DOCSLIB.ORG

Zero-Permission Acoustic Cross-Device Tracking

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Zero-Permission Acoustic Cross-Device Tracking Zero-Permission Acoustic Cross-Device Tracking Nikolay Matyunin Jakub Szefer Stefan Katzenbeisser Technical University of Darmstadt, CYSEC Yale University Technical University of Darmstadt, CYSEC Darmstadt, Germany New Haven, CT, USA Darmstadt, Germany [email protected] [email protected] [email protected] Abstract—Adversaries today can embed tracking identifiers and detect them in a mobile application to show location- into ultrasonic sound and covertly transmit them between de- relevant content. The company Silverpush developed means of vices without users realizing that this is happening. To prevent embedding tracking identifiers into TV streams. Meanwhile, such emerging privacy risks, mobile applications now require a request for an explicit user permission, at run-time, to get researchers [4] demonstrated how the uXDT technology can access to a device’s microphone. In this paper, however, we be used for web-tracking purposes, e.g., for transmitting a show that current defenses are not enough. We introduce a tracking ID from the Tor browser to an application on the novel approach to acoustic cross-device tracking, which does not user’s smartphone in order to de-anonymize the web session. require microphone access, but instead exploits the susceptibility Due to privacy concerns, uXDT technology raised the atten- of MEMS gyroscopes to acoustic vibrations at specific (ultrasonic) frequencies. Currently, no permissions are needed to access the tion of public media [5] and the security community [4], [6]. gyroscope’s data, and the gyroscope can be accessed from apps or In response, the Federal Trade Commission issued warning even from a web browser. In this manner, gyroscopes in modern letters to app developers who use Silverpush components, smartphones and smartwatches can be used as zero-permission asking them to explicitly disclose the usage of ultrasonic receivers of ultrasonic signals, making cross-device tracking tracking. Nevertheless, researchers recently found 234 Android completely unnoticeable to users. We evaluate our approach on several mobile devices using different audio hardware, achieving applications that are listening in the background for ultrasonic 10–20bit/s transmission bandwidth at distances from 35cm to beacons from TV streams [6], some of them with millions of 16m in realistic attack scenarios. Finally, we discuss potential users, proving that the technology is being actively deployed. countermeasures against the presented attack. Starting from Android 6, mobile applications are required to Index Terms—cross-device tracking, ultrasonic communica- ask for a user permission at run-time to access the microphone tion, covert channels, MEMS gyroscope, web tracking (in the past it was only done during app installation). This way, Android devices prevent stealthy audio recording. On I. INTRODUCTION iOS devices, a pop-up warning is additionally shown when Commercial companies today collect an increasing amount the app accesses the microphone in the background. This way, of information about their users, to improve customer ex- an attempt to start detection of uXDT signals by the app will perience, but also to increase financial profits by showing most likely raise user’s attention. targeted advertisements. Advertising components can be em- In this paper, we present a new approach to perform bedded as third-party content on hundreds of websites or uXDT, which does not require access to a microphone at all, TV streams, making it possible to analyze user activity on and instead uses gyroscopes in smartphones or smartwatches a large scale. Moreover, the widespread use of mobile and as receivers for ultrasonic signals. It has been shown that wearable devices has resulted in the demand for cross-device microelectromechanical (MEMS) gyroscopes are susceptible tracking technologies, which allow companies to correlate to acoustic vibrations at specific resonance frequencies [7], [8], user activities even across different devices. This introduces a typically within ultrasonic range (19–29kHz). In our work, we serious privacy threat, since such aggregated user profiles may show that ultrasonic signals can be emitted at these frequencies contain sensitive information about personal interests, location, with commonly-used audio hardware, and subsequently be health, beliefs or sexuality, while users remain unaware of the captured at a distance by gyroscopes of modern smartphones scope