Napalm Automation

All about API

fingerprints

Cybersecurity expert Samuel Wheeler, who works with MIT CSAIL and the W3C Privacy Interest Group, has again raised the issue of hidden threats from the Web Audio API, designed to control audio content right in the browser. He believes that attackers could use the API to send unauthorized ultrasound.

According to Wheeler, the Web Audio API can transmit audio signals from the victim’s computer that a human can’t recognize. Meanwhile, these audio signals can be used to take a digital fingerprint of the device. According to the expert, the Web Audio API needs to be restricted so that it cannot be used to generate or listen to ultrasonic signals without permission. He suggested that users could be explicitly asked to enable the use of the Web Audio API.

Wheeler’s concerns are shared by Peter Snyder, privacy researcher at Brave Software and co-chair of PING. He said such techniques could be used “for cross-domain tracking; sites could pass ultrasound to other open pages, allowing cross-site tracking, which Brave and other privacy-focused browsers are trying to protect users from.” Brave has already added randomization to various Web Audio APIs to reduce the likelihood of digital fingerprinting in the browser.

Meanwhile, Google developer Raymond Toye believes it’s possible to let experts work exclusively with a single sampling rate.

Some developers, however, believe that limiting the available frequency could provoke phase shifts or delays, and that there is no reasonable lower or upper threshold suitable for all.

This problem of sound transmission has been brought to the attention of information security experts many times before.

Humans are capable of hearing sound frequencies between 20 Hz and 20,000 Hz, although individual ranges vary. Sound frequencies below and above the threshold of human hearing are known as infrasound and ultrasound. A few years ago, digital advertising companies began using ultrasonic signals to track people’s interests on different devices. If, for example, a television ad emits a covert inaudible signal, a smartphone near the TV can pick it up and transmit it to an app that updates the device owner’s targeting information with their browsing data.

The U.S. Commerce Department warned against such tracking in 2016. A later study confirmed that 234 Android apps were covertly tapping ultrasonic beacons. Such covert tracking was banned.

But even today, computer security researchers continue to find new ways to use ultrasound to exfiltrate data. It’s being used for legitimate operations as well – for example, the Google Cast app uses an ultrasonic token when pairing with a nearby Chromecast.
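As an added illustration (not code from the article or from any browser vendor), the sketch below shows how a defender could check a block of captured audio samples for a strong tone in the band most people cannot hear, the kind of signal the beacons described above rely on. The 18 kHz band edge, the alert threshold, the function names and the test signals are all assumptions made for this example.

```javascript
// Added example, not from the article. Band edge and threshold are assumptions.
const ULTRA_LO_HZ = 18000;   // assumed lower edge of the band most adults cannot hear
const MIN_POWER = 1e-4;      // assumed alert threshold (tone amplitude of about 0.01)

// Goertzel algorithm: squared magnitude of a single frequency, scaled so that
// a sine of amplitude A sitting exactly on a bin returns about A^2.
function goertzelPower(samples, freqHz, sampleRate) {
  const coeff = 2 * Math.cos((2 * Math.PI * freqHz) / sampleRate);
  let s1 = 0, s2 = 0;
  for (const x of samples) {
    const s0 = x + coeff * s1 - s2;
    s2 = s1;
    s1 = s0;
  }
  const n = samples.length;
  return (s1 * s1 + s2 * s2 - coeff * s1 * s2) / ((n * n) / 4);
}

// Scan from ULTRA_LO_HZ up to Nyquist in steps of one bin width and report
// the strongest component found in that range.
function scanInaudibleBand(samples, sampleRate) {
  const step = sampleRate / samples.length;
  let peakHz = null, peakPower = 0;
  for (let f = ULTRA_LO_HZ; f < sampleRate / 2; f += step) {
    const p = goertzelPower(samples, f, sampleRate);
    if (p > peakPower) { peakPower = p; peakHz = f; }
  }
  return { suspicious: peakPower > MIN_POWER, peakHz, peakPower };
}

// Constructed sample input: 100 ms of audio at 48 kHz.
function tone(freqHz, amplitude, sampleRate, n) {
  return Float64Array.from({ length: n }, (_, i) =>
    amplitude * Math.sin((2 * Math.PI * freqHz * i) / sampleRate));
}
const RATE = 48000, N = 4800;
const audible = tone(440, 0.5, RATE, N);            // ordinary audible content
const carrier = tone(19000, 0.05, RATE, N);         // quiet high-frequency tone
const mixed = audible.map((x, i) => x + carrier[i]);

console.log(scanInaudibleBand(audible, RATE).suspicious);
console.log(scanInaudibleBand(mixed, RATE));
```

With a rectangular window, a tone that falls between two bins is reported at reduced power, so the threshold needs tuning against real recordings. In a browser the same functions can be fed from the buffer filled by an `AnalyserNode`'s `getFloatTimeDomainData`.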
