====== E.T. Phone Home ======
It is a common trend today that applications leak data to the network. This is an open-source- and Linux-oriented list of such applications. The behavior was discovered using NSA Litoměřice's [[http://jenda.hrach.eu/f/ipwatch/|ipwatch]] solution, tcpdump, netstat, Burp proxy and other software.
Bug reports should be submitted and linked.
It's interesting that I usually can't find anyone on the web who cares.
Please note that [[https://www.reddit.com/r/privacy/comments/3w07kg/doubleclick_tracking_by_ssl_client_certificates/|some]] [[https://www.theguardian.com/technology/2016/aug/02/battery-status-indicators-tracking-online|people]] use bugs described on this page for evil. However, we finally decided not to limit the disclosure.
Direct further questions regarding privacy and security to your operating system vendor.
===== Mozilla =====
[[https://brmlab.cz/project/spyzilla|has separate page]]
===== Chromium =====
<code>
udp 0 0 0.0.0.0:5353 0.0.0.0:* 12358/chromium --password-store=detect
</code>
All WebKit browsers ignore the user-agent setting and send the real information to Google domains:
* https://www.abclinuxu.cz/zpravicky/google-chrome-32/diskuse#14
* https://chromium.googlesource.com/external/Webkit/+/master/Source/WebKit/gtk/webkit/webkitwebsettings.cpp#1602
===== Debian (systemd/resolved) =====
Uses 8.8.8.8 DNS server if no other is available: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761658
===== Stardict =====
As of 12/2015 (update 07/2018: the bug is still there), the default configuration of Stardict in Debian Sid uses dict.cn as the default dictionary. Additionally, clipboard scanning is enabled by default, so as soon as you start Stardict, your clipboard contents get sent in the following unencrypted HTTP request:
<code>
GET HTTP://dict.cn/ws.php?utf8=true&q=clipboard_content HTTP/1.1\r\n
</code>
It has been confirmed that if you use KeePassX, which by default copies passwords to the clipboard, the password is immediately sent by Stardict in plaintext to this .cn server.
Bug:
* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806960
Related, but not the same:
* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=613236
* https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2260
===== GNOME =====
* gitg leaks e-mail addresses from commit messages to gravatar
* gnome-contacts leaks the physical addresses of your contacts to proxy.gnome.org, Akamai and OSM Nominatim
* clock-applet leaks your current TZ location via HTTP ([[https://bugzilla.redhat.com/show_bug.cgi?id=1242007|1]], [[https://forums.fedoraforum.org/showthread.php?t=277699|2]])
Bug reports: https://bugzilla.gnome.org/show_bug.cgi?id=744159, https://bugzilla.gnome.org/show_bug.cgi?id=750192
===== GnuPG/dirmngr =====
In Debian (at least), an automatically spawned service (dirmngr) seems to periodically check for key updates on the keyserver //over plain HTTP//, exposing the list of your friends to the network:
<code>
Aug 17 07:55:13 localhost dirmngr[11304]: error accessing 'http://pgp.mit.edu:11371/pks/lookup?op=get&options=mr&search=0x191B300C733BBEA2': http status 404
</code>
Use
<code bash>
systemctl --user disable dirmngr.service
systemctl --user mask dirmngr.service
</code>
to disable this.
===== Linux =====
By default Linux answers ARP queries for any of its addresses on **all** interfaces, not only on the interface that carries the queried address. This seems to be in accordance with RFC 826 from 1982, part "Am I the target protocol address?". It has two consequences:
* It breaks things. Connect your computer to two networks whose IP ranges collide and you will involuntarily act as an ARP-poisoning host!
* It allows an external attacker to discover which other addresses you are using. They can fingerprint you, and they can test for well-known VPNs of competing intelligence agencies.
Example decloak: arping -i br0 10.1.10.1
Defense: echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
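As an added example (not part of the original page), a small POSIX shell audit that lists the interfaces which would still answer ARP for addresses they do not carry. It encodes the kernel rule that the effective value is the maximum of conf/all/arp_ignore and conf/<iface>/arp_ignore, so setting "all" to 1 fixes every interface at once; the optional root-directory argument is an assumption so the function can be run against a copied tree.

```shell
#!/bin/sh
# Audit the effective arp_ignore per interface.
# The kernel uses max(conf/all/arp_ignore, conf/<iface>/arp_ignore); 0 is the
# leaky default described above, 1 answers only for addresses on the incoming interface.
# $1: sysctl conf root (default /proc/sys/net/ipv4/conf) - assumed parameter for testing.
# Prints "<iface> effective_arp_ignore=<n>" for every leaky interface;
# returns 1 if any interface is leaky, 0 otherwise.
arp_ignore_audit() {
    root="${1:-/proc/sys/net/ipv4/conf}"
    all=$(cat "$root/all/arp_ignore" 2>/dev/null || echo 0)
    leaky=0
    for dir in "$root"/*/; do
        iface=$(basename "$dir")
        # "all" and "default" are not interfaces
        case "$iface" in all|default) continue ;; esac
        per=$(cat "$dir/arp_ignore" 2>/dev/null || echo 0)
        eff=$all
        [ "$per" -gt "$eff" ] && eff=$per
        if [ "$eff" -lt 1 ]; then
            echo "$iface effective_arp_ignore=$eff"
            leaky=1
        fi
    done
    return $leaky
}

# Persistent fix (equivalent to the echo above): put
#   net.ipv4.conf.all.arp_ignore = 1
# into /etc/sysctl.d/ and run sysctl --system.
# When run directly, audit the live kernel; skipped where /proc/sys is absent.
if [ -d /proc/sys/net/ipv4/conf ]; then
    arp_ignore_audit /proc/sys/net/ipv4/conf || true
fi
```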
===== Fedora + NetworkManager =====
[[https://apps.fedoraproject.org/packages/NetworkManager-config-connectivity-fedora|Gets a file]] when you connect to the network to check if there is a captive portal.
===== OpenWRT =====
<code>
1842 root 788 S htpdate -D www.google.com www.yahoo.com www.linux.org www.freebsd.org
</code>
By the way, there used to be a root shell on ttyS0.
===== OpenBSD =====
Sends out configuration during installation (//stores timezone and mirror settings for sysadmins with lazy fingers//). FIXME more details
===== LibreOffice =====
[[https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=749770|Listens to the world, so NSA can listen to you]]
It [[https://brooksreview.net/2013/09/dropbox-opens-your-files/ | also seems to leak when looking for embedded content]] or links.
===== Ubuntu (desktop) =====
https://help.ubuntu.com/community/AutomaticConnections
===== Ubuntu (Phone) =====
[[https://www.abclinuxu.cz/data/prilohy/2/8/217482-mobil-7640263943796579053.pcap|Calls home]] upon connection. This probably leaks unique information in the "login" thing. We have not conducted MitM (yet).
It calls to Canonical, Google and YouTube. It downloads advertisements to "music" and "video" "pages". There does not seem to be a straightforward option to turn them off.
===== CyanogenMod =====
A stock CM 12.1 was installed. During installation, all possible spy settings were turned off. Upon each boot, the device connects to android.pool.ntp.org despite having time synchronization disabled in settings.
Additionally, the following HTTP request was observed:
<code>
GET /generate_204 HTTP/1.1
User-Agent: Dalvik/2.1.0 (Linux; U; Android 5.1.1; Nexus 4 Build/LMY48B)
Host: connectivitycheck.android.com
Connection: Keep-Alive
Accept-Encoding: gzip
</code>
This request was disabled with "settings put global captive_portal_detection_enabled 0". The NTP synchronization does not seem to be possible to disable. Strangely, we find no users solving this in public forums.
Please note that the sniffing was carried out only on Wi-Fi. We don't have equipment to sniff mobile data at the moment.
===== colord =====
Sends broadcasts when changing monitors. Seems to be scanning for network printers.
===== Sublime text =====
Checks for updates
===== Chirp =====
Checks for updates
===== Arduino =====
Checks for updates
===== GQRX =====
Sends broadcasts upon startup, so others can sniff while you sniff.
===== Psi+ =====
Listens on the network for file transfers, even when file transfer is turned off and even when the status is offline.
===== Android =====
Eternal spy connects to Google Market (tcp/5228) even though updates have been disabled and Market was never started. (Android 4.1, Samsung Galaxy Ch@t Backdoor Edition)
Traffic collected during 30 minutes of an idle phone lying on the desk includes:
* mobile-gtalk.l.google.com:5228
* hxxp:%%//%%clients3.google.com/generate_204
* hxxp:%%//%%googleads.g.doubleclick.net/pagead/viewthroughconversion/AAA/?label=BBB&muid=CCC
* android.l.google.com
* api.samsungosp.com:443
…despite all services being disabled in system settings and the phone never having been connected to any Google service.
Brief sniffing on one popular network reveals that many other mobile phones expose similar patterns and requests too. Apart from tracking, such requests sometimes [[https://www.nowsecure.com/blog/2015/06/16/remote-code-execution-as-system-user-on-samsung-phones/|allow for full remote compromise]].
I have hotfixed the problem using the following netfilter rules to allow only my favorite sites. Of course malware with sufficient privileges can add an exception to the firewall itself.
<code bash>
# Dedicated chain holding the destination allowlist
iptables -N CHECKALLOWED
# Destinations that may be contacted: local ranges plus the favorite sites
for ip in 46.167.245.0/24 77.87.241.0/24 77.240.96.0/24 37.46.80.0/24 91.213.160.0/24 90.183.101.0/24 192.168.0.0/16; do
    iptables -I CHECKALLOWED -d "$ip" -j ACCEPT
done
# Send all outgoing packets through the allowlist chain ...
iptables -I OUTPUT -j CHECKALLOWED
# ... but let packets of already accepted connections pass first (inserted above the jump)
iptables -I OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Anything not allowlisted is rejected (IPv4 only; ip6tables needs equivalent rules)
iptables -A CHECKALLOWED -j REJECT
</code>
[[https://brmlab.cz/project/android/grouper#first_start_traffic_analysis|Info on CyanogenMod and how to turn it off.]]
===== Windows =====
Spying features in Windows are, however, much more advanced; for example:
* https://twitter.com/m8urnett/status/866359656930607104
* http://www.theinquirer.net/inquirer/news/2425381/microsoft-is-downloading-windows-10-to-your-machine-just-in-case
* http://blog.superuser.com/2011/05/16/windows-7-network-awareness/