[Script Info]
Title: 
[Events]
Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text
Dialogue: 0,0:00:00.00,0:00:13.85,Default,,0000,0000,0000,,{\i1}preroll music{\i0}
Dialogue: 0,0:00:13.85,0:00:18.72,Default,,0000,0000,0000,,Vasilios: Hello, everyone, thanks for coming\Ntoday. I'm going to introduce the ultrasound
Dialogue: 0,0:00:18.72,0:00:24.50,Default,,0000,0000,0000,,ecosystem, which is an exotic and kind of\Nlittle known ecosystem. So I would like to
Dialogue: 0,0:00:24.50,0:00:29.82,Default,,0000,0000,0000,,start with a short story about the\Nproduct, which is also our motivation for
Dialogue: 0,0:00:29.82,0:00:39.87,Default,,0000,0000,0000,,this work. So some time ago, there was a\Nproduct that worked in the ultrasound
Dialogue: 0,0:00:39.87,0:00:44.45,Default,,0000,0000,0000,,spectrum that cannot be perceived by\Nhumans. And the product was actually an
Dialogue: 0,0:00:44.45,0:00:50.70,Default,,0000,0000,0000,,interesting idea. It was very promising\Nand everything, but it also had a fatal
Dialogue: 0,0:00:50.70,0:00:56.73,Default,,0000,0000,0000,,flaw. So now that I've done this\Nintroduction, I would like to tell you
Dialogue: 0,0:00:56.73,0:01:01.35,Default,,0000,0000,0000,,more about the story of the product and\Nhow it came to be and what was it? What
Dialogue: 0,0:01:01.35,0:01:08.15,Default,,0000,0000,0000,,was its lifecycle. So 2012, a company\Ncalled SilverPush was a startup in
Dialogue: 0,0:01:08.15,0:01:14.81,Default,,0000,0000,0000,,India. It was founded there and they had\Nthis ultrasound device tracking product.
Dialogue: 0,0:01:14.81,0:01:18.77,Default,,0000,0000,0000,,I'll go more into the technical details\Nlater. So for a couple of years, they were
Dialogue: 0,0:01:18.77,0:01:26.79,Default,,0000,0000,0000,,working on that product. And it wasn't\Nuntil 2014 that they basically got some
Dialogue: 0,0:01:26.79,0:01:32.77,Default,,0000,0000,0000,,serious funding from a venture center or\Nother angel investors for millions. So in
Dialogue: 0,0:01:32.77,0:01:38.84,Default,,0000,0000,0000,,2014, they also got a few months after\Nthey got funded. They also got some press
Dialogue: 0,0:01:38.84,0:01:44.94,Default,,0000,0000,0000,,coverage about the product and they got\Nsome pretty good reviews on their
Dialogue: 0,0:01:44.94,0:01:49.26,Default,,0000,0000,0000,,newspapers and articles about what the\Nproduct could do. And at the same time,
Dialogue: 0,0:01:49.26,0:01:52.95,Default,,0000,0000,0000,,they were doing what most of the companies\Nare doing, like publishing patents about
Dialogue: 0,0:01:52.95,0:02:00.03,Default,,0000,0000,0000,,their technology and everything. So things\Nlater started to go like year after year
Dialogue: 0,0:02:00.03,0:02:06.50,Default,,0000,0000,0000,,and half maybe started to go not that well\Nfor them. The security community noticed
Dialogue: 0,0:02:06.50,0:02:10.76,Default,,0000,0000,0000,,and there was some press coverage about\Nthe product that was not so positive
Dialogue: 0,0:02:10.76,0:02:19.25,Default,,0000,0000,0000,,anymore. So this is one of the very first\Nemails that appear on the Web regarding
Dialogue: 0,0:02:19.25,0:02:24.71,Default,,0000,0000,0000,,the product. So it's from a W3C\Nworking group. So a researcher there is
Dialogue: 0,0:02:24.71,0:02:31.22,Default,,0000,0000,0000,,basically. Notifying the other members of\Nthe group that, OK, there is this product,
Dialogue: 0,0:02:31.22,0:02:36.35,Default,,0000,0000,0000,,maybe there are transparency issues, and\Ncertainly the users are not aware of
Dialogue: 0,0:02:36.35,0:02:42.49,Default,,0000,0000,0000,,what exactly is going on there. So let's\Nkeep an eye on it. And so this was a very
Dialogue: 0,0:02:42.49,0:02:48.37,Default,,0000,0000,0000,,one of the very first things published\Nabout the product from the privacy and
Dialogue: 0,0:02:48.37,0:02:54.47,Default,,0000,0000,0000,,security perspective. So what happened\Nthen was the press took notice and they
Dialogue: 0,0:02:54.47,0:03:01.38,Default,,0000,0000,0000,,got all those headlines urging users to be\Nvery careful. And, oh, this is a this is
Dialogue: 0,0:03:01.38,0:03:08.77,Default,,0000,0000,0000,,evil, take care. People are eavesdropping\Non you and stuff. So, of course, this led
Dialogue: 0,0:03:08.77,0:03:14.95,Default,,0000,0000,0000,,also on the FTC to take action. They\Norganized a workshop on cross device tracking
Dialogue: 0,0:03:14.95,0:03:22.06,Default,,0000,0000,0000,,in general, I think, and they made specific\Nmentions for ultrasound cross device tracking
Dialogue: 0,0:03:22.06,0:03:28.17,Default,,0000,0000,0000,,don't worry if you're not familiar with this terms,\NI'm going to define everything later. So
Dialogue: 0,0:03:28.17,0:03:33.39,Default,,0000,0000,0000,,what basically they were saying is\Ntransparency issues. How do how do we
Dialogue: 0,0:03:33.39,0:03:39.86,Default,,0000,0000,0000,,protect ourselves? How is that thing\Nworking? So, then the users, of course,
Dialogue: 0,0:03:39.86,0:03:43.69,Default,,0000,0000,0000,,started to react. And there were like many\Npeople who were unhappy, they were
Dialogue: 0,0:03:43.69,0:03:48.43,Default,,0000,0000,0000,,complaining, what is this? I don't want\Nthat thing. So people were actually
Dialogue: 0,0:03:48.43,0:03:53.48,Default,,0000,0000,0000,,suggesting solutions and the solutions\Nthat were making sense. And of course, you
Dialogue: 0,0:03:53.48,0:04:01.26,Default,,0000,0000,0000,,have always the users that are completely\Nimmune to what you have there. So what
Dialogue: 0,0:04:01.26,0:04:10.55,Default,,0000,0000,0000,,happened then is like five months after\Nthe FTC took much more serious action
Dialogue: 0,0:04:10.55,0:04:16.00,Default,,0000,0000,0000,,regarding this specific product. So it\Nsent a letter to all the developers. And
Dialogue: 0,0:04:16.00,0:04:19.78,Default,,0000,0000,0000,,the letter was essentially saying, you\Nknow, you're using this framework in
Dialogue: 0,0:04:19.78,0:04:27.16,Default,,0000,0000,0000,,Europe. We've seen it in Google Play\Nstore. It's not enough that you are asking
Dialogue: 0,0:04:27.16,0:04:31.38,Default,,0000,0000,0000,,for the microphone permission. You should\Nlet the users know that you are tracking
Dialogue: 0,0:04:31.38,0:04:36.33,Default,,0000,0000,0000,,them if you are doing so. Otherwise, you\Nare violating rule X, Y, Z, and you're not
Dialogue: 0,0:04:36.33,0:04:42.59,Default,,0000,0000,0000,,allowed to do that. So this was pretty\Nserious, I would say. And what happened
Dialogue: 0,0:04:42.59,0:04:46.61,Default,,0000,0000,0000,,next is basically the company withdrew\Nfrom the US market and said, you know, we
Dialogue: 0,0:04:46.61,0:04:51.04,Default,,0000,0000,0000,,have nothing to do with the U.S. market\Nand this product is not active there. You
Dialogue: 0,0:04:51.04,0:04:57.32,Default,,0000,0000,0000,,shouldn't be concerned. So end of story\Nlike the product is not out there in the
Dialogue: 0,0:04:57.32,0:05:03.66,Default,,0000,0000,0000,,US at least anymore. Are we safe? So it\Nseemed to us that it was assumed that this
Dialogue: 0,0:05:03.66,0:05:10.03,Default,,0000,0000,0000,,was an isolated security incident. And to\Nbe fair, very little became known about
Dialogue: 0,0:05:10.03,0:05:15.09,Default,,0000,0000,0000,,the technology. At this point. The press\Nmoved on to other hot topics at the time,
Dialogue: 0,0:05:15.09,0:05:20.95,Default,,0000,0000,0000,,people went quiet, like if people are not\Nusing it, it's fine. So everyone
Dialogue: 0,0:05:20.95,0:05:25.84,Default,,0000,0000,0000,,seemed happy. But we're curious people. So\Nwe had lots of questions that were not
Dialogue: 0,0:05:25.84,0:05:35.04,Default,,0000,0000,0000,,answered. So our main questions was like\Nwhy they were using ultrasounds. We'll see
Dialogue: 0,0:05:35.04,0:05:41.62,Default,,0000,0000,0000,,that what they are doing, you can do with\Nour technologies, how such frameworks
Dialogue: 0,0:05:41.62,0:05:47.12,Default,,0000,0000,0000,,work. We had no idea there was no coverage\Nor nothing about it. The technical,
Dialogue: 0,0:05:47.12,0:05:53.34,Default,,0000,0000,0000,,technically speaking, out there, are there\Nother such products there? Because we were
Dialogue: 0,0:05:53.34,0:05:59.41,Default,,0000,0000,0000,,aware of one. Everyone on all the articles\Nwas referring to that one product, but we
Dialogue: 0,0:05:59.41,0:06:03.21,Default,,0000,0000,0000,,were not sure if there are others doing\Nthe same thing. And of course, we were
Dialogue: 0,0:06:03.21,0:06:07.87,Default,,0000,0000,0000,,looking for a report about the whole\Necosystem and how it works. And there was
Dialogue: 0,0:06:07.87,0:06:13.29,Default,,0000,0000,0000,,nothing. So what do you do then if if\Nthere are no technical resources?
Dialogue: 0,0:06:13.29,0:06:19.74,Default,,0000,0000,0000,,Basically, we decided to do our own\Nresearch and come up with this report that
Dialogue: 0,0:06:19.74,0:06:24.98,Default,,0000,0000,0000,,we were lacking. So we're done with\Nmotivation so far. We were pretty pumped
Dialogue: 0,0:06:24.98,0:06:29.89,Default,,0000,0000,0000,,up about looking into it. OK, what's\Nthere? The rest of the presentation will
Dialogue: 0,0:06:29.89,0:06:34.01,Default,,0000,0000,0000,,go as follows. Like first I'm going to\Nintroduce ultrasound tracking and other
Dialogue: 0,0:06:34.01,0:06:40.62,Default,,0000,0000,0000,,terminology, then I'm going to go on with\Nthe attack details. And indeed, we have an
Dialogue: 0,0:06:40.62,0:06:47.61,Default,,0000,0000,0000,,attack again against the Tor browser. Then\Nwe're doing a formal security analysis of
Dialogue: 0,0:06:47.61,0:06:53.35,Default,,0000,0000,0000,,the ecosystem and try to pinpoint the\Nthings that went wrong. And then we'll try
Dialogue: 0,0:06:53.35,0:07:00.47,Default,,0000,0000,0000,,to introduce our countermeasures and\Nadvocate for proper practices. So to begin
Dialogue: 0,0:07:00.47,0:07:06.94,Default,,0000,0000,0000,,with, I'm Vasilis. I've done this work\Nwith other curious people. These are
Dialogue: 0,0:07:06.94,0:07:13.44,Default,,0000,0000,0000,,showing how Yanick Fratantonio, Christopher\NKruegel and Giovanni Vigna from UCSB and also
Dialogue: 0,0:07:13.44,0:07:19.28,Default,,0000,0000,0000,,Federico Maggi from Polytechnical\NDamilola. Let's now start with the
Dialogue: 0,0:07:19.28,0:07:26.34,Default,,0000,0000,0000,,ecosystem, so apparently ultrasounds are\Nused in a lot of places and they can be
Dialogue: 0,0:07:26.34,0:07:30.92,Default,,0000,0000,0000,,utilized for different purposes, some of\Nthem are cross device tracking that are
Dialogue: 0,0:07:30.92,0:07:36.77,Default,,0000,0000,0000,,referred already to audience analytics,\Nsynchronized content, proximity, marketing
Dialogue: 0,0:07:36.77,0:07:41.46,Default,,0000,0000,0000,,and device pairing. You can do some other\Nthings, but you will see them later. So to
Dialogue: 0,0:07:41.46,0:07:48.92,Default,,0000,0000,0000,,begin with what cross device tracking is,\Ncross device tracking is basically the holy
Dialogue: 0,0:07:48.92,0:07:53.63,Default,,0000,0000,0000,,grail for marketers right now because\Nyou're using your multiple devices
Dialogue: 0,0:07:53.63,0:07:57.99,Default,,0000,0000,0000,,smartphone, laptop, computer, maybe your\NTV and to them, your appear as different
Dialogue: 0,0:07:57.99,0:08:02.33,Default,,0000,0000,0000,,people. And they all want to be able to\Nlink to link those devices to know that
Dialogue: 0,0:08:02.33,0:08:06.92,Default,,0000,0000,0000,,you're the same person so that they can\Nbuild their profiles more accurately. So,
Dialogue: 0,0:08:06.92,0:08:13.30,Default,,0000,0000,0000,,for instance, if you're watching an ad on\Nthe TV, they want to be able to know that
Dialogue: 0,0:08:13.30,0:08:19.72,Default,,0000,0000,0000,,it's you so that they can push relevant\Nads from your smartphone or follow up ads.
Dialogue: 0,0:08:19.72,0:08:27.86,Default,,0000,0000,0000,,Um. So this is employed by major\Nadvertising networks, and there are two
Dialogue: 0,0:08:27.86,0:08:32.78,Default,,0000,0000,0000,,ways to do it, either deterministically or\Nprobabilistically, that deterministic
Dialogue: 0,0:08:32.78,0:08:38.78,Default,,0000,0000,0000,,approach is much more reliable. You get\N100 percent accuracy and works as follows.
Dialogue: 0,0:08:38.78,0:08:43.20,Default,,0000,0000,0000,,If you are Facebook, the users are heavily\Nincentivized to log in from all their
Dialogue: 0,0:08:43.20,0:08:49.22,Default,,0000,0000,0000,,devices. So what happens is that. You can\Nimmediately know that, OK, this user has
Dialogue: 0,0:08:49.22,0:08:55.19,Default,,0000,0000,0000,,these three devices and I can put relevant\Ncontent to all of them. However, if you
Dialogue: 0,0:08:55.19,0:08:58.91,Default,,0000,0000,0000,,are not Facebook or Google you, it's much\Nmore unlikely that the users would want to
Dialogue: 0,0:08:58.91,0:09:03.58,Default,,0000,0000,0000,,log into your platform from their\Ndifferent devices. So you have to look for
Dialogue: 0,0:09:03.58,0:09:09.97,Default,,0000,0000,0000,,alternatives. And one tool to come up with\Nthose alternatives are ultrasound beacons.
Dialogue: 0,0:09:09.97,0:09:18.48,Default,,0000,0000,0000,,So, um, ultrasound tracking products are\Nusing ultrasound because they may sound
Dialogue: 0,0:09:18.48,0:09:22.59,Default,,0000,0000,0000,,exotic, but basically there they are. What\Nthey are doing is they are encoding a
Dialogue: 0,0:09:22.59,0:09:29.46,Default,,0000,0000,0000,,sequence of symbols, um, in a very high\Nfrequency that it's inaudible by humans.
Dialogue: 0,0:09:29.46,0:09:35.52,Default,,0000,0000,0000,,That's the first key feature. The second one\Nis they can be emitted by most commercial
Dialogue: 0,0:09:35.52,0:09:39.40,Default,,0000,0000,0000,,speakers and they can be captured by most\Ncommercial microphones, for instance,
Dialogue: 0,0:09:39.40,0:09:48.62,Default,,0000,0000,0000,,found on your smartphone. So the technical\Ndetails are the following. I know there
Dialogue: 0,0:09:48.62,0:09:54.38,Default,,0000,0000,0000,,are a lot of experts in these kinds of\Nthings here, so I'm averaging out what how
Dialogue: 0,0:09:54.38,0:09:57.59,Default,,0000,0000,0000,,the companies are doing it right now. I'm\Nnot saying that this is the best way to do
Dialogue: 0,0:09:57.59,0:10:01.52,Default,,0000,0000,0000,,it, but this is more or less what they're\Ndoing. Of course, they have patents, so
Dialogue: 0,0:10:01.52,0:10:06.23,Default,,0000,0000,0000,,each one of them is doing a slightly\Ndifferent thing so they don't overlap.
Dialogue: 0,0:10:06.23,0:10:13.33,Default,,0000,0000,0000,,They're using the near ultrasound spectrum\Nbetween the eight eight kilohertz and 20
Dialogue: 0,0:10:13.33,0:10:18.94,Default,,0000,0000,0000,,kilohertz, which is inaudible by usually\Nby adults. They divide it in smaller
Dialogue: 0,0:10:18.94,0:10:27.38,Default,,0000,0000,0000,,chunks. So if you divide it in chunks that\Nhave size of 75 Hertz, you get 26, about 26
Dialogue: 0,0:10:27.38,0:10:33.92,Default,,0000,0000,0000,,chunks, and then you can assign letter of\Nthe alphabet on each one of them. And then
Dialogue: 0,0:10:33.92,0:10:38.11,Default,,0000,0000,0000,,what they are doing is usually within four\Nto five seconds. They emit sequences of
Dialogue: 0,0:10:38.11,0:10:45.41,Default,,0000,0000,0000,,characters. Usually they contain for four\Nto six characters in there, and they use
Dialogue: 0,0:10:45.41,0:10:51.67,Default,,0000,0000,0000,,it to incorporate a unique ID\Ncorresponding to their source, they attach
Dialogue: 0,0:10:51.67,0:10:56.71,Default,,0000,0000,0000,,the beacon to. So there is no ultrasound\Nbeacon standard, as I said previously, but
Dialogue: 0,0:10:56.71,0:11:00.45,Default,,0000,0000,0000,,there are lots of patents, so each one of\Nthem is doing a slightly different thing.
Dialogue: 0,0:11:00.45,0:11:06.35,Default,,0000,0000,0000,,But this is a basic principle. We did some\Nexperiments and we found out that within
Dialogue: 0,0:11:06.35,0:11:13.88,Default,,0000,0000,0000,,seven meters, you get pretty good accuracy\Nin low error rate. So of course, this depends
Dialogue: 0,0:11:13.88,0:11:20.25,Default,,0000,0000,0000,,exactly how you encode things. But with\Napplications found on Google Play, this
Dialogue: 0,0:11:20.25,0:11:24.99,Default,,0000,0000,0000,,worked up to seven meters. Um, we couldn't\Nfind computer speakers that were not able
Dialogue: 0,0:11:24.99,0:11:33.31,Default,,0000,0000,0000,,to emit near ultrasound frequencies and\Nwork with this technology and.. we this is
Dialogue: 0,0:11:33.31,0:11:36.59,Default,,0000,0000,0000,,pretty known for this kind of frequencies,\Nthey cannot penetrate through physical
Dialogue: 0,0:11:36.59,0:11:41.00,Default,,0000,0000,0000,,objects, but this is not a problem for\Ntheir purposes. And we did some
Dialogue: 0,0:11:41.00,0:11:46.72,Default,,0000,0000,0000,,experiments with our research assistant\Nand we can say that they are audible by
Dialogue: 0,0:11:46.72,0:11:54.42,Default,,0000,0000,0000,,animals. So if you combine cross device\Ntracking and ultrasound because you get
Dialogue: 0,0:11:54.42,0:12:02.35,Default,,0000,0000,0000,,ultrasound cross device tracking. So now what\Nyou can do with this and this is this is a
Dialogue: 0,0:12:02.35,0:12:07.32,Default,,0000,0000,0000,,pretty good idea, actually, because it\Noffers high accuracy, you don't ask the
Dialogue: 0,0:12:07.32,0:12:16.72,Default,,0000,0000,0000,,users to log in, which is very high, very\Ndemanding thing to ask for. You can embed
Dialogue: 0,0:12:16.72,0:12:22.86,Default,,0000,0000,0000,,those beacons in websites or TV ads, and\Nthis technology, however, requires some
Dialogue: 0,0:12:22.86,0:12:26.21,Default,,0000,0000,0000,,sort of sophisticated backend\Ninfrastructure. We're going to see more
Dialogue: 0,0:12:26.21,0:12:30.26,Default,,0000,0000,0000,,about it later. And you also need the\Nnetwork of publishers who are willing to
Dialogue: 0,0:12:30.26,0:12:36.74,Default,,0000,0000,0000,,incorporate incorporate beacons in their\Ncontent, whatever this content is. And
Dialogue: 0,0:12:36.74,0:12:41.25,Default,,0000,0000,0000,,then, of course, you need an ultrasound\Ncross device tracking framework that is going
Dialogue: 0,0:12:41.25,0:12:47.08,Default,,0000,0000,0000,,to run on the user's mobile device, a\Nsmartphone. So these frameworks are
Dialogue: 0,0:12:47.08,0:12:52.68,Default,,0000,0000,0000,,essentially and as the advertising SDK is the\Nkey that the developers can use to display
Dialogue: 0,0:12:52.68,0:12:57.06,Default,,0000,0000,0000,,ads on their free apps. So it's not that\Nthe developers are going to incorporate
Dialogue: 0,0:12:57.06,0:13:04.49,Default,,0000,0000,0000,,the ultrasound framework is going to\Nincorporate an advertising SDK with
Dialogue: 0,0:13:04.49,0:13:09.61,Default,,0000,0000,0000,,varying degrees of understanding of what\Nit does. So here is how ultrasound cross device
Dialogue: 0,0:13:09.61,0:13:15.74,Default,,0000,0000,0000,,tracking works. On step one, basically, we\Nhave the advertising client. He just wants
Dialogue: 0,0:13:15.74,0:13:20.20,Default,,0000,0000,0000,,to advertise, advertises his products. He\Ngoes to the ultrasound cross device
Dialogue: 0,0:13:20.20,0:13:25.25,Default,,0000,0000,0000,,tracking provider who has the\Ninfrastructure set up, set up a campaign,
Dialogue: 0,0:13:25.25,0:13:31.61,Default,,0000,0000,0000,,and they provide their associates a unique\Nultrasound because with this campaign and
Dialogue: 0,0:13:31.61,0:13:37.66,Default,,0000,0000,0000,,then pushes this become to content\Npublishers to incorporate them
Dialogue: 0,0:13:37.66,0:13:43.86,Default,,0000,0000,0000,,incorporated into their content, depending\Non what the advertiser advertising client
Dialogue: 0,0:13:43.86,0:13:49.27,Default,,0000,0000,0000,,is trying to achieve. So this is step\Nthree or step for a user is basically
Dialogue: 0,0:13:49.27,0:13:56.95,Default,,0000,0000,0000,,accessing all of those content providers\Neither. This is a TV ad or a website on
Dialogue: 0,0:13:56.95,0:14:03.03,Default,,0000,0000,0000,,the Internet and one this once this\Ncontent is loaded or displayed by your TV.
Dialogue: 0,0:14:03.03,0:14:08.01,Default,,0000,0000,0000,,At the same time, the device, the devices\Nspeakers are emitting the ultrasounds. And
Dialogue: 0,0:14:08.01,0:14:13.58,Default,,0000,0000,0000,,if you have the ultrasound cross device tracking\Nframework on your phone, which is usually
Dialogue: 0,0:14:13.58,0:14:18.91,Default,,0000,0000,0000,,listening on the background, then it picks\Nup the ultrasound and on step six, it
Dialogue: 0,0:14:18.91,0:14:25.06,Default,,0000,0000,0000,,submits it back to the service provider,\Nwhich now knows that, OK, this guy has
Dialogue: 0,0:14:25.06,0:14:31.70,Default,,0000,0000,0000,,watched this DVR or whatever it is, and\NI'm going to add this to his profile and
Dialogue: 0,0:14:31.70,0:14:38.22,Default,,0000,0000,0000,,push our target dates back to his device.\NSo, of course, by doing this, they're just
Dialogue: 0,0:14:38.22,0:14:45.90,Default,,0000,0000,0000,,trying to improve, improve their\Nconversion rate and get more customers.
