In a presentation scheduled for this week’s Black Hat conference in London, security researchers from University College London will outline how new marketing software that uses ultrasound signals could also expose millions of devices to malicious hacking.
The underlying technology in question is known as ultrasonic cross-device tracking, or uXDT. Cross-device tracking has been called a ‘holy grail’ for marketers, allowing them to, for instance, tell your phone when you’re watching a particular TV show, or share data about laptop web browsing with your tablet. A variety of startups and services, including Korea’s Soundlly and the rewards app Shopkick, are developing or using versions of the technology.
There are already well-documented concerns about uXDT that have little to do with hackers. In March, the Federal Trade Commission warned several developers using software called Silverpush that they risked violating privacy guidelines by failing to disclose that apps could monitor users’ TV viewing habits.
The UCL team says the lack of disclosure and opt-out options on widely installed uXDT apps represents an even bigger threat, though. Such apps often actively listen for ultrasound signals, even when the app itself is closed, creating a new and relatively poorly understood pathway for hacking.
The researchers have already found ways to mine cloaked IP addresses. Speaking to New Scientist, UCL team member Vasilios Mavroudis suggests that an app’s always-on microphone access could be leveraged to monitor conversations (and, if you’re not paranoid already, to decipher what you’re typing). The ‘beacons’ that transmit ultrasound data can also be spoofed to manipulate apps’ user data.
This isn’t the first time that soundwaves have been implicated in hacking. In 2013, a security consultant named Dragos Ruiu said he witnessed several “air-gapped” machines—those with no Internet, Bluetooth, or other exploitable network connection—nonetheless spread an apparent virus strain he dubbed “badBIOS.” Ruiu initially speculated the persistent infection was being spread between machines via ultrasound. Though researchers have since largely debunked that theory, and though ultrasound can’t carry large amounts of data, something similar seems technically feasible.
The risk of ultrasound is particularly concerning because it’s a candidate for use in communication between the growing mass of Internet of Things devices. There are, according to Mavroudis, currently no standards for securing ultrasound beacons and signals. With last week’s massive IoT botnet attack still fresh in our memory, the UCL researchers are hoping to encourage the development of such standards. In the meantime, they’re also introducing a patch for Android that will allow better user supervision of ultrasound access.