Spyware in firmware

[diabl0w]

Quote:

Originally Posted by Ken Maltby

There are a number of functions on my new Onyx Boox Note 2 (10.3") that won't work without phoning home. This includes the fingerprint detection, screensaver app. (still can add your own locally), and others.

Luck;
Ken

FWIW fingerprint works fine on Max3 without internet, im surprised to hear that internet is required for fingerprint on other devices. I don't use screensaver, just whatever default one pops up, so I don't know about that.

I have decompiled some onyx system apks and they include a lot of references to companies like Tencent, among others, that are very uneccessary. As far as exactly what these libraries are doing, I haven't looked into that

[Galunid]

Quote:

Originally Posted by diabl0w

I have decompiled some onyx system apks and they include a lot of references to companies like Tencent, among others, that are very uneccessary. As far as exactly what these libraries are doing, I haven't looked into that

When playing around with onyxsdk, I decompiled it and took a look around. Other than Tencent one everything else was alright. The Tencent stuff seems to be WeChat SDK. How problematic it is for non-chinese people I have no idea. I took a look at the obfuscated parts and there didn't seem to be anything malicious, but that doesn't mean, there isn't.

[this_is_sus]

Quote:

Originally Posted by diabl0w

FWIW fingerprint works fine on Max3 without internet

Same on Note 3. Fingerprint works fine for me with WiFi off.

[rantanplan]

Quote:

Originally Posted by Galunid

When playing around with onyxsdk, I decompiled it and took a look around. Other than Tencent one everything else was alright. The Tencent stuff seems to be WeChat SDK. How problematic it is for non-chinese people I have no idea. I took a look at the obfuscated parts and there didn't seem to be anything malicious, but that doesn't mean, there isn't.

It's likely only used when you set the server to china. Which some fools on this forum do to get updates earlier 🙈

[rpvreviews]

do you consider ipad pro as better in this regard compared to onyx boox. what if I create a dummy gmail account and install apps. I am mainly interested in reading pdfs and will not use fingerprint also

[Question Mark]

Quote:

Originally Posted by rpvreviews

do you consider ipad pro as better in this regard compared to onyx boox. what if I create a dummy gmail account and install apps. I am mainly interested in reading pdfs and will not use fingerprint also

Personally, I wouldn't lose too much sleep over the matter. If you're just using it primarily to read, there's really not much need to connect it to the internet. Updates to firmware and apps can be installed manually. If you are never connected to the internet, apart from the initial setup, no need to worry. My Onyx devices are seldom connected to the internet, not that I'm all that worried anyways.

[macallik]

Receiving some funky queries from my Boox device:

https://i.imgur.com/Kmqw3os.png
Talking to an LLM and they suggested that it is this and likely malware:
https://en.wikipedia.org/wiki/Domain...tion_algorithm

[Renate]

Can you trace this to a process? How are you getting this list?

[macallik]

The screenshot is from AdGuardHome



Then I used an LLM to walk me through digging deeper for the first time, and then analyzing the output. Here are the highlights.

Code:

#snooping on the boox device and trying to visit a website

tcpdump -i br-lan host 192.168.1.221 -w capture.pcap >> output.txt

scp router:output.txt .

Then I uploaded output.txt to Claude AI:

(After uploading the same file to ChatGPT w/o context, I think that the response below is a false positive on what is actually being shared, but that its prior identification of potential domain generation algorithms still seems probable)

Quote:

Looking at this DNS traffic and subsequent data transfers, there are several concerning patterns:

1. The DGA-like (Domain Generation Algorithm) domains seen earlier appear to be communicating with your local DNS server (192.168.1.223) on port 8232
2. The large data transfers following these DNS queries are significant:
   • Multiple TCP connections being established
   • Large amounts of data being transferred (2MB+ in one session)
   • Consistent patterns of data transfer sizes (1448 byte chunks)
   • Multiple sequential connections in a short timeframe
3. The traffic pattern suggests command & control (C2) behavior:
   • Initial DNS queries to establish connectivity
   • Follow-up large data transfers
   • Multiple connections in sequence
   • Predictable timing patterns
4. The device seems to be regularly beaconing out:

• DNS queries every few seconds
• Followed by data transfers
• Very systematic and automated looking behavior

Given that this is a Boox device (Chinese e-reader), this strongly suggests built-in data collection/exfiltration functionality. I'd recommend:

1. Block outbound traffic from this device at the router level
2. Create firewall rules to block the suspicious port 8232 traffic
3. Consider isolating the device to a separate VLAN
4. Monitor for similar patterns from other devices

Would you like me to help create specific firewall rules to block this traffic or suggest how to isolate the device on your network?

[macallik]

I can DM you the output file if you' like to investigate further. LLM's analyses are not infallible, so it might be misinterpreting something. I don't recall seeing any attempts to phone the potential DGA domains but I was admittedly more focused on following instructions instead of scanning the logs.

The only other quirk that comes to mind was that I sent my device in for a screen fix last month. It's possible that is when the malware exposure happened if it's new, but that's just conjecture. I ran hypatia and it didn't find any malware. Is the assumption therefore that the malware runs from a system level instead of a scannable level, or is it too soon to tell?

For the time-being, the LLM walked me through blocking outgoing traffic for Boox, and I will eventually use it to figure out how to create a VLAN and isolate the device further, while still allowing it to sync w/ syncthing.

[macallik]

OK, the LLM thinks I solved it, but would like feedback.

Here is a better screenshot of the AGH logs. The area of interest occurs @ 11:17:51 According to the LLM, the context/proximity to Google API calls, insinuates that they may be launched in tandem:
https://i.imgur.com/DuHMfLF.png

Being generally privacy-conscious, I have trackercontrol enabled and cross-referenced its logs. One caveat is that the dates aren't shown, so I'm assuming that it's for 11/5 but cannot tell definitively. Relatively sure I didn't use the tablet yesterday morning tho.

If I'm reading things right, push.boox.com conveniently launches @ 11:17:51 as well:
https://i.imgur.com/TCUsWym.png

Edit: Then again, there are both ivp4 and ipv6 DGA domains, but only ipv4 push.boox.com...

[Frogm4n]

I'd check any apps for recent updates and validate any APKs that you've sideloaded. A bunch of DGA lookups is most likely 3rd party malware and not the Onxy firmware itself.