Dialogue: 0,0:14:45.90,0:14:52.97,Default,,0000,0000,0000,,Another use of ultrasounds currently in\Npractice is proximity marketing, so venues
Dialogue: 0,0:14:52.97,0:14:59.38,Default,,0000,0000,0000,,basically set up multiple, multiple\Nultrasound meters. This is kind of fancy
Dialogue: 0,0:14:59.38,0:15:05.35,Default,,0000,0000,0000,,name for speakers and this is kind of the\Nnice thing about the ultrasound. You just
Dialogue: 0,0:15:05.35,0:15:11.47,Default,,0000,0000,0000,,need speakers. So they put this in\Nmultiple locations in their venue, either
Dialogue: 0,0:15:11.47,0:15:18.32,Default,,0000,0000,0000,,a supermarket or a stadium, for instance,\Nand then there is a customer up. If you're
Dialogue: 0,0:15:18.32,0:15:23.31,Default,,0000,0000,0000,,a supermarket, there is a supermarket up.\NIf you're an NBA team, which will see
Dialogue: 0,0:15:23.31,0:15:29.73,Default,,0000,0000,0000,,later, you have this fun application that\Nthe fans of your team can download
Dialogue: 0,0:15:29.73,0:15:35.08,Default,,0000,0000,0000,,and install on their smartphones. And then\Nonce this app, this happens, listing on
Dialogue: 0,0:15:35.08,0:15:40.55,Default,,0000,0000,0000,,the background and it picks up the\Nultrasound and submits them back to the
Dialogue: 0,0:15:40.55,0:15:47.66,Default,,0000,0000,0000,,company. So the main purpose of using is\Nthis is basically to study in user
Dialogue: 0,0:15:47.66,0:15:55.22,Default,,0000,0000,0000,,behavior, in user behavior, provide real\Ntime notifications like, OK, you are in
Dialogue: 0,0:15:55.22,0:15:59.61,Default,,0000,0000,0000,,this aisle on the supermarket, but if you\Njust walk two meters down, you're going to
Dialogue: 0,0:15:59.61,0:16:06.17,Default,,0000,0000,0000,,see this product in discount. Or the third\Npoint, which kind of incentivizes the
Dialogue: 0,0:16:06.17,0:16:11.24,Default,,0000,0000,0000,,users more, is basically you're offering\Nreward points for users visiting your
Dialogue: 0,0:16:11.24,0:16:17.60,Default,,0000,0000,0000,,store. And actually there is a product\Ndoing exactly that on the market. So some
Dialogue: 0,0:16:17.60,0:16:23.83,Default,,0000,0000,0000,,other uses are device pairing. And this\Nbasically relies on the fact that
Dialogue: 0,0:16:23.83,0:16:29.03,Default,,0000,0000,0000,,ultrasounds do not penetrate through\Nobjects. So if you have a small TV, say,
Dialogue: 0,0:16:29.03,0:16:36.81,Default,,0000,0000,0000,,with or Chromecast, for instance, they can\Nemit random PIN through ultrasound. Your
Dialogue: 0,0:16:36.81,0:16:40.70,Default,,0000,0000,0000,,device picks it up and submits it back to\Nthe device through the Internet. And now
Dialogue: 0,0:16:40.70,0:16:44.41,Default,,0000,0000,0000,,you've proved that you are on the same\Nphysical location with the with Chromecast
Dialogue: 0,0:16:44.41,0:16:51.32,Default,,0000,0000,0000,,or whatever your TV is. Also, Google\Nrecently acquired sleek login. They are
Dialogue: 0,0:16:51.32,0:16:55.77,Default,,0000,0000,0000,,also using ultrasounds for authentication.\NIt's not entirely clear what their product
Dialogue: 0,0:16:55.77,0:17:00.12,Default,,0000,0000,0000,,is about, though. And also you have\Naudience measurement and analytics. So
Dialogue: 0,0:17:00.12,0:17:07.24,Default,,0000,0000,0000,,what they are doing is basically if you're\Nif you incorporate multiple beacons in the
Dialogue: 0,0:17:07.24,0:17:12.17,Default,,0000,0000,0000,,night, then you can basically track the\Nreactions and the behavior of the users of
Dialogue: 0,0:17:12.17,0:17:17.56,Default,,0000,0000,0000,,it, of the audience in the sense that\Nfirst, you know, how many people have
Dialogue: 0,0:17:17.56,0:17:21.47,Default,,0000,0000,0000,,watched your ad a second, you know what\Nhappened. So if they show it's Sanderlin
Dialogue: 0,0:17:21.47,0:17:26.71,Default,,0000,0000,0000,,between and this, so they submit only the\Nfirst beacon of the two, if you have two,
Dialogue: 0,0:17:26.71,0:17:34.39,Default,,0000,0000,0000,,then you also track their behavior. OK, so\Nwe've seen all these technologies and then
Dialogue: 0,0:17:34.39,0:17:40.78,Default,,0000,0000,0000,,we started wondering how secure is that\Nthing? Like, OK, what security measures
Dialogue: 0,0:17:40.78,0:17:46.47,Default,,0000,0000,0000,,are there applied by companies and\Neverything? So I'm going to immediately
Dialogue: 0,0:17:46.47,0:17:51.37,Default,,0000,0000,0000,,start with the exploitation of the\Ntechnology. So to do that, we just need
Dialogue: 0,0:17:51.37,0:17:59.47,Default,,0000,0000,0000,,the computer with speakers and the Tor browser\Nand the smartphone with an ultrasound app
Dialogue: 0,0:17:59.47,0:18:03.00,Default,,0000,0000,0000,,and a state level advisory. I'm going to\Nsay more about the state level advisory
Dialogue: 0,0:18:03.00,0:18:11.68,Default,,0000,0000,0000,,later, but just keep in mind that it's on\Nthe Tor threat model, so. I have a
Dialogue: 0,0:18:11.68,0:18:15.06,Default,,0000,0000,0000,,video of the attack. I'm going to stop it,\NI'm going to pose it in different places
Dialogue: 0,0:18:15.06,0:18:24.67,Default,,0000,0000,0000,,to explain some more stuff. Yeah, OK, so\NI'm going to set up the scene before that.
Dialogue: 0,0:18:24.67,0:18:28.02,Default,,0000,0000,0000,,So let's make the assumption that we have\Na whistle blower that wants to leak some
Dialogue: 0,0:18:28.02,0:18:34.19,Default,,0000,0000,0000,,documents to a journalist, but he doesn't\Nknow that the journalist is working with
Dialogue: 0,0:18:34.19,0:18:38.70,Default,,0000,0000,0000,,the government and his main intent is\Nbasically to deanonymize him. So the
Dialogue: 0,0:18:38.70,0:18:42.56,Default,,0000,0000,0000,,journalist does the following, asks the\Nwhistleblower to upload the documents to a
Dialogue: 0,0:18:42.56,0:18:48.36,Default,,0000,0000,0000,,Tor hidden service or a website that he owns.\NAnd the whistleblower basically thinking
Dialogue: 0,0:18:48.36,0:18:55.34,Default,,0000,0000,0000,,that he's safe to do that through Tor\Nloads the page. So now I'm having I have the
Dialogue: 0,0:18:55.34,0:19:07.28,Default,,0000,0000,0000,,demo, which is exactly that implements\Nexactly that scenario. So the whistle
Dialogue: 0,0:19:07.28,0:19:12.97,Default,,0000,0000,0000,,blower opens the Tor browser, so the setup is\Nthe following, we have the phone next to
Dialogue: 0,0:19:12.97,0:19:16.78,Default,,0000,0000,0000,,the computer. This can be up to seven\Nmeters away, but for practical purposes,
Dialogue: 0,0:19:16.78,0:19:21.17,Default,,0000,0000,0000,,it has to be next to the computer. So we\Nhave the Tor browser. What are we going to do
Dialogue: 0,0:19:21.17,0:19:28.75,Default,,0000,0000,0000,,first? For the purpose of the demo, we use\Nthem smart for listening framework that's
Dialogue: 0,0:19:28.75,0:19:36.53,Default,,0000,0000,0000,,visible to the.. to the user. This is\Nbasically the demo(?). Those apps, ultrasound
Dialogue: 0,0:19:36.53,0:19:40.93,Default,,0000,0000,0000,,cross device tracking apps run in the background,\Nso now we're setting set it on listening
Dialogue: 0,0:19:40.93,0:19:46.28,Default,,0000,0000,0000,,mode so that it starts listening. Of\Ncourse, in normal framework, the user
Dialogue: 0,0:19:46.28,0:19:52.57,Default,,0000,0000,0000,,doesn't have to do that part. But we want\Nto show that. We want to show that what's
Dialogue: 0,0:19:52.57,0:20:02.57,Default,,0000,0000,0000,,happening. So now the whistleblower is\Ngoing to load the innocuous were paid,
Dialogue: 0,0:20:02.57,0:20:12.98,Default,,0000,0000,0000,,suggested by the journalist and see what\Nhappens to. OK, now we've loaded the page
Dialogue: 0,0:20:12.98,0:20:20.32,Default,,0000,0000,0000,,and the phone is listening in reality in\Nthe background, so let's see what happens.
Dialogue: 0,0:20:30.59,0:20:36.32,Default,,0000,0000,0000,,OK, this is looks pretty bad. We have lots\Nof information about the user visiting our
Dialogue: 0,0:20:36.32,0:20:43.70,Default,,0000,0000,0000,,hidden service. I assume you already have some\Nclues about how this happened, what the
Dialogue: 0,0:20:43.70,0:20:54.85,Default,,0000,0000,0000,,information that we have is the following.\NFirst of all. We have his IP address,
Dialogue: 0,0:20:54.85,0:21:02.07,Default,,0000,0000,0000,,phone number. Don't call this phone\Nnumber, because this isn't right. The ID
Dialogue: 0,0:21:02.07,0:21:10.86,Default,,0000,0000,0000,,is he may end his Google account email. So\Nthis is enough to say and his location, of
Dialogue: 0,0:21:10.86,0:21:15.39,Default,,0000,0000,0000,,course, and this is enough to say that we\Nessentially deanonymized him, even if we
Dialogue: 0,0:21:15.39,0:21:22.34,Default,,0000,0000,0000,,had the IP address, that would have been\Nenough. So before I explain exactly how
Dialogue: 0,0:21:22.34,0:21:26.17,Default,,0000,0000,0000,,the attacked work, I'm going to introduce\Nsome tools that the attackers have at
Dialogue: 0,0:21:26.17,0:21:32.32,Default,,0000,0000,0000,,their disposal. The first one is a Bitcoin\Ninjection. So what you can essentially do
Dialogue: 0,0:21:32.32,0:21:37.23,Default,,0000,0000,0000,,is basically craft your own ultrasound\Nbeacons and push them to devices,
Dialogue: 0,0:21:37.23,0:21:40.81,Default,,0000,0000,0000,,listening for beacons, and then their\Ndevices are going to treat them like valid
Dialogue: 0,0:21:40.81,0:21:45.16,Default,,0000,0000,0000,,beacons and submit them back to the\Ncompany's backend. And then the same
Dialogue: 0,0:21:45.16,0:21:49.99,Default,,0000,0000,0000,,things. Basically, you can also replace\Nultrasound beacons, meaning that you can
Dialogue: 0,0:21:49.99,0:21:55.32,Default,,0000,0000,0000,,capture them from virus location. And this\Nis actually happening on the wild at a
Dialogue: 0,0:21:55.32,0:22:04.31,Default,,0000,0000,0000,,large scale for a specific application.\NAnd then once you capture those beacons,
Dialogue: 0,0:22:04.31,0:22:11.43,Default,,0000,0000,0000,,you can replace them back to the company's\Nback end through the user's devices to
Dialogue: 0,0:22:11.43,0:22:16.99,Default,,0000,0000,0000,,give you a clue. There is a company that\Nincentivizes users to visit stores by
Dialogue: 0,0:22:16.99,0:22:22.72,Default,,0000,0000,0000,,providing them offers and end points when\Nthey are visiting stores and people are
Dialogue: 0,0:22:22.72,0:22:27.66,Default,,0000,0000,0000,,capturing the beacons and are replaying them\Nback to their devices from home. So they
Dialogue: 0,0:22:27.66,0:22:30.58,Default,,0000,0000,0000,,are selling the beacons through the\NInternet so that they don't have to go to
Dialogue: 0,0:22:30.58,0:22:39.56,Default,,0000,0000,0000,,the actual stores. OK, the problem here is\Nbasically that the framework is handling
Dialogue: 0,0:22:39.56,0:22:43.00,Default,,0000,0000,0000,,every beacon. It doesn't have a way to\Ndistinguish between the valid and
Dialogue: 0,0:22:43.00,0:22:48.05,Default,,0000,0000,0000,,maliciously crafted beacons. And my favorite\Ntool for the attackers is basically a beacon
Dialogue: 0,0:22:48.05,0:22:55.35,Default,,0000,0000,0000,,trap, which is a code snippet that\Nonce you loaded, you basically reproduce
Dialogue: 0,0:22:55.35,0:23:01.68,Default,,0000,0000,0000,,one or more inaudible beacons that the\Nattacker chose to. So this can happen in
Dialogue: 0,0:23:01.68,0:23:06.76,Default,,0000,0000,0000,,lots of ways on the demo. I use the first\None. So you build a website and you have
Dialogue: 0,0:23:06.76,0:23:12.19,Default,,0000,0000,0000,,some JavaScript there just playing the\Nultrasounds from the back. What else you can
Dialogue: 0,0:23:12.19,0:23:17.77,Default,,0000,0000,0000,,do is basically start crosseyed scripting\Nvulnerability. Just exploit it on any
Dialogue: 0,0:23:17.77,0:23:22.93,Default,,0000,0000,0000,,random website and then you can inject\Nbeacons to the visitors of this website
Dialogue: 0,0:23:22.93,0:23:30.25,Default,,0000,0000,0000,,or a man-in-the-middle attacks just\Nadding or javascript snippet on that
Dialogue: 0,0:23:30.25,0:23:37.78,Default,,0000,0000,0000,,user's traffic or they send an audio\Nmessage to the to the victim. So how did
Dialogue: 0,0:23:37.78,0:23:41.83,Default,,0000,0000,0000,,Tor deanonymization attack work? It's the\Nfollowing. So first the adversary needs to
Dialogue: 0,0:23:41.83,0:23:50.05,Default,,0000,0000,0000,,set up, set up a campaign, and then once\Nhe captures the the beacon associated with
Dialogue: 0,0:23:50.05,0:23:55.54,Default,,0000,0000,0000,,that campaign, he builds a beacon trap and\Nessentially on step three lures, the user
Dialogue: 0,0:23:55.54,0:24:00.79,Default,,0000,0000,0000,,to visit it. This is what the journalist\Nbasically did for the whistleblower on our
Dialogue: 0,0:24:00.79,0:24:05.84,Default,,0000,0000,0000,,scenario. Then the user loads the\Nresource. He has no idea this is possible.
Dialogue: 0,0:24:05.84,0:24:12.44,Default,,0000,0000,0000,,And she slapped him amidst the ultrasound,\Nbeacon. If you if your smartphone has such a
Dialogue: 0,0:24:12.44,0:24:17.46,Default,,0000,0000,0000,,framework, it's going to pick it up and\Nsubmit it back to the provider and I don't
Dialogue: 0,0:24:17.46,0:24:22.18,Default,,0000,0000,0000,,know about you, but when I'm using Tor,\NI'm not connecting my phone through to the
Dialogue: 0,0:24:22.18,0:24:25.51,Default,,0000,0000,0000,,Internet, through the Tor network. My\Nphone is connected through my normal Wi-
Dialogue: 0,0:24:25.51,0:24:34.04,Default,,0000,0000,0000,,Fi. So now the ultrasound service provider\Nknows that the you know, this smartphone
Dialogue: 0,0:24:34.04,0:24:37.69,Default,,0000,0000,0000,,device omitted that specific beacon. And\Nthen I step seven, basically the
Dialogue: 0,0:24:37.69,0:24:42.81,Default,,0000,0000,0000,,adversary, which is state level adversary.\NCan simply subpoena the provider for the
Dialogue: 0,0:24:42.81,0:24:48.51,Default,,0000,0000,0000,,AP or other identifiers, which from what\Nwe've seen, they collect plenty of them.
Dialogue: 0,0:24:48.51,0:24:54.52,Default,,0000,0000,0000,,OK, so the first two elements, we have\Nthem already like the Tor browser
Dialogue: 0,0:24:54.52,0:25:02.92,Default,,0000,0000,0000,,computer, which biggest fine smartphone\Nwith ultrasound tracking enabled
Dialogue: 0,0:25:02.92,0:25:08.33,Default,,0000,0000,0000,,framework. Fine. What about the state\Nlevel adversity? So we didn't have a state
Dialogue: 0,0:25:08.33,0:25:13.09,Default,,0000,0000,0000,,level adversity handy. So what we did is\Nbasically we redirected the
Dialogue: 0,0:25:13.09,0:25:18.54,Default,,0000,0000,0000,,traffic from step six to the advertized\Nbackend. And I want to stress a point
Dialogue: 0,0:25:18.54,0:25:28.60,Default,,0000,0000,0000,,here. This is not. A long, long shot\Nassumption. So what we've seen in October
Dialogue: 0,0:25:28.60,0:25:33.18,Default,,0000,0000,0000,,is the following. I don't know how many of\Nyou realize, but AT&T was running a spy
Dialogue: 0,0:25:33.18,0:25:41.03,Default,,0000,0000,0000,,program, a thing called Hammesfahr, and it\Nwas providing paid access to governments
Dialogue: 0,0:25:41.03,0:25:45.27,Default,,0000,0000,0000,,only with an administrative subpoena,\Nwhich is not doesn't even need to be
Dialogue: 0,0:25:45.27,0:25:50.79,Default,,0000,0000,0000,,obtained by it's ads. So it's pretty easy\Nfor them to get access to this kind of
Dialogue: 0,0:25:50.79,0:25:55.52,Default,,0000,0000,0000,,data. Especially we're talking about an IP\Naddress. It's not it's very easy for them
Dialogue: 0,0:25:55.52,0:26:01.57,Default,,0000,0000,0000,,to get it. So we also came up with some\Nmore attacks. First one is profile,
Dialogue: 0,0:26:01.57,0:26:07.71,Default,,0000,0000,0000,,corruption. Advertisers really like to\Nbuild profiles about you, your interests
Dialogue: 0,0:26:07.71,0:26:15.21,Default,,0000,0000,0000,,and your behavior. So what you are\Nbasically doing is you can inject beacons
Dialogue: 0,0:26:15.21,0:26:21.21,Default,,0000,0000,0000,,to other people or even to your own phone\Nand then you can malform their profile.
Dialogue: 0,0:26:21.21,0:26:28.31,Default,,0000,0000,0000,,Exactly. The impact of this attack depends\Non how the backend of the advertising
Dialogue: 0,0:26:28.31,0:26:33.04,Default,,0000,0000,0000,,company and the infrastructure works, but\Nthe attack is definitely possible. And
Dialogue: 0,0:26:33.04,0:26:40.17,Default,,0000,0000,0000,,then there is information leakage attack\Nwere works under a similar assumption. You
Dialogue: 0,0:26:40.17,0:26:44.51,Default,,0000,0000,0000,,can replay Beacon's eavesdrop and replay\Nbecause your own phone to make your
Dialogue: 0,0:26:44.51,0:26:49.52,Default,,0000,0000,0000,,profile similar to that of the victims.\NAnd then based on how recommendation
Dialogue: 0,0:26:49.52,0:26:56.30,Default,,0000,0000,0000,,systems work, you're very likely to get\Nsimilar arts and similar content with that
Dialogue: 0,0:26:56.30,0:27:01.02,Default,,0000,0000,0000,,of the victims. So of course, this also\Ndepends about exactly how the
Dialogue: 0,0:27:01.02,0:27:07.37,Default,,0000,0000,0000,,recommendation system is implemented, but\Nit's definitely possible. OK, so we've
Dialogue: 0,0:27:07.37,0:27:11.54,Default,,0000,0000,0000,,seen certain things that makes us think\Nthat, OK, the ecosystem is not very
Dialogue: 0,0:27:11.54,0:27:19.41,Default,,0000,0000,0000,,secure. Um, we try to find out exactly why\Nthis happened. So we did a security
Dialogue: 0,0:27:19.41,0:27:24.58,Default,,0000,0000,0000,,evaluation or we came up with four points.\NThe first one is that we came up with we
Dialogue: 0,0:27:24.58,0:27:31.75,Default,,0000,0000,0000,,realized that the threat model is\Ninaccurate, that ultrasound, because none
Dialogue: 0,0:27:31.75,0:27:39.13,Default,,0000,0000,0000,,of the implementations we've seen had any\Nsecurity features. Um, they also violated
Dialogue: 0,0:27:39.13,0:27:44.15,Default,,0000,0000,0000,,the fundamental security principle and\Nthey lacked transparency when it comes
Dialogue: 0,0:27:44.15,0:27:49.27,Default,,0000,0000,0000,,when it came to user interface. So let's\Ngo through them one by one. So inaccurate
Dialogue: 0,0:27:49.27,0:27:52.100,Default,,0000,0000,0000,,and model. Basically what they do is\Nbasically they rely on the fact that
Dialogue: 0,0:27:52.100,0:27:58.36,Default,,0000,0000,0000,,ultrasounds cannot penetrate the walls and\Nthey travel up to seven meters reliably.
Dialogue: 0,0:27:58.36,0:28:05.56,Default,,0000,0000,0000,,However, as I said, as a matter of fact,\Nthey also assume that you cannot capture
Dialogue: 0,0:28:05.56,0:28:10.87,Default,,0000,0000,0000,,and replay because because of that, that's\Nthe reason, um, what what's happening in
Dialogue: 0,0:28:10.87,0:28:15.03,Default,,0000,0000,0000,,practice, that you can get really close\Nusing beacon traps. So their assumption
Dialogue: 0,0:28:15.03,0:28:21.80,Default,,0000,0000,0000,,is not that accurate. Um, also, the\Nsecurity capabilities of beacons are
Dialogue: 0,0:28:21.80,0:28:30.13,Default,,0000,0000,0000,,heavily constrained by the low bandwidth\Nthe channel is has the limited time that
Dialogue: 0,0:28:30.13,0:28:33.58,Default,,0000,0000,0000,,you have to reach the users. So if someone\Nis in a supermarket, he's not going to
Dialogue: 0,0:28:33.58,0:28:37.17,Default,,0000,0000,0000,,stop somewhere for a very long time. So\Nyou have limited time and a noisy
Dialogue: 0,0:28:37.17,0:28:42.44,Default,,0000,0000,0000,,environment. So you want a very low error\Nrate. And adding crypto to the beacons
Dialogue: 0,0:28:42.44,0:28:49.14,Default,,0000,0000,0000,,it may not be a good idea, but it also\Nresults. This also results in replay in
Dialogue: 0,0:28:49.14,0:28:54.26,Default,,0000,0000,0000,,injection attacks being possible. Um, we\Nalso hear the violation of the privilege
Dialogue: 0,0:28:54.26,0:28:59.85,Default,,0000,0000,0000,,of, uh, sorry, the principle of least privilege.\NSo what happens is basically all these
Dialogue: 0,0:28:59.85,0:29:05.11,Default,,0000,0000,0000,,apps need full access to the microphone.\NAnd based on the way it works, it's
Dialogue: 0,0:29:05.11,0:29:10.49,Default,,0000,0000,0000,,completely unnecessary for them to gain\Naccess to the audible frequencies.
