Nowadays users often possess a variety of electronic devices for communication and entertainment. In particular, smartphones are playing an increasingly central role in users’ lives: Users carry them everywhere they go and often use them to control other devices. This trend provides incentives for the industry to tackle new challenges, such as cross-device authentication, and to develop new monetization schemes. A new technology based on ultrasounds has recently emerged to meet these demands. Ultrasound technology has a number of desirable features: it is easy to deploy, flexible, and inaudible by humans. This technology is already utilized in a number of different real-world applications, such as device pairing, proximity detection, and cross-device tracking.
This paper examines the different facets of ultrasound-based technology. Initially, we discuss how it is already used in the real world, and subsequently examine this emerging technology from the privacy and security perspectives. In particular, we first observe that the lack of OS features results in violations of the principle of least privilege: an app that wants to use this technology currently needs to require full access to the device microphone. We then analyse real-world Android apps and find that tracking techniques based on ultrasounds suffer from a number of vulnerabilities and are susceptible to various attacks. For example, we show that ultrasound cross-device tracking deployments can be abused to perform stealthy deanonymization attacks (e.g., to unmask users who browse the Internet through anonymity networks such as Tor), to inject fake or spoofed audio beacons, and to leak a user’s private information.
Based on our findings, we introduce several defense mechanisms. We first propose and implement immediately deployable defenses that empower practitioners, researchers, and everyday users to protect their privacy. In particular, we introduce a browser extension and an Android permission that enable the user to selectively suppress frequencies falling within the ultrasonic spectrum. We then argue for the standardization of ultrasound beacons, and we envision a flexible OS-level API that addresses both the effortless deployment of ultrasound-enabled applications, and the prevention of existing privacy and security problems.
 C. Calabrese. Comments for November 2015 Workshop on Cross-Device Tracking.
 C. Castelluccia, M.-A. Kaafar, and M.-D. Tran. Betrayed by your ads! In Privacy Enhancing Technologies Symposium, pages 1–17. Springer, 2012.
 T. Chen, I. Ullah, M. A. Kaafar, and R. Boreli. Information leakage through mobile analytics services. In Proceedings of the 15th Workshop on Mobile Computing Systems and Applications, page 15. ACM, 2014.
 M. Marlinspike. New tricks for defeating ssl in practice.
 W. Meng, X. Xing, A. Sheth, U. Weinsberg, and W. Lee. Your online interests: Pwned! a pollution attack against targeted advertising. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pages 129–140. ACM, 2014.
 L. Olejnik, C. Castelluccia, et al. Selling off privacy at auction. 2014.
 G. Petracca, Y. Sun, T. Jaeger, and A. Atamli. AuDroid: Preventing Attacks on Audio Channels in Mobile Devices. In Annual Computer Security Applications Conference. ACM Press.
 E. Ramirez. Transcript - Part 1. In FTC Cross-Device Tracking Workshop.
 E. Ramirez. Transcript - Part 2. In FTC Cross-Device Tracking Workshop.
 C. Roeding and A. Emigh. Method and system for location-triggered rewards, July 16 2013. US Patent 8,489,112.
 X. Su and T. M. Khoshgoftaar. A survey of collaborative filtering techniques. Advances in artificial intelligence, 2009:4, 2009.
 V. Subramanian, S. Uluagac, H. Cam, and R. Beyah. Examining the characteristics and implications of sensor side channels. In Communications (ICC), 2013 IEEE International Conference on, pages 2205–2210. IEEE.
 P. Winter, R. Köwer, M. Mulazzani, M. Huber, S. Schrittwieser, S. Lindskog, and E. Weippl. Spoiled Onions: Exposing Malicious Tor Exit Relays. In Privacy Enhancing Technologies Symposium. Springer, 2014.
 X. Xing, W. Meng, D. Doozan, A. C. Snoeren, N. Feamster, and W. Lee. Take this personally: Pollution attacks on personalized services. In Proceedings of the 22nd USENIX Security Symposium, 2013.
 J. Yan, N. Liu, G. Wang, W. Zhang, Y. Jiang, and Z. Chen. How much can behavioral targeting help online advertising? In Proceedings of the 18th international conference on World wide web, pages 261–270. ACM, 2009.
 Y. Yuan, F. Wang, J. Li, and R. Qin. A survey on real time bidding advertising. In Service Operations and Logistics, and Informatics (SOLI), 2014 IEEE International Conference on, pages 418–423. IEEE, 2014.
 W. Zhang, L. Chen, and J. Wang. Implicit look-alike modelling in display ads: Transfer collaborative filtering to ctr estimation. arXiv preprint arXiv:1601.02377, 2016.