McDonald's and other companies use ultrasound to spy on users.


    Figure: how ultrasonic tracking beacon technology works

    A group of researchers from Braunschweig Technical University (Germany) found a large number of Android applications using ultrasonic beacons for spying on users. Experts say that the technology (ultrasound cross-device tracking, uXDT) has gained great popularity in the past few years.

    The idea is that an inaudible ultrasound signal is emitted while an advertisement plays on TV, on a mobile device, or in an offline store or restaurant. It is usually added to a music video or jingle. The signal is picked up by the microphones of nearby electronic devices (laptops, PCs, smartphones, tablets), and the advertiser then knows that this particular user owns all of those devices. This is exactly what is needed to link advertising profiles and to track a user who goes online from different devices.

    In a store or restaurant, a specific smartphone is linked to a specific guest. That guest can then be force-fed targeted advertising for this restaurant all over the Internet.

    Advertisers greatly value linking profiles across devices, because it lets them build a more accurate and complete profile of a person and examine his habits, online behavior and interests in detail, and so show more relevant and more annoying ads. Users will then wonder why they are shown pornography on a smartphone if they only watched erotica on a personal computer. The profiles are already linked.


    Test setup in the laboratory of the Technical University of Braunschweig. Beacon recognition from a distance of 2 meters ranges from 70% to 100% at a frequency of 18 kHz and from 75% to 100% at 20 kHz, depending on the quality of the phone.

    From the point of view of security specialists and the majority of users, profile-linking technology is a real threat to privacy, because ad networks get information that nobody wanted to give them. If a person happened to see an advertisement on TV, that does not mean he gave permission to study the history of sites visited from his smartphone and PC. The advertising network, on the other hand, believes it has the right to do so, because such surveillance is not prohibited by law.

    The technology is supported by the Shopkick, Lisnr and SilverPush advertising engines.

    In real life, the situation is not critical. First, only a few offline stores and fast food chains emit ultrasonic beacons. For example, a study in two European stores showed that ultrasonic trackers were sounding on the sales floors at only 4 of the 35 points studied. Second, for a smartphone to register the signal, the user must actually open an application built on the Shopkick SDK. Such applications are obviously not installed on many phones, although the stores themselves actively promote them, offering users various discounts and bonuses for installing and using the branded application. Two of the applications the researchers found have between 1 and 5 million downloads.


    Audio recordings and spectrograms of the musical track and the ultrasonic beacon

    Recordings of several dozen TV channels in seven countries (6 days of audio in total) did not reveal a single ultrasonic tracking signal between 18 and 20 kHz. The researchers say that TV channels use different video and audio compression settings for Internet broadcasts. It is likely that the ultrasound disappeared from the broadcast after compression, although it was present in the original signal.

    The presence of more than 200 applications with an ultrasound recognition function (out of 1.3 million tested) seems to hint that these beacons should be present somewhere in the original television broadcasts.

    Characteristically, the number of applications with uXDT support has been growing rapidly in recent years. For example, a previous scan in April 2015 revealed only 6 applications using uXDT, and one in December 2015 found 39. Now the technology has gone mainstream.



    Sadly, judging by the applications, this type of surveillance is used by some seemingly respectable companies, such as McDonald's and Krispy Kreme, although their reputation may suffer if many people learn about such hidden methods of advertising profiling.

    By the way, the same group of researchers previously described the method of de-anonymization of Tor users through the same tracking ultrasonic beacons in JavaScript that work through the HTML5 Audio API.



    That work was presented at the hacker conferences Black Hat Europe 2016 and the 33rd Chaos Communication Congress in November-December (video mp4, 543 MB). So people are already aware of this attack channel. The developers of the Tor Project have also been notified. Just turn off your mobile phone if you go online via the Tor browser from a personal computer. You can use a special scanner to find and remove programs on your smartphone that recognize ultrasound (static code analysis reveals characteristic sections of code). Or filter out ultrasound above 18 kHz at the signal source.
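
    A check for the 18-20 kHz band discussed above, added here as an example (it is not the researchers' tool or code from the original article): it scans a recording for a narrow carrier that stands out from the rest of the band. The function names, the 100 Hz scan step, the detection ratio and the test clip are assumptions made for this illustration.

```python
import math
import random
from statistics import median

RATE = 44100              # samples per second; Nyquist limit is 22.05 kHz
BAND = (18000, 20000)     # near-ultrasonic range named in the article, in Hz

def goertzel_power(samples, rate, freq):
    """Signal power at a single frequency (Goertzel algorithm)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def scan_band(samples, rate=RATE, band=BAND, step=100, min_ratio=100.0):
    """Return (found, peak_hz, ratio). A narrow carrier towers over the
    band's median power; broadband noise does not. min_ratio is an assumed
    threshold (20 dB), not a value from the study."""
    freqs = range(band[0], band[1] + 1, step)
    powers = [goertzel_power(samples, rate, f) for f in freqs]
    peak = max(powers)
    ratio = peak / max(median(powers), 1e-12)
    return ratio >= min_ratio, freqs[powers.index(peak)], ratio

def make_clip(beacon_hz=None, seconds=0.1, seed=1):
    """Constructed test audio: two audible tones, faint noise, optional beacon."""
    rng = random.Random(seed)
    clip = []
    for n in range(int(RATE * seconds)):
        t = n / RATE
        x = 0.5 * math.sin(2 * math.pi * 440 * t)
        x += 0.3 * math.sin(2 * math.pi * 1000 * t)
        x += rng.uniform(-0.005, 0.005)          # background noise
        if beacon_hz:
            x += 0.02 * math.sin(2 * math.pi * beacon_hz * t)  # quiet carrier
        clip.append(x)
    return clip

if __name__ == "__main__":
    for label, hz in (("jingle only", None), ("jingle + beacon", 18500)):
        found, peak_hz, ratio = scan_band(make_clip(hz))
        print(f"{label}: carrier={found} peak={peak_hz} Hz ratio={ratio:.0f}")
```

    The recording must be sampled at 44.1 kHz or higher and must not have passed through lossy compression, which, as noted above for Internet TV broadcasts, can remove the band entirely.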
