According to research by the University of Washington, hackers could embed a high-frequency sound in audio recordings that acts as a sonar. Sound waves would bounce off people and objects and this is picked up by a microphone.
Hackers could then use this information to produce an image of a person's environs and actions.
Researchers showed how this can be done using a Samsung Galaxy S4 with common audio devices, including four portable speakers and a home theatre system. Researchers ran experiments in five homes in the Seattle area to demonstrate CovertBand's ability to help an attacker both localise victims and leak information about activities even in scenarios where those activities are not audible.
The research found that people could be tracked as they walk across a room and they were also able to track persons and objects in nearby rooms as wellas though doors, walls and windows.
Researchers said that in tests w CovertBand can track walking subjects with a mean tracking error of 18 cm and subjects moving at a fixed position with an accuracy of 8 cm at up to 6 m in line-of-sight and 3 m through barriers. In tests with 33 subjects, they also showed that even in ideal scenarios, listeners were unlikely to detect a CovertBand attack.
The paper looked at a few scenarios where such attacks could happen. One would be where a spy enters a foreign country and rents a hotel room to monitor a target. The spy cannot use h dedicated surveillance hardware, and cannot acquire any suspicious new hardware while in-country. Researchers said that a spy could benet from using a covert monitoring mechanism, something they could run on their phone and that would avoid arousing suspicion.
The attack could also be used in vigilante justice. “In some cases, revealing certain private activities can be dangerous to victims. For example, many countries or non-government entities persecute pre-marital or other sexual partnerships. We note that in many of these cases, vigilantes do not seek conclusive evidence before condemning victims; as such, the possibility of even circumstantial evidence could pose security threats for these individuals,” said researchers.
Lastly, the attack could leverage devices already inside a victim's home. Because the attack requires access only to a speaker and microphone, an attacker can leverage many devices that already exist in the home environment.
“A remote adversary who compromises one of these devices, perhaps via a trojan application in an app store or via a remote exploit, could use our methods to remotely glean information about an individual's home activities. An attacker could also find more surreptitious ways to execute such an attack. For example, a streaming music app with voice control has all the permissions (speaker and microphone) needed to execute our attack. As a simple example, an attacker could utilise the advertising library embedded inside a music application to determine whether the user is near the phone when an ad is played,” said the researchers.
The researchers said that with further work, the attack could be refined to enable the sensing of more subtle motions such as the movement of hands, arms, or even fingers.
Tim Woods, VP of Technology Alliances at FireMon, told SC Media UK that he remains sceptical on using music to track an individual's activity but it doesn't negate the fact that our so called “Smart devices” are too often not so smart when it comes to security.
“Handheld smart devices, and the growing household of IoT smart devices, is yet another attack surface that needs to be better defended. The security of this surface, be it perimeter or embedded, has been found woefully open to exploitation. Better comprehensive security measures must be a consideration at the core of the operating systems driving our smart devices and IoT devices. Personal authentication must be well implemented and internal command authenticity must be validated. Bottom line… security must start at the core and perpetuate out,” he said.