One such experiment has recently been performed by a team of student hackers, demonstrating a new attack method to turn smart devices into spying tools that could track your every move, including inferring sexual activity.
Dubbed CovertBand, the attack has been developed by four researchers at the University of Washington's Paul G. Allen School of Computer Science & Engineering, and is so powerful that it can record what a person is doing through a wall.
The CovertBand tracking system makes use of the built-in microphones and speakers—found in smartphones, laptops, tablets, smart assistant and other smart devices—as a receiver to pick up reflected sound waves, tracking the movements of anyone near the audio source.
Here's how the CovertBand Attack works:
To do so, the attackers would first trick victims into installing a third-party Android app on their smart device that does not require rooting.
Once installed, the malicious app secretly uses the AudioTrack API to play the acoustic signals at 18-20 kHz and to mask this high-frequency sound, the app 'covered' Covertband's pulses by playing songs or other audio clips over them that act as a sonar.
These sound waves would then bounce off people and objects, which is picked up by a microphone.
The app then uses AudioRecord API to record the signals simultaneously on two microphones to achieve 2D tracking. The recorded data is then received by the attacker on a laptop over Bluetooth for offline processing.
Since the attack requires access only to a speaker and microphone, an attacker could leverage a lot of smart devices that already exist in the victim's home to spy on unsuspecting targets.
"A remote adversary who compromises one of these [smart] devices, perhaps via a Trojan application in an app store or via a remote exploit, could use our methods to remotely glean information about an individual's home activities. An attacker could also find more surreptitious ways to execute such an attack," said the researchers.
"For example, a streaming music app with voice control has all the permissions (speaker and microphone) needed to execute our attack. As a simple example, an attacker could utilise the advertising library embedded inside a music application to determine whether the user is near the phone when an ad is played."
Video Demonstration of CovertBand Attack
The researchers experiment specifically focuses on two classes of motion:
- Linear motion — when the subject walks in a straight line.
- Periodic motion — when the subject remains in approximately the same position (lying on his or her back on the floor) but performs a periodic exercise.
According to the research paper [PDF], these motions would be differentiated by looking at the spectrograms, but are sufficient enough to potentially enable privacy leakage.
"For example, (1) models information that might be of interest to intelligence community members, e.g., to track the location of a target within a room and ( 2) could be used to infer sexual activity, for which the importance of protecting might vary depending on the target's culture and cultural norms or might vary depending on the target's public visibility, e.g., celebrity status or political status," the research paper reads.
How Intelligence Agency could use CovertBand
Imagine a spy "Alice" entering a foreign country and renting a hotel room adjacent to an individual "Bob," whom she intends to discreetly and covertly surveil.
Since the Alice can not enter the country with dedicated surveillance hardware, she would simply use the CovertBand attack to do 2D tracking of subjects even through walls, "something she could run on her phone and that would avoid arousing Bob’s suspicion."
To demonstrate this, the researchers showed a scenario where Bob pretended to go through a routine in the bathroom while Alice used CovertBand to track his movements.
They were able to determine that Bob walk around inside of a bathroom and likely spent less than 20 seconds sitting on the toilet and brushing his teeth.
"We placed the speaker setup 15 cm outside the bathroom door and performed four trials during which Bob spent less than 20 seconds doing each of the following: showering, drying o on the scale, sitting on the toilet, and brushing his teeth. During the experiment, the bathroom fan was ON, and we could not hear Bob performing any of the activities inside the bathroom," the research paper reads.The researchers believe their attack could be refined to enable the sensing of more subtle motions like the movement of hands, arms, or even fingers to gain both resolution and accuracy even in the absence of a direct path.
Protecting yourself from such attacks involves impractical defences for most people, like playing your own 18-20 kHz signals to jam CovertBand, but this could discomfort your pets and children, or soundproofing your homes with no windows.
The researchers hope that knowing about the consequences of such attacks would possibly prompt scientists to develop practical countermeasures.
