Someone using beacons can precisely link watching even sensitive content such as adult movies to a single individual even at varying locations."

The ultrasonic signals also enable app developers to work out which devices belong to the same individual. For example, if two devices regularly register the same beacons, then the app owner would know that the handsets likely belong to the same person. "Beacons could be used to link together private and business devices of a user, if they receive the same ultrasonic signal, thereby providing a potential infection vector for targeted attacks," said Quiring.

The German researchers highlight that beacons also enable an adversary to track user movement indoors without requiring GPS, revealing where and when an individual goes in a store or hotel, for example, while anyone with access to the data can also learn when people are meeting or are in close proximity to one another.

Security services

Given the publicised capabilities of security services, there are also concerns that inaudible sound waves could prove a useful tool for snooping on or identifying members of the public, particularly against those that are using VPNs or Tor to remain anonymous.

"One of the attacks we identified affects anonymous communication systems," said Vasilios Mavroudis, doctoral researcher in the Information Security Group at the University College London. "Imagine a user uses Tor on their home computer to browse the web anonymously and has left their mobile phone nearby, and the phone features an app periodically listening for ultrasound beacons for tracking. If one of the websites has been compromised and emits ultrasounds, that unique ultrasound beacon is picked up by the app in the phone, which reports it back to the tracking company."

With this information, Mavroudis says, security officials could ask for a warrant demanding the tracking company provides details of the users reporting the specific beacon ID.

According to Mavroudis, who has created a Chrome extension (SilverDog) that blocks inaudible data, audio technology could also move beyond announcing "I'm here" and carry potentially dangerous data streams which would evade conventional security software. "At first, it was simply a unique identifier corresponding to the content or the location where the beacon was emitted from," said Mavroudis. "However, the ecosystem is fast evolving and full communication stacks will be soon made available."