SilverPush Code : TV Ads Can Sent & Execute Ultrasonic Secret Commands To SmartPhone!

Learn about Silverpush code that executes on TV ads, invading privacy. Know how to protect yourself from this intrusive technology on HackCave

About SilverPush

SilverPush is an Indian company which has developed and patented a technology known as Audio Beacon Technology, which uses inaudible audio waves for bridging multiple devices used by a single user. By employing this technology into Apps, Television adverts can ping Ultrasonic commands to smartphones and tablets.

How It works

Apps made by SilverPush's SDK are able to pick up near-ultrasonic sounds (SilverPush patented audio beacons) which are watermarked in Television/Radio ad commercials, or even web browser ADs. These inaudible signals can be decoded only by software. Therefore any application that is made using SilverPush's SDK can capture these ultrasonic messages from the phone or tablet's built-in microphone. These messages can be crafted in such a way that it instructs the app to grab sensitive info like the device IMEI number, location, operating system version, and potentially any personal data to the application's backend servers.

Privacy issues

Such technologies always rises privacy issues. For example you were watching TV, an ad came and your smartphone picked up the inaudible beacon . Now this can let the app to show ads in your smartphone similar to the TV Ad you just watched. Not just that, there are unlimited possibilities how this feature can be misused. Only a few apps tell the users that this technology is used and for majority of the users, even the existence of such a technology is new. It was known only recently, when a warning issued by Center for Democracy and Technology (CDT) came to light earlier this week. This makes the App illegal in Europe and possibly other countries. 

"This kind of technology is fundamentally surreptitious in that it doesn't require consent; if it did require it then the number of users would drop. It lacks the ability to have consumers say that they don't want this and not be associated by the software.",says Joe Hall, the chief technologist at CDT. 

SilverPush Code Unmasked

Some researchers have attempted to reverse engineer SilverPush apps and code. Kevin Finisterre of security consultancy Digital Munition, has analysed the code and published his findings on GitHub. According to his findings each high-pitch tones were assigned different tones, eg: an 18kHz sound represents the letter 'A', and 19.125kHz is a 'P' and so on. TV ads were recognized by pairs of these characters. For instance 'AP' is used to recognize a Geico ad and display an image and link to the insurance biz. Sound-playing online adverts use a fingerprint of five characters.

Hacking SilverPush System.

Kevin Finisterre has tried to disrupt the ultrasonic signals. He tried sending some junk data by spoofing the sound signals that could be recognized by the app. According to him it would also be possible to write a program that randomly sent out ultrasonic tones to disrupt the system. However these signals can be heard by animals though they are inaudible to human ears. This might disturb your cat or dog, he says.

"There are lots of possibilities. It really depends on which aspect of it you are trying to protect against. The audible beacon triggers themselves (audio driver-based protections, spoofing tones, etc), or the data collection process (think blocking the IPs of the servers), or the monetization of the data collection (think spoofing randomized invalid data at the backend)." he added. 

For further updates and findings you can follow the GitHub page of Kevin Finisterre

Also Read SpiderFoot – Automated Intelligence Gathering Tool.