Dialogue: 0,0:29:10.49,0:29:14.67,Default,,0000,0000,0000,,However, even if they want to, there's no\Nway to gain access only to the ultrasound
Dialogue: 0,0:29:14.67,0:29:20.53,Default,,0000,0000,0000,,spectrum, both in Android and iOS. You\Nhave to gain either access to the whole
Dialogue: 0,0:29:20.53,0:29:26.63,Default,,0000,0000,0000,,spectrum or no access at all. So this, of\Ncourse, results in the first malicious
Dialogue: 0,0:29:26.63,0:29:32.23,Default,,0000,0000,0000,,developers can at any time start using\Ntheir access to the microphone. And of
Dialogue: 0,0:29:32.23,0:29:38.52,Default,,0000,0000,0000,,course, all the benign ultrasound enabled\Napps are perceived by as malicious by the
Dialogue: 0,0:29:38.52,0:29:45.40,Default,,0000,0000,0000,,users. And this actually will say more\Nabout it later. So lack of transparency is
Dialogue: 0,0:29:45.40,0:29:51.26,Default,,0000,0000,0000,,inclose. This is a bad combination with\Nwhat exactly we've seen previously,
Dialogue: 0,0:29:51.26,0:29:55.92,Default,,0000,0000,0000,,because it that we've observed large\Ndiscrepancies between apps when it comes
Dialogue: 0,0:29:55.92,0:30:00.88,Default,,0000,0000,0000,,to informing the users and also lots of\Ndiscrepancies when it comes to providing
Dialogue: 0,0:30:00.88,0:30:06.11,Default,,0000,0000,0000,,opt out options. And there is a conflict\Nof interest there, because if you're a
Dialogue: 0,0:30:06.11,0:30:12.60,Default,,0000,0000,0000,,framework developer, developer, you want\Nto advise for proper practices for your
Dialogue: 0,0:30:12.60,0:30:17.96,Default,,0000,0000,0000,,customers, but you are not you're not\Ngoing to enforce them or kind of blackmail
Dialogue: 0,0:30:17.96,0:30:22.50,Default,,0000,0000,0000,,them. Either you do it properly or you're\Nnot using my framework. So there is a
Dialogue: 0,0:30:22.50,0:30:27.19,Default,,0000,0000,0000,,conflict of interest there. So what\Nhappened because of a lack of
Dialogue: 0,0:30:27.19,0:30:33.29,Default,,0000,0000,0000,,transparency is the following. Signals 360 is\None of those frameworks. An NBA team
Dialogue: 0,0:30:33.29,0:30:39.50,Default,,0000,0000,0000,,started using this in May. And then a few\Nmonths after there is a sue and someone
Dialogue: 0,0:30:39.50,0:30:43.84,Default,,0000,0000,0000,,claims, you know, that thing is listening\Nin the background. And what's interesting
Dialogue: 0,0:30:43.84,0:30:49.22,Default,,0000,0000,0000,,is on the claim, what they are saying is,\NOK, I gave permission through the Android
Dialogue: 0,0:30:49.22,0:30:54.12,Default,,0000,0000,0000,,permission system for them to access the\Nmicrophone, but it was not explained to me
Dialogue: 0,0:30:54.12,0:30:58.84,Default,,0000,0000,0000,,exactly what they were doing. And this is\Nin close ties with what the FTC was saying
Dialogue: 0,0:30:58.84,0:31:08.74,Default,,0000,0000,0000,,in the letter a few months ago. Also,\Nagain, the same story, um, football team
Dialogue: 0,0:31:08.74,0:31:14.34,Default,,0000,0000,0000,,starts using such a framework a few months\Nafter people are complaining that they are
Dialogue: 0,0:31:14.34,0:31:21.68,Default,,0000,0000,0000,,being eavesdropped on. Um, I think what\Nhappened here is that. When the team was
Dialogue: 0,0:31:21.68,0:31:25.75,Default,,0000,0000,0000,,playing a match, the application started\Nlistening for ultrasounds, but not all
Dialogue: 0,0:31:25.75,0:31:29.56,Default,,0000,0000,0000,,your fans are going to be in the stadium,\Nso you end up listening for ultrasounds in
Dialogue: 0,0:31:29.56,0:31:37.03,Default,,0000,0000,0000,,a church and other places. So, yeah,\Npeople were also pissed. Um, OK, just to
Dialogue: 0,0:31:37.03,0:31:41.99,Default,,0000,0000,0000,,put it into perspective how prevalent\Nthese technologies are, the ecosystem is
Dialogue: 0,0:31:41.99,0:31:48.00,Default,,0000,0000,0000,,growing. Even though that one company\Nwithdrew. There are other companies in the
Dialogue: 0,0:31:48.00,0:31:54.90,Default,,0000,0000,0000,,ecosystem are coming up with new products\Nas well. So the number of users is
Dialogue: 0,0:31:54.90,0:32:00.11,Default,,0000,0000,0000,,relatively low, but it's also very hard to\Nestimate right now. We could find around
Dialogue: 0,0:32:00.11,0:32:05.27,Default,,0000,0000,0000,,10 companies offering ultrasound related\Nproducts and the majority of them is
Dialogue: 0,0:32:05.27,0:32:09.78,Default,,0000,0000,0000,,gathered around proximity marketing. There\Nwas only one company doing ultrasound
Dialogue: 0,0:32:09.78,0:32:16.59,Default,,0000,0000,0000,,cross device tracking. At least we found\None. Um, and this is mainly due to
Dialogue: 0,0:32:16.59,0:32:21.29,Default,,0000,0000,0000,,infrastructure complexity. It's not easy\Nto do all those things. And secondly, I
Dialogue: 0,0:32:21.29,0:32:26.14,Default,,0000,0000,0000,,also believe that the whole backslash from\Nthe security community is incentivized
Dialogue: 0,0:32:26.14,0:32:32.60,Default,,0000,0000,0000,,other companies from joining because they\Ndon't want a tarnished reputation. OK, so
Dialogue: 0,0:32:32.60,0:32:36.92,Default,,0000,0000,0000,,we have this situation right now.\NCompanies are using ultrasound. What are
Dialogue: 0,0:32:36.92,0:32:48.34,Default,,0000,0000,0000,,we going to do? So this was our initial\Nidea. This is what we thought first. But
Dialogue: 0,0:32:48.34,0:32:54.95,Default,,0000,0000,0000,,we want to fix things. So we tried to come\Nup with certain steps that we need to take
Dialogue: 0,0:32:54.95,0:33:02.02,Default,,0000,0000,0000,,to actually fix that thing and make it\Nusable, but not dangerous. Um, so we
Dialogue: 0,0:33:02.02,0:33:07.24,Default,,0000,0000,0000,,listed what's wrong with it. We did it\Nalready. We we developed some quick fixes
Dialogue: 0,0:33:07.24,0:33:12.33,Default,,0000,0000,0000,,that I'm going to present later and medium\Nterm solutions as well. And then we
Dialogue: 0,0:33:12.33,0:33:16.83,Default,,0000,0000,0000,,started advocating for a long term changes\Nthat are going to make the ecosystem
Dialogue: 0,0:33:16.83,0:33:23.65,Default,,0000,0000,0000,,reliable. And we need the involvement from\Nthe community there. Definitely. So. We
Dialogue: 0,0:33:23.65,0:33:29.52,Default,,0000,0000,0000,,developed some short and medium term\Nsolutions, um, the first one is a browser
Dialogue: 0,0:33:29.52,0:33:37.89,Default,,0000,0000,0000,,extension, our browser extension basically\Ndoes the following is based on HTML5, the
Dialogue: 0,0:33:37.89,0:33:45.90,Default,,0000,0000,0000,,Web audio API. Um, it filters all audio\Nsources and places a filter between the
Dialogue: 0,0:33:45.90,0:33:51.28,Default,,0000,0000,0000,,audio source and the destination on the\NWeb page and filters out ultrasounds. To
Dialogue: 0,0:33:51.28,0:33:55.49,Default,,0000,0000,0000,,do that, we use a heisel filter that\Nattenuates all frequencies above 18kHz
Dialogue: 0,0:33:55.49,0:34:04.54,Default,,0000,0000,0000,,and it works pretty reliably. And\Nwe leave all audible frequencies, intact.
Dialogue: 0,0:34:04.54,0:34:10.06,Default,,0000,0000,0000,,But it's not going to work with\Nobsolete legacy technologies such as
Dialogue: 0,0:34:10.06,0:34:16.79,Default,,0000,0000,0000,,flash. OK, we also have an adroit\Npermission, I think this somewhat more
Dialogue: 0,0:34:16.79,0:34:22.98,Default,,0000,0000,0000,,medium term solution, what we did is we\Ndeveloped a unique developed parts for the
Dialogue: 0,0:34:22.98,0:34:28.81,Default,,0000,0000,0000,,Android permission system. This allows for\Nfine grained control over the audio channel,
Dialogue: 0,0:34:28.81,0:34:35.10,Default,,0000,0000,0000,,basically separates the permission needed\Nfor listening to audible sound and the
Dialogue: 0,0:34:35.10,0:34:39.75,Default,,0000,0000,0000,,permission needed for listening to the\Nultrasound spectrum. So at least we force the
Dialogue: 0,0:34:39.75,0:34:44.56,Default,,0000,0000,0000,,applications to specifically declare that\Nthey are going to listen to four
Dialogue: 0,0:34:44.56,0:34:49.40,Default,,0000,0000,0000,,ultrasounds. And of course, users can, on\Nthe latest Android versions, can also
Dialogue: 0,0:34:49.40,0:34:54.37,Default,,0000,0000,0000,,disable this permission and it can act as\Nan opt out option if the app is not
Dialogue: 0,0:34:54.37,0:35:02.90,Default,,0000,0000,0000,,providing it. We also initiated discussion\Non the Turbo Tracker, but, um, we have,
Dialogue: 0,0:35:02.90,0:35:09.38,Default,,0000,0000,0000,,um, we are advocating for some long term\Nsolutions, so we really need some
Dialogue: 0,0:35:09.38,0:35:15.65,Default,,0000,0000,0000,,standardization here. Um, let's agree on\Nultrasound to confirm that and decide what
Dialogue: 0,0:35:15.65,0:35:20.44,Default,,0000,0000,0000,,security features can be there. I mean, we\Nneed to figure out what's technically
Dialogue: 0,0:35:20.44,0:35:25.41,Default,,0000,0000,0000,,possible there because it's not clear. And\Nthen once we have a standard, we can start
Dialogue: 0,0:35:25.41,0:35:32.11,Default,,0000,0000,0000,,building some APIs. And the APIs are very\Nnice idea because, um, they will work as
Dialogue: 0,0:35:32.11,0:35:37.25,Default,,0000,0000,0000,,the Bluetooth APIs work, meaning that they\Nwill provide some methods to discover,
Dialogue: 0,0:35:37.25,0:35:42.24,Default,,0000,0000,0000,,process, generate and emit the sound\Nbeacons through a new API related
Dialogue: 0,0:35:42.24,0:35:48.81,Default,,0000,0000,0000,,permission. And this means that we will\Nstop having overprivileged apps. We won't
Dialogue: 0,0:35:48.81,0:35:54.31,Default,,0000,0000,0000,,need access to the microphone anymore,\Nwhich is a huge problem right now. And of
Dialogue: 0,0:35:54.31,0:35:58.70,Default,,0000,0000,0000,,course, the applications will not be\Nconsidered spying anymore. And there is
Dialogue: 0,0:35:58.70,0:36:03.63,Default,,0000,0000,0000,,also another problem that we found out\Nwhile we were playing with those shops.
Dialogue: 0,0:36:03.63,0:36:08.24,Default,,0000,0000,0000,,Um, if you have a framework listening\Nthrough the microphone, other apps cannot
Dialogue: 0,0:36:08.24,0:36:12.29,Default,,0000,0000,0000,,access it. So we are trying to open the\Ncamera app to record the video on the app.
