E.T. Phone Home

It is a common trend today that applications are leaking data to the network. This is an open-source and linux-oriented list of such applications. The behavior was discovered using NSA Litoměřice's ipwatch solution, tcpdump, netstat, Burp proxy and other software.

The bugreports should be submitted and linked.

It's interesting that I usually can't find anyone on the web who cares.

Please note that some people use bugs described on this page for evil. However, we finally decided not to limit the disclosure.

Direct further questions regarding privacy and security to your operating system vendor.

Mozilla

Chromium

udp 0 0 0.0.0.0:5353 0.0.0.0:* 12358/chromium --password-store=detect

All WebKit browsers: ignore user-agent settings, send real information to Google domains

Debian (systemd/resolved)

Uses 8.8.8.8 DNS server if no other is available: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761658

Stardict

As of 12/2015, the default configuration of Stardict in Debian Sid uses dict.cn as the default dictionary. Additionally, as clipboard scanning is enabled by default, this means that as you start Stardict, your clipboard contents gets sent in the following HTTP request:

GET HTTP://dict.cn/ws.php?utf8=true&q=HESLO HTTP/1.1\r\n

It has been confirmed that if you use KeePassX, which by default uses “copy password to clipboard”, this password is immediately sent by Stardict.

Bug:

Related, but not the same:

GNOME

  • gitg leaks e-mail addresses from commit messages to gravatar
  • gnome-contacts leaks physical address of your contact to proxy.gnome.org, Akamai and OSM Nominatim
  • clock-applet leaks your current TZ location via HTTP (1, 2)

https://bugzilla.gnome.org/show_bug.cgi?id=744159, https://bugzilla.gnome.org/show_bug.cgi?id=750192

Linux

By default Linux replies to ARP queries on all interfaces. This seems to be in accordance with RFC 826 from 1982, part “Am I the target protocol address?”. It has two consequences:

  • It breaks things. Connect your computer to two networks and let another one use colliding IP range. You will act as an ARP-poisoning host involuntarily!
  • It allows an external attacker to decloak which other addresses you are using. They can fingerprint you and they can test for well-known VPNs of competing intelligence agencies.

Example decloak: arping -i br0 10.1.10.1

Defense: echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore

Fedora + NetworkManager

Gets a file when you connect to the network to check if there is a captive portal.

OpenWRT

 1842 root       788 S    htpdate -D www.google.com www.yahoo.com www.linux.org www.freebsd.org

Btw. there used to be a root shell on ttyS0.

OpenBSD

Sends out configuration during installation (stores timezone and mirror settings for sysadmins with lazy fingers). FIXME more details

LibreOffice

Ubuntu (desktop)

Ubuntu (Phone)

Calls home upon connection. This probably leaks unique information in the “login” thing. We have not conducted MitM (yet).

It calls to Canonical, Google and YouTube. It downloads advertisements to “music” and “video” “pages”. There does not seem to be a straightforward option to turn them off.

CyanogenMod

A stock CM 12.1 was installed. During installation, all possible spy settings were turned off. Upon each boot, the device connects to android.pool.ntp.org despite having time synchronization disabled in settings.

Additionally, the following HTTP request was observed:

GET /generate_204 HTTP/1.1
User-Agent: Dalvik/2.1.0 (Linux; U; Android 5.1.1; Nexus 4 Build/LMY48B)
Host: connectivitycheck.android.com
Connection: Keep-Alive
Accept-Encoding: gzip

This request has been disabled by “settings put global captive_portal_detection_enabled 0”. The NTP thing does not seem to be possible to disable. Strangely, we find no users solving this in public forums.

Please note that the sniffing was carried only on wifi. We don't have equipment to sniff mobile data at the moment.

colord

Sends broadcasts when changing monitors. Seems to be scanning for network printers.

Sublime text

Checks for updates

Chirp

Checks for updates

Arduino

Checks for updates

GQRX

Sends broadcasts upon startup, so others can sniff while you sniff.

Psi+

Listens to the world for file transfer, even when it's turned off. And even when status is offline.

Android

Eternal spy connects to Google Market (tcp/5228) even though updates have been disabled and Market was never started. (Android 4.1, Samsung Galaxy Ch@t Backdoor Edition)

Traffic collected during 30 minutes of idle phone laying on the desk includes:

  • mobile-gtalk.l.google.com:5228
  • hxxp://clients3.google.com/generate_204
  • hxxp://googleads.g.doubleclick.net/pagead/viewthroughconversion/AAA/?label=BBB&muid=CCC
  • android.l.google.com
  • api.samsungosp.com:443

…despite all services are disabled in system settings and the phone has never been connected to any Google service.

Brief sniffing on one popular network reveals similar patterns and requests are exposed by many other mobile phones too. Sometimes such requests apart from tracking allow for full remote compromise.

I have hotfixed the problem using the following netfilter rules to allow only my favorite sites. Of course malware with sufficient privileges can add an exception to the firewall itself.

iptables -N CHECKALLOWED
 
for ip in 46.167.245.0/24 77.87.241.0/24 77.240.96.0/24 37.46.80.0/24 91.213.160.0/24 90.183.101.0/24 192.168.0.0/16; do
  iptables -I CHECKALLOWED -d $ip -j ACCEPT
done
 
iptables -I OUTPUT -j CHECKALLOWED
iptables -I OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 
iptables -A CHECKALLOWED -j REJECT

Info on CyanogenMod and how to turn it off.

Windows

 
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 4.0 International
Recent changes RSS feed Donate Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki