Zero-Permission Acoustic Cross-Device Tracking

Adversaries today can embed tracking identifiers into ultrasonic sound and covertly transmit them between devices without users realizing that this is happening. To prevent such emerging privacy risks, mobile applications now require a request for an explicit user permission, at run-time, to get access to a device's microphone. In this paper, however, we show that current defenses are not enough. We introduce a novel approach to acoustic cross-device tracking, which does not require microphone access, but instead exploits the susceptibility of MEMS gyroscopes to acoustic vibrations at specific (ultrasonic) frequencies. Currently, no permissions are needed to access the gyroscope's data, and the gyroscope can be accessed from apps or even from a web browser. In this manner, gyroscopes in modern smartphones and smartwatches can be used as zero-permission receivers of ultrasonic signals, making cross-device tracking completely unnoticeable to users. We evaluate our approach on several mobile devices using different audio hardware, achieving 10-20bit/s transmission bandwidth at distances from 35cm to 16m in realistic attack scenarios. Finally, we discuss potential countermeasures against the presented attack.