Table of Contents

E.T. Phone Home

It is a common trend today that applications are leaking data to the network. This is an open-source and linux-oriented list of such applications. The behavior was discovered using NSA Litoměřice's ipwatch solution, tcpdump, netstat, Burp proxy and other software.

The bugreports should be submitted and linked.

It's interesting that I usually can't find anyone on the web who cares.

<note warning>Please note that some people use bugs described on this page for evil. However, we finally decided not to limit the disclosure.

Direct further questions regarding privacy and security to your operating system vendor. </note>

Mozilla

has separate page

Chromium

udp 0 0 0.0.0.0:5353 0.0.0.0:* 12358/chromium --password-store=detect

All WebKit browsers: ignore user-agent settings, send real information to Google domains

Debian (systemd/resolved)

Uses 8.8.8.8 DNS server if no other is available: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761658

Stardict

As of 12/2015 (update: 07/2018: the bug is still there), the default configuration of Stardict in Debian Sid uses dict.cn as the default dictionary. Additionally, as clipboard scanning is enabled by default, this means that as you start Stardict, your clipboard contents gets sent in the following HTTP (unencrypted) request:

GET HTTP://dict.cn/ws.php?utf8=true&q=clipboard_content HTTP/1.1\r\n

It has been confirmed that if you use KeePassX, which by default uses “copy password to clipboard”, this password is immediately sent by Stardict in plaintext to this .cn server.

Bug:

Related, but not the same:

GNOME

https://bugzilla.gnome.org/show_bug.cgi?id=744159, https://bugzilla.gnome.org/show_bug.cgi?id=750192

GnuPG/dirmngr

(at least) in Debian, an automatically spawned service (dirmngr) seems to periodically checks key updates on keyserver over plain HTTP, exposing list of your friends to the network.

Aug 17 07:55:13 localhost dirmngr[11304]: error accessing 'http://pgp.mit.edu:11371/pks/lookup?op=get&options=mr&search=0x191B300C733BBEA2': http status 404

Use

systemctl --user disable dirmngr.service
systemctl --user mask dirmngr.service

to disable this.

Linux

By default Linux replies to ARP queries on all interfaces. This seems to be in accordance with RFC 826 from 1982, part “Am I the target protocol address?”. It has two consequences:

Example decloak: arping -i br0 10.1.10.1

Defense: echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore

Fedora + NetworkManager

Gets a file when you connect to the network to check if there is a captive portal.

OpenWRT

 1842 root       788 S    htpdate -D www.google.com www.yahoo.com www.linux.org www.freebsd.org

Btw. there used to be a root shell on ttyS0.

OpenBSD

Sends out configuration during installation (stores timezone and mirror settings for sysadmins with lazy fingers). FIXME more details

LibreOffice

Listens to the world, so NSA can listen to you

It also seems to leak when looking for embedded content or links.

Ubuntu (desktop)

https://help.ubuntu.com/community/AutomaticConnections

Ubuntu (Phone)

Calls home upon connection. This probably leaks unique information in the “login” thing. We have not conducted MitM (yet).

It calls to Canonical, Google and YouTube. It downloads advertisements to “music” and “video” “pages”. There does not seem to be a straightforward option to turn them off.

CyanogenMod

A stock CM 12.1 was installed. During installation, all possible spy settings were turned off. Upon each boot, the device connects to android.pool.ntp.org despite having time synchronization disabled in settings.

Additionally, the following HTTP request was observed:

GET /generate_204 HTTP/1.1
User-Agent: Dalvik/2.1.0 (Linux; U; Android 5.1.1; Nexus 4 Build/LMY48B)
Host: connectivitycheck.android.com
Connection: Keep-Alive
Accept-Encoding: gzip

This request has been disabled by “settings put global captive_portal_detection_enabled 0”. The NTP thing does not seem to be possible to disable. Strangely, we find no users solving this in public forums.

Please note that the sniffing was carried only on wifi. We don't have equipment to sniff mobile data at the moment.

colord

Sends broadcasts when changing monitors. Seems to be scanning for network printers.

Sublime text

Checks for updates

Chirp

Checks for updates

Arduino

Checks for updates

GQRX

Sends broadcasts upon startup, so others can sniff while you sniff.

Psi+

Listens to the world for file transfer, even when it's turned off. And even when status is offline.

Android

Eternal spy connects to Google Market (tcp/5228) even though updates have been disabled and Market was never started. (Android 4.1, Samsung Galaxy Ch@t Backdoor Edition)

Traffic collected during 30 minutes of idle phone laying on the desk includes:

…despite all services are disabled in system settings and the phone has never been connected to any Google service.

Brief sniffing on one popular network reveals similar patterns and requests are exposed by many other mobile phones too. Sometimes such requests apart from tracking allow for full remote compromise.

I have hotfixed the problem using the following netfilter rules to allow only my favorite sites. Of course malware with sufficient privileges can add an exception to the firewall itself.

iptables -N CHECKALLOWED
 
for ip in 46.167.245.0/24 77.87.241.0/24 77.240.96.0/24 37.46.80.0/24 91.213.160.0/24 90.183.101.0/24 192.168.0.0/16; do
  iptables -I CHECKALLOWED -d $ip -j ACCEPT
done
 
iptables -I OUTPUT -j CHECKALLOWED
iptables -I OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 
iptables -A CHECKALLOWED -j REJECT

Info on CyanogenMod and how to turn it off.

Windows

However, spying features in Windows are much more advanced, for example: