[tor-bugs] #20214 [Applications/Tor Browser]: Ultrasound Cross Device Tracking techniques could be used to launch deanonymization attacks against some users
#20214: Ultrasound Cross Device Tracking techniques could be used to launch
deanonymization attacks against some users
------------------------------------------+------------------------------
Reporter: VasiliosMavroudis | Owner: tbb-team
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version: Tor: unspecified
Severity: Normal | Keywords:
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
------------------------------------------+------------------------------
Emerging cross-device tracking technologies based on ultrasound could be
used to fully deanonymize Tor users.

Advertisers started using ultrasounds to link multiple devices owned by
the same user (i.e., perform ultrasound cross-device tracking, uXDT). For
this purpose, they release advertising frameworks that can be incorporated
in apps (e.g., Android apps). These frameworks listen for a series of tones
in the ultrasonic spectrum, and once one is detected, they report it to
the advertiser's servers.

It is easy to see how this could be exploited. The attacker sets up a
hidden service playing such a beacon in the background and lures the
victim to visit it using Tor Browser. Once the victim loads the page, the
tone is played through the speakers, and his/her phone picks the inaudible
tone up and reports it to the advertiser's server. A state-level adversary
can then easily retrieve the Tor user's IP (and other unique identifiers)
from the advertiser.

Since the technology is emerging, we believe that taking action now rather
than later would be preferable.

One solution would be to filter out all inaudible frequencies emitted by
each visited webpage. We have developed such an extension for Chrome and a
similar addon can be easily developed for the Tor Browser. However, since
there are similar tracking technologies using the audible spectrum, it may
be a good idea to disable audio by default when using the Tor Browser, or
ask for user permission each time. In practice, this could be done by
asking the user through popups, similarly to those used when requesting
access to the user's location and the microphone.

We would be happy to provide more details and/or help in the development
of a countermeasure for the Tor Browser.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20214>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
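
The filtering countermeasure proposed in the ticket, sketched as an added example (not code from the report or from the reporters' Chrome extension): a cascaded low-pass filter applied to page audio, with a Goertzel measurement showing how much a near-ultrasonic tone is attenuated while audible content passes. The 48 kHz sample rate, 17 kHz cutoff, four filter sections and the 19 kHz and 1 kHz test tones are all assumptions chosen for illustration.

```javascript
// Added example. FS, CUTOFF, the section count and the test tones are assumed values.
const FS = 48000;      // sample rate in Hz (assumed)
const CUTOFF = 17000;  // low-pass corner in Hz (assumed)

// RBJ "cookbook" second-order low-pass coefficients, normalised by a0.
function lowpassCoeffs(fc, fs, q = Math.SQRT1_2) {
  const w0 = 2 * Math.PI * fc / fs;
  const cosw = Math.cos(w0), alpha = Math.sin(w0) / (2 * q), a0 = 1 + alpha;
  return { b0: (1 - cosw) / 2 / a0, b1: (1 - cosw) / a0, b2: (1 - cosw) / 2 / a0,
           a1: -2 * cosw / a0, a2: (1 - alpha) / a0 };
}

// Pass samples through `sections` identical biquads (direct form I).
function lowpass(samples, fc = CUTOFF, fs = FS, sections = 4) {
  const c = lowpassCoeffs(fc, fs);
  let out = Float64Array.from(samples);
  for (let s = 0; s < sections; s++) {
    let x1 = 0, x2 = 0, y1 = 0, y2 = 0;
    out = out.map((x) => {
      const y = c.b0 * x + c.b1 * x1 + c.b2 * x2 - c.a1 * y1 - c.a2 * y2;
      x2 = x1; x1 = x; y2 = y1; y1 = y;
      return y;
    });
  }
  return out;
}

// Goertzel algorithm: power at one frequency, normalised by buffer length squared.
function tonePower(samples, freq, fs = FS) {
  const k = 2 * Math.cos(2 * Math.PI * freq / fs);
  let s1 = 0, s2 = 0;
  for (const x of samples) { const s0 = x + k * s1 - s2; s2 = s1; s1 = s0; }
  return (s1 * s1 + s2 * s2 - k * s1 * s2) / (samples.length ** 2);
}

// Constructed test input: a unit-amplitude sine of n samples.
function tone(freq, n = 4800, fs = FS) {
  return Float64Array.from({ length: n }, (_, i) => Math.sin(2 * Math.PI * freq * i / fs));
}

// Change in power (dB) at `freq` after filtering a pure tone of that frequency.
function attenuationDb(freq) {
  const input = tone(freq);
  return 10 * Math.log10(tonePower(lowpass(input), freq) / tonePower(input, freq));
}

console.log("19 kHz beacon tone:", attenuationDb(19000).toFixed(1), "dB");
console.log("1 kHz audible tone:", attenuationDb(1000).toFixed(2), "dB");
```

As the ticket itself notes, a filter like this does nothing against beacons placed in the audible spectrum, which is why the report also proposes disabling audio by default or prompting the user.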