Inaudible Soundwaves Expose a Spooky New Pathway for Hackers

Oct 30, 2016

In a presentation scheduled for this week’s Black Hat conference in London, security researchers from University College London will outline how new marketing software that uses ultrasound signals could also expose millions of devices to malicious hacking.

The underlying technology in question is known as ultrasonic cross-device tracking, or uXDT. Cross-device tracking has been called a ‘holy grail’ for marketers, allowing them to, for instance, tell your phone when you’re watching a particular TV show, or share data about laptop web browsing to your tablet. A variety of startups and services, including Korea’s Soundlly and the rewards app Shopkick, are developing or using versions of the technology.

There are already well-documented concerns about uXDT that have little to do with hackers. In March, the Federal Trade Commission warned several developers using software called Silverpush that they risked violating privacy guidelines by failing to disclose that apps could monitor users’ TV viewing habits.

The UCL team says the lack of disclosure and opt-out options on widely installed uXDT apps represents an even bigger threat, though. Such apps often actively listen for ultrasound signals, even when the app itself is closed, creating a new and relatively poorly understood pathway for hacking.

The researchers have already found ways to mine cloaked IP addresses. Speaking to New Scientist, UCL team member Vasilios Mavroudis suggests that an app’s always-on microphone access could be leveraged to monitor conversations (and, if you’re not paranoid already, to decipher what you’re typing). The ‘beacons’ that transmit ultrasound data can also be spoofed to manipulate apps’ user data.

This isn’t the first time that soundwaves have been implicated in hacking. In 2013, a security consultant named Dragos Ruiu said he witnessed several “air-gapped” machines—those with no Internet, Bluetooth, or other exploitable network connection—nonetheless spread an apparent virus strain he dubbed “badBIOS.” Ruiu initially speculated the persistent infection was being spread between machines via ultrasound. Though researchers have since largely debunked that theory, and though ultrasound can’t carry large amounts of data, something similar seems technically feasible.

The risk of ultrasound is particularly concerning because it’s a candidate for use in communication between the growing mass of Internet of Things devices. There are, according to Mavroudis, currently no standards for securing ultrasound beacons and signals. With last week’s massive IoT botnet attack still fresh in our memory, the UCL researchers are hoping to encourage the development of such standards. In the meantime, they’re also introducing a patch for Android that will allow better user supervision of ultrasound access.
