In recent months, even established industry standards like Bluetooth[1] and WPA2 Wi-Fi[2] have been shown to have vulnerabilities and flaws. But as impactful and potentially damaging as these revelations have been, some wireless communication technologies have their own alarming risks—precisely because the industry hasn't yet agreed on how to architect and implement them.
Among those haphazard wireless technologies are ultrasonic communications. Ultrasounds have already gained a sinister reputation for their use in device tracking[3] schemes in which apps gain permission to access a user's smartphone, then listen for inaudible "beacons" being broadcast in advertisements, websites, and even physical stores. At the RSA security conference in San Francisco on Tuesday, researchers are presenting new findings about where things stand with ultrasonic communication—and how concerned you should be about the technology.
'Leaving ultrasound completely unchecked causes confusion, and implementations are flawed because they're ad hoc.'
Giovanni Vigna, University of California Santa Barbara
Giovanni Vigna, a mobile and web security researcher at the University of California in Santa Barbara, and Vasilios Mavroudis, a doctoral researcher at University College London say that ultrasonic cross-device tracking, while certainly not eradicated[4], hasn't been gaining widespread adoption, thanks in part to an outcry from privacy watchdogs and an aggressive FTC probe a few years ago. Instead, ultrasonic communication technology has increasingly found usefulness for a diverse array of location-based services, in which an app listens for beacons and suggests location-related services or content when your device is close enough to hear particular ultrasonic emissions. This approach is being used to serve information for walking tours and museum visits, facilitate ticketing at stadiums and other venues, and create novel effects like light shows that coordinate the camera flashes on attendees' phones at an event.
Vigna