and mechanisms of such tracking [1], [2]. and smartwatches. By analyzing spectral characteristics of Usually cross-device tracking is performed by linking the gyroscope’s response to sound, the signal can be decoded even device to some deterministic information provided by users in the presence of device movements, e.g., when a smartphone themselves, e.g., application or website login credentials [3], is held in a hand, or a smartwatch is worn on a wrist. or by comparing attributes shared by all the devices, such as We show that cross-device tracking can be established IP addresses or location data. Recently, ultrasonic cross-device between commonly-used devices (e.g., a laptop and a smart- tracking (uXDT) has emerged, based on embedding tracking phone) at distances of up to 35cm using internal laptop identifiers into ultrasonic sounds and detecting them with a speakers at 75% volume level, achieving a bitrate of 10bit/s. microphone on a user’s smartphone. In particular, companies With a more powerful speaker, distances of several meters like Shopkick, Lisnr and Signal360 provide a way to deploy and a bitrate of up to 20bit/s are achieved. Although distance ultrasonic beacons at specific locations (e.g., shops or festivals) and bandwidth are limited in comparison to existing uXDT solutions with recording using microphones, the proposed 0.03 method can be run completely stealthily to users, as access 0.02 to gyroscope data does not require any explicit permissions. Adding such a permission, as well as applying other possible 0.01 countermeasures (as discussed in Section VI), introduces tech- 0 Angular speed (rad/s) nical and usability problems and may not completely eliminate 0 5 10 15 this new attack vector. Therefore, our work demonstrates that Time (s) even with the hardened permission model on mobile devices, Fig. 1. Example of acoustic disturbance of gyroscope measurements over the uXDT technologies still pose a significant privacy risk. x-axis, due to playing a 27kHz sine wave (5–10s). Measurements are recorded on an iPhone 6s in a stationary position, located 30cm from the speaker. A. Paper contributions Our contributions can be summarized as follows: disturb the resulting measurements on one or all of the axes. • We introduce a novel method of cross-device tracking, For example, Figure 1 demonstrates gyroscope measurements exploiting the sensitivity of gyroscopes in mobile devices from a stationary iPhone 6s placed near a speaker. Once 80dB to acoustic vibrations. sound is played at gyroscope’s resonance frequency, a clear • We present an implementation of the method with an disturbance in gyroscope measurements is noticeable. encoding scheme that is robust to background noise and natural device movements, and demonstrate its applica- To limit acoustic disturbance from background noise, man- bility to cross-device tracking scenarios, including web ufacturers design the sensors to have a resonance frequency in tracking, TV media tracking and location tracking. ultrasonic range. Most of gyroscopes tested in other works [7], [8] and in our experiments (Section IV-A), had a resonance • We evaluate the implementation on different hardware setups. To the best of our knowledge, our work is the frequency within 19–29 kHz. This fact makes gyroscopes first to consider and evaluate acoustic transmission using suitable receivers for covert ultrasonic signals: humans can MEMS gyroscopes as receivers at a distance, when perceive sounds only within the 20 Hz–20 kHz range, with sensor is not directly adjacent to the source. the upper threshold declining with age, so most people over 18 years cannot hear frequencies above 16 kHz [14]. II. BACKGROUND B. Capabilities of commodity audio hardware In this section, we briefly describe use of MEMS gyroscopes in mobile devices, their susceptibility to acoustic vibrations, In order to perform uXDT by disturbing gyroscopes at res- and abilities of modern audio hardware to transmit covert onance frequencies, the transmitter should be able to produce acoustic signals. ultrasonic signals at 19–29 kHz. According to the Nyquist sampling theorem, the highest possible frequency of the digital A. MEMS gyroscopes in mobile devices signal to be reproduced without aliasing should not be more Most modern smartphones and smartwatches are equipped than half of the sampling rate. Sound interfaces of computers with gyroscopes, which measure the rotation rate of the device and mobile devices typically support at least 44.1 kHz, and in radians per second around three physical axes, to estimate most of them even a 48 kHz sampling rate, to comply its orientation in space. The acquired data is used in games, with popular audio codecs. Moreover, many digital-to-analog virtual reality applications, etc. In Android and iOS devices, converters (DAC) and speakers in modern computers, home 3-axis gyroscope values are retrieved by using the Sensor API theater systems and smartphones have 96 kHz or even 192 kHz [9] and the Core Motion [10] framework, respectively. The sampling rates to
