<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Jose Carlos Norte Personal Blog</title>
<meta name="author" content="Jose Carlos Norte">
<!-- Enable responsive viewport -->
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<!-- Le HTML5 shim, for IE6-8 support of HTML elements -->
<!--[if lt IE 9]>
<script src="http://html5shim.googlecode.com/svn/trunk/html5.js"></script>
<![endif]-->
<!-- Le styles -->
<link href="/assets/resources/bootstrap/css/bootstrap.min.css" rel="stylesheet">
<link href="/assets/resources/font-awesome/css/font-awesome.min.css" rel="stylesheet">
<link href="/assets/resources/syntax/syntax.css" rel="stylesheet">
<link href="/assets/css/style.css" rel="stylesheet">
<!-- Le fav and touch icons -->
<!-- Update these with your own images
<link rel="shortcut icon" href="images/favicon.ico">
<link rel="apple-touch-icon" href="images/apple-touch-icon.png">
<link rel="apple-touch-icon" sizes="72x72" href="images/apple-touch-icon-72x72.png">
<link rel="apple-touch-icon" sizes="114x114" href="images/apple-touch-icon-114x114.png">
-->
<link rel="alternate" type="application/rss+xml" title="" href="/feed.xml">
</head>
<body>
<nav class="navbar navbar-default visible-xs" role="navigation">
<!-- Brand and toggle get grouped for better mobile display -->
<div class="navbar-header">
<button type="button" class="navbar-toggle" data-toggle="collapse" data-target="#bs-example-navbar-collapse-1">
<span class="sr-only">Toggle navigation</span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a type="button" class="navbar-toggle nav-link" href="http://github.com/jcarlosn">
<i class="fa fa-github"></i>
</a>
<a type="button" class="navbar-toggle nav-link" href="http://twitter.com/jcarlosnorte">
<i class="fa fa-twitter"></i>
</a>
<a type="button" class="navbar-toggle nav-link" href="mailto:[email protected]">
<i class="fa fa-envelope"></i>
</a>
<a class="navbar-brand" href="/">
<img src="http://www.gravatar.com/avatar/726351295ec82e145928582f595aa3aa?s=35" class="img-circle" />
</a>
</div>
<!-- Collect the nav links, forms, and other content for toggling -->
<div class="collapse navbar-collapse" id="bs-example-navbar-collapse-1">
<ul class="nav navbar-nav">
<li class="active"><a href="/">Home</a></li>
<li><a href="/categories.html">Categories</a></li>
<li><a href="/tags.html">Tags</a></li>
</ul>
</div><!-- /.navbar-collapse -->
</nav>
<!-- nav-menu-dropdown -->
<div class="btn-group hidden-xs" id="nav-menu">
<button type="button" class="btn btn-default dropdown-toggle" data-toggle="dropdown">
<i class="fa fa-bars"></i>
</button>
<ul class="dropdown-menu" role="menu">
<li><a href="/"><i class="fa fa-home"></i>Home</a></li>
<li><a href="/categories.html"><i class="fa fa-folder"></i>Categories</a></li>
<li><a href="/tags.html"><i class="fa fa-tags"></i>Tags</a></li>
<li class="divider"></li>
<li><a href="#"><i class="fa fa-arrow-up"></i>Top of Page</a></li>
</ul>
</div>
<div class="col-sm-3 sidebar hidden-xs" style="">
<!-- sidebar.html -->
<header class="sidebar-header" role="banner">
<a href="/">
<img src="/assets/media/jcarlosn.png" class="img-circle" />
</a>
<h3 class="title">
<a href="/"></a>
</h3>
</header>
<div id="bio" class="text-center">
Entrepreneur, Thinker, Agilist, Technology enthusiast, Computer programmer, I.T. security expert and FOSS supporter.
</div>
<div id="contact-list" class="text-center">
<ul class="list-unstyled list-inline">
<li>
<a class="btn btn-default btn-sm" href="https://github.com/jcarlosn">
<i class="fa fa-github-alt fa-lg"></i>
</a>
</li>
<li>
<a class="btn btn-default btn-sm" href="https://twitter.com/jcarlosnorte">
<i class="fa fa-twitter fa-lg"></i>
</a>
</li>
<li>
<a class="btn btn-default btn-sm" href="mailto:[email protected]">
<i class="fa fa-envelope fa-lg"></i>
</a>
</li>
</ul>
<ul id="contact-list-secondary" class="list-unstyled list-inline">
<li>
<a class="btn btn-default btn-sm" href="https://linkedin.com/in/jcarlosn">
<i class="fa fa-linkedin fa-lg"></i>
</a>
</li>
<li>
<a class="btn btn-default btn-sm" href="/feed.xml">
<i class="fa fa-rss fa-lg"></i>
</a>
</li>
</ul>
</div>
<!-- sidebar.html end -->
</div>
<div class="col-sm-9 col-sm-offset-3">
<div class="page-header">
<h1>Jose Carlos Norte Personal Blog </h1>
</div>
<article class="home">
<span class="post-date">
March
6th,
2016
</span>
<h2>
<a href="/security/2016/03/06/hacking-tachographs-from-the-internets.html">Hacking industrial vehicles from the internet</a>
</h2>
<div>
<p>It is possible to <strong>monitor and control fleet trucks, public buses or delivery vans from the internet</strong>, obtaining their speed, position and many other parameters. You can even control some parameters of the vehicle or hack into the CAN bus of the vehicle remotely.</p>
<p>Those vehicles have a <strong>Telematics Gateway Unit (TGU)</strong> device and a 3G/4G/GPRS/LTE/EDGE/HSDPA modem to connect to the internet, with a public IP address.</p>
<p>There are thousands of TGUs connected to the internet, with no authentication at all and with administrative interfaces exposed through a web panel or a telnet session.</p>
<h3 id="finding-publicly-exposed-tgus-in-the-internets">Finding publicly exposed TGUs in the internets</h3>
<p>There are tons of open TGUs and similar vehicle appliances on the internet. One very interesting and easy to find is the <strong><a href="http://www.mobile-devices.com/our-products/c4-max-smartbox/">c4max</a></strong>.</p>
<p>The c4max smartbox is a TGU with powerful capabilities and a simple console on port 23, and it is easy to identify while scanning the internet.</p>
<div style="text-align:center;margin:25px">
<img src="/assets/media/posts/C4max-365.png" />
</div>
<p>A quick search with Shodan reveals 733 open c4max devices on the internet at the time of scanning. Because of the nature of these devices, connected to the internet using mobile data plans and installed in industrial vehicles, the devices you can find vary a lot from time to time.</p>
<p>Scanning the internet yourself with masscan finds different industrial vehicles working at different hours.</p>
<p>The c4max can be found by looking for port 23 and the banner ‘gps’ or ‘welcome on console’ or similar strings from the telnet console they provide.</p>
<p>An example with shodan:</p>
<p><strong><a href="https://www.shodan.io/search?query=port%3A23+gps+%22on+console%22">https://www.shodan.io/search?query=port%3A23+gps+%22on+console%22</a></strong></p>
<h3 id="what-can-be-done-inside-a-c4max-tgu">What can be done inside a c4max TGU</h3>
<p><strong>The c4max devices that I found on the internet are not password protected, and there is no security that prevents anyone from connecting to them.</strong></p>
<p>The telnet interface has 3 screens: basic, advanced, and commands.</p>
<p>The basic interface:</p>
<div style="text-align:center;margin:25px">
<img src="/assets/media/posts/c4max_basics.png" />
</div>
<p>The advanced interface:</p>
<div style="text-align:center;margin:25px">
<img src="/assets/media/posts/c4max_advanced.png" />
</div>
<p>Commands:</p>
<div style="text-align:center;margin:25px">
<img src="/assets/media/posts/c4max_advanced.png" />
</div>
<p>Some interesting commands:</p>
<pre><code>Basics[C4E]> iostate
Input 1 : Disconnected
Output 1 : Disconnected
Output 2 : Disconnected
Alarm : Disconnected
Ignition : Connected
Basics[C4E]>
</code></pre>
<p>Retrieving the GPS coordinates of the vehicle (some info removed from the output, replaced by XXX…):</p>
<pre><code>Basics[C4E]> gpspos
Internal antenna
GPRMC Frame value is
$GPRMC XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
GPGGA Frame value is
$GPGGA,XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Basics[C4E]>
</code></pre>
<p>And with the GPS coordinates, we can locate the vehicle in Google Maps, for example:</p>
<div style="text-align:center;margin:25px">
<img src="/assets/media/posts/geoloc.png" />
</div>
<p>List available modules:</p>
<pre><code>Basics[C4E]> list
dbg
pdm
sql
wdg
boot
dhcpServer
sshTunnel
serialPPP
cpnManager
netMonitoring
boardsInfo
messageBrokerProxy
versionManager
messageBroker
config
dnsProxy
fileManager
dictionary
can
gps
ios
usb
bootReason
batt
leds
onewire
wifi
smartCardManager
j1587
j1708
j1850
j1939
kline
modem
nvram
usbHfk
chronoTachyGraph
sensors
dtc
jvm
obd
ibutton
dataEmitter
jbinaryGate
ledManager
network
adminProtocol
crashSensor
timeZoneManager
instantFixII
modemOperatorDriver
gpsOdometer
smartSensors
relayControl
driverBehavior
obdStacks
locales
fileSync
pwrManager
gpsMvtDetector
geoFencing
sensorsCalibration
updateManager
companionSoftwareClient
urlServer
gpsEcho
binaryGateMonitor
sensorsRecorder
messageGate
binaryGate
deadReckoning
speedDropControl
criticalCommandManager
cacheManager
update
acceleroMvtDetector
history
commandManager
dataRecorder
eeprom
Basics[C4E]>
</code></pre>
<p>The CAN bus module:</p>
<pre><code>Basics[C4E]> list can
com::mdi::drivers::can.activateDebug=0
com::mdi::drivers::can.active_protocols=255
Basics[C4E]>
</code></pre>
<p>And with listdb, we can get a lot of information about the vehicle, the company that operates the vehicle, the driver, etc., that I will not post here, for obvious reasons, but some of the information from listdb:</p>
<pre><code>...
MDI_EXT_BATT_VOLTAGE='12687'
MDI_GPS_SPEED='0000090'
...
</code></pre>
<p>Modem information:</p>
<pre><code>Basics[C4E]> modem
ppp0 XXXXXXXXXXX
APN: XXXXXXXXXXX
autoAPN: XXXXXXXXXXX
Your IMEI is : XXXXXXXXXXX
Your IMSI is : XXXXXXXXXXX
DNS servers are
nameserver XXXXXXXXXXX
nameserver XXXXXXXXXXX
In case of problem, check your configuration (with "list all" command)
Basics[C4E]>
</code></pre>
<p>We can even geofence the vehicle (I don’t know what it would cause):</p>
<pre><code>com::mdi::services::geoFencing.periodInMs=5000
com::mdi::services::geoFencing.directory[0]=/mnt/user/writeDir/geofencing
com::mdi::services::geoFencing.directory[1]=/mnt/user/data/geofencing
com::mdi::services::geoFencing.directory[2]=/mnt/user/mmc/geofencing
com::mdi::services::geoFencing.areaModeSearch=0
</code></pre>
<h3 id="conclusion">Conclusion</h3>
<p>Telematics Gateway Units exposed to the internet with public addresses and no authentication can be used to remotely track industrial vehicles, geofence them and change the mission route. If you read the schematics of these units:</p>
<p><strong><a href="http://www.neweagle.net/ProductDocumentation/Telematics/C4MAX_datasheet.pdf">http://www.neweagle.net/ProductDocumentation/Telematics/C4MAX_datasheet.pdf</a></strong></p>
<p>You can see that this device is connected to the vehicle bus, to the ignition, to the battery… and the things that could theoretically be caused are very scary. Of course, not having one of these available, just testing in the wild is not responsible and of course I will not do it, so I still don’t know how far one can go with access to one of these devices. Caution is advised.</p>
<p><strong>IMPORTANT NOTE: ALL THE INFORMATION CONTAINED IN THIS POST IS INTENDED FOR EDUCATIONAL AND RESEARCH PURPOSES ONLY. MANIPULATING
REAL AUTOMOTIVE DEVICES FROM THE INTERNET IS NOT ETHICAL AND COULD BE ILLEGAL UNDER YOUR JURISDICTION.
ANY VIEWS OR OPINIONS EXPRESSED IN THIS ARTICLE ARE ONLY MY OPINIONS AND NOT RELATED TO MY EMPLOYER OR ANY ORGANIZATION I BELONG TO.
ALL THE INFORMATION PROVIDED IN THIS POST HAS BEEN COLLECTED USING PUBLICLY AVAILABLE RESOURCES, LIKE MANUFACTURER MANUALS AND SPECIALIZED SEARCH ENGINES.
IN THE COURSE OF THESE FINDINGS, THE DEVICES DESCRIBED HERE NEVER HAD ANY KIND OF SECURITY IMPLEMENTED TO PREVENT CONNECTIONS TO
THE DISCOVERED INTERFACES AND THEIR SECURITY WAS NEVER CIRCUMVENTED OR BYPASSED.</strong></p>
</div>
</article>
<article class="home">
<span class="post-date">
March
6th,
2016
</span>
<h2>
<a href="/security/2016/03/06/advanced-tor-browser-fingerprinting.html">Advanced Tor Browser Fingerprinting</a>
</h2>
<div>
<h3 id="tor-browser">Tor Browser</h3>
<p>The ability to communicate privately through the internet is very important for dissidents living under authoritarian regimes, activists and basically everyone concerned about internet privacy.</p>
<p>While the <a href="https://www.torproject.org/"><strong>TOR</strong></a> network itself provides a good level of privacy, making it difficult or even practically impossible to discover the real IP address of Tor users, this is by no means enough to protect users’ privacy on the web. When browsing the web, your identity can be discovered using browser exploits, cookies, browser history, browser plugins, etc.</p>
<p><strong><a href="https://www.torproject.org/projects/torbrowser.html">Tor browser</a></strong> is a Firefox browser preconfigured and modified to protect user privacy and identity while browsing the web using TOR. Browser plugins are disabled, history and cache aren’t persistent and everything is erased after closing the browser, etc.</p>
<h3 id="the-user-fingerprinting-problem">The user fingerprinting problem</h3>
<p>While preventing the disclosure of users’ IP addresses is a key aspect of protecting their privacy, many other things need to be taken into consideration. Tor Browser is preconfigured to prevent many possible attacks on user privacy, not only at the communications layer provided by Tor itself.</p>
<p>One common problem that Tor Browser tries to address is user fingerprinting. If a website is able to generate a unique fingerprint that identifies each user that enters the page, then it is possible to track the activity of this user over time, for example correlating the user’s visits during an entire year, knowing that it’s the same user.</p>
<p>Or even worse, <strong>it could be possible to identify the user if the fingerprint is the same in Tor Browser and in the normal browser used to browse the internet</strong>. It is very important for Tor Browser to prevent any attempt at fingerprinting the user.</p>
<div style="text-align:center;margin:25px">
<img src="/assets/media/posts/digital_fingerprint_small.png" />
</div>
<p>In the past, many fingerprinting methods have been used and proposed, and Tor Browser has been updated with countermeasures. Examples are reading text sizes out of a canvas element, screen dimensions, local time, operating system information, etc.</p>
<p>One famous example of browser fingerprinting was <strong><a href="https://en.wikipedia.org/wiki/Canvas_fingerprinting">Canvas fingerprinting</a></strong>.
As of today, almost everything that can be used to identify the user has been disabled in tor browser.</p>
<h3 id="ubercookie">UberCookie</h3>
<p>During the last weeks I have been able to fingerprint tor browser users in controlled environments and I think it could be interesting
to share all the findings for further discussion and to improve tor browser.</p>
<p>All the provided fingerprinting methods are based on javascript (enabled by default in tor browser as of today). I have created a quick and dirty
PoC called UberCookie available as a demo here:</p>
<p><strong><a href="/assets/ubercookie/">Try ubercookie</a></strong></p>
<h3 id="measuring-time">Measuring time</h3>
<p>One interesting anti-fingerprinting countermeasure implemented in Tor Browser is that JavaScript Date.getTime() (Unix time) is only updated every 100ms, so you can’t measure events shorter than 100ms. This prevents JavaScript inside a web page from timing events in order to fingerprint the user. Since some of the things I wanted to try needed better time accuracy than 100ms, this was the first thing to bypass.</p>
<p>There are many ways to measure times smaller than 100ms using JavaScript in Tor Browser; some are obvious, others are interesting.</p>
<p>The first one I implemented was simply incrementing a variable by 1 every millisecond using setInterval. Even if the precision is not at millisecond level, it is far better than the 100ms accuracy provided by Date.getTime.</p>
<p>Another way you can use to measure time is to create an animation in CSS3, configured at 1ms interval and listen to the animationiteration event.</p>
<p>However, the best accuracy I could achieve was using setInterval incrementing a counter inside a WebWorker.</p>
<h3 id="mouse-wheel-fingerprinting">Mouse wheel fingerprinting</h3>
<p>The mouse wheel event in Tor Browser (and most browsers) leaks information about the underlying hardware used to scroll the web page. The event provides the delta scrolled: with a normal computer mouse with a mouse wheel the delta is always three, but with a trackpad the deltas are variable and related to your trackpad and your usage patterns.</p>
<div style="text-align:center;margin:25px">
<img src="/assets/media/posts/mousehweel.png" />
</div>
<p>Another leak in the mouse wheel is the scroll speed, which is linked to the operating system configuration and to the hardware capabilities themselves.</p>
<p>I have created a little experiment as a proof of concept, available here:</p>
<p><strong><a href="/assets/fingerprint/">Mouse wheel information leak demo</a></strong></p>
<p>This demo creates three graphs, one with the scrolling speed, another with the scrolling delta, and another one with the number
of times the user scrolled in the red box.</p>
<h3 id="mouse-speed-fingerprinting">Mouse Speed fingerprinting</h3>
<p>Another interesting fingerprint that could reveal some entropy is the speed of the mouse moving across the web page. The speed of the mouse is controlled by the operating system and related to the hardware, and it can be read using JavaScript if you can measure time using the strategies mentioned above.</p>
<p>It could be interesting also to measure average mouse speed while the user is in the page moving the mouse.</p>
<h3 id="cpu-benchmark-fingerprinting">CPU Benchmark fingerprinting</h3>
<p>With the improved time accuracy provided by setInterval inside the WebWorker, it is easy to create a CPU intensive script (or even a memory intensive one) and measure how long it takes the user’s browser to execute it.</p>
<p>I have done some tests with different computers, getting completely different results, all of them using the same tor browser
version.</p>
<h3 id="getclientrects-fingerprinting">getClientRects fingerprinting</h3>
<p>The most interesting fingerprinting vector I found on Tor Browser is <a href="https://developer.mozilla.org/en-US/docs/Web/API/Element/getClientRects">getClientRects</a>. It is strange that reading back from a canvas has been prevented, but simply asking the browser’s JavaScript API how a specific DOM element has been drawn on the screen has not been prevented or protected in any way.</p>
<p>getClientRects returns the exact pixel position and size of the box of a given DOM element. Depending on the resolution, font configuration and lots of other factors, the results of getClientRects differ, allowing for a very quick and easy fingerprinting vector, even better than canvas fingerprinting, which has been fixed.</p>
<p>Example of getClientRects on the same page with same Tor Browser version on different computers:</p>
<p>Computer 1:</p>
<div style="text-align:center;margin:25px">
<img src="/assets/media/posts/rect1.png" />
</div>
<p>Computer 2:</p>
<div style="text-align:center;margin:25px">
<img src="/assets/media/posts/rect2.png" />
</div>
<p>As you can see, there is a lot of difference in the results of getClientRects between two computers using the same Tor Browser on the same page and on the same DOM element.</p>
<h3 id="results">Results</h3>
<p>An example of running ubercookie PoC in one computer (computer 1):</p>
<pre><code>Client rects: {"x":131.5,"y":462,"width":724,"height":19,"top":462,"right":855.5,"bottom":481,"left":131.5}
scrolling milis: [2,2,0,3,0,1,0,2,3,0,0,3,1,2,2,1,2,1,4,4,35,2,1,3,0,1,0,3,0,1,0,3,0,1,0,3,1,0,3,1,3,0,1,3,2,4,4,8,44,4,1,4,4,405,2,3,2,1,3,1,3,57,2,0,2,2,0,2,2,4,60,2,0,2,2,0,2,2,6,54,2,2,2,0,2,1,4,8]
scrolling deltas: [3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
Biggest mouse step: 65
In a few seconds, the result of the CPU benchmark will appear, please wait...
CPU Mean: 3245
</code></pre>
<p>And the result of running it in a different computer (computer 2), same Tor browser version:</p>
<pre><code>Client rects: {"x":159.51666259765625,"y":465.25,"width":664.6500244140625,"height":18.449996948242188,"top":465.25,"right":824.1666870117188,"bottom":483.6999969482422,"left":159.51666259765625}
scrolling milis: [0,3,0,2,2,2,2,0,3,0,2,1,2,2,1,3,1,1,4,1,2,1,1,3,1,2,2,3,2,5,3,3,5,3,0,0,2,0,2,0,1,1,0,2,0,3,2,1,1,3,1,3,2,3,1,3,2,2,2,2,0,2,3,2,2,2,244,0,2,1,2,1,3,2,0,2,0,1,2,1,0,2,0,3,1,0,2,1,1,1,2,1,1,1,1,1,1,2,2,1,2,2,2,2,1,4,2,2,2,2,2,4,2]
scrolling deltas: [3,0.975,1.65,1.5,1.725,2.25,2.775,2.4,3.15,3.375,3.975,3.675,4.35,4.95,5.625,5.55,5.25,5.25,4.2,6.3,9.975,13.95,7.575,6.9,2.85,5.925,8.85,0.9,4.425,3.675,4.725,2.625,2.4,5.475,2.625,3.675,5.4,5.775,7.275,6.975,8.175,9,8.475,3.45,2.475,2.25,0.6,1.8,11.1,8.4,8.475,8.1,7.5,6.375,8.175,4.95,4.8,4.275,3.525,3.375,1.125,2.7,2.175,1.95,1.65,1.2,1.05,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
Biggest mouse step: 40
In a few seconds, the result of the CPU benchmark will appear, please wait...
CPU Mean: 4660.5
</code></pre>
<p>It is evident that the getClientRects results are completely different, providing an interesting fingerprinting vector. The scrolling speed (millis) is also different. The scrolling deltas are very different because of hardware differences. The mouse of computer 1 is faster, as you can see in ‘biggest mouse step’. The CPU benchmark provides different results, computer 1 being faster than computer 2.</p>
<h3 id="conclusion">Conclusion</h3>
<p>It is easy to fingerprint users of Tor Browser to track their activity online and correlate their visits to different pages. getClientRects provides a very interesting vector for fingerprinting Tor Browser users. The CPU benchmark and the mouse wheel and mouse speed methods provide even more information to distinguish between similar users.</p>
</div>
</article>
<article class="home">
<span class="post-date">
February
21st,
2016
</span>
<h2>
<a href="/security/2016/02/21/date-leak-gzip-tor.html">HTTP GZIP Compression remote date and time leak</a>
</h2>
<div>
<h3 id="hidden-services-in-tor">Hidden Services in TOR</h3>
<p><strong><em><a href="https://www.torproject.org/">Tor</a></em></strong> is a service run by a network of volunteers to allow people to use the internet anonymously. Normally Tor is used to browse the web without being tracked or identified.</p>
<p>One less known feature of the Tor service is the ability to provide what is known in Tor as <strong><em><a href="https://www.torproject.org/docs/hidden-services.html.en">hidden services</a></em></strong>. Hidden services are basically servers that provide services through the Tor network. When you think about Tor, the first thing you think of is anonymous web browsing. However, for hacktivists and dissidents it is very useful not only to be able to browse the web without being identified, but also to provide web pages in a way that such pages cannot be tracked or shut down easily.</p>
<div style="text-align:center;margin:25px">
<img src="/assets/media/posts/torlogo.png" />
</div>
<p>In the Tor network there are thousands of ‘hidden services’ accessible only to people using the Tor network, providing access to forbidden information about very different topics. Those sites have a hidden DNS address under the .onion TLD, for example example.onion. Sites ending in .onion cannot be easily tracked or shut down, and the owner cannot be easily identified.</p>
<p>One of the most complex things about setting up a hidden service is configuring the web server in a way that doesn’t leak information about the real IP address of the server, the country location, etc. The more complex the site, the more difficult it becomes to set up a real hidden service that doesn’t leak service information in any way.</p>
<p>During the last years, the F.B.I. has been able to identify and shut down certain hidden services, using social engineering, information leaks and browser vulnerabilities. The most famous example is <strong><em><a href="https://en.wikipedia.org/wiki/Silk_Road_(marketplace)">The Silk Road</a></em></strong>, a well known black market hidden inside Tor, used for selling drugs and similar stuff.</p>
<p>Of course, the administrators behind hidden services try their best not to leak any information about the physical location of the server providing the service, or any other information that could lead to the identification of the owner of the hidden service.</p>
<h3 id="leaking-the-timezone">Leaking the timezone</h3>
<p>The HTTP protocol allows the client to inform the server about its compression capabilities. If the client and server share support for a specific compression format, the server can decide to compress the HTTP response in order to save bandwidth and time. All major web servers and browsers support compression. The most common formats used for <strong><em><a href="https://en.wikipedia.org/wiki/HTTP_compression">HTTP compression</a></em></strong> are <strong><em><a href="http://www.gzip.org/">gzip</a></em></strong> and <strong><em><a href="http://zlib.net">deflate</a></em></strong>.</p>
<p>Gzip is a compression format that allows relatively fast data compression with decent compression ratios.</p>
<p>As a compression format, gzip specifies a header to be included in the resulting compressed data. This header includes information about the compressed data, the operating system that compressed it and, most importantly, <strong>the date when the data was compressed</strong>, in theory in universal time (UTC).</p>
<p>The header is as follows, as you can see in the <strong><em><a href="http://www.forensicswiki.org/wiki/Gzip">Forensics Wiki</a></em></strong>:
<br /><br /></p>
<table>
<thead>
<tr>
<th style="text-align: center">Offset</th>
<th style="text-align: center">Size</th>
<th style="text-align: center">Value</th>
<th style="text-align: center">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: center"> 0 </td>
<td style="text-align: center"> 2 </td>
<td style="text-align: center"> 0x1f 0x8b </td>
<td style="text-align: center">Magic number to identify gzip streams</td>
</tr>
<tr>
<td style="text-align: center"> 2 </td>
<td style="text-align: center"> 1 </td>
<td style="text-align: center"> </td>
<td style="text-align: center">Compression method</td>
</tr>
<tr>
<td style="text-align: center"> 3 </td>
<td style="text-align: center"> 1 </td>
<td style="text-align: center"> </td>
<td style="text-align: center">Flags</td>
</tr>
<tr>
<td style="text-align: center"> 4 </td>
<td style="text-align: center"> 4 </td>
<td style="text-align: center"> </td>
<td style="text-align: center"><strong>Compression Date</strong></td>
</tr>
<tr>
<td style="text-align: center"> 8 </td>
<td style="text-align: center"> 1 </td>
<td style="text-align: center"> </td>
<td style="text-align: center">Compression flags</td>
</tr>
<tr>
<td style="text-align: center"> 9 </td>
<td style="text-align: center"> 1 </td>
<td style="text-align: center"> </td>
<td style="text-align: center">Operating system</td>
</tr>
</tbody>
</table>
<p><br /><br />
So, if this header is present in any gzip compressed data, we can make a request that accepts gzip compression to any web server, wait for the gzip compressed response, check whether the bytes start with 0x1f 0x8b, and read the compression date to learn the exact date configured on the server that serves the page.</p>
<div style="text-align:center;margin:25px">
<img src="/assets/media/posts/timezone.jpg" />
</div>
<p>With normal web servers this is only useful in very limited scenarios, because the geographical position of the server is not hidden in any way and can be found easily from the server IP address, which is not hidden at all. However, in a <strong>Hidden Service</strong>, the information about the server timezone can be very useful to identify the possible countries where the server is running.</p>
<p>The GZIP specification clearly states that universal time should be used instead of local time for the MTIME header field. However, I have found lots of sites sending local times instead of universal times.
It seems that <strong>maybe</strong> the flaw is in Microsoft Windows, but further investigation is needed to clarify which implementations are not following the specification and are leaking the local time.</p>
<p>This, of course, <strong>is NOT a TOR fault and is not a bug in the tor protocol</strong>, and <strong>IS NOT a problem with the GZIP spec</strong>, but with certain implementations.
It is just an obscure feature of the gzip format that has been wrongly implemented by some vendors, and made available in the HTTP protocol by default in most web servers.</p>
<p>The good news is that lots of webservers are preconfigured to fill the date field of the gzip header with zeros, maybe because of performance issues, who knows. After some research, I found that around 10%
of the webservers leak the remote date when compressing HTTP responses with gzip, and only some of the servers that include the remote date in the header fail to use UTC instead of local time.</p>
<h3 id="clock-skew-identification">Clock Skew identification</h3>
<p>Even the implementations that send the universal time instead of the local time, in other words, the correct implementations that
do not fill the MTIME with zeros but send the correct universal time, are prone to identification through clock skew attacks, as you can read in the previous work by
<strong><em><a href="http://sec.cs.ucl.ac.uk/users/smurdoch/papers/ccs06hotornot.pdf">Murdoch, 2006</a></em></strong>.</p>
<p>However, in this scenario the universal time provided by correct gzip implementations is just another side channel that can be used to mount that attack.</p>
<h3 id="proof-of-concept">Proof Of Concept</h3>
<p>I have developed a little php script that uses curl (command line) to get the remote server date if it is available in the gzip compressed HTTP response. It will only work on web servers that
allow compression of HTTP responses and fill the ‘date’ field of the gzip header with the actual date instead of zeros.</p>
<p>I have tested it with some servers; examples of servers where a date is sent in the gzip header are <strong>instagram.com</strong>, <strong>reddit.com</strong> and <strong>bing.com</strong>. In this example
<strong>reddit.com</strong> and <strong>instagram.com</strong> are sending universal times, as the specification states, while <strong>bing.com</strong> is sending local times.</p>
<p>Of course, because of privacy concerns, I’m not going to provide information on which hidden services are leaking the remote date.</p>
<p>Examples of use:</p>
<pre><code>user@localhost:~$ php time.php bing.com
The server that processed the request on: bing.com has local date set to:
Sunday 21st of February 2016 01:21:21 PM
user@localhost:~$ php time.php reddit.com
The server that processed the request on: reddit.com has local date set to:
Sunday 21st of February 2016 09:21:25 PM
user@localhost:~$ php time.php instagram.com
The server that processed the request on: instagram.com has local date set to:
Sunday 21st of February 2016 09:21:30 PM
user@localhost:~$
</code></pre>
<p>In this example all three servers are including times in the gzip headers, but <strong>reddit.com and instagram.com are providing universal times</strong>, while <strong>bing.com is providing local times</strong>.</p>
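<p>A small Python check, added here as an illustration and not the PHP proof of concept from the repository linked below: it parses the fixed gzip header of a compressed response body and compares its MTIME with the response's HTTP Date header, so an operator can tell whether their own server sends a zeroed, UTC or local-time MTIME. The sample bodies, the Date header, the verdict names and the tolerance are constructed for this example.</p>

```python
# Added example (not the author's PoC): parse the fixed 10-byte gzip member
# header (RFC 1952) and classify MTIME against a trusted UTC reference, here
# the response's own HTTP Date header.
import gzip
import struct
from datetime import datetime, timedelta
from email.utils import parsedate_to_datetime

GZIP_MAGIC = b"\x1f\x8b"


def parse_gzip_header(data: bytes) -> dict:
    """Return the fixed header fields: ID1 ID2 CM FLG MTIME(4, LE) XFL OS."""
    if len(data) < 10 or data[:2] != GZIP_MAGIC:
        raise ValueError("not a gzip stream")
    cm, flg, mtime, xfl, os_id = struct.unpack("<BBIBB", data[2:10])
    return {"method": cm, "flags": flg, "mtime": mtime, "xfl": xfl, "os": os_id}


def classify_mtime(mtime: int, reference_utc: datetime, tolerance_s: int = 300) -> tuple:
    """'zeroed' (nothing leaked), 'utc' (spec-compliant, only clock skew leaks),
    or 'local' with the apparent timezone offset in hours (quarter-hour steps)."""
    if mtime == 0:
        return ("zeroed", 0.0)
    delta = mtime - int(reference_utc.timestamp())
    if abs(delta) <= tolerance_s:
        return ("utc", 0.0)
    return ("local", round(delta / 900) * 900 / 3600)


def audit_body(body: bytes, date_header: str) -> tuple:
    """Audit one gzip-compressed HTTP body using its Date header as UTC reference."""
    header = parse_gzip_header(body)
    return classify_mtime(header["mtime"], parsedate_to_datetime(date_header))


# Constructed samples: the same page as served by three hypothetical servers.
DATE_HEADER = "Sun, 21 Feb 2016 21:21:21 GMT"   # hypothetical HTTP Date header
REF = parsedate_to_datetime(DATE_HEADER)
PAGE = b"<html><body>hello</body></html>"
SAMPLES = {
    "zeroed": gzip.compress(PAGE, mtime=0),                        # MTIME filled with zeros
    "utc": gzip.compress(PAGE, mtime=int(REF.timestamp()) + 4),    # compliant, 4 s after Date
    "local": gzip.compress(PAGE, mtime=int((REF - timedelta(hours=8)).timestamp())),  # UTC-8 wall clock
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, audit_body(body, DATE_HEADER))
```

The "local" verdict only holds if the Date header itself is correct UTC; a server with a wrong clock would show as a bogus offset instead.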
<p>The proof of concept is available here:</p>
<p><strong><em><a href="https://github.com/jcarlosn/gzip-http-time">https://github.com/jcarlosn/gzip-http-time</a></em></strong></p>
<h3 id="gzip-in-tor-itself">GZIP in tor itself</h3>
<p>The TOR protocol itself uses gzip for some of its communications; however, this issue was already known and taken into account when developing tor,
as stated by Tim Wilson-Brown on the tor-onions mailing list:</p>
<p>TOR itself does not suffer from this issue, even though it uses gzip compression internally to compress directory documents. Hidden services and clients do not produce or recompress directory documents, so they could never be affected. And tor authorities use deflateInit2 to initialise compression for votes and consensuses, which zeroes the gzip header. From the deflateInit2 documentation in zlib.h:</p>
<pre><code> "windowBits can also be greater than 15 for optional gzip encoding. Add
16 to windowBits to write a simple gzip header and trailer around the
compressed data instead of a zlib wrapper. The gzip header will have no
file name, no extra data, no comment, no modification time (set to zero), no
header crc, and the operating system will be set to 255 (unknown). If a
gzip stream is being written, strm->adler is a crc32 instead of an adler32."
</code></pre>
<p>You can see the entire conversation about this on the <strong><em><a href="https://lists.torproject.org/pipermail/tor-onions/2016-February/000081.html">tor-onions</a></em></strong> mailing list.</p>
<h3 id="thanks">Thanks</h3>
<p>From the moment I found this potential issue I was afraid that this could be affecting the privacy of tor users, even in remote ways. It has been a bit complicated to understand why this was happening and why, while the gzip specification clearly states that the time should be universal, some servers were sending local times instead. Even with the confusion of sharing these findings early, I believe that it has been more constructive to openly discuss this potential issue than to keep it secret while I try to understand the impact better. I believe that the most responsible thing was to contact the onion tor mailing list, like I did, and to spread this article to raise concerns and get help understanding if this could be an issue.</p>
<p>Thanks to HDM, brlewis and Henryk Plotz for joining the discussion and providing additional information regarding the issue and helping clarify the potential impact it could have.</p>
<p><strong><em>Last updated at: 2/22/2016 8:50:16 PM UTC. Corrected some mistakes and added more information provided in the comments</em></strong></p>
</div>
</article>
<footer>
<hr/>
<p>
© 2016 Jose Carlos Norte
</p>
</footer>
</div>
<script type="text/javascript" src="/assets/resources/jquery/jquery.min.js"></script>
<script type="text/javascript" src="/assets/resources/bootstrap/js/bootstrap.min.js"></script>
<script type="text/javascript" src="/assets/js/app.js"></script>
</body>
</html>