Dialogue: 0,0:36:12.29,0:36:17.32,Default,,0000,0000,0000,,Camera app was crashing because the framework\Nwas locking the access to the
Dialogue: 0,0:36:17.32,0:36:22.35,Default,,0000,0000,0000,,microphone. Now we may have some\Ndevelopers from frameworks saying, you
Dialogue: 0,0:36:22.35,0:36:26.02,Default,,0000,0000,0000,,know, I'm not going to use your API. I'm\Ngoing to keep asking for access to the
Dialogue: 0,0:36:26.02,0:36:34.09,Default,,0000,0000,0000,,microphone. But we can force them to use\Nthis API if we somehow, um, by default
Dialogue: 0,0:36:34.09,0:36:38.75,Default,,0000,0000,0000,,filter out the ultrasound frequencies\Nfrom the microphone and
Dialogue: 0,0:36:38.75,0:36:44.64,Default,,0000,0000,0000,,provide the way to the user to enable them\Non a pure application basis from his
Dialogue: 0,0:36:44.64,0:36:56.20,Default,,0000,0000,0000,,phone. OK, so. Here's what we did, um, we\Nanalyzed them, multiple ultrasound
Dialogue: 0,0:36:56.20,0:37:00.33,Default,,0000,0000,0000,,tracking technologies, we saw what what's\Nout there in the real world and reverse
Dialogue: 0,0:37:00.33,0:37:08.50,Default,,0000,0000,0000,,engineered such frameworks. We identified,\Num, quite a few security shortcomings. We
Dialogue: 0,0:37:08.50,0:37:16.15,Default,,0000,0000,0000,,introduced our attacks and proposed some,\Num, usable countermeasures. Um, and
Dialogue: 0,0:37:16.15,0:37:21.58,Default,,0000,0000,0000,,hopefully we initiated the discussion\Nabout standardizing ultrasound because,
Dialogue: 0,0:37:21.58,0:37:27.54,Default,,0000,0000,0000,,um, but there are still things left to do.\NSo for the application developers, please,
Dialogue: 0,0:37:27.54,0:37:32.88,Default,,0000,0000,0000,,um, explicitly notify the users about what\Nyour app is doing. Many of them would
Dialogue: 0,0:37:32.88,0:37:41.15,Default,,0000,0000,0000,,appreciate to know that. Um, also, we need\Nto improve transparency in the data
Dialogue: 0,0:37:41.15,0:37:47.15,Default,,0000,0000,0000,,collection process because they collecting\Nlots of data and very few information were
Dialogue: 0,0:37:47.15,0:37:52.01,Default,,0000,0000,0000,,available about what kind of data they\Nframework's collect. Um, we also think
Dialogue: 0,0:37:52.01,0:37:57.01,Default,,0000,0000,0000,,it's a good idea to have an opt in option\Nif it's not too much to ask, at least an
Dialogue: 0,0:37:57.01,0:38:07.91,Default,,0000,0000,0000,,opt out and standard security practices,\Num, as always. So framework providers
Dialogue: 0,0:38:07.91,0:38:13.73,Default,,0000,0000,0000,,basically need to make sure that the\Ndevelopers inform the users and also make
Dialogue: 0,0:38:13.73,0:38:21.03,Default,,0000,0000,0000,,sure that the users consent regularly to\Nlistening for because like it's not enough
Dialogue: 0,0:38:21.03,0:38:25.81,Default,,0000,0000,0000,,if you consent once and then a month after\Nthe app is still listening for ultrasound beacons
Dialogue: 0,0:38:25.81,0:38:33.17,Default,,0000,0000,0000,,you have to periodically ask the user if it's\Nstill okay to do that. Um. Ideally, every time
Dialogue: 0,0:38:33.17,0:38:39.62,Default,,0000,0000,0000,,you are going to listen and then, of\Ncourse, we need to work on standardizing
Dialogue: 0,0:38:39.62,0:38:43.93,Default,,0000,0000,0000,,ultrasound because this is going to be a\Nlong process and then building the
Dialogue: 0,0:38:43.93,0:38:48.43,Default,,0000,0000,0000,,specialized, specialized API. Hopefully\Nthis is going to be easier once we have a
Dialogue: 0,0:38:48.43,0:38:56.96,Default,,0000,0000,0000,,standard and see what kind of\Nauthentication mechanisms can we have in
Dialogue: 0,0:38:56.96,0:39:03.99,Default,,0000,0000,0000,,this kind of constrained transmission\Nchannel. So..
Dialogue: 0,0:39:03.99,0:39:17.15,Default,,0000,0000,0000,,{\i1}applause{\i0}
Dialogue: 0,0:39:17.15,0:39:21.23,Default,,0000,0000,0000,,Herald: Thank you Vasilios. If you have any\Nquestions, please do line up at the four
Dialogue: 0,0:39:21.23,0:39:26.68,Default,,0000,0000,0000,,microphones here in the walkways and the\Nfirst question will be the front
Dialogue: 0,0:39:26.68,0:39:30.96,Default,,0000,0000,0000,,microphone here.\NMic: Hello and thank you for your
Dialogue: 0,0:39:30.96,0:39:35.24,Default,,0000,0000,0000,,presentation. And I have a couple of\Nquestions to ask that are technical and
Dialogue: 0,0:39:35.24,0:39:41.07,Default,,0000,0000,0000,,they are very related. First of all, do\Nyou think that blocking out in our system
Dialogue: 0,0:39:41.07,0:39:47.80,Default,,0000,0000,0000,,level the high frequencies for either\Nmicrophone or the speakers as well, a
Dialogue: 0,0:39:47.80,0:39:53.07,Default,,0000,0000,0000,,something that is technically feasible and\Nwill not put a very high latency in the
Dialogue: 0,0:39:53.07,0:39:56.75,Default,,0000,0000,0000,,processing?\NVasilios: So we did that through the
Dialogue: 0,0:39:56.75,0:39:59.35,Default,,0000,0000,0000,,permission. You are talking\Nabout the smartphone right?
Dialogue: 0,0:39:59.35,0:40:03.85,Default,,0000,0000,0000,,Mic: Yeah, basically, because you have to\Nhave a real time sound and microphone
Dialogue: 0,0:40:03.85,0:40:06.77,Default,,0000,0000,0000,,feedback.\NVasilios: So we did that with the
Dialogue: 0,0:40:06.77,0:40:14.18,Default,,0000,0000,0000,,permission. And I think it's not it's not\Nto resource demanding, if that's
Dialogue: 0,0:40:14.18,0:40:17.22,Default,,0000,0000,0000,,your question. So it's\Ndefinitely possible to do that.
Dialogue: 0,0:40:17.22,0:40:21.82,Default,,0000,0000,0000,,Mic: And the second part is, so\Nthere is a new market maybe for some
Dialogue: 0,0:40:21.82,0:40:28.17,Default,,0000,0000,0000,,companies producing and microphones and\Nspeakers that explicitly block out
Dialogue: 0,0:40:28.17,0:40:33.86,Default,,0000,0000,0000,,ultrasounds, right?\NVasilios: Possibly. Possibly. Um, I'm not
Dialogue: 0,0:40:33.86,0:40:38.69,Default,,0000,0000,0000,,sure if you can do this from the\Napplication level. We developed parts for
Dialogue: 0,0:40:38.69,0:40:43.87,Default,,0000,0000,0000,,the Android system. I think our first\Napproach back then was basically try to
Dialogue: 0,0:40:43.87,0:40:48.13,Default,,0000,0000,0000,,build an app to do that from the\Napplication, from the user land. And
Dialogue: 0,0:40:48.13,0:40:53.10,Default,,0000,0000,0000,,basically, I'm not sure if you can I doubt\Nactually an Android if you can filter out
Dialogue: 0,0:40:53.10,0:40:58.57,Default,,0000,0000,0000,,ultrasounds. But from a browser, we have\Nour extension. It works on Chrome. You can
Dialogue: 0,0:40:58.57,0:41:04.25,Default,,0000,0000,0000,,easily use our code to do the\Nsame thing on the Firefox.
Dialogue: 0,0:41:04.25,0:41:06.60,Default,,0000,0000,0000,,Mic: Thanks.\NHerald: The next question is from the
Dialogue: 0,0:41:06.60,0:41:10.46,Default,,0000,0000,0000,,front right microphone.\NMic: Thank you for your talk. I have a
Dialogue: 0,0:41:10.46,0:41:15.22,Default,,0000,0000,0000,,question about the attack requirements\Nagainst the whistleblower using Tor.
Dialogue: 0,0:41:15.22,0:41:23.73,Default,,0000,0000,0000,,I'm curious, the attacker has access to\Nthe app on the smartphone and also access
Dialogue: 0,0:41:23.73,0:41:32.79,Default,,0000,0000,0000,,to the smartphone microphone. Wouldn't the\Nattacker then be able to just listen in on
Dialogue: 0,0:41:32.79,0:41:37.34,Default,,0000,0000,0000,,the conversation of the whistleblower and\Nthereby identify him?
Dialogue: 0,0:41:37.34,0:41:40.67,Default,,0000,0000,0000,,Vasilios: Yeah, absolutely. Absolutely.\NIt's a major problem. The problem is that
Dialogue: 0,0:41:40.67,0:41:47.76,Default,,0000,0000,0000,,they have access to the microphone. So\Nthis is very this is very real and it's
Dialogue: 0,0:41:47.76,0:41:52.87,Default,,0000,0000,0000,,not going to be resolved even if we had\Naccess only to the ultrasound spectrum.
Dialogue: 0,0:41:52.87,0:41:57.36,Default,,0000,0000,0000,,What we're saying is basically, if we only\Nhad access to the ultrasound spectrum,
Dialogue: 0,0:41:57.36,0:42:04.82,Default,,0000,0000,0000,,you're still uhm you are still vulnerable\Nto these attacks unless you incorporate
Dialogue: 0,0:42:04.82,0:42:10.42,Default,,0000,0000,0000,,some crypto mechanisms that prevent these\Nthings from happening. Is this your
Dialogue: 0,0:42:10.42,0:42:15.90,Default,,0000,0000,0000,,question or?\NMic: Um, well, I can still pull off the
Dialogue: 0,0:42:15.90,0:42:19.35,Default,,0000,0000,0000,,same attack if I don't\Nuse ultrasound right?
Dialogue: 0,0:42:19.35,0:42:21.54,Default,,0000,0000,0000,,Vasilios: Through the audible spectrum?\NMic: Yes,
Dialogue: 0,0:42:21.54,0:42:28.99,Default,,0000,0000,0000,,Vasilios: You can absolutely do. There is\None company doing tracking in the audible
Dialogue: 0,0:42:28.99,0:42:35.56,Default,,0000,0000,0000,,spectrum. This is much harder to mitigate.\NWe're looking into it about ways, but
Dialogue: 0,0:42:35.56,0:42:39.11,Default,,0000,0000,0000,,there are so many ways to incorporate\Nbeacons in the audible spectrum. The thing
Dialogue: 0,0:42:39.11,0:42:47.24,Default,,0000,0000,0000,,is that there is not much of an ecosystem\Nin this area right now that so you don't
Dialogue: 0,0:42:47.24,0:42:52.64,Default,,0000,0000,0000,,have lots of frameworks are there as many\Nas you have for ultrasounds.
Dialogue: 0,0:42:52.64,0:42:56.22,Default,,0000,0000,0000,,Mic: Thank you.\NHerald: Our next question will be from
Dialogue: 0,0:42:56.22,0:43:01.35,Default,,0000,0000,0000,,the Internet via our signal angel\NSignal Angel: $Username is asking, have
Dialogue: 0,0:43:01.35,0:43:08.17,Default,,0000,0000,0000,,you heard about exploiting parricide\Nultrasound emiters like IC component's?
Dialogue: 0,0:43:08.17,0:43:10.23,Default,,0000,0000,0000,,Vasilios: Can you please\Nrepeat the question?
