User Tools

Site Tools


E.T. Phone Home

It is a common trend today that applications are leaking data to the network. This is an open-source and linux-oriented list of such applications. The behavior was discovered using NSA Litoměřice's ipwatch solution, tcpdump, netstat, Burp proxy and other software.

The bugreports should be submitted and linked.

It's interesting that I usually can't find anyone on the web who cares.

<note warning>Please note that some people use bugs described on this page for evil. However, we finally decided not to limit the disclosure.

Direct further questions regarding privacy and security to your operating system vendor. </note>



udp 0 0* 12358/chromium --password-store=detect

All WebKit browsers: ignore user-agent settings, send real information to Google domains

Debian (systemd/resolved)

Uses DNS server if no other is available:


As of 12/2015 (update: 07/2018: the bug is still there), the default configuration of Stardict in Debian Sid uses as the default dictionary. Additionally, as clipboard scanning is enabled by default, this means that as you start Stardict, your clipboard contents gets sent in the following HTTP (unencrypted) request:

GET HTTP:// HTTP/1.1\r\n

It has been confirmed that if you use KeePassX, which by default uses “copy password to clipboard”, this password is immediately sent by Stardict in plaintext to this .cn server.


Related, but not the same:


  • gitg leaks e-mail addresses from commit messages to gravatar
  • gnome-contacts leaks physical address of your contact to, Akamai and OSM Nominatim
  • clock-applet leaks your current TZ location via HTTP (1, 2),


(at least) in Debian, an automatically spawned service (dirmngr) seems to periodically checks key updates on keyserver over plain HTTP, exposing list of your friends to the network.

Aug 17 07:55:13 localhost dirmngr[11304]: error accessing '': http status 404


systemctl --user disable dirmngr.service
systemctl --user mask dirmngr.service

to disable this.


By default Linux replies to ARP queries on all interfaces. This seems to be in accordance with RFC 826 from 1982, part “Am I the target protocol address?”. It has two consequences:

  • It breaks things. Connect your computer to two networks and let another one use colliding IP range. You will act as an ARP-poisoning host involuntarily!
  • It allows an external attacker to decloak which other addresses you are using. They can fingerprint you and they can test for well-known VPNs of competing intelligence agencies.

Example decloak: arping -i br0

Defense: echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore

Fedora + NetworkManager

Gets a file when you connect to the network to check if there is a captive portal.


 1842 root       788 S    htpdate -D

Btw. there used to be a root shell on ttyS0.


Sends out configuration during installation (stores timezone and mirror settings for sysadmins with lazy fingers). FIXME more details


Ubuntu (desktop)

Ubuntu (Phone)

Calls home upon connection. This probably leaks unique information in the “login” thing. We have not conducted MitM (yet).

It calls to Canonical, Google and YouTube. It downloads advertisements to “music” and “video” “pages”. There does not seem to be a straightforward option to turn them off.


A stock CM 12.1 was installed. During installation, all possible spy settings were turned off. Upon each boot, the device connects to despite having time synchronization disabled in settings.

Additionally, the following HTTP request was observed:

GET /generate_204 HTTP/1.1
User-Agent: Dalvik/2.1.0 (Linux; U; Android 5.1.1; Nexus 4 Build/LMY48B)
Connection: Keep-Alive
Accept-Encoding: gzip

This request has been disabled by “settings put global captive_portal_detection_enabled 0”. The NTP thing does not seem to be possible to disable. Strangely, we find no users solving this in public forums.

Please note that the sniffing was carried only on wifi. We don't have equipment to sniff mobile data at the moment.


Sends broadcasts when changing monitors. Seems to be scanning for network printers.

Sublime text

Checks for updates


Checks for updates


Checks for updates


Sends broadcasts upon startup, so others can sniff while you sniff.


Listens to the world for file transfer, even when it's turned off. And even when status is offline.


Eternal spy connects to Google Market (tcp/5228) even though updates have been disabled and Market was never started. (Android 4.1, Samsung Galaxy Ch@t Backdoor Edition)

Traffic collected during 30 minutes of idle phone laying on the desk includes:

  • hxxp://
  • hxxp://

…despite all services are disabled in system settings and the phone has never been connected to any Google service.

Brief sniffing on one popular network reveals similar patterns and requests are exposed by many other mobile phones too. Sometimes such requests apart from tracking allow for full remote compromise.

I have hotfixed the problem using the following netfilter rules to allow only my favorite sites. Of course malware with sufficient privileges can add an exception to the firewall itself.

for ip in; do
  iptables -I CHECKALLOWED -d $ip -j ACCEPT
iptables -I OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

Info on CyanogenMod and how to turn it off.


et.txt · Last modified: 2021-02-09 03:36:58 by jenda