Check device network usage

Set up a system to monitor device network activity.

created: 2020-05-23 | topic: computer | tag: privacy,network | author: Jason Lenz

Motivation

I enjoy electronic devices and all the capabilities and connectivity that come with them, however whenever I obtain a new network enabled device I usually have the following types of questions in the back of my mind:

• What servers does this device communicate with?

• How often is it sending or receiving information?

• What type of information is being sent?

For general users it’s almost impossible to know the answers to these questions. Most devices connect constantly to servers owned by large internet companies and many of these companies don’t exactly have the best track record for respecting privacy and being trustworthy with user data…

This page describes how to set up a customized router that can detect and record all wireless connections from a device. With this setup it’s possible to answer the first two questions above. The third one is frequently not possible since connections are often encrypted. With that said, addressing the first two questions goes a long way in determining how trustworthy a device is.

What’s needed

• The wifi enabled device to be tested.

• An openwrt based router.

• A separate computer from the device to be tested. This is used to access and analyze network logs using wireshark.

The remainder of these instructions are based on my experience with the following hardware, but these should be easily adapted to other combinations:

• My test device - A Kindle Paperwhite with a clean factory reset. Firmware version 5.12.2.

• A Netgear WNDR3800 router using LibreCMC version 1.5.1 (an OpenWRT derivative).

• A Lenovo X230 laptop running Linux.

Prerequisite skills

For others interested in analyzing network traffic for a device you own, it’s helpful to have the following knowledge/background:

• Comfortable using unix from the command line.

• Familiarity with basic network configuration and terminology.

At some point maybe someone will create an easy way for general users to do a similar analysis, but for now it’s not trivial to set up. A router appliance with all the software pre-installed, and a web based user interface to view the analysis would be useful for general users, but for now it doesn’t exist (at least that I’ve found).

Router setup

This assumes you already have Openwrt (or LibreCMC) installed on your router of choice.

• Set up a guest wireless access point on your router. I named mine “check” instead of guest, but name it as desired. The following links describe how to do it using the terminal or Luci (web interface). Also I put a password on this access point so I could control who connected.

  https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guest-wlan

  https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guest-wlan-webinterface

• Make sure you can ssh into your router.

• Once you’ve accessed the terminal in your router, install the tcpdump program.

    # opkg install tcpdump
  

• Also from the terminal make note of the interface name for your guest network from the terminal. You can recognize it after entering the “ip addr” command as the inet address will match the one you set up earlier. In my case it was the “wlan1-1” interface on the 192.168.11.1 subnet.

    # ip addr
    ...
    wlan1-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
       link/ether ab:cd:ef:ab:cd:ef brd ff:ff:ff:ff:ff:ff
       inet 192.168.11.1/24 brd 192.168.11.255 scope global wlan1-1
          valid_lft forever preferred_lft forever
       inet6 fe80::c404:15ff:fe9b:570d/64 scope link 
          valid_lft forever preferred_lft forever
    ...
  

Record network activity

1. Connect your test device to the access point you just created. In this case I connected my Kindle Paperwhite to the “check” access point and entered the password for access. Ensure that it is the only device connected to that access point. This will make your life easier when analyzing traffic later.

2. Confirm that your test device is connected to the internet by using it to access a web page or browse a book store, etc.

3. ssh into your router from your computer.

4. Use tcpdump to start recording network activity on the interface identified earlier. Name the file as desired.

    # tcpdump -lnni wlan1-1 -w my-network-activity.bin
   

5. After the desired period of time has elapsed hit Ctrl-C to stop tcpdump.

6. Exit the ssh terminal on from your router and then copy the file over to your main computer.

    $ scp my-router-address:my-network-activity.bin .
   

Analyze network activty

Make sure wireshark is installed on your main computer if it isn’t already. Start it up and open up your network activity file (File -> Open). You will most likely have an overwhelming amount of network activty to sift through.

In my case analyzing the Kindle Paperwhite over a period of 114 seconds there were 280 unique network events (rows) displayed in wireshark.

The addresses will all be displayed in raw IP format, so one of my first steps was to turn on the option to resolve network addresses (View -> Name Resolution -> Resolve Network Addresses). Click on the Source or Destination columns at the top to sort on those and make note of all of the server addresses that were accessed. In my case, I found that the Kindle Paperwhite was accessing the following servers (sending and receiving):

a4k.amazon.com
api.amazon.com
device-messaging-na.amazon.com
pins.amazon.com
todo-ta-g8g.amazon.com
ec2-23-23-189-14.compute-1.amazonaws.com

This in itself is useful information and not unexpected. All of the servers are Amazon owned. It’s also interesting to note that I was not using the Kindle at all. I just booted it up and left it on the table during the 114 second capture period.

You can further try and inspect the raw data in the network packets to see if anything intelligible resides there. Click on a row or cycle through them using the up/down arrow keys and look at the bottom window. In my case it was mostly unreadable either due to being encrypted or stored in a proprietary format.

Another useful option within wireshark to consider includes the (Statistics -> Capture File Properties) menu option which will display high level information such as below:

Also the (Statistics -> I/O Graph) menu option is interesting to see as well. In my case most of the communication happened at boot up with a few sporadic network events happening later on.

This barely scratches the surface of what wireshark is capable of in terms of analysis. The user manual in the reference links below provides details on all the capabilities if you are interested in digging further.

Conclusion

This method proves very useful in answering the first two questions mentioned at the beginning (who is the device communicating with and how often). As expected it’s almost impossible to determine exactly what information is being sent, but regardless this is still a valuable method to have in the toolkit.

Limitations

• The prerequisite skills are needed to setup and interpret results.
• This setup only monitors traffic. A separate firewall config is needed to block certain device traffic (a topic for another post).
• Info is from a slice in time. The device could have a delayed communication that is undetected during the time window being tested here.
• Limited info on content of transmissions (when encrypted). Mainly shows what internet addresses and ports are accessed.

References

• https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guest-wlan-webinterface
• https://www.tcpdump.org/manpages/tcpdump.1.html
• https://www.wireshark.org/docs/wsug_html_chunked

Other links

• Magnifying glass image