Skip to main content

Smart Devices Can Be Hijacked to Track Your Body Movements And Activities Remotely

If your smartphones, tablets, smart refrigerators, smart TVs and other smart devices are smart enough to make your life easier, their smart behavior could also be leveraged by hackers to steal data, invade your privacy or spy on you, if not secured properly.

One such experiment has recently been performed by a team of student hackers, demonstrating a new attack method to turn smart devices into spying tools that could track your every move, including inferring sexual activity.

Dubbed CovertBand, the attack has been developed by four researchers at the University of Washington's Paul G. Allen School of Computer Science & Engineering, and is so powerful that it can record what a person is doing through a wall.

The CovertBand tracking system makes use of the built-in microphones and speakers—found in smartphones, laptops, tablets, smart assistant and other smart devices—as a receiver to pick up reflected sound waves, tracking the movements of anyone near the audio source.

Here's how the CovertBand Attack works:


The attacking approach involves remotely hijacking of smart devices to play music embedded with repeating pulses that track one's position, body movements, and activities both near the device and through walls.

To do so, the attackers would first trick victims into installing a third-party Android app on their smart device that does not require rooting.

Once installed, the malicious app secretly uses the AudioTrack API to play the acoustic signals at 18-20 kHz and to mask this high-frequency sound, the app 'covered' Covertband's pulses by playing songs or other audio clips over them that act as a sonar.

These sound waves would then bounce off people and objects, which is picked up by a microphone.

The app then uses AudioRecord API to record the signals simultaneously on two microphones to achieve 2D tracking. The recorded data is then received by the attacker on a laptop over Bluetooth for offline processing.

Since the attack requires access only to a speaker and microphone, an attacker could leverage a lot of smart devices that already exist in the victim's home to spy on unsuspecting targets.
"A remote adversary who compromises one of these [smart] devices, perhaps via a Trojan application in an app store or via a remote exploit, could use our methods to remotely glean information about an individual's home activities. An attacker could also find more surreptitious ways to execute such an attack," said the researchers. 
"For example, a streaming music app with voice control has all the permissions (speaker and microphone) needed to execute our attack. As a simple example, an attacker could utilise the advertising library embedded inside a music application to determine whether the user is near the phone when an ad is played."
The researchers demonstrated how the CovertBand attack could potentially enable an attacker to differentiate between different types of people's movements even when they are in different body positions and orientations.

 More Links:

Nearly Half of the Norway Population Exposed in HealthCare Data Breach



The researchers experiment specifically focuses on two classes of motion:
  • Linear motion — when the subject walks in a straight line.
  • Periodic motion — when the subject remains in approximately the same position (lying on his or her back on the floor) but performs a periodic exercise.

According to the research paper [PDF], these motions would be differentiated by looking at the spectrograms, but are sufficient enough to potentially enable privacy leakage.
"For example, (1) models information that might be of interest to intelligence community members, e.g., to track the location of a target within a room and ( 2) could be used to infer sexual activity, for which the importance of protecting might vary depending on the target's culture and cultural norms or might vary depending on the target's public visibility, e.g., celebrity status or political status," the research paper reads.

How Intelligence Agency could use CovertBand



While explaining different scenarios, the researchers explained how spy agencies could use such tools for leaking information about obscured activities of a target even in the presence of background or cover noise.

Imagine a spy "Alice" entering a foreign country and renting a hotel room adjacent to an individual "Bob," whom she intends to discreetly and covertly surveil.

Since the Alice can not enter the country with dedicated surveillance hardware, she would simply use the CovertBand attack to do 2D tracking of subjects even through walls, "something she could run on her phone and that would avoid arousing Bob’s suspicion."

To demonstrate this, the researchers showed a scenario where Bob pretended to go through a routine in the bathroom while Alice used CovertBand to track his movements.

They were able to determine that Bob walk around inside of a bathroom and likely spent less than 20 seconds sitting on the toilet and brushing his teeth.
"We placed the speaker setup 15 cm outside the bathroom door and performed four trials during which Bob spent less than 20 seconds doing each of the following: showering, drying o on the scale, sitting on the toilet, and brushing his teeth. During the experiment, the bathroom fan was ON, and we could not hear Bob performing any of the activities inside the bathroom," the research paper reads.
The researchers believe their attack could be refined to enable the sensing of more subtle motions like the movement of hands, arms, or even fingers to gain both resolution and accuracy even in the absence of a direct path.

Protecting yourself from such attacks involves impractical defences for most people, like playing your own 18-20 kHz signals to jam CovertBand, but this could discomfort your pets and children, or soundproofing your homes with no windows.

The researchers hope that knowing about the consequences of such attacks would possibly prompt scientists to develop practical countermeasures.

 More Links:


Labels:
Location: United States

Comments

Post a Comment

Popular posts from this blog

Chrome Web Browser Will Now Use 10% More RAM With Spectre Fix

A new security feature named ‘Site Isolation’ has been introduced for Google Chrome 67 which would nullify the effects of speculative execution side-channel attacks like Spectre. To put things to the perspective, Spectre is one of the two fundamental design flaws in the  modern processors, which allow programs to get access to the data for which it is not authorized. Malicious data can exploit this flaw to steal your password and other personal information. What is Site Isolation? The new Site Isolation feature introduced in Google Chrome 67 brings about a fundamental change to Chrome’s architecture. Now, Chrome has changed how its multi-process architecture worked and different tabs used different render processes. According to the new architecture, Chrome limits each renderer process to a single site. By this separation of processes, Google aims to prevent direct memory reading across different processes to safeguard users’ data. According to G...
Post a Comment
Read more

Google starts rolling out ‘Call Screen’ feature for Pixel smartphones

San Francisco, Dec 2 (IANS) Google has started rolling out a feature for its Pixel smartphones that lets users make use of the Google Assistant to see who is calling and why before they answer a call. The feature allows users to see a real-time transcript of how the caller responds so that they can then decide whether to pick up, respond by tapping a quick reply (for example, “I’ll call you back later”), or mark the call as spam and dismiss. “Call Screen is only available to English speakers in the United States who have Pixel 2, 2 XL, 3, or 3XL devices. If you don’t see Call Screen in the Phone app’s settings, it’s not available yet,” Google said. Call Screen, which can help users save the time spent on picking up unimportant calls from unknown numbers, does not use Wi-Fi or mobile data of the user. This feature does not work with third-party call recording and screen recording apps as these apps may interfere with how the feature works. It is better to turn off these app...
Post a Comment
Read more

Amazon, Reddit And Others Fail To Warn Us About Dumb Passwords

B elieve it or not, there is still a large number of people who use passwords such as “password,” “password123”, “[dog’s name]1” and others along the same lines. And in the era of sophisticated hacking, these passwords are not exactly “safe.” Before me, this is the first thing websites should inform you while setting up a password. But apparently, many big names are not doing enough to encourage non-terrible passwords, according to  the new research . Steve Furnell from the University of Plymouth has been keeping tabs on the websites like Amazon, Reddit, and Wikipedia for many years, carrying out similar assessments in 2007, 2011 and 2014. His 2018 survey examined practices of Google, Facebook, Wikipedia, Reddit, Yahoo, Amazon, Twitter, Instagram, Microsoft Live, and Netflix. The study concluded that Amazon had the worst performance among all the names. It nearly accepted every kind of password of any length. On the other hand, Yahoo and Wikip...
Post a Comment
Read more