wiki

User Tools

Site Tools

Trace:
et

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Previous revision
et [2018-08-17 08:16:06]
 et [2021-02-09 03:36:58] (current)
jenda
Line 1: Line 1:
 +====== E.T. Phone Home ======
 +
 +It is a common trend today that applications are leaking data to the network. This is an open-source and linux-oriented list of such applications. The behavior was discovered using NSA Litoměřice'​s [[http://​jenda.hrach.eu/​f/​ipwatch/​|ipwatch]] solution, tcpdump, netstat, Burp proxy and other software.
 +
 +The bugreports should be submitted and linked.
 +
 +It's interesting that I usually can't find anyone on the web who cares.
 +
 +<note warning>​Please note that [[https://​www.reddit.com/​r/​privacy/​comments/​3w07kg/​doubleclick_tracking_by_ssl_client_certificates/​|some]] [[https://​www.theguardian.com/​technology/​2016/​aug/​02/​battery-status-indicators-tracking-online|people]] use bugs described on this page for evil. However, we finally decided not to limit the disclosure.
 +
 +Direct further questions regarding privacy and security to your operating system vendor.
 +</​note>​
 +
 +===== Mozilla =====
 +
 +[[https://​brmlab.cz/​project/​spyzilla|has separate page]]
 +
 +===== Chromium =====
 +
 +<​code>​udp 0 0 0.0.0.0:​5353 0.0.0.0:* 12358/​chromium --password-store=detect</​code>​
 +
 +All WebKit browsers: ignore user-agent settings, send real information to Google domains
 +  * https://​www.abclinuxu.cz/​zpravicky/​google-chrome-32/​diskuse#​14
 +  * https://​chromium.googlesource.com/​external/​Webkit/​+/​master/​Source/​WebKit/​gtk/​webkit/​webkitwebsettings.cpp#​1602
 +
 +===== Debian (systemd/​resolved) =====
 +
 +Uses 8.8.8.8 DNS server if no other is available: https://​bugs.debian.org/​cgi-bin/​bugreport.cgi?​bug=761658
 +
 +===== Stardict =====
 +
 +As of 12/2015 (update: 07/2018: the bug is still there), the default configuration of Stardict in Debian Sid uses dict.cn as the default dictionary. Additionally,​ as clipboard scanning is enabled by default, this means that as you start Stardict, your clipboard contents gets sent in the following HTTP (unencrypted) request:
 +
 +<​code>​GET HTTP://​dict.cn/​ws.php?​utf8=true&​q=clipboard_content HTTP/​1.1\r\n</​code>​
 +
 +It has been confirmed that if you use KeePassX, which by default uses "copy password to clipboard",​ this password is immediately sent by Stardict in plaintext to this .cn server.
 +
 +Bug:
 +  * https://​bugs.debian.org/​cgi-bin/​bugreport.cgi?​bug=806960
 +
 +Related, but not the same:
 +  * https://​bugs.debian.org/​cgi-bin/​bugreport.cgi?​bug=613236
 +  * https://​web.nvd.nist.gov/​view/​vuln/​detail?​vulnId=CVE-2009-2260
 +
 +===== GNOME =====
 +
 +  * gitg leaks e-mail addresses from commit messages to gravatar
 +  * gnome-contacts leaks physical address of your contact to proxy.gnome.org,​ Akamai and OSM Nominatim
 +  * clock-applet leaks your current TZ location via HTTP ([[https://​bugzilla.redhat.com/​show_bug.cgi?​id=1242007|1]],​ [[https://​forums.fedoraforum.org/​showthread.php?​t=277699|2]])
 +
 +https://​bugzilla.gnome.org/​show_bug.cgi?​id=744159,​ https://​bugzilla.gnome.org/​show_bug.cgi?​id=750192
 +
 +===== GnuPG/​dirmngr =====
 +
 +(at least) in Debian, an automatically spawned service (dirmngr) seems to periodically checks key updates on keyserver //over plain HTTP//, exposing list of your friends to the network.
 +
 +<​code>​
 +Aug 17 07:55:13 localhost dirmngr[11304]:​ error accessing '​http://​pgp.mit.edu:​11371/​pks/​lookup?​op=get&​options=mr&​search=0x191B300C733BBEA2':​ http status 404
 +</​code>​
 +
 +Use
 +<​code>​systemctl --user disable dirmngr.service
 +systemctl --user mask dirmngr.service</​code>​
 +to disable this.
 +===== Linux =====
 +
 +By default Linux replies to ARP queries on **all** interfaces. This seems to be in accordance with RFC 826 from 1982, part "Am I the target protocol address?"​. It has two consequences:​
 +
 +  * It breaks things. Connect your computer to two networks and let another one use colliding IP range. You will act as an ARP-poisoning host involuntarily!
 +  * It allows an external attacker to decloak which other addresses you are using. They can fingerprint you and they can test for well-known VPNs of competing intelligence agencies.
 +
 +Example decloak: arping -i br0 10.1.10.1
 +
 +Defense: echo 1 > /​proc/​sys/​net/​ipv4/​conf/​all/​arp_ignore
 +
 +===== Fedora + NetworkManager =====
 +
 +[[https://​apps.fedoraproject.org/​packages/​NetworkManager-config-connectivity-fedora|Gets a file]] when you connect to the network to check if there is a captive portal.
 +
 +===== OpenWRT =====
 +