Load more

Recommended publications
  • Data Privacy: the Current Legal Landscape February 2016
    DATA PRIVACY: THE CURRENT LEGAL LANDSCAPE FEBRUARY 2016 By Mark C. Mao, Ronald Raether, Ashley Taylor, Sheila Pham, Sofia Jeong, Reade Jacob, Ryan Lewis, Julie Hoffmeister, and Jessica Lohr troutmansanders.com TROUTMAN SANDERS LLP DATA PRIVACY: THE CURRENT LEGAL LANDSCAPE • FEBRUARY 2016 I. Introduction P. 3 A. An Overview of Privacy Law In The United States B. Trends In 2015 Continue Into 2016 II. New U.S. Legislation, Amendments, And Updates P. 5 A. USA Freedom Act B. Cyber Information Security Act C. Other Significant Legislative Developments 1. Driverless And “Smart” Cars 2. Power Grids 3. Education Privacy 4. California III. Evolving Case Law P. 8 A. Data Breach Litigation 1. Motions to Dismiss: Standing And Damages 2. New Trends & Arguments: a. Defending On The Standard of Care b. Derivative Liability c. Business to Business Litigation B. Impermissible “Tracking” Cases 1. Expanding The Definition of “PII” 2. Persistent Identifiers, URL Tracking, And “Content Scanning” 3. Cross-Device Tracking 4. The Video Privacy Protection Act (VPPA) And The Use of Pseudonyms 5. Consumer Profiling IV. Developments In Regulatory Enforcement P.12 A. The Federal Trade Commission B. The Federal Communications Commission C. HIPAA Enforcement D. State Attorneys General E. Other Administrative Enforcement Efforts V. Notable International Developments P.17 A. The “Privacy Shield” for Transatlantic Data Protection Framework B. General Data Protection Regulation (GDPR) C. The Network Information Security (NIS) Directive D. The Trans-Pacific Partnership (TPP) Agreement VI. Conclusion P.20 Page 2 TROUTMAN SANDERS LLP DATA PRIVACY: THE CURRENT LEGAL LANDSCAPE • FEBRUARY 2016 I. INTRODUCTION 1 A. An Overview of Privacy Law In The United States Privacy law in the United States is generally viewed as Telecommunication entities such as “(telecommunication) following a “sectoral model.” Unlike the European Union (EU) carriers,” cable television, and “video tape service providers” are and Canada, the US does not have comprehensive national also subject to federal legislation.
    [Show full text]
  • Privacy and Data Security Update 2016
    Privacy & Data Security Update: 2016 Federal Trade Commission January 2016 - December 2016 The Federal Trade Commission (FTC or Commission) is an independent U.S. law enforcement agency charged with protecting consumers and enhancing competition across broad sectors of the economy. The FTC’s primary legal authority comes from Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive practices in the marketplace. The FTC also has authority to enforce a variety of sector specific laws, including the Truth in Lending Act, the CAN-SPAM Act, the Children’s Online Privacy Protection Act, the Equal Credit Opportunity Act, the Fair Credit Reporting Act, the Fair Debt Collection Practices Act, and the Telemarketing and Consumer Fraud and Abuse Prevention Act. This broad authority allows the Commission to address a wide array of practices affecting consumers, including those that emerge with the development of new technologies and business models. How Does the FTC Protect Consumer Privacy and Ensure Data Security? The FTC uses a variety of tools to protect consumers’ privacy and personal information. The FTC’s principal tool is to bring enforcement actions to stop law violations and require companies to take affirmative steps to remediate the unlawful behavior. This includes, when appropriate, implementation of comprehensive privacy and security programs, biennial assessments by independent experts, monetary redress to consumers, disgorgement of ill-gotten gains, deletion of illegally obtained consumer information, and provision of robust transparency and choice mechanisms to consumers. If a company violates an FTC order, the FTC can seek civil monetary penalties for the violations. The FTC can also obtain civil monetary penalties for violations of certain privacy statutes and rules, including the Children’s Online Privacy Protection Act, the Fair Credit Reporting Act, and the Telemarketing Sales Rule.