Dialogue: 0,0:43:10.23,0:43:14.60,Default,,0000,0000,0000,,Signal Angel: Yes, sure. The question is,\Ncan you use other components on the main
Dialogue: 0,0:43:14.60,0:43:23.74,Default,,0000,0000,0000,,board or maybe the hard disk to emit\Nultrasounds and then broadcast the beacon
Dialogue: 0,0:43:23.74,0:43:28.96,Default,,0000,0000,0000,,via this?\NVailios: Uh. So that's a very that's a
Dialogue: 0,0:43:28.96,0:43:35.45,Default,,0000,0000,0000,,very good question. The answer is I don't\Nknow, possibly, and it's very scary. Um,
Dialogue: 0,0:43:35.45,0:43:42.49,Default,,0000,0000,0000,,hopefully not, but I doubt it. I think\Nthere should be a way to do it. Um, maybe
Dialogue: 0,0:43:42.49,0:43:47.20,Default,,0000,0000,0000,,the problem is that you cannot do this\Ncompletely in a completely inaudible way.
Dialogue: 0,0:43:47.20,0:43:51.76,Default,,0000,0000,0000,,Like you may be able to meet ultrasounds,\Nbut you will also emit some sort of sound
Dialogue: 0,0:43:51.76,0:43:58.01,Default,,0000,0000,0000,,in the audible spectrum so that the user\Nwill know that something is going on.
Dialogue: 0,0:43:58.01,0:44:02.52,Default,,0000,0000,0000,,Herald: The next question\Nfrom the left microphone.
Dialogue: 0,0:44:02.52,0:44:06.56,Default,,0000,0000,0000,,Mic: Thank you for your talk and\Nespecially thanks for the research. So,
Dialogue: 0,0:44:06.56,0:44:12.92,Default,,0000,0000,0000,,uh, do you know of any framework's or, uh,\NSTKs that cash the beacon's they find?
Dialogue: 0,0:44:12.92,0:44:17.76,Default,,0000,0000,0000,,Because for my use case, I my phone was\Nmostly offline. I just make it online when
Dialogue: 0,0:44:17.76,0:44:21.95,Default,,0000,0000,0000,,I have to check\Nsomething. So I'm not that concerned. But
Dialogue: 0,0:44:21.95,0:44:24.66,Default,,0000,0000,0000,,you do you know, if they like cash the\Nbeacons and and submit them later
Dialogue: 0,0:44:24.66,0:44:32.25,Default,,0000,0000,0000,,something like this. Of course they do.\NI'm not surprised, unfortunately. Yeah.
Dialogue: 0,0:44:32.25,0:44:39.45,Default,,0000,0000,0000,,Thanks. Next question from the rear.\NRight. Oh, what is the data rate? You can
Dialogue: 0,0:44:39.45,0:44:44.12,Default,,0000,0000,0000,,send in the ultrasound. Very good\Nquestion. And it's totally relevant to the
Dialogue: 0,0:44:44.12,0:44:51.25,Default,,0000,0000,0000,,cryptographic mechanisms we want to\Nincorporate from our experiments. Um, in
Dialogue: 0,0:44:51.25,0:44:58.48,Default,,0000,0000,0000,,four seconds you can basically send like\Nfive to six alphabet characters if you're
Dialogue: 0,0:44:58.48,0:45:04.50,Default,,0000,0000,0000,,willing to kind of reduce the range a lot\Nless in less than seven meters, you may be
Dialogue: 0,0:45:04.50,0:45:11.97,Default,,0000,0000,0000,,able to send more. But the standard is not\Nvery robust in this sense. But these
Dialogue: 0,0:45:11.97,0:45:16.26,Default,,0000,0000,0000,,experiments were done with this kind of\Nnaive encoding that most of the companies
Dialogue: 0,0:45:16.26,0:45:22.93,Default,,0000,0000,0000,,are using. So if you do the encoding in a\Nvery smart way, possibly you can increase
Dialogue: 0,0:45:22.93,0:45:29.33,Default,,0000,0000,0000,,that. And a small second part, what's the\Nenergy consumption on the phone if that is
Dialogue: 0,0:45:29.33,0:45:35.11,Default,,0000,0000,0000,,running all the time? Wouldn't I detect\Nthat? So it's not, uh, it's not good. We
Dialogue: 0,0:45:35.11,0:45:38.89,Default,,0000,0000,0000,,saw that it was draining the battery and\Nactually in the comments, I don't know if
Dialogue: 0,0:45:38.89,0:45:44.50,Default,,0000,0000,0000,,I had that comment here. Some people were\Ncomplaining that, um, I tried and it was
Dialogue: 0,0:45:44.50,0:45:53.03,Default,,0000,0000,0000,,draining my battery. And, um, there is an\Nimpact. Absolutely. Amazon and Google Nest
Dialogue: 0,0:45:53.03,0:45:57.71,Default,,0000,0000,0000,,and all the other parts, aren't you more\Nworried about that? You know, the always
Dialogue: 0,0:45:57.71,0:46:02.40,Default,,0000,0000,0000,,listening thing from Google and Amazon and\Neveryone is coming up with some something
Dialogue: 0,0:46:02.40,0:46:10.13,Default,,0000,0000,0000,,like that that's always on. And so that\Nit's kind of strange because a user's
Dialogue: 0,0:46:10.13,0:46:18.37,Default,,0000,0000,0000,,consent. But at the same time, they don't\Ncompletely understand. So there is a gray
Dialogue: 0,0:46:18.37,0:46:22.67,Default,,0000,0000,0000,,line there, like you can say that the\Nusers, OK, you consented to that up,
Dialogue: 0,0:46:22.67,0:46:28.55,Default,,0000,0000,0000,,starting with your with your phone and\Nlistening on the background. But at the
Dialogue: 0,0:46:28.55,0:46:34.87,Default,,0000,0000,0000,,same time, the users don't have the best\Nunderstanding. Always. Thank you. Next
Dialogue: 0,0:46:34.87,0:46:39.43,Default,,0000,0000,0000,,question from the front left microphone\Nfirst. Thank you for the talk. I would be
Dialogue: 0,0:46:39.43,0:46:43.81,Default,,0000,0000,0000,,interested in how you selected your real\Nworld applications and how many you found
Dialogue: 0,0:46:43.81,0:46:51.12,Default,,0000,0000,0000,,that already use such a framework. So what\Nwas the first part of the question, how
Dialogue: 0,0:46:51.12,0:46:56.79,Default,,0000,0000,0000,,you selected your real world applications\Nfrom the marketplace staff if you had any.
Dialogue: 0,0:46:56.79,0:47:04.11,Default,,0000,0000,0000,,So we're trying to do a systematic scan of\Nthe whole market, but it's not easy. So we
Dialogue: 0,0:47:04.11,0:47:09.44,Default,,0000,0000,0000,,not able to do that. There are resources\Non the Internet. Luckily, the companies
Dialogue: 0,0:47:09.44,0:47:15.71,Default,,0000,0000,0000,,need to advertise their product. So they\Nbasically publish press releases saying,
Dialogue: 0,0:47:15.71,0:47:22.00,Default,,0000,0000,0000,,you know, this NBA team started using our\Nproduct. We did some sort of scanning
Dialogue: 0,0:47:22.00,0:47:27.89,Default,,0000,0000,0000,,through alternative datasets, but\Ndefinitely we don't have an exhaustive
Dialogue: 0,0:47:27.89,0:47:33.05,Default,,0000,0000,0000,,list of applications. What I can say,\Nthough, is that there are applications
Dialogue: 0,0:47:33.05,0:47:40.25,Default,,0000,0000,0000,,with. Using such frameworks with nearly up\Nto, if I remember correctly, up to one
Dialogue: 0,0:47:40.25,0:47:49.16,Default,,0000,0000,0000,,million installations. One notable\Nexample, OK, I'm not entirely sure what I
Dialogue: 0,0:47:49.16,0:47:55.38,Default,,0000,0000,0000,,wanted, but up to a million we definitely\Nsaw. OK, thanks. Do we have more questions
Dialogue: 0,0:47:55.38,0:48:02.50,Default,,0000,0000,0000,,from the Internet? Yes, E.F. is asking, is\Nhe aware of or are you aware sorry? Are
Dialogue: 0,0:48:02.50,0:48:05.57,Default,,0000,0000,0000,,you aware of any framework available by\NGoogle or Apple? In other words, how do we
Dialogue: 0,0:48:05.57,0:48:11.96,Default,,0000,0000,0000,,know that it's not, for instance,\Nseriously snitching on us? How do we know
Dialogue: 0,0:48:11.96,0:48:19.91,Default,,0000,0000,0000,,that it's not true? It's not serious. Some\Nmaybe Aleksa snitching on us. We don't. I
Dialogue: 0,0:48:19.91,0:48:24.16,Default,,0000,0000,0000,,think that's a that's a very large\Ndiscussion. Right. So is the same problem
Dialogue: 0,0:48:24.16,0:48:34.06,Default,,0000,0000,0000,,that these companies are having? Because\Nif I go back here, basically the users are
Dialogue: 0,0:48:34.06,0:48:43.69,Default,,0000,0000,0000,,accusing them of eavesdropping. Especially\Nhere from reverse engineering those
Dialogue: 0,0:48:43.69,0:48:49.87,Default,,0000,0000,0000,,frameworks, we couldn't find any such\Nactivity, but again, it's very hard to
Dialogue: 0,0:48:49.87,0:48:54.26,Default,,0000,0000,0000,,convince the users that you are listening\Nto the ultrasound spectrum. You if you're
Dialogue: 0,0:48:54.26,0:48:59.77,Default,,0000,0000,0000,,accessing the whole audible frequencies\Nthrough the microphone, you're going to or
Dialogue: 0,0:48:59.77,0:49:04.12,Default,,0000,0000,0000,,you will always find yourself in this\Nposition. So I guess it's the same problem
Dialogue: 0,0:49:04.12,0:49:09.34,Default,,0000,0000,0000,,that Alexa has from Amazon. But in this\Ncase, you can actually solve it by
Dialogue: 0,0:49:09.34,0:49:15.41,Default,,0000,0000,0000,,constraining the spectrum that you gain\Naccess to. Next question from the front
Dialogue: 0,0:49:15.41,0:49:21.07,Default,,0000,0000,0000,,left microphone, please. Has anybody done\Nan audible demonstration off these beacons
Dialogue: 0,0:49:21.07,0:49:26.23,Default,,0000,0000,0000,,bypassed by transposing them down an\Noctave or two, I think might be useful for
Dialogue: 0,0:49:26.23,0:49:34.09,Default,,0000,0000,0000,,for or your talk to something like that.\NSo you mean a demo, but using audible
Dialogue: 0,0:49:34.09,0:49:40.63,Default,,0000,0000,0000,,frequencies? Essentially, there is this\None company, but they are being pretty to
Dialogue: 0,0:49:40.63,0:49:44.87,Default,,0000,0000,0000,,all of these companies are being pretty\Nsecretive with their technology. So they
Dialogue: 0,0:49:44.87,0:49:51.43,Default,,0000,0000,0000,,publish what's needed for marketing\Npurposes like accuracy sometimes remains
Dialogue: 0,0:49:51.43,0:49:57.39,Default,,0000,0000,0000,,very limited technical details. But apart\Nfrom these, you have to get your hands on
Dialogue: 0,0:49:57.39,0:50:04.83,Default,,0000,0000,0000,,the framework somehow and analyze it\Nyourself. So in this kind of overview we
Dialogue: 0,0:50:04.83,0:50:08.13,Default,,0000,0000,0000,,need for the ecosystem, we had to do\Neverything by ourselves. There was no
Dialogue: 0,0:50:08.13,0:50:15.79,Default,,0000,0000,0000,,resources out there were very limited, um,\Nor recording it and playing it down and
Dialogue: 0,0:50:15.79,0:50:23.29,Default,,0000,0000,0000,,transposing it yourself, if you know where\Nas a beacon of. Possibly I'm not I'm not
Dialogue: 0,0:50:23.29,0:50:31.78,Default,,0000,0000,0000,,entirely sure you could. Yeah. Another\Nquestion from our signal, angel mestas,
Dialogue: 0,0:50:31.78,0:50:37.79,Default,,0000,0000,0000,,again asking, um, would it be possible,\Neven if you have a low pass filter to use,
