Ultrasonic Cross-Device Tracking: The Hidden Eavesdropper in Your Pocket

Imagine you are watching your favorite TV show. When the ads start, you glance at your phone. Suddenly, a pop-up appears for the same chocolate bar that was just on the screen. This is not coincidence—it is ultrasonic cross-device tracking at work. This technology uses high-frequency sounds, inaudible to humans, to link your television, smartphone, tablet, and computer. Advertisers then build detailed profiles about your behavior across devices. But the implications go far beyond targeted ads.

How Ultrasonic Cross-Device Tracking Works

Ultrasonic cross-device tracking (uXDT) embeds ultrasound signals into TV commercials, radio ads, or JavaScript code in online banners. These signals are picked up by the microphones on your other devices—provided a receiving app is installed. Sometimes users agree to this, often in exchange for rewards or incentives. However, many mobile apps listen for these sounds without explicit consent, and some even lack an opt-out option.

The process is seamless. A TV ad emits an ultrasonic beacon. Your smartphone, with a compatible app running, detects it. The app then reports back to the advertising platform, linking your TV viewing to your phone activity. This allows advertisers to measure ad effectiveness: Did you watch the full ad? Did you search for the product later? The goal is a unified profile of your multi-device habits.

Privacy and Security Risks of Ultrasonic Tracking

De-Anonymizing Tor Users

Security researchers at Blackhat EU and the 33rd Chaos Communication Congress demonstrated a serious vulnerability. They showed that uXDT can be used to de-anonymize Tor users. In the attack, described by researcher Vasilios Mavroudis and his team, a Tor user is tricked into visiting a page that emits ultrasound—either through an ad or via cross-site scripting. If the user’s phone or tablet is within range and has a listening app, the mobile device sends identifying details to the advertiser. A state actor could then subpoena that data, potentially revealing the user’s real IP address, geo-location, Android ID, or IMEI code.

This means that even with Tor’s privacy protections, your identity can leak through your phone. The attack exploits the very connectivity that makes uXDT attractive to marketers.

Data Collection Without Consent

Beyond Tor, the broader concern is unauthorized data collection. Many apps that listen for ultrasound do not clearly inform users. They may run in the background, constantly monitoring for beacons. This raises serious questions about consent and transparency. For more on how advertisers track you online, see our guide on digital privacy tips.

Who Uses Ultrasonic Cross-Device Tracking?

Major companies are investing in uXDT. Google, Nestle, and Domino’s have either funded or used providers like SilverPush and Signal360. These platforms offer advertisers the ability to link users across devices, creating more precise targeting. But the technology remains controversial, especially when used without clear user consent.

Advertisers argue that uXDT improves the user experience by showing relevant ads. Privacy advocates counter that it undermines anonymity and can be exploited for surveillance. The line between personalization and intrusion is thin.

How to Protect Yourself from Ultrasonic Tracking

What can you do to block ultrasonic cross-device tracking? Here are practical steps:

• Check app permissions: Review which apps have access to your microphone. On Android and iOS, you can disable microphone access for apps that do not need it.
• Use browser extensions: Mavroudis and his team developed a Chrome extension called SilverDog that filters out ultrasound from HTML5 audio. However, it does not block sounds from Flash, and it is not available for Firefox (which Tor Browser is based on).
• Advocate for OS-level controls: The researchers propose a new Android permission that would require apps to explicitly request access to the ultrasound spectrum. This would give users more control.
• Support standardized beacons: A standardized format for ultrasound advertising beacons, similar to Bluetooth, could make it easier to detect and block them. For more on securing your devices, read our article on mobile security best practices.

Turning off your microphone entirely is not practical for most phone users. But being selective about which apps can listen is a reasonable first step.

The Future of Cross-Device Tracking

Ultrasonic cross-device tracking is not going away. As advertisers seek ever more detailed profiles, the technology will evolve. However, increased awareness and regulatory pressure may force greater transparency. The European Union’s GDPR and similar laws require explicit consent for tracking. Yet enforcement remains inconsistent.

For now, the best defense is vigilance. Know that your devices can communicate through sounds you cannot hear. And before you reach for that chocolate bar, consider: Was it your choice, or an algorithm’s?

About the Author: This article was adapted from original reporting by Sharon Conheady, director of First Defence Information Security and a founding member of The Risk Avengers. For more on security awareness, visit our security awareness training page.

Why API Dependancy, IoT Expansion, and GDPR Will Define Cybersecurity in 2017, According to (ISC)2

As the digital economy accelerates, 2017 is poised to be a pivotal year for cybersecurity. Experts from (ISC)2 highlight that increasing API dependancy, the rapid growth of the Internet of Things (IoT), and the enforcement of GDPR will fundamentally reshape how businesses approach data protection. These forces are not just technological shifts—they are catalysts for a new era of accountability and risk management.

The Growing Risk of API Dependancy in a Connected Economy

Application Programming Interfaces (APIs) have quietly become the backbone of modern digital interactions. They enable software and systems to communicate seamlessly, powering everything from mobile apps to smart home devices. However, this increasing API dependancy also introduces significant vulnerabilities.

Consider Transport for London’s open API, which supports over 500 travel apps, or the Amazon Echo’s API that connects kettles to cars. While these innovations enhance convenience, they also create potential pathways for cyberattacks. A single weak API in an app store could compromise millions of smartphones. As a result, businesses must embed security into the design phase of every API-driven system.

IoT Expansion: New Threats and Shared Responsibilities

The Internet of Things (IoT) is expanding at an unprecedented rate. By 2020, there could be up to 20.8 billion connected devices, from traffic lights to medical implants. This growth, fueled by initiatives like the UK’s £40 million IoT investment and the EU’s €365 million Smart Cities funding, promises efficiency but also introduces complex security challenges.