    [Show full text]
  • Ultrasound-Based Cross-Device Tracking
    Vasilios Mavroudis*, Shuang Hao, Yanick Fratantonio, Federico Maggi, Christopher Kruegel, and Giovanni Vigna On the Privacy and Security of the Ultrasound Ecosystem Abstract: Nowadays users often possess a variety of elec- Keywords: Ultrasounds, Deanonymization, tronic devices for communication and entertainment. In Privacy Violation, Cross-device Linking. particular, smartphones are playing an increasingly central role in users’ lives: Users carry them everywhere they go and often use them to control other devices. This trend pro- vides incentives for the industry to tackle new challenges, 1 Introduction such as cross-device authentication, and to develop new monetization schemes. A new technology based on ultra- Modern users have been increasingly relying on multi- sounds has recently emerged to meet these demands. Ul- ple devices and frequently switch between them in their trasound technology has a number of desirable features: it daily lives: Browsing the Internet from computers, playing is easy to deploy, flexible, and inaudible by humans. This mobile games on tablets, or watching shows on televi- technology is already utilized in a number of different real- sions. A recent survey has shown that a single user carries world applications, such as device pairing, proximity detec- 2.9 electronic devices on average [44]. Among the others, tion, and cross-device tracking. smartphones play a prominent role since users carry them This paper examines the different facets of ultrasound- everywhere they go, and they are often used to control based technology. Initially, we discuss how it is already used other devices. The trend of engaging with multiple digital in the real world, and subsequently examine this emerging platforms brought to the demand for new technologies to technology from the privacy and security perspectives.
    [Show full text]
  • Cross-Device Tracking: Measurement and Disclosures
    Proceedings on Privacy Enhancing Technologies ; 2017 (2):113–128 Justin Brookman, Phoebe Rouge, Aaron Alva, and Christina Yeung Cross-Device Tracking: Measurement and Disclosures Abstract: Internet advertising and analytics technology share common attributes — such as the same lo- companies are increasingly trying to find ways to link cal network and IP address — those services may behavior across the various devices consumers own. This be able to correlate user activity across devices. In cross-device tracking can provide a more complete view visiting 100 sites on two virtual devices, we con- into a consumer’s behavior and can be valuable for a nected to 861 different third party domains on both range of purposes, including ad targeting, research, and devices, including domains operated by dedicated conversion attribution. However, consumers may not be cross-device tracking companies. aware of how and how often their behavior is tracked – 96 out of 100 of the sites we tested allowed con- across different devices. We designed this study to try sumers to submit a username or email address that to assess what information about cross-device tracking could be shared to correlate users across devices. (including data flows and policy disclosures) is observ- – Six companies that collect login information as a able from the perspective of the end user. Our paper first party also collect extensive behavioral data as demonstrates how data that is routinely collected and a third party on other websites. shared online could be used by online third parties to – 16 out of 100 sites shared personally identifying in- track consumers across devices.
    [Show full text]
  • September 2015 M&A and Investment Summary Table of Contents
    September 2015 M&A and Investment Summary Table of Contents 1 About Petsky Prunier 3 2 Overview of Monthly M&A and Investment Activity 6 3 Monthly M&A and Investment Activity by Industry Segment 12 4 Additional Monthly M&A and Investment Activity Data 42 Securities offered through Petsky Prunier Securities, LLC, member of FINRA. This M&A and Investment Summary has been prepared by and is being distributed in the United States by Petsky Prunier, a broker dealer registered with the U.S. SEC and a member of FINRA. Petsky Prunier is not affiliated with Altium Capital Ltd, but has partnered with Altium to expand its international presence. Altium has not prepared or verified the information in this Summary. Persons in the United States should contact Petsky Prunier for further information or services. This M&A and Investment Summary is not being distributed by Altium Capital Ltd in the United States and Altium Capital Ltd is not offering any services to persons in the United States. 2 | M&A and Investment Summary September 2015 Petsky Prunier: Maximizing Shareholder Value . Top-ranked, global investment bank dedicated to digital advertising and marketing, eCommerce, digital media, technology, information, business services, and healthcare services industries . Extensive sell-side M&A and capital raise expertise, with a transaction closing rate unmatched at our level of deal volume . Founded in 1999 . More than 50 focused professionals; growth of 40% since 2011 . New York, Palo Alto, Las Vegas, Chicago, Boston, Tampa . Deep relationships across a broad spectrum of strategic buyers, as well as private equity, growth equity, and VC groups and lenders .
