Ultrasonic Cross-Device Tracking: The Hidden Eavesdropper in Your Pocket

Imagine you are watching your favorite TV show. When the ads start, you glance at your phone. Suddenly, a pop-up appears for the same chocolate bar that was just on the screen. This is not coincidence—it is ultrasonic cross-device tracking at work. This technology uses high-frequency sounds, inaudible to humans, to link your television, smartphone, tablet, and computer. Advertisers then build detailed profiles about your behavior across devices. But the implications go far beyond targeted ads.

How Ultrasonic Cross-Device Tracking Works

Ultrasonic cross-device tracking (uXDT) embeds ultrasound signals into TV commercials, radio ads, or JavaScript code in online banners. These signals are picked up by the microphones on your other devices—provided a receiving app is installed. Sometimes users agree to this, often in exchange for rewards or incentives. However, many mobile apps listen for these sounds without explicit consent, and some even lack an opt-out option.

The process is seamless. A TV ad emits an ultrasonic beacon. Your smartphone, with a compatible app running, detects it. The app then reports back to the advertising platform, linking your TV viewing to your phone activity. This allows advertisers to measure ad effectiveness: Did you watch the full ad? Did you search for the product later? The goal is a unified profile of your multi-device habits.

Privacy and Security Risks of Ultrasonic Tracking

De-Anonymizing Tor Users

Security researchers at Blackhat EU and the 33rd Chaos Communication Congress demonstrated a serious vulnerability. They showed that uXDT can be used to de-anonymize Tor users. In the attack, described by researcher Vasilios Mavroudis and his team, a Tor user is tricked into visiting a page that emits ultrasound—either through an ad or via cross-site scripting. If the user’s phone or tablet is within range and has a listening app, the mobile device sends identifying details to the advertiser. A state actor could then subpoena that data, potentially revealing the user’s real IP address, geo-location, Android ID, or IMEI code.

This means that even with Tor’s privacy protections, your identity can leak through your phone. The attack exploits the very connectivity that makes uXDT attractive to marketers.

Data Collection Without Consent

Beyond Tor, the broader concern is unauthorized data collection. Many apps that listen for ultrasound do not clearly inform users. They may run in the background, constantly monitoring for beacons. This raises serious questions about consent and transparency. For more on how advertisers track you online, see our guide on digital privacy tips.

Who Uses Ultrasonic Cross-Device Tracking?

Major companies are investing in uXDT. Google, Nestle, and Domino’s have either funded or used providers like SilverPush and Signal360. These platforms offer advertisers the ability to link users across devices, creating more precise targeting. But the technology remains controversial, especially when used without clear user consent.

Advertisers argue that uXDT improves the user experience by showing relevant ads. Privacy advocates counter that it undermines anonymity and can be exploited for surveillance. The line between personalization and intrusion is thin.

How to Protect Yourself from Ultrasonic Tracking

What can you do to block ultrasonic cross-device tracking? Here are practical steps:

• Check app permissions: Review which apps have access to your microphone. On Android and iOS, you can disable microphone access for apps that do not need it.
• Use browser extensions: Mavroudis and his team developed a Chrome extension called SilverDog that filters out ultrasound from HTML5 audio. However, it does not block sounds from Flash, and it is not available for Firefox (which Tor Browser is based on).
• Advocate for OS-level controls: The researchers propose a new Android permission that would require apps to explicitly request access to the ultrasound spectrum. This would give users more control.
• Support standardized beacons: A standardized format for ultrasound advertising beacons, similar to Bluetooth, could make it easier to detect and block them. For more on securing your devices, read our article on mobile security best practices.

Turning off your microphone entirely is not practical for most phone users. But being selective about which apps can listen is a reasonable first step.

The Future of Cross-Device Tracking

Ultrasonic cross-device tracking is not going away. As advertisers seek ever more detailed profiles, the technology will evolve. However, increased awareness and regulatory pressure may force greater transparency. The European Union’s GDPR and similar laws require explicit consent for tracking. Yet enforcement remains inconsistent.

For now, the best defense is vigilance. Know that your devices can communicate through sounds you cannot hear. And before you reach for that chocolate bar, consider: Was it your choice, or an algorithm’s?

About the Author: This article was adapted from original reporting by Sharon Conheady, director of First Defence Information Security and a founding member of The Risk Avengers. For more on security awareness, visit our security awareness training page.