this post was submitted on 02 Sep 2024
231 points (96.4% liked)

Pulse of Truth

464 readers
106 users here now

Cyber Security news and links to cyber security stories that could make you go hmmm. The content is exactly as it is consumed through RSS feeds and wont be edited (except for the occasional encoding errors).

This community is automagically fed by an instance of Dittybopper.

founded 1 year ago
MODERATORS
 

Comments

top 27 comments
sorted by: hot top controversial new old
[–] [email protected] 63 points 2 months ago (1 children)

In the same slideshow, CMG counted Facebook, Google, and Amazon as clients of its "Active Listening" service. After 404 reached out to Google about its partnership, the tech giant removed the media group from the site for its "Partners Program," which prompted Meta, the owner of Facebook, to admit that it is reviewing CMG to see if it violates any of its terms of service.

So not just Facebook.

[–] [email protected] 2 points 2 months ago* (last edited 2 months ago)

So the scammy company listed some known names for their fake tech ad, knowing they are full of shit and they don't have any partners in this, then deleted the ad when called out. Meanwhile it never existed because they were probably hoping to get someone's money to develop it. Except everyone knew this is massively stupid so they didn't.

[–] I_Miss_Daniel 46 points 2 months ago (3 children)

Would this trigger the 'mic in use' indicator on Android and iPhone platforms?

[–] [email protected] 26 points 2 months ago* (last edited 2 months ago) (2 children)

It has to. The only way that it wouldn’t trip the indicator is if it was built into the operating system itself or somehow had an exploit to get around OS security protections.

The information is fascinating but by and large should no longer be applicable because the OS has been designed to prevent using the microphone without the users knowledge. An app doesn’t have access to the microphone hardware without going through the OS first. Google could modify the OS to do such a thing, but of course, they have to hide this in the proprietary parts of Android, and the generally open nature of the platform give security researchers quite good access to observe such activity. I’d be surprised such activity would go unnoticed. It seems unlikely.

I think this type of approach might have worked on older OS versions but I don’t see how it could work today in general.

[–] [email protected] 10 points 2 months ago (1 children)
[–] [email protected] 7 points 2 months ago* (last edited 2 months ago) (2 children)

Starting with version 12, the Android operating system introduced a limit of 200Hz to help mitigate such attacks, but as you indicate research shows that some reconstruction may be possible in some scenarios. This is an ongoing area and future mitigations continue to be considered.

From Kaspersky:

In 92% of cases, the accelerometer data made it possible to distinguish one voice from another. In 99% of cases, it was possible to correctly determine gender. Actual speech was recognized with an accuracy of 56% — half of the words could not be reconstructed.

The monitoring application would also need to run in the foreground to access the data on a continuous basis.

Overall it does look like an interesting theoretical concern.

[–] [email protected] 1 points 2 months ago

Here's an exotic conspiracy theory: advertisers are performing sensor fusion / superresolution on many colocated gyrophones to exceed the per-device 200Hz cap. Phone clocks are certainly not aligned to the millisecond, so this would enable them to get a higher time resolution.

[–] Reddfugee42 1 points 2 months ago

Background app can request "disable battery optimization" aka continuous operation. Users will just click okay

[–] [email protected] 5 points 2 months ago (1 children)

What about Google Play Services? A pre-installed Swiss army knife of a system app with proprietary code and apps relying on it as a dependency seems to check the box.

[–] [email protected] 1 points 2 months ago* (last edited 2 months ago)

That might be possible. I’m not an expert in the wide ranging permissions that preinstalled system apps can access. It would require Google complicity. We haven’t seen this behavior in various sandbox versions of Google play running on custom ROMs, nor hasn’t been seen in any teardowns, but it cannot be completely ruled out.

I feel like there are better places to hide such malicious code. For example, down in the hardware abstraction layer, or another proprietary demons that aren’t part of AOSP. At the end of the day, you need to have some trust in the company that develops your OS.

[–] [email protected] 6 points 2 months ago

If it existed, yes. They probably didn't realize before making this failed "pitch", which is why they never developed this.

[–] WoahWoah 2 points 2 months ago* (last edited 2 months ago) (2 children)

Don't think so. Wait until you find out what your smart TV is doing.

[–] [email protected] 10 points 2 months ago

Nah it got banned from the network when it started inserting ads into my YouTube feed that I already pay for.

[–] [email protected] 2 points 2 months ago

Heh. My TV has never been online, not even once. I'd rather suffer the occasional firmware bug than have it act as a sensor.

[–] [email protected] 29 points 2 months ago

Can't wait for all the seven day old accounts to pop up and explain how this is actually just the magic algorithm and confirmation bias at work.

[–] HootinNHollerin 20 points 2 months ago (1 children)

Someone that still uses Facebook should post this there

[–] _sideffect 16 points 2 months ago (1 children)

It'll probably get removed due to misinformation

[–] HootinNHollerin 1 points 2 months ago

Still worth it

[–] Malidak 13 points 2 months ago (1 children)

Can someone develop a tool that automatically screens TOS and small print for apps and warns you of agreeing to shit like this?

[–] [email protected] 6 points 2 months ago

This would be amazing! Unfortunately, it requires us to trust that the TOS is truthful and specific.

[–] [email protected] 12 points 2 months ago* (last edited 2 months ago)

Do we have any info about this being used by any app, or any details about the tech at all? We have an archived version of a deleted ad from a suspicious company. Do we know it even exists and wasn't a prospective ad to judge interest that went nowhere?

[–] Reddfugee42 8 points 2 months ago

This is why app permissions are a thing.

[–] Lemminary 7 points 2 months ago (1 children)

Yeah, that's how you creep me the fuck out and I don't buy your shit.

[–] WoahWoah -1 points 2 months ago
[–] plz1 3 points 2 months ago

Wasn't this a thing like 1-2 years ago, that was completely unverified, from a different Facebook advertiser?

[–] [email protected] 3 points 2 months ago* (last edited 2 months ago) (1 children)

a lot of people called me crazy for saying that.

google does it too.

apple definitely does it too.

[–] [email protected] 1 points 2 months ago

I'm not crazy about ads, it can be nice when they're effective for the right reasons. That said, a break in happened at my estate once and the only evidence I needed or could secure was because I left my phone at home that day