In recent months, even established industry standards like Bluetooth and WPA2 Wi-Fi have been shown to have vulnerabilities and flaws. But as impactful and potentially damaging as these revelations have been, some wireless communication technologies have their own alarming risks—precisely because the industry hasn't yet agreed on how to architect and implement them.

Among those haphazard wireless technologies are ultrasonic communications. Ultrasounds have already gained a sinister reputation for their use in device tracking schemes in which apps gain permission to access a user's smartphone, then listen for inaudible "beacons" being broadcast in advertisements, websites, and even physical stores. At the RSA security conference in San Francisco on Tuesday, researchers are presenting new findings about where things stand with ultrasonic communication—and how concerned you should be about the technology.


Giovanni Vigna, a mobile and web security researcher at the University of California in Santa Barbara, and Vasilios Mavroudis, a doctoral researcher at University College London, say that ultrasonic cross-device tracking, while certainly not eradicated, hasn't been gaining widespread adoption, thanks in part to an outcry from privacy watchdogs and an aggressive FTC probe a few years ago. Instead, ultrasonic communication technology has increasingly found use in a diverse array of location-based services, in which an app listens for beacons and suggests location-related services or content when your device is close enough to hear particular ultrasonic emissions. This approach is being used to serve information for walking tours and museum visits, facilitate ticketing at stadiums and other venues, and create novel effects like light shows that coordinate the camera flashes on attendees' phones at an event.

Vigna and Mavroudis argue that these offerings in themselves aren't as immediately privacy-invading as initiatives that quietly track devices over time and collect information about their owners to create tailored profiles. When choosing to download a location-based app that uses ultrasounds, users are more directly aware of what that app will do. The researchers note, though, that ultrasonic technologies still have real problems at this point. The issue is not that ultrasound is being used for wireless communication in general, but that the technology is currently immature. Every company codes its own version and develops a different implementation of ultrasonic communication, and there's no way to ensure that all these different versions provide basic privacy and security protections.

"The real value of this technology is that you don’t need any specific network setup, you are riding a physical phenomenon and can model proximity in a physical way," Vigna says. "For IoT that could be important, because it’s something you cannot spoof across walls or across barriers. But leaving ultrasound completely unchecked causes confusion, and implementations are flawed because they're ad hoc. There are risks that are only going to become worse without standardization."

In past research into ultrasound communication, Mavroudis has concluded that the most pressing potential risks involve leaving ultrasound receiving apps unrestricted. If an app is given, say, carte blanche access to a device's microphone data, users have to simply trust that the app will only access ultrasonic information, and won't listen in on everything a user is doing. Similarly, some ultrasound apps will continue collecting data from a user's microphone while their device is in airplane mode, storing it up to eventually send back to a web server once the device regains connectivity, while other services and applications don't. With so much diversity, it's difficult for users to keep track of how any one ultrasound service functions.

It doesn't have to be that way. Operating systems could require ultrasonic communication to run through an application programming interface that controls for these types of extraneous access in a consistent way. And that sort of mechanism would ideally move beyond individual ecosystems to become a standard, like Wi-Fi and Bluetooth, that can be used across the industry.
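An added illustration of the kind of mediating interface described above, not code from the article, the researchers or Google Nearby: a hypothetical `ultrasonic_gate` keeps raw microphone samples on the trusted side and hands an app only one presence bit per beacon channel. The 48 kHz sample rate, the four channel frequencies, the threshold and the test signals are all assumptions constructed for this example.

```python
import math

SAMPLE_RATE = 48_000                              # assumed capture rate, Hz
BEACON_FREQS = (18_500, 19_000, 19_500, 20_000)   # assumed beacon channels, Hz
THRESHOLD = 0.05                                  # assumed minimum tone amplitude


def goertzel_amplitude(samples, freq, rate=SAMPLE_RATE):
    """Amplitude of a single frequency in the frame (Goertzel algorithm)."""
    n = len(samples)
    k = round(n * freq / rate)                    # nearest DFT bin
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2
    return 2.0 * math.sqrt(max(power, 0.0)) / n


def ultrasonic_gate(frame):
    """What the app receives: one presence bit per beacon channel.

    The raw samples, and with them everything in the audible band,
    stay on the trusted side of the interface.
    """
    return {f: goertzel_amplitude(frame, f) >= THRESHOLD for f in BEACON_FREQS}


def tone(freq, amp, n=4_800):
    """Constructed test signal: n samples (100 ms) of a sine wave."""
    return [amp * math.sin(2.0 * math.pi * freq * i / SAMPLE_RATE) for i in range(n)]


def mix(*signals):
    """Sum several equal-length signals sample by sample."""
    return [sum(values) for values in zip(*signals)]


def demo():
    audible = mix(tone(440, 0.6), tone(1_200, 0.3))   # stands in for speech
    with_beacon = mix(audible, tone(19_000, 0.1))     # same room, beacon playing
    return ultrasonic_gate(audible), ultrasonic_gate(with_beacon)


if __name__ == "__main__":
    for label, result in zip(("audible only", "audible + beacon"), demo()):
        print(label, result)
```

Because the app only ever sees the dictionary of channel bits, loud audible content in the same frame changes nothing it can observe.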


The researchers note that Google in particular has been leading the way on this initiative with an API for Android and iOS called Google Nearby. The platform is built to be secure and resilient, and incorporates interoperability initiatives for certain beacon formats and partners. Google Nearby can also blend ultrasonic technologies with existing wireless standards. In addition to apps on Android, like entertainment and photo services from United Airlines and CVS, Google Nearby is also incorporated into smart home devices like Chromecast.

"It’s hard to control how people are going to use the technology, but Google Nearby is certainly a step in the right direction," Mavroudis notes. "Having said that, there are still many companies developing their own framework and I wouldn’t want to see a Google monopoly on this. If it was a technology where everyone could build their own solution based on an industry standard that would be better."

The researchers are relieved that the most abusable elements of ultrasonic cross-device tracking don't seem to be gaining popularity right now. But overall, companies are increasingly finding proximity-related uses for ultrasounds and implementing them more and more. Without widespread collaboration on a robust standard, ultrasonic services could quickly become a massive security and privacy problem.