    [Show full text]
  • Cross-Device Tracking: Measurement and Disclosures
    Proceedings on Privacy Enhancing Technologies ; 2017 (2):133–148 Justin Brookman, Phoebe Rouge, Aaron Alva, and Christina Yeung Cross-Device Tracking: Measurement and Disclosures Abstract: Internet advertising and analytics technology share common attributes — such as the same lo- companies are increasingly trying to find ways to link cal network and IP address — those services may behavior across the various devices consumers own. This be able to correlate user activity across devices. In cross-device tracking can provide a more complete view visiting 100 sites on two virtual devices, we con- into a consumer’s behavior and can be valuable for a nected to 861 different third party domains on both range of purposes, including ad targeting, research, and devices, including domains operated by dedicated conversion attribution. However, consumers may not be cross-device tracking companies. aware of how and how often their behavior is tracked – 96 out of 100 of the sites we tested allowed con- across different devices. We designed this study to try sumers to submit a username or email address that to assess what information about cross-device tracking could be shared to correlate users across devices. (including data flows and policy disclosures) is observ- – Six companies that collect login information as a able from the perspective of the end user. Our paper first party also collect extensive behavioral data as demonstrates how data that is routinely collected and a third party on other websites. shared online could be used by online third parties to – 16 out of 100 sites shared personally identifying in- track consumers across devices.
    [Show full text]
  • Annual Deal Tracker
    Annual Deal List February 2020 Contents Section Page M&A 04 Domestic 05 Mergers and internal restructuring 16 M&A: Inbound 17 M&A: Outbound 21 Private equity 25 IPO 62 QIP 64 Disclaimer This document captures the list of deals announced based on information available in the public domain and based on public announcements. Grant Thornton India LLP does not take any responsibility for the information, any errors or any decision by the reader based on this information. This document should not be relied upon as a substitute for detailed advice and hence, we do not accept responsibility for any loss as a result of relying on the material contained herein. Further, our analysis of the deal values is based on publicly available information and based on appropriate assumptions (wherever necessary). Hence, if different assumptions were to be applied, the outcomes and results would be different. This document contains the deals announced and closed as of 20 December 2019. 02 Industry 4.0: Transforming the manufacturing landscape Annual Deal List 2019 0 3 M&A 04 Annual Deal List 2019 I. Domestic Acquirer Target Sector USDm % Stake Reliance Strategic Business Asteria Aerospace Pvt. Ltd. Aerospace and defence 3.30 52% Ventures Limited Ashok Leyland Ltd. Ashley Aviation Ltd. Aerospace and defence 0.08 27% PI Industries Ltd. Isagro (Asia) Agrochemicals Private Limited Agriculture and forestry 49.00 100% Luxmi Tea Co. Pvt. Ltd. Mcleod Russel India Ltd. - Specified assets of Agriculture and forestry 21.43 100% Addabarie Tea Estate, Mahakali Tea Estate and Dirai Tea Estate Mahindra CIE Automotive Ltd.