In a connected world, a cyberattack on one sector—say, energy—can quickly cascade into others, such as transportation or healthcare. This interconnectedness demands cross-sector intelligence sharing. The cybersecurity profession must evolve from siloed competition to collaborative defense. As GDPR compliance looms, companies will be legally obligated to protect data across the entire supply chain, further driving this convergence.

GDPR Compliance: Shifting Accountability to the Boardroom

The General Data Protection Regulation (GDPR) represents a seismic shift in data privacy. With fines of up to 4% of global turnover, it gives regulators real enforcement power. Crucially, GDPR places responsibility squarely on corporate boards, not just IT departments.

Boards must now appoint data privacy officers and oversee privacy strategies. This change is already driving demand for cyber insurance and forcing businesses to integrate cybersecurity into risk management. As a result, 2017 will see cybersecurity earn a permanent seat in the boardroom.

How GDPR Affects Data Integrity

Beyond fines, GDPR aims to restore consumer trust. High-profile data breaches have made users wary of sharing personal information. Some are already falsifying details online, undermining the data-driven economy. GDPR’s transparency requirements will compel companies to disclose breaches, but this could further erode trust if not handled carefully. Businesses must prioritize data integrity to maintain the fuel of the digital economy.

3D Printing and the Industrial Supply Chain

Another emerging threat comes from 3D printing, which is transforming manufacturing. Printable files contain millions of lines of code, effectively creating a “data supply chain.” However, without universal cybersecurity standards, these files are vulnerable to sabotage.

Imagine a drone crashing because a hacker altered its propeller design during printing. Such scenarios are not far-fetched. The digitalization of manufacturing means that cybersecurity can no longer be an afterthought. Industry 4.0 demands built-in protections at the design stage to ensure product safety.

Cross-Sector Collaboration: The Future of Cybersecurity

As API dependancy and IoT blur industry boundaries, cybersecurity professionals must adapt. The threat landscape is no longer confined to one sector—an attack on a smart city’s traffic system could disrupt emergency services. Therefore, intelligence sharing across energy, healthcare, and finance is essential.

GDPR will accelerate this trend by making every link in the data supply chain accountable. Companies are already calling for co-operation, and 2017 may herald a new era where cybersecurity thrives on partnership rather than competition. For more insights, explore our guide on cybersecurity strategies for 2017 and learn about GDPR compliance steps.

In conclusion, the convergence of API dependancy, IoT proliferation, and GDPR enforcement will define 2017. Businesses that embrace proactive security, board-level accountability, and cross-sector collaboration will be best positioned to thrive in this new landscape.

Exploit Threats Evolve: The Emergence of TrickLoader and TrickBot

Cybersecurity experts have identified a troubling shift in the exploit landscape. The market for malicious tools is diversifying, giving rise to fresh dangers. Among the most recent are TrickLoader and a revived version of the older TrickBot. Originally flagged by Arbor Networks in 2014, TrickBot has resurfaced with new capabilities. These exploit threats highlight how attackers recycle and refine code to bypass defenses.

Understanding the Evolution of TrickBot and QuantLoader

According to Recorded Future, the code behind TrickBot was reused and rebranded as QuantLoader in 2016. This transformation was fueled by distribution through multiple exploit kits, including the notorious RIG. ForcePoint tracked the bot as it changed names but retained core functions from the earlier Madness Bot. This means that the malware still modifies local firewall rules using the netsh command and adjusts file permissions via CACLS. Such behavior allows it to maintain persistence and evade detection.

How Exploit Kits Deliver These Threats

One key differentiator for QuantLoader is its delivery mechanism. Unlike many rivals, it relies heavily on exploit kits—particularly the RIG exploit kit. In late November 2016, researchers observed compromised websites using .top domains to host landing pages. These pages then dropped QuantLoader onto victims’ systems. This approach gives attackers a flexible and scalable infection vector. Similarly, the RIG kit also deployed TrickLoader, which borrows code from the earlier Dyreza botnet. Dyreza, first identified in 2015, used compromised routers as part of its toolkit.

Indicators of Compromise for QuantLoader

Security teams should monitor for the following indicators linked to QuantLoader:
– Command-and-control server: 195.161.62.222
– URI pattern: GET / ba/index.php
– RIG landing page: Unspecified.mtw.ru (IP: 194.87.238.156)
– SHA-1 hash: 4b8ac2ae5ae8a4fff43b88893ee202ffc4c5ac16

Indicators of Compromise for TrickLoader

For TrickLoader, watch for these signs:
– RIG pages: 70.39.115.202 and hxxp://um8ycv.v9rg6k.top/
– Trick URL: 78.47.139.102
– Possible fake SSL certificate address: 207.35.75.110
– SHA-1 hash: abeb1660ddda663d0495a5d214e2f6a9fac6cb80

Defending Against Modern Exploit Threats

In today’s threat environment, organizations cannot afford complacency. Cybersecurity must be a boardroom priority. To combat these evolving exploit threats, companies should implement a multi-layered defense strategy. This includes an effective security education program for employees, a robust threat intelligence system, and a well-practiced incident response plan. By staying informed about indicators of compromise and leveraging tools like threat intelligence platforms, businesses can protect their data assets. Additionally, regular security awareness training helps staff recognize phishing attempts and other attack vectors.

Building a Resilient Security Posture

As the exploit market continues to diversify, new threats will emerge. However, with proactive defense measures, organizations can reduce their risk. Start by reviewing your firewall rules and file permissions regularly. Use network monitoring to detect unusual outbound connections. Finally, ensure your incident response plan is up to date. By taking these steps, you can stay ahead of cybercriminals who rely on recycled code and evolving tactics.