DEV Community

chaanli

AudioContext Fingerprinting: The Underrated Signal for Bot Detection

Everyone talks about Canvas fingerprinting. But AudioContext is equally powerful and much harder to spoof.

How AudioContext Fingerprinting Works

The Web Audio API processes audio differently based on hardware and software. By creating a specific audio signal and measuring the output, you get a fingerprint that's:

  • Unique per device/browser combo
  • Stable across sessions
  • Very hard to fake in headless browsers

Implementation

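async function getAudioFingerprint() {
    const ctx = new (window.AudioContext || window.webkitAudioContext)();
    const oscillator = ctx.createOscillator();
    const analyser = ctx.createAnalyser();
    const gain = ctx.createGain();
    // createScriptProcessor is deprecated but still widely supported.
    const scriptProcessor = ctx.createScriptProcessor(4096, 1, 1);

    gain.gain.value = 0; // silent: nothing is played to the user
    oscillator.type = 'triangle';
    oscillator.frequency.setValueAtTime(10000, ctx.currentTime);

    // Graph: oscillator -> analyser -> scriptProcessor -> gain -> destination
    oscillator.connect(analyser);
    analyser.connect(scriptProcessor);
    scriptProcessor.connect(gain);
    gain.connect(ctx.destination);

    oscillator.start(0);

    return new Promise(resolve => {
        scriptProcessor.onaudioprocess = () => {
            // Take a single snapshot, then stop listening.
            scriptProcessor.onaudioprocess = null;
            const data = new Float32Array(analyser.frequencyBinCount);
            analyser.getFloatFrequencyData(data);
            // hashArray is a helper this post does not show; it must turn
            // the Float32Array into a short string.
            const hash = hashArray(data);
            // Release the audio resources once the snapshot is taken.
            oscillator.stop();
            oscillator.disconnect();
            scriptProcessor.disconnect();
            ctx.close();
            resolve(hash);
        };
    });
}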

Bot Detection Application

class AudioFingerprintAnalyzer:
    # Fingerprint values that indicate a headless environment.
    HEADLESS_SIGNATURES = {
        '0000000000': 'no audio support',
        'ffffffffff': 'default headless',
    }

    def analyze(self, audio_fp, claimed_browser):
        if audio_fp in self.HEADLESS_SIGNATURES:
            return {'bot_probability': 0.95}

        # Check consistency with claimed browser.
        # get_expected_range is not shown in this post; it must return an
        # object with a matches(audio_fp) method.
        expected = self.get_expected_range(claimed_browser)
        if not expected.matches(audio_fp):
            return {'bot_probability': 0.80}

        return {'bot_probability': 0.05}

Why Bots Fail

  • Headless Chrome: With no audio hardware, it returns either no fingerprint or default values
  • Spoofing tools: Can't replicate hardware-specific audio processing
  • Virtual audio: Produces detectable patterns
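
The analyzer and the failure modes above, combined into one check that runs over sample sessions. This is an added example, not the author's code: the baseline table, client ids, fingerprint values and the 0.60 score for a fingerprint that changes between sessions are assumptions, while the 0.95/0.80/0.05 scores and the two headless signatures come from the post.

```python
# Added example: every fingerprint, browser name and client id is constructed.
HEADLESS_SIGNATURES = {          # values from the post's analyzer
    "0000000000": "no audio support",
    "ffffffffff": "default headless",
}
# Assumed baseline: fingerprints previously seen from real users, per browser.
BASELINE = {
    "chrome": {"3fa91c22d0", "3fa91c22d1"},
    "firefox": {"a07b5e9914"},
}

class AudioFingerprintAnalyzer:
    def __init__(self, baseline):
        self.baseline = baseline
        self.last_seen = {}      # client id -> fingerprint from earlier sessions

    def analyze(self, client_id, audio_fp, claimed_browser):
        fp = (audio_fp or "").lower()
        previous = self.last_seen.get(client_id)
        if not fp or fp in HEADLESS_SIGNATURES:
            reason = HEADLESS_SIGNATURES.get(fp, "no fingerprint returned")
            return {"bot_probability": 0.95, "reason": reason}
        self.last_seen[client_id] = fp
        expected = self.baseline.get(claimed_browser.lower(), set())
        if fp not in expected:
            return {"bot_probability": 0.80, "reason": "not seen for claimed browser"}
        if previous is not None and previous != fp:
            # Assumed score: the post gives no value for an unstable fingerprint.
            return {"bot_probability": 0.60, "reason": "changed between sessions"}
        return {"bot_probability": 0.05, "reason": "consistent"}

def score_sessions(sessions, baseline=BASELINE):
    analyzer = AudioFingerprintAnalyzer(baseline)
    return [analyzer.analyze(*s)["bot_probability"] for s in sessions]

# Constructed sessions: (client id, audio fingerprint, claimed browser).
SESSIONS = [
    ("c1", "3fa91c22d0", "Chrome"),   # consistent with the Chrome baseline
    ("c2", "ffffffffff", "Chrome"),   # headless default value
    ("c3", "a07b5e9914", "Chrome"),   # Firefox value, but claims Chrome
    ("c1", "3fa91c22d1", "Chrome"),   # same client, fingerprint changed
    ("c4", None, "Firefox"),          # audio probe returned nothing
]

if __name__ == "__main__":
    for session, score in zip(SESSIONS, score_sessions(SESSIONS)):
        print(session, score)
```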

Listen to your traffic. The audio tells the truth.