Hackers could use a sonar-based attack to infer information about what a target is doing, including when they might be engaging in sexual activity.

The attack, known as CovertBand, is the product of four researchers’ work at the University of Washington’s Paul G. Allen School of Computer Science & Engineering. These individuals sought to answer an important question in the age of digital security and privacy: what if an attacker could use a smart device to track a target’s movements without the target’s knowledge?

CovertBand succeeds in this regard by masquerading as a third-party Android app.

Upon installation, the app secretly uses the AudioTrack API to blast acoustic signals at 18-20 kHz. Some adults can faintly distinguish these signals, so CovertBand transmits them under a song with lots of percussive sounds for masking purposes. The attack then uses the AudioRecord API to record these backscattered 18-20 kHz signals. With two microphones picking up the transmissions, an attacker can receive the recorded data over Bluetooth and approximate a target’s 2D positioning using a laptop.

And you thought the Amazon Echo was scary.

But tracking a target’s 2D location is only the beginning of it. As the researchers explain in their paper:

“We show how CovertBand can potentially enable an attacker to differentiate between different classes of movements even when subjects are in different body positions and orientations. Specifically, we focus on two classes of motion: (1) linear motion (the subject walks in a straight line) and (2) periodic motion (pelvic tilt where the subject remains in approximately the same position (lying on his or her back on the floor) but performs a periodic exercise). These motions are sufficiently different that we should be able to differentiate them by looking at the spectrograms, but are also realistic enough to potentially enable privacy leakage. For example, (1) models information that might be of interest to intelligence community members, e.g., to track the location of a target within a room and (2) could be used to infer sexual activity, for which the importance of protecting might vary depending on the target’s culture and cultural norms or might vary depending on the target’s public visibility, e.g., celebrity status or political status.”

That’s right. Not even targets’ bedroom romps are safe from CovertBand!

In an experimental setup, the researchers had “Bob” walk around inside of a bathroom and do several activities. Using CovertBand, they were able to determine that Bob likely spent less than 20 seconds sitting on the toilet and brushing his teeth.

Subsequent tests revealed the attack could track an individual walking across a bathroom in a straight line outside of a closed wooden door at a mean tracking error of 18 cm. Even with more complex movements, the tracking error distance was less than 25 cm. (That’s also the case for tracking more than one subject at the same time.) When you start introducing windows and external doors, the tracking error goes up to about 30 cm.

With these results, an attacker could use lots of different devices like smart TVs to spy on unsuspecting targets.

Those who are concerned about CovertBand can protect themselves against the attack with counter-measures ranging from simple to seriously mental. On the saner end of the spectrum, they could use a sensor to listen for transmissions above people’s listening threshold. On the more “creative” side, people can play their own 18-20 kHz signals to jam CovertBand, something which could overload the sound space and create considerable discomfort for children or pets. Or they could take it one extra step and soundproof their homes.
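
The first counter-measure, listening for transmissions above the hearing threshold, can be sketched in software. This is an added example, not code from the researchers or the original article: it compares signal power in the 18-20 kHz band against a neighbouring band, and the 48 kHz sample rate, the 15-17 kHz reference band, the 15 dB threshold and the synthetic test audio are all assumptions made for illustration.

```python
import math
import random

RATE = 48_000                  # Hz; assumed capture rate (Nyquist 24 kHz covers the band)
PROBE_BAND = (18_000, 20_000)  # Hz, the band the article attributes to CovertBand
REF_BAND = (15_000, 17_000)    # Hz, assumed neighbouring band used as a baseline

def goertzel_power(samples, freq, rate=RATE):
    """Normalised power of a single frequency via the Goertzel recurrence."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return (s1 * s1 + s2 * s2 - coeff * s1 * s2) / len(samples) ** 2

def band_power(samples, band, step=100, rate=RATE):
    """Mean Goertzel power at probe frequencies every `step` Hz across band."""
    freqs = range(band[0], band[1] + 1, step)
    return sum(goertzel_power(samples, f, rate) for f in freqs) / len(freqs)

def excess_db(samples, rate=RATE):
    """How far 18-20 kHz power sits above the reference band, in dB."""
    probe = band_power(samples, PROBE_BAND, rate=rate)
    ref = band_power(samples, REF_BAND, rate=rate)
    return 10.0 * math.log10((probe + 1e-15) / (ref + 1e-15))

def is_suspicious(samples, threshold_db=15.0, rate=RATE):
    """Flag a window whose near-ultrasonic band stands out from its neighbour."""
    return excess_db(samples, rate) > threshold_db

def constructed_window(with_probe, n=4800, seed=1):
    """Constructed 0.1 s test audio: tones plus percussive noise bursts,
    optionally with quiet 18.5/19/19.5 kHz tones standing in for a probe."""
    rng = random.Random(seed)
    out = []
    for i in range(n):
        t = i / RATE
        x = 0.4 * math.sin(2 * math.pi * 220 * t) + 0.2 * math.sin(2 * math.pi * 440 * t)
        x += 0.05 * math.exp(-200 * (t % 0.05)) * rng.uniform(-1, 1)  # drum-like hit
        if with_probe:
            x += sum(0.02 * math.sin(2 * math.pi * f * t) for f in (18_500, 19_000, 19_500))
        out.append(x)
    return out

if __name__ == "__main__":
    for label, flag in (("music only", False), ("music + probe", True)):
        w = constructed_window(flag)
        print(f"{label}: {excess_db(w):+.1f} dB, suspicious={is_suspicious(w)}")
```

A real sensor would feed successive microphone windows to `is_suspicious` and alert only on sustained hits, since a single cymbal crash can briefly raise high-frequency energy.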

Then again, these behaviors could be worth it in terms of protecting our privacy, especially if someone can use CovertBand to detect more activities, improve its range, and track more than two individuals.