    [Show full text]
  • Mobile Threat Report What’S on the Horizon for 2016 Table of Contents
    Mobile Threat Report What’s on the Horizon for 2016 Table of Contents This Threat Report Introduction . 3 was written by: Stagefright: Setting the Stage for Increased Security . 4 Bruce Snell Is Your Phone Monitoring What You Watch on TV? .. 6 Cybersecurity and Privacy Director SMiShing Continues to Evolve . 7 Intel Security Dangers on the App Stores . 8 Mobile Malware Grows Up . 10 Looking Ahead: IoT and Wearables . 12 Play It Safe . 12 Mobile Threat Report: What’s on the Horizon for 2016 2 We find the mobile threat landscape continues to grow and evolve with several factors contributing. The increasing speed, power and storage space on mobile devices has led to more people using their devices in more places for online shopping, managing their finances and paying their bills. This leads to mobile becoming a much more valuable target for cybercriminals. This past year, we’ve seen how major vulnerabilities in the Android OS changed how Google looks at security updates. We also saw aggressive adware spying on your TV and radio habits. Additionally, we saw an increase in more advanced malware that brings threats we’ve been dealing with for years on PC’s into the mobile world. Rule of three—top three Ransomware, bank fraud and remote access tools (RATs) all have an increased threats facing mobile users: presence on mobile devices. 1. Android moved to monthly security updates, How are these new threats getting to your mobile devices? In our last report, but each manufacturer is responsible for rolling we detailed the ways in which apps overshare your information; now we take out the updates, often leading to delays a look at the large numbers of infected apps that make it past the screening 2.
    [Show full text]
  • Official Submission Kit Asia Pacific Edition 2020
    Official Submission Kit Asia Pacific Edition 2020 The Celebration of Mobile Talent To enter, visit mmaglobal.com/smarties/awards/programs/apac. Deadline is September 15, 2020 Mobile Marketing Mobile has disrupted the way people engage with brands. It is the foundation of a connected marketing strategy and marketing leaders must embrace this reality. Wendy Clark, CEO of DDB Worldwide says “If our plans don’t include mobile, your plans are not finished.” According to Salesforce, 71% marketers say that mobile marketing is core to their business, while 68% brands have integrated mobile marketing into their overall marketing strategy. It’s no longer a question of whether mobile marketing is important -- we know it is -- it’s now the case of understanding how consumers behave on mobile devices. Introducing SMARTIES What are the SMARTIES? The first and only annual competition honoring outstanding innovation and creativity resulting in significant business impact. An annual ‘Innovation’ Showcase recognizing significant achievement in the modern communications world where mobile is at the heart of consumer engagement and action. We know what kind of hours you’ve put into the work. We know the sleepless nights, the countless drafts, and the head-scratching dilemmas that come from bringing an idea into execution. It’s an All-Star Game for marketers. It’s the World Championship of innovation. It’s an underground tournament of known and unknown professionals, wrapped in the sparkle and allure of an award’s ceremony. SMARTIES identifies recipients as a major force driving marketing innovations of strategy, creativity, effectiveness, and most importantly, the execution of ideas.
    [Show full text]
  • 32:3 Berkeley Technology Law Journal
    32:3 BERKELEY TECHNOLOGY LAW JOURNAL 2017 Pages 1027 to 1300 Berkeley Technology Law Journal Volume 32, Number 3 Production: Produced by members of the Berkeley Technology Law Journal. All editing and layout done using Microsoft Word. Printer: Joe Christensen, Inc., Lincoln, Nebraska. Printed in the U.S.A. The paper used in this publication meets the minimum requirements of American National Standard for Information Sciences—Permanence of Paper for Library Materials, ANSI Z39.48—1984. Copyright © 2017 Regents of the University of California. All Rights Reserved. Berkeley Technology Law Journal University of California School of Law 3 Boalt Hall Berkeley, California 94720-7200 [email protected] http://www.btlj.org BERKELEY TECHNOLOGY LAW JOURNAL VOLUME 32 NUMBER 3 2017 TABLE OF CONTENTS ARTICLES FTC 2.0: KEEPING PACE WITH ONLINE PLATFORMS ....................................... 1027 Terrell McSweeny PLATFORM MARKET POWER ............................................................................ 1051 Kenneth A. Bamberger & Orly Lobel DETERRING CYBERCRIME: FOCUS ON INTERMEDIARIES .................................. 1093 Aniket Kesari, Chris Hoofnagle & Damon McCoy PLATFORM LAW AND THE BRAND ENTERPRISE ............................................... 1135 Sonia K. Katyal & Leah Chan Grinvald DESIGNING AGAINST DISCRIMINATION IN ONLINE MARKETS ......................... 1183 Karen Levy & Solon Barocas HOW DIGITAL ASSISTANTS CAN HARM OUR ECONOMY, PRIVACY, AND DEMOCRACY..................................................................................................... 1239 Maurice E. Stucke & Ariel Ezrachi SUBSCRIBER INFORMATION The Berkeley Technology Law Journal (ISSN1086-3818), a continuation of the High Technology Law Journal effective Volume 11, is edited by the students of the University of California, Berkeley, School of Law (Boalt Hall) and is published in print three times each year (March, September, December), with a fourth issue published online only (July), by the Regents of the University of California, Berkeley.
