Alexa – what are you hearing that I can’t?

From Amazon Echo and Google Home to Siri and Cortana, technology is increasingly listening to what we say. And as with any new technology, people are finding ways to exploit it for nefarious purposes, for example when Burger King tricked Google Home into playing an advert for its Whoppers.

That Google could be duped so easily is a surprise, but the threat was minimal. However, security researchers have discovered far more sinister means of using open microphones to snoop on consumers.

According to researchers from the Technische Universität Braunschweig in Germany, more than 230 apps on Google Play use listening technology that responds to near-ultrasonic signals broadcast from a variety of sources. Beacons can be placed in offline media content, such as TV or radio ads, to let apps know what a mobile user is watching, or in shops to pinpoint their location without having to seek permission to use GPS.

The technology originally drew criticism in 2015, when developer SilverPush publicised an SDK for audio beacons that were generally outside the range of human hearing. Yet, despite criticism from the authorities, the ultrasonic beacons appear to be spreading.

SilverPush has said it no longer uses the technology, but others have taken its place. A representative sample of five of the apps identified by the German researchers had each been downloaded between 2.25 million and 11.1 million times, and although the study only investigated Android devices, the team said similar tactics could theoretically apply to iOS hardware too.

None of those apps disclosed their ability to listen for beacons and the technology is expected to be rolled out further as commercial applications develop. "Recently, several companies have started to explore new ways to track user habits and activities with ultrasonic beacons," Erwin Quiring, lead researcher on the Privacy Threats through Ultrasonic Side Channels on Mobile Devices report, told PC Pro.

"In particular, they embed these beacons in the ultrasonic frequency range between 18kHz and 20kHz of audio content and detect them with regular mobile applications using the device's microphone. This side channel offers various possibilities for tracking."

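The 18kHz to 20kHz band named in the quote above is something a defender can measure in a recording. The following Python is an added example, not code from the researchers' report or from any app named here: it reports which frames of a 48kHz recording carry an unusual share of energy in that band. The frame size, the 0.002 threshold and the constructed test tones are assumptions.

```python
import math

RATE = 48_000            # Hz; sampling must exceed 40 kHz to capture a 20 kHz tone
FRAME = 1024             # samples per analysis frame
BAND = (18_000, 20_000)  # beacon range quoted in the article
THRESHOLD = 0.002        # assumed cut-off: share of frame energy inside BAND

def goertzel_power(frame, k):
    """Return |X[k]|^2 for one DFT bin using the Goertzel recurrence."""
    coeff = 2.0 * math.cos(2.0 * math.pi * k / len(frame))
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def band_fraction(frame, rate=RATE, band=BAND):
    """Share (0.0 to 1.0) of a Hann-windowed frame's energy that lies in `band`."""
    n = len(frame)
    # Hann window limits leakage from loud audible content into the band.
    win = [x * 0.5 * (1.0 - math.cos(2.0 * math.pi * i / (n - 1)))
           for i, x in enumerate(frame)]
    total = sum(x * x for x in win)
    if total == 0.0:
        return 0.0
    lo, hi = math.ceil(band[0] * n / rate), math.floor(band[1] * n / rate)
    in_band = sum(goertzel_power(win, k) for k in range(lo, hi + 1))
    # Parseval: each positive-frequency bin of a real signal counts twice.
    return min(1.0, 2.0 * in_band / (n * total))

def scan(samples, threshold=THRESHOLD):
    """Return indices of full frames whose in-band share exceeds `threshold`."""
    frames = range(len(samples) // FRAME)
    return [i for i in frames
            if band_fraction(samples[i * FRAME:(i + 1) * FRAME]) > threshold]

def make_sample():
    """Constructed input: 1 kHz tone throughout, quiet 18.5 kHz tone in frames 4-7."""
    out = []
    for i in range(8 * FRAME):
        x = math.sin(2.0 * math.pi * 1_000 * i / RATE)
        if i >= 4 * FRAME:
            x += 0.1 * math.sin(2.0 * math.pi * 18_500 * i / RATE)
        out.append(x)
    return out

if __name__ == "__main__":
    print("frames with near-ultrasonic energy:", scan(make_sample()))
```
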
Privacy and permission

Google says it removes apps that don't abide by its privacy policy, but the fear is that companies could create eavesdropping apps simply by seeking permission to use the microphone during installation. Once permission has been granted, it's almost impossible to tell if the microphone is listening for prompts.

"They've been designed to be ambient, or in the background, and this makes it harder for people to know that they are often continuously recording," said Michelle De Mooy, director of the Privacy and Data Project at the Center for Democracy and Technology. "We might understand why audio beacons exist or how they provide functionality for some products and services, but that understanding is not the same thing as consent. Data collection is opaque by design, and audio beacons can be particularly stealthy and silent."

Following an initial backlash, De Mooy said some companies had tried to make it clearer how customer conversations may be recorded or used, and had offered enhanced privacy settings, "but there are always one or two companies that cross privacy boundaries... and they perpetuate an atmosphere of mistrust."

That's not to say everyone employing the technology is doing so nefariously. "Legitimate audio beacon apps are increasingly used by companies that declare their presence and capabilities within the sign-up process," said Quiring.

"The mobile application Shopkick, for instance, provides rewards to users if they walk into stores that collaborate with Shopkick. In contrast to GPS, loudspeakers at the entrance emit an audio beacon that lets Shopkick precisely determine whether someone is in the shop or not."