 +<​code>​ 1842 root       788 S    htpdate -D www.google.com www.yahoo.com www.linux.org www.freebsd.org</​code>​
 +
 +Btw. there used to be a root shell on ttyS0.
 +
 +===== OpenBSD =====
 +
 +Sends out configuration during installation (//stores timezone and mirror settings for sysadmins with lazy fingers//). FIXME more details
 +
 +===== LibreOffice =====
 +
 +[[https://​bugs.debian.org/​cgi-bin/​bugreport.cgi?​bug=749770|Listens to the world, so NSA can listen to you]]
 +
 +It [[https://​brooksreview.net/​2013/​09/​dropbox-opens-your-files/​ | also seems to leak when looking for embedded content]] or links.
 +
 +===== Ubuntu (desktop) =====
 +
 +https://​help.ubuntu.com/​community/​AutomaticConnections
 +
 +===== Ubuntu (Phone) =====
 +
 +[[https://​www.abclinuxu.cz/​data/​prilohy/​2/​8/​217482-mobil-7640263943796579053.pcap|Calls home]] upon connection. This probably leaks unique information in the "​login"​ thing. We have not conducted MitM (yet).
 +
 +It calls to Canonical, Google and YouTube. It downloads advertisements to "​music"​ and "​video"​ "​pages"​. There does not seem to be a straightforward option to turn them off.
 +
 +===== CyanogenMod =====
 +
 +A stock CM 12.1 was installed. During installation,​ all possible spy settings were turned off. Upon each boot, the device connects to android.pool.ntp.org despite having time synchronization disabled in settings.
 +
 +Additionally,​ the following HTTP request was observed:
 +<​code>​GET /​generate_204 HTTP/1.1
 +User-Agent: Dalvik/​2.1.0 (Linux; U; Android 5.1.1; Nexus 4 Build/​LMY48B)
 +Host: connectivitycheck.android.com
 +Connection: Keep-Alive
 +Accept-Encoding:​ gzip</​code>​
 +
 +This request has been disabled by "​settings put global captive_portal_detection_enabled 0". The NTP thing does not seem to be possible to disable. Strangely, we find no users solving this in public forums.
 +
 +Please note that the sniffing was carried only on wifi. We don't have equipment to sniff mobile data at the moment.
 +
 +===== colord =====
 +
 +Sends broadcasts when changing monitors. Seems to be scanning for network printers.
 +
 +===== Sublime text =====
 +
 +Checks for updates
 +
 +===== Chirp =====
 +
 +Checks for updates
 +
 +===== Arduino =====
 +
 +Checks for updates
 +
 +===== GQRX =====
 +
 +Sends broadcasts upon startup, so others can sniff while you sniff.
 +
 +===== Psi+ =====
 +
 +Listens to the world for file transfer, even when it's turned off. And even when status is offline.
 +
 +===== Android =====
 +
 +Eternal spy connects to Google Market (tcp/5228) even though updates have been disabled and Market was never started. (Android 4.1, Samsung Galaxy Ch@t Backdoor Edition)
 +
 +Traffic collected during 30 minutes of idle phone laying on the desk includes:
 +  * mobile-gtalk.l.google.com:​5228
 +  * hxxp:​%%//​%%clients3.google.com/​generate_204
 +  * hxxp:​%%//​%%googleads.g.doubleclick.net/​pagead/​viewthroughconversion/​AAA/?​label=BBB&​muid=CCC
 +  * android.l.google.com
 +  * api.samsungosp.com:​443
 +
 +…despite all services are disabled in system settings and the phone has never been connected to any Google service.
 +
 +Brief sniffing on one popular network reveals similar patterns and requests are exposed by many other mobile phones too. Sometimes such requests apart from tracking [[https://​www.nowsecure.com/​blog/​2015/​06/​16/​remote-code-execution-as-system-user-on-samsung-phones/​|allow for full remote compromise]].
 +
 +I have hotfixed the problem using the following netfilter rules to allow only my favorite sites. Of course malware with sufficient privileges can add an exception to the firewall itself.
 +
 +<code bash>​iptables -N CHECKALLOWED
 +
 +for ip in 46.167.245.0/​24 77.87.241.0/​24 77.240.96.0/​24 37.46.80.0/​24 91.213.160.0/​24 90.183.101.0/​24 192.168.0.0/​16;​ do
 +  iptables -I CHECKALLOWED -d $ip -j ACCEPT
 +done
 +
 +iptables -I OUTPUT -j CHECKALLOWED
 +iptables -I OUTPUT -m conntrack --ctstate RELATED,​ESTABLISHED -j ACCEPT
 +
 +iptables -A CHECKALLOWED -j REJECT
 +</​code>​
 +
 +[[https://​brmlab.cz/​project/​android/​grouper#​first_start_traffic_analysis|Info on CyanogenMod and how to turn it off.]]
 +===== Windows =====
 +
 +However, spying features in Windows are much more advanced, for example:
 +  * https://​twitter.com/​m8urnett/​status/​866359656930607104
 +  * http://​www.theinquirer.net/​inquirer/​news/​2425381/​microsoft-is-downloading-windows-10-to-your-machine-just-in-case
 +  * http://​blog.superuser.com/​2011/​05/​16/​windows-7-network-awareness/​
  

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: Public Domain
Public Domain Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki