QIF-T0075

high

Ultrasonic sonar vital sign extraction (inaudible Doppler physiological sensing)

Tier 3 — Demonstrated (Lab-proven)

Legacy status: DEMONSTRATED

A phone or earbud speaker emits an inaudible continuous-wave ultrasonic tone (18-22 kHz, within transducer bandwidth but above human hearing threshold). The built-in microphone captures the reflected signal. Chest wall motion from breathing (amplitude: ~5mm) and heartbeat (amplitude: ~0.1mm) create Doppler shifts in the reflected ultrasound that are demodulable with standard DSP. The technique is: (1) covert — the ultrasonic tone is inaudible to the target, (2) contactless — works from across a room (demonstrated up to 0.5m for heart rate, several meters for respiration), (3) requires NO hardware modification — stock smartphone speakers and microphones are sufficient, and (4) can be deployed as a background process in any app with microphone permission. Google's Nest Hub Sleep Sensing and academic research (UltraSense, Nandakumar et al.) have demonstrated production-quality vital sign extraction via this method. Attack scenario: any app with mic access silently emits ultrasound and extracts heart rate, breathing rate, and movement patterns. Combined with QIF-T0079 (ear canal fingerprinting), the attacker gets identity + vitals from the same acoustic pipeline.

Technique Details

Tactic: QIF-S.HV
Status: DEMONSTRATED
Bands: S1, S2, S3

✚ Therapeutic Application

Inaudible ultrasonic continuous-wave emission from consumer speaker with Doppler shift analysis of reflected signal to extract cardiac and respiratory micro-movements

Clinical Analog

Contactless vital sign monitoring for sleep studies and elder care

Treats

sleep apnea detection (FDA-cleared: Google Nest Hub)
contactless infant breathing monitoring
elder care fall detection and vital signs
post-surgical respiration monitoring

Neural Impact

3 of 7 neural bands affected

S1 S2 S3

Drag to rotate. Click a region to learn more.

Click or hover over a glowing region to see the attack techniques targeting it and their severity.

Scoring

NISS v1.1 NISS:1.1/BI:N/CR:N/CD:N/CV:E/RV:F/NP:N

CVSS v4.0 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N

1.4Low

Governance

Neurorights at Risk

This technique threatens 2 of the 4 proposed neurorights (Ienca & Andorno, 2017).

MP Mental Privacy DI DI

Consent Complexity

0.48 / 4.0

FDORA §3305 Compliance

Cyber Device

Regulatory Coverage

0.7 / 1.0

524B Requirements

TM VA SBOM SA PM

Regulatory Gaps

! CVSS partially captures risk; neural dimensions missing

Population Vulnerability

CRB vulnerability adjustment (γ=0.30) accounts for age, diagnosis severity, consent capacity, and device dependency.

Population	NISS Base	Adjusted	Severity	Delta
Adult (Default)	1.4	1.4	Low	-
Child (10yr) + ADHD	1.4	1.6	Low	+0.25
Adult with ALS	1.4	1.6	Low	+0.23

Validation Status

Theoretical / Not yet validated. This technique has not been independently tested. See the validation dashboard for what has been tested.

Qinnovate Neural Security Atlas Edit this on GitHub