Privacy is probably one of the most debated arguments when dealing with the Internet, we discussed several times the way to protect anonymity online and which are the attacks law enforcement and intelligence agencies carry on in order to de-anonymize users.
Most users believe that just blocking scripts and advertisements is enough to avoid being tracked, but this is false. Some websites are able to monitor and track users through fingerprinting techniques based on the HTML Canvass API and WebRTC local IP discovery.
Today we will discuss a new web-tracking technique called Audio Fingerprinting.
The Audio Fingerprinting tracking technique represents a valid solution for the advertising industry and for law enforcement agencies. It could be used to de-anonymized users surfing through a VPN network without decrypting the traffic.
A group of researchers from the Princeton University have conducted a study on multiple Google domains and discovered the company is tracking users on nearly 80 percent of all Top 1 Million Domains by leveraging on a variety of tracking and identification techniques.
“We make 15 types of measurements on each site, including stateful (cookie-based) and stateless (fingerprinting-based) tracking, the effect of browser privacy tools, and the exchange of tracking data between different sites (“cookie syncing”). Our findings include multiple sophisticated fingerprinting techniques never before measured in the wild” states the paper published by the researchers.
One of these tracking methods is the Audio Fingerprinting technique that relies on the audio stack of the machine through the use of the AudioContext API.The researchers discovered that it is possible to harvest the audio signals of the each machine that is using the AudioContext API to reveal unique browser and device combinations.
The technique is devious as efficient, a third-party tracker could use the AudioContext API to send low-frequency sounds to a user’s machine and then measures the way it processes the data in order to create a unique fingerprint.
“A script from the company Liverail checks for the existence of an AudioContext and OscillatorNode to add a single bit of information to a broader fingerprint. More sophisticated scripts process an audio signal generated with an OscillatorNode to fingerprint the device.” wrote the researchers.”This technique appears conceptually similar to that of canvas fingerprinting. Audio signals processed on different machines or browsers may have slight differences due to hardware or software differences between the machines while the same combination of machine and browser will produce the same output.”
The team of researchers has published a live demo page of the technique to show to fingerprint users exploiting the AudioContext API.
Fortunately, the Audio fingerprinting technique is not widespread.
The researchers used the open-source tool OpenWPM to perform their tests, is implements numerous advanced features, including the ability to automatically log into websites using specified credentials. It loads sites in common browsers (i.e. Chrome, Firefox and Internet Explorer) collecting data on the tracking loaded on each page.
The work of the researchers is precious, such kind of analysis will help privacy defenders against the proliferation of tracking techniques.
If you appreciate my effort in spreading cyber security awareness, please vote for Security Affairs as best European Security Blog. Vote SecurityAffairs in every section it is reported. I’m one of the finalists and I want to demonstrate that the Security Affairs community a great reality.
(Security Affairs – Audio Fingerprinting, privacy)