Dialogue: 0,0:50:37.79,0:50:44.81,Default,,0000,0000,0000,,uh, for instance, the cost effect and high\Ncost effect to transmit the beacon via
Dialogue: 0,0:50:44.81,0:50:53.90,Default,,0000,0000,0000,,ultrasound, but in a regime which is as\Nfree for the app? So it's basically the
Dialogue: 0,0:50:53.90,0:50:59.80,Default,,0000,0000,0000,,question, can I somehow, via Aliasing USA\Naddress on signal to make a normal signal
Dialogue: 0,0:50:59.80,0:51:08.32,Default,,0000,0000,0000,,out of it? Possibly, I don't know. I think\Nyou are much more creative than I am, so
Dialogue: 0,0:51:08.32,0:51:16.82,Default,,0000,0000,0000,,maybe I should add more bullet points on\Nthis controversialist here. Apparently,
Dialogue: 0,0:51:16.82,0:51:23.15,Default,,0000,0000,0000,,there are many more ways to do this,\Npossibly like hardware missions. This one
Dialogue: 0,0:51:23.15,0:51:29.62,Default,,0000,0000,0000,,sounds like a good idea, too. So next\Nquestion from the real right microphone. I
Dialogue: 0,0:51:29.62,0:51:33.56,Default,,0000,0000,0000,,apologize if you explain the story they\Ndidn't understand, but is is sort of
Dialogue: 0,0:51:33.56,0:51:38.82,Default,,0000,0000,0000,,drowning out the signals, like jamming.\NThey just broadcasting white noise in that
Dialogue: 0,0:51:38.82,0:51:43.81,Default,,0000,0000,0000,,spectrum, an effective countermeasure. And\Nas a follow up, if it is, would it
Dialogue: 0,0:51:43.81,0:51:56.75,Default,,0000,0000,0000,,terrorize my dog? So absolutely, it's\Neffective. I mean, this it works up to
Dialogue: 0,0:51:56.75,0:52:01.77,Default,,0000,0000,0000,,seven meters, but we're not saying it's\Nnot fragile, so you can do that, but it's
Dialogue: 0,0:52:01.77,0:52:05.83,Default,,0000,0000,0000,,noise pollution. And my dog, I don't think\Nit was happy. I did it for a very limited
Dialogue: 0,0:52:05.83,0:52:10.28,Default,,0000,0000,0000,,time. I could see her ears moving, but I\Ndon't think she would appreciate it if I
Dialogue: 0,0:52:10.28,0:52:16.72,Default,,0000,0000,0000,,had the device at home doing this all the\Ntime. Do we have any more questions from
Dialogue: 0,0:52:16.72,0:52:22.46,Default,,0000,0000,0000,,the Internet? Yes, EULEX is asking to what\Nextent could we use these for our own
Dialogue: 0,0:52:22.46,0:52:26.56,Default,,0000,0000,0000,,needs? For example, people in repressive\Nsituations, for example, activists could
Dialogue: 0,0:52:26.56,0:52:30.63,Default,,0000,0000,0000,,use it to transmit secret encrypted\Nmessages. Are there any efforts in this
Dialogue: 0,0:52:30.63,0:52:40.83,Default,,0000,0000,0000,,area? Yes, there are. People are\Ndeveloping ultrasound modems. I think
Dialogue: 0,0:52:40.83,0:52:51.03,Default,,0000,0000,0000,,there is even a tag on it. And yes, of\Ncourse there is. So I would say, yes, I'm
Dialogue: 0,0:52:51.03,0:52:57.03,Default,,0000,0000,0000,,not entirely sure about the capabilities\Nof this channel in terms of bandwidth, but
Dialogue: 0,0:52:57.03,0:53:01.89,Default,,0000,0000,0000,,this is why we we are not advocating to\Nkill the technology just to make it secure
Dialogue: 0,0:53:01.89,0:53:06.90,Default,,0000,0000,0000,,and know its limitations. So you can do\Ngood stuff with it. And this is what we
Dialogue: 0,0:53:06.90,0:53:13.72,Default,,0000,0000,0000,,want. Next question from the Rio, right?\NYeah, I'm wondering if you could transfer
Dialogue: 0,0:53:13.72,0:53:19.86,Default,,0000,0000,0000,,that technique from the ultrasound range\Nalso to the Audible Range, for example, by
Dialogue: 0,0:53:19.86,0:53:26.55,Default,,0000,0000,0000,,using watermarks, audio, watermarks, and\Nthen, well, your permission thingy with
Dialogue: 0,0:53:26.55,0:53:31.74,Default,,0000,0000,0000,,the ultrasound permissions would be\Nineffective and you could also track the
Dialogue: 0,0:53:31.74,0:53:37.81,Default,,0000,0000,0000,,user. How about this? Is it possible audio\Nwatermarks in the audible spectrum? Yeah,
Dialogue: 0,0:53:37.81,0:53:42.90,Default,,0000,0000,0000,,it's absolutely possible. Um, our\Ncountermeasures are not effective against
Dialogue: 0,0:53:42.90,0:53:50.49,Default,,0000,0000,0000,,this. Um, it's just that there is from our\Nresearch, just one company doing this. Uh,
Dialogue: 0,0:53:50.49,0:53:57.12,Default,,0000,0000,0000,,so this one, um, I think technically it's\Na bit more challenging to do that.
Dialogue: 0,0:53:57.12,0:54:02.81,Default,,0000,0000,0000,,Instead, they're just admitting they are\Ndoing it in a very basic way. So
Dialogue: 0,0:54:02.81,0:54:08.48,Default,,0000,0000,0000,,hopefully, um, if there is a clear way to\Ndo it through ultrasounds, they are not
Dialogue: 0,0:54:08.48,0:54:15.40,Default,,0000,0000,0000,,going to reside reside in the audible\Nspectrum. But our countermeasures are not
Dialogue: 0,0:54:15.40,0:54:22.64,Default,,0000,0000,0000,,effective against the audible. Um.\NWatermarks. Yeah, thanks, next question
Dialogue: 0,0:54:22.64,0:54:28.96,Default,,0000,0000,0000,,from the front left microphone. I've heard\Nthat I don't think it's very credible, but
Dialogue: 0,0:54:28.96,0:54:34.08,Default,,0000,0000,0000,,I've heard that there is some sound on\Nthis sub sound spectrum. There were some
Dialogue: 0,0:54:34.08,0:54:40.70,Default,,0000,0000,0000,,experiments showing that they can\Ninfluence our mood, the mood of humans. Is
Dialogue: 0,0:54:40.70,0:54:47.90,Default,,0000,0000,0000,,there any relevant information about how\Nultrasounds could affect us? So without
Dialogue: 0,0:54:47.90,0:54:54.58,Default,,0000,0000,0000,,being an expert in this particular area?\NI've read similar articles when I was
Dialogue: 0,0:54:54.58,0:54:59.19,Default,,0000,0000,0000,,looking into it. I can tell you it's very\Nannoying, especially if you're listening
Dialogue: 0,0:54:59.19,0:55:05.68,Default,,0000,0000,0000,,to it through headphones. You cannot\Nreally hear the sound, but you can if
Dialogue: 0,0:55:05.68,0:55:11.60,Default,,0000,0000,0000,,you're using headphones, you can feel the\Npressure. So if I don't know what kind of
Dialogue: 0,0:55:11.60,0:55:19.81,Default,,0000,0000,0000,,medical condition you may develop, but you\Nwon't be very sane after. Do we have any
Dialogue: 0,0:55:19.81,0:55:27.29,Default,,0000,0000,0000,,more questions? Yes. One further question,\Num, would it be possible to, um, use a
Dialogue: 0,0:55:27.29,0:55:33.100,Default,,0000,0000,0000,,charming solution to get rid of the\Nsignals? Yes, but you you're going to
Dialogue: 0,0:55:33.100,0:55:38.45,Default,,0000,0000,0000,,follow the you know, it's going to result\Nin noise pollution, but if you are being
Dialogue: 0,0:55:38.45,0:55:46.69,Default,,0000,0000,0000,,paranoid about it, yes, it's and it's, I\Nthink, a straightforward thing to do. Any
Dialogue: 0,0:55:46.69,0:55:53.33,Default,,0000,0000,0000,,more questions? One more on the front left\Nmicrophone. Know, you said that physical
Dialogue: 0,0:55:53.33,0:55:59.05,Default,,0000,0000,0000,,objects will block the ultrasound. How\Nsolid do the physical objects need to be?
Dialogue: 0,0:55:59.05,0:56:04.68,Default,,0000,0000,0000,,So, for example, does my pocket block the\Nultrasound and thus prevent my phone to
Dialogue: 0,0:56:04.68,0:56:11.58,Default,,0000,0000,0000,,call the environment and vice versa? OK,\Nwell, that's a good question. I don't
Dialogue: 0,0:56:11.58,0:56:16.53,Default,,0000,0000,0000,,think that clothes can actually do that\Nunless it's very thick. Thin girls
Dialogue: 0,0:56:16.53,0:56:27.19,Default,,0000,0000,0000,,definitely block it. Um. Thick glass, I\Nwould say it reduce the transmission rate,
Dialogue: 0,0:56:27.19,0:56:35.56,Default,,0000,0000,0000,,the signal to noise ratio by a lot, but it\Ncould go through it, so. You need
Dialogue: 0,0:56:35.56,0:56:42.69,Default,,0000,0000,0000,,something quite concrete, metal. I don't\Nthink it goes through it. So are there any
Dialogue: 0,0:56:42.69,0:56:48.16,Default,,0000,0000,0000,,more? Doesn't look like it, maybe, maybe\None more sorry. Oh, good signal, good bye.
Dialogue: 0,0:56:48.16,0:57:02.35,Default,,0000,0000,0000,,Kitty is asking, could you name or compile\Na list of tracking programs and apps? So.
Dialogue: 0,0:57:02.35,0:57:07.41,Default,,0000,0000,0000,,That's a good question. We're trying to\Nmake an exhaustive list and try to resolve
Dialogue: 0,0:57:07.41,0:57:16.53,Default,,0000,0000,0000,,this in a systematic way. I've already\Nlisted two Macenta frameworks. One is the
Dialogue: 0,0:57:16.53,0:57:20.16,Default,,0000,0000,0000,,Silverbush one three actually. One is the\NSilver Paswan. There is another one used
Dialogue: 0,0:57:20.16,0:57:32.94,Default,,0000,0000,0000,,by single 360. So developed the signal\N360, and then there is a listener one.
Dialogue: 0,0:57:32.94,0:57:39.61,Default,,0000,0000,0000,,These are very popular. Um, and then its\Ndeveloper is incorporating them into their
Dialogue: 0,0:57:39.61,0:57:48.75,Default,,0000,0000,0000,,applications in different ways, offering\Nvarying levels of transparency for the
Dialogue: 0,0:57:48.75,0:57:54.34,Default,,0000,0000,0000,,users. So it's better if you start knowing\Nwhat the frameworks are and then trying to
Dialogue: 0,0:57:54.34,0:57:59.04,Default,,0000,0000,0000,,find the applications using them, because\Nyou know what? You're looking in the code
Dialogue: 0,0:57:59.04,0:58:06.28,Default,,0000,0000,0000,,and you can develop some queries and\Nenabling you to access an ability to to
Dialogue: 0,0:58:06.28,0:58:13.51,Default,,0000,0000,0000,,track which applications are using them.\NWhat what we observed for Silverbush is
Dialogue: 0,0:58:13.51,0:58:18.82,Default,,0000,0000,0000,,basically after the company announced that\Nthey are moving out of the US and because
Dialogue: 0,0:58:18.82,0:58:24.39,Default,,0000,0000,0000,,of the whole backslash, maybe even before\Nthat, um, companies started to drop the
Dialogue: 0,0:58:24.39,0:58:30.11,Default,,0000,0000,0000,,framework. So all their versions had the\Nframework, but they are not using it
Dialogue: 0,0:58:30.11,0:58:52.55,Default,,0000,0000,0000,,anymore. I think that's it. Thank you very\Nmuch, Vasilios Lovelady's.
Dialogue: 0,0:58:52.55,0:59:02.93,Default,,0000,0000,0000,,Subtitles created by c3subtitles.de\Nin the year 2021. Join, and help us!