Old 12-14-2020, 08:28 PM   #16
diabl0w
Connoisseur
 
Posts: 87
Karma: 527
Join Date: Sep 2019
Device: Max3
Quote:
Originally Posted by Ken Maltby View Post
There are a number of functions on my new Onyx Boox Note 2 (10.3") that won't work without phoning home. This includes the fingerprint detection, screensaver app. (still can add your own locally), and others.

Luck;
Ken
FWIW fingerprint works fine on Max3 without internet; I'm surprised to hear that internet is required for fingerprint on other devices. I don't use the screensaver, just whatever default one pops up, so I don't know about that.

I have decompiled some Onyx system APKs and they include a lot of references to companies like Tencent, among others, that are very unnecessary. As far as exactly what these libraries are doing, I haven't looked into that.
Old 12-15-2020, 02:17 AM   #17
Galunid
Zealot
 
Posts: 122
Karma: 43580
Join Date: Apr 2016
Device: KPW3, Kobo Clara HD, Onyx Boox Nova 2
Quote:
Originally Posted by diabl0w View Post
I have decompiled some Onyx system APKs and they include a lot of references to companies like Tencent, among others, that are very unnecessary. As far as exactly what these libraries are doing, I haven't looked into that.
When playing around with onyxsdk, I decompiled it and took a look around. Other than the Tencent one, everything else was alright. The Tencent stuff seems to be the WeChat SDK. How problematic it is for non-Chinese people I have no idea. I took a look at the obfuscated parts and there didn't seem to be anything malicious, but that doesn't mean there isn't.
Old 12-16-2020, 05:31 PM   #18
this_is_sus
Junior Member
 
Posts: 5
Karma: 10
Join Date: Dec 2020
Device: none
Quote:
Originally Posted by diabl0w View Post
FWIW fingerprint works fine on Max3 without internet
Same on Note 3. Fingerprint works fine for me with WiFi off.
Old 12-17-2020, 11:53 AM   #19
rantanplan
Weirdo
 
Posts: 836
Karma: 11003000
Join Date: Nov 2019
Location: Wuppertal, Germany
Device: Kobo Sage, Kobo Libra 2, Boox Note Air 2+
Quote:
Originally Posted by Galunid View Post
When playing around with onyxsdk, I decompiled it and took a look around. Other than the Tencent one, everything else was alright. The Tencent stuff seems to be the WeChat SDK. How problematic it is for non-Chinese people I have no idea. I took a look at the obfuscated parts and there didn't seem to be anything malicious, but that doesn't mean there isn't.
It's likely only used when you set the server to China. Which some fools on this forum do to get updates earlier 🙈
Old 12-26-2020, 08:39 PM   #20
rpvreviews
Enthusiast
 
Posts: 31
Karma: 10
Join Date: Mar 2018
Device: Boox Note 10.3; Various Kindles in past
Do you consider the iPad Pro better in this regard compared to Onyx Boox? What if I create a dummy Gmail account and install apps? I am mainly interested in reading PDFs and will not use fingerprint either.
Old 12-26-2020, 11:34 PM   #21
Question Mark
Wizard
 
Posts: 1,419
Karma: 6513838
Join Date: Mar 2016
Device: More than I need, but not as many as I would like.
Quote:
Originally Posted by rpvreviews View Post
Do you consider the iPad Pro better in this regard compared to Onyx Boox? What if I create a dummy Gmail account and install apps? I am mainly interested in reading PDFs and will not use fingerprint either.
Personally, I wouldn't lose too much sleep over the matter. If you're just using it primarily to read, there's really not much need to connect it to the internet. Updates to firmware and apps can be installed manually. If you are never connected to the internet, apart from the initial setup, no need to worry. My Onyx devices are seldom connected to the internet, not that I'm all that worried anyways.
Old 11-06-2024, 03:28 PM   #22
macallik
Member
 
Posts: 20
Karma: 10
Join Date: May 2020
Device: Samsung s5e
Receiving some funky queries from my Boox device:

https://i.imgur.com/Kmqw3os.png
I was talking to an LLM and it suggested that it is this and likely malware:
https://en.wikipedia.org/wiki/Domain...tion_algorithm

Last edited by macallik; 11-06-2024 at 03:45 PM.
Old 11-06-2024, 04:39 PM   #23
Renate
Onyx-maniac
 
Posts: 3,924
Karma: 17500001
Join Date: Feb 2012
Device: Nook NST, Glow2, 3, 4, '21, Kobo Aura2, Poke3, Poke5, Go6
Can you trace this to a process? How are you getting this list?
Old 11-06-2024, 05:09 PM   #24
macallik
Member
 
Posts: 20
Karma: 10
Join Date: May 2020
Device: Samsung s5e
The screenshot is from AdGuardHome



Then I used an LLM to walk me through digging deeper for the first time, and then analyzing the output. Here are the highlights.


Code:
#snooping on the boox device and trying to visit a website
# -w writes raw packets to capture.pcap and prints nothing to stdout, so the
# redirect alone leaves output.txt empty; decode the saved capture with -r
# to get the text output that is uploaded below

tcpdump -i br-lan host 192.168.1.221 -w capture.pcap

tcpdump -nn -r capture.pcap >> output.txt

scp router:output.txt .
Then I uploaded output.txt to Claude AI:

(After uploading the same file to ChatGPT w/o context, I think that the response below is a false positive on what is actually being shared, but that its prior identification of potential domain generation algorithms still seems probable)
Quote:
Looking at this DNS traffic and subsequent data transfers, there are several concerning patterns:
  1. The DGA-like (Domain Generation Algorithm) domains seen earlier appear to be communicating with your local DNS server (192.168.1.223) on port 8232
  2. The large data transfers following these DNS queries are significant:
    • Multiple TCP connections being established
    • Large amounts of data being transferred (2MB+ in one session)
    • Consistent patterns of data transfer sizes (1448 byte chunks)
    • Multiple sequential connections in a short timeframe
  3. The traffic pattern suggests command & control (C2) behavior:
    • Initial DNS queries to establish connectivity
    • Follow-up large data transfers
    • Multiple connections in sequence
    • Predictable timing patterns
  4. The device seems to be regularly beaconing out:
    • DNS queries every few seconds
    • Followed by data transfers
    • Very systematic and automated looking behavior
Given that this is a Boox device (Chinese e-reader), this strongly suggests built-in data collection/exfiltration functionality. I'd recommend:
  1. Block outbound traffic from this device at the router level
  2. Create firewall rules to block the suspicious port 8232 traffic
  3. Consider isolating the device to a separate VLAN
  4. Monitor for similar patterns from other devices
Would you like me to help create specific firewall rules to block this traffic or suggest how to isolate the device on your network?

Last edited by macallik; 11-06-2024 at 05:25 PM.
Old 11-06-2024, 05:15 PM   #25
macallik
Member
 
Posts: 20
Karma: 10
Join Date: May 2020
Device: Samsung s5e
I can DM you the output file if you'd like to investigate further. LLMs' analyses are not infallible, so it might be misinterpreting something. I don't recall seeing any attempts to phone the potential DGA domains, but I was admittedly more focused on following instructions instead of scanning the logs.

The only other quirk that comes to mind was that I sent my device in for a screen fix last month. It's possible that is when the malware exposure happened, if it's new, but that's just conjecture. I ran Hypatia and it didn't find any malware. Is the assumption therefore that the malware runs at a system level instead of a scannable level, or is it too soon to tell?

For the time being, the LLM walked me through blocking outgoing traffic for the Boox, and I will eventually use it to figure out how to create a VLAN and isolate the device further, while still allowing it to sync with Syncthing.

Last edited by macallik; 11-06-2024 at 05:23 PM.
Old 11-06-2024, 07:38 PM   #26
macallik
Member
 
Posts: 20
Karma: 10
Join Date: May 2020
Device: Samsung s5e
OK, the LLM thinks I solved it, but I would like feedback.

Here is a better screenshot of the AGH logs. The area of interest occurs @ 11:17:51. According to the LLM, the context/proximity to Google API calls insinuates that they may be launched in tandem:
https://i.imgur.com/DuHMfLF.png

Being generally privacy-conscious, I have TrackerControl enabled and cross-referenced its logs. One caveat is that the dates aren't shown, so I'm assuming that it's for 11/5 but cannot tell definitively. Relatively sure I didn't use the tablet yesterday morning though.

If I'm reading things right, push.boox.com conveniently launches @ 11:17:51 as well:
https://i.imgur.com/TCUsWym.png

Edit: Then again, there are both IPv4 and IPv6 DGA domains, but only IPv4 push.boox.com...

Last edited by macallik; 11-06-2024 at 08:13 PM.
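The two steps macallik describes in posts #24 and #26 (spotting DGA-looking names in the resolver log, then checking what else the same client resolved at the same instant) can be done without an LLM. The script below is an added example, not code from the thread or from Onyx, AdGuard Home or TrackerControl: it scores each queried name with simple lexical heuristics (vowel ratio, longest consonant run, character entropy, label length) and then, for every flagged query, lists the non-flagged names the same client resolved within a two-second window. The log lines, the client address and the domain names are constructed for the example; the `registrable_label` helper is a deliberate simplification that ignores multi-part public suffixes.

```python
import math
import re
from datetime import datetime, timedelta

# Constructed sample lines in the shape "timestamp client queried-name".
# These are made up for this example; they are not the thread's screenshot.
SAMPLE_LOG = """\
2024-11-05T11:17:49-05:00 192.168.1.221 connectivitycheck.gstatic.com
2024-11-05T11:17:51-05:00 192.168.1.221 push.boox.com
2024-11-05T11:17:51-05:00 192.168.1.221 xkqzvbtrwplmd.com
2024-11-05T11:17:52-05:00 192.168.1.221 qwrtzpsdfgvbnk.net
2024-11-05T11:17:53-05:00 192.168.1.221 www.googleapis.com
2024-11-05T11:20:10-05:00 192.168.1.50 en.wikipedia.org
2024-11-05T11:20:11-05:00 192.168.1.221 mzlkvptrxwqnbsdf.info
"""

VOWELS = set("aeiou")
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]+")


def parse_log(text):
    """Return a list of (datetime, client, name) from the whitespace-separated log."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, name = line.split()
        rows.append((datetime.fromisoformat(ts), client, name.lower().rstrip(".")))
    return rows


def shannon_entropy(s):
    """Bits per character of the string's empirical character distribution."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(fqdn):
    """Second-level label of the name. Assumption: no multi-part public
    suffixes such as co.uk; a real deployment would use a suffix list."""
    parts = fqdn.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(fqdn):
    """Heuristic score from 0 to 3.5; higher is more DGA-like. Purely lexical,
    so it will false-positive on CDN hostnames: it is a triage aid, not proof."""
    label = registrable_label(fqdn)
    if len(label) < 7:
        return 0.0
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / max(len(letters), 1)
    longest_run = max((len(m) for m in CONSONANT_RUN.findall(label)), default=0)
    score = 0.0
    if vowel_ratio < 0.2:
        score += 1.0
    if longest_run >= 5:
        score += 1.0
    if shannon_entropy(label) > 3.2:
        score += 1.0
    if len(label) >= 12:
        score += 0.5
    return score


def flag_queries(rows, threshold=2.0):
    """Rows whose queried name scores at or above the threshold."""
    return [r for r in rows if dga_score(r[2]) >= threshold]


def neighbours(rows, flagged, window_seconds=2):
    """For each flagged query, the non-flagged names the same client resolved
    within +/- window_seconds: the timestamp cross-reference from the thread."""
    flagged_names = {r[2] for r in flagged}
    window = timedelta(seconds=window_seconds)
    out = {}
    for ts, client, name in flagged:
        near = sorted({n for t, c, n in rows
                       if c == client and n not in flagged_names and abs(t - ts) <= window})
        out[(client, name)] = near
    return out


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    flagged = flag_queries(rows)
    for ts, client, name in flagged:
        print(f"{ts:%H:%M:%S} {client} {name} score={dga_score(name)}")
    for key, near in neighbours(rows, flagged).items():
        print(key, "co-occurs with", near)
```

On the sample data the three consonant-soup names are flagged and the one at 11:17:51 is shown beside push.boox.com, gstatic and googleapis from the same client, which is exactly the kind of co-occurrence that still needs a process-level check (as Renate asks) before it says anything about which app issued the lookups.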
Old 11-07-2024, 11:40 AM   #27
Frogm4n
Evangelist
 
Posts: 458
Karma: 3579113
Join Date: Jul 2023
Device: Scribe 2022, OA2, PRS-350
I'd check any apps for recent updates and validate any APKs that you've sideloaded. A bunch of DGA lookups is most likely third-party malware and not the Onyx firmware itself.