    [Show full text]
  • D53d0ae6fa776b682c5f58f65ac
    ERROR the Art of Imperfection Edited by Gerfried Stocker / Christine Schöpf / Hannes Leopoldseder Ars Electronica 2018 Festival for Art, Technology, and Society September 6—10, 2018 Ars Electronica, Linz Editors: Hannes Leopoldseder, Christine Schöpf, Gerfried Stocker Editing: Katia Kreuzhuber, Alexander Wöran Translations: German–English, all texts (unless otherwise indicated): Mel Greenwald English–German: Ingrid Fischer-Schreiber Copyediting: Laura Freeburn Graphic design and production: Cornelia Prokop, Lunart Werbeagentur Minion Typeface: Klavika PEFC Certified This product is from Printed by: Gutenberg-Werbering Gesellschaft m.b.H, Linz sustainably managed forests and controlled Paper: Magno Volume 1,1 Vol., 115 g/m2, 300 g/m2 sources EN www.pefc.org PEFC Certified © 2018 Ars Electronica PEFC Certified PEFC Certified © 2018 for the reproduced works by the artists,This product or is their legalThis product is This product is PEFC Certified from sustainably from sustainably from sustainably This product is from successors managed forests managed forests managed forests sustainably managed and controlled and controlled and controlled forests and controlled sources Published by sources sources sources Hatje Cantz Verlag GmbH www.pefc.org www.pefc.org www.pefc.org www.pefc.org Mommsenstrasse 27 10629 Berlin PEFC Certified Germany This product is from Tel. +49 30 3464678-00 sustainably managed Fax +49 30 3464678-29 forests and controlled www.hatjecantz.com sources A Ganske Publishing Group company www.pefc.org Hatje Cantz books are available
    [Show full text]
  • Privacy Threats Through Ultrasonic Side Channels on Mobile Devices
    Privacy Threats through Ultrasonic Side Channels on Mobile Devices Daniel Arp, Erwin Quiring, Christian Wressnegger and Konrad Rieck Technische Universitat¨ Braunschweig Brunswick, Germany Abstract—Device tracking is a serious threat to the privacy of user walked into a store. Furthermore, mobile applications users, as it enables spying on their habits and activities. A like Lisnr and Signal360 present location-specific content recent practice embeds ultrasonic beacons in audio and tracks on mobile devices such as vouchers for festivals and sport them using the microphone of mobile devices. This side channel events via ultrasonic beacons. Once the user has installed allows an adversary to identify a user’s current location, spy these applications on her phone, she neither knows when on her TV viewing habits or link together her different mobile the microphone is activated nor is she able to see which devices. In this paper, we explore the capabilities, the current information is sent to the company servers. prevalence and technical limitations of this new tracking tech- Finally, the developers of Silverpush filed a patent which nique based on three commercial tracking solutions. To this recently raised attention in the media [23] due to its privacy end, we develop detection approaches for ultrasonic beacons threat: The patent proposes to mark TV commercials using and Android applications capable of processing these. Our ultrasonic beacons, thus allowing them to precisely track a findings confirm our privacy concerns: We spot ultrasonic user’s viewing habits. In contrast to other tracking products, beacons in various web media content and detect signals in however, the number and the names of the mobile applica- 4 of 35 stores in two European cities that are used for location tions carrying this functionality are unknown.
    [Show full text]