CyberWire Daily - Application tracking in Wacom tablets. [Research Saturday]
Episode Date: February 29, 2020
Today's Research Saturday features our conversation with Robert Heaton, a software engineer with Stripe who penned a blog post about his disappointing discovery involving his Wacom tablet tracking his... applications. The post struck a nerve and has since been widely distributed. The research can be found here: Wacom drawing tablets track the name of every application that you open
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private. JoinDeleteMe.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout. That's JoinDeleteMe.com slash N2K, code N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
And now, a message from our sponsor, Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise, with an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context, and simplifying security for your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com slash security.
Well, I've had one of these Wacom tablets for a while, and then I had to reinstall it to get it
working on a new computer. That's Robert Heaton. He's a software engineer with Stripe.
The research we're discussing today is titled
Wacom Drawing Tablets Track the Name of Every Application That You Open.
So I downloaded the drivers, I plugged it in,
and as I was installing the drivers, it said,
please could you accept our privacy policy?
And I found that quite surprising because a tablet is essentially a mouse. So I was like, well, why does a mouse need a privacy policy? So I know no one ever actually
reads these things, but I did. And to be fair, it was quite clear sort of in the standard of these
kinds of things. But it said, we sort of want to send a bit of information to Google Analytics.
It's not very much, don't worry. And so I was like, this seems worth looking into. So I did. It was quite simple to do. I just
set up a proxy to route the traffic through a program called Burp Suite so that I could have
a look at the information. And as I wrote, it turned out that they were sending, most
interestingly, the name of every program that I opened, that I tabbed to,
which I found quite surprising.
Yeah, I mean, let's dig into that.
I think like you, on the one hand, I think I would be surprised that something like a tablet like this,
as you say, similar to a mouse, would require some sort of privacy statement.
I suppose, on the other hand, it doesn't surprise me that anything has a privacy statement
these days in the world we live in. Is that your sense as well? I suppose so, but I still did find
it quite jarring. I think I would say if it didn't connect to the internet in any way and didn't send
any information anywhere, I'm very much not a lawyer, but I would expect it not to need one.
Well, let's go through some of the details of how you were able to see what exactly they were sending home.
Sure. Using a technique and a tool called a proxy. And it just means that instead of
having the traffic go directly from the program, from the Wacom driver to their servers,
I instead said, okay, could you please just send it
via something, a program that I was running
on my local computer.
As I mentioned before, this program's called Burp Suite.
So the way you use it is you start Burp Suite
on your laptop or your computer,
and you say, okay, listen on local host, just locally on the
computer on a port, it doesn't really matter what port. And then you tell your system in this case,
just saying, okay, could you send all HTTP or HTTPS traffic via this proxy? So that means that
instead of, again, instead of sending its traffic directly to Wacom or to Google Analytics, the
driver, because it was well behaved, it respected these settings. It would send that traffic to Burp
Suite, and Burp Suite could log it just to the screen so that I could see what it was, and
then it would just send it off to the place where it was originally intended to go. One sort of other
interesting thing you have to make sure to get right here is because this traffic is TLS encrypted,
that means that the Wacom driver is expecting to receive a TLS certificate, it's called, that is valid for www.google-analytics.com.
And obviously, because I'm not Google, I don't have that kind of certificate available. So you have to self-sign a certificate, meaning you generate a fake authority who is
allowed to sign these things, you tell your computer, it's okay, trust certificates that
come from this authority. And then you tell Burp to present this certificate. So the Wacom driver
receives this certificate that is signed
by your sort of fake certificate authority, but it's fine with that. It says, okay, this looks
great. I'm happy to complete a TLS connection with you. And then everything proceeds as I
described it before.
And so in terms of the information that was being sent back and forth,
what sort of view did you have into that? You could just see the exact contents of the HTTP requests
that were going out to Google Analytics.
So you could just see the exact data that was going.
As I said, the most interesting part was very much
the names of the programs that you were tabbing to.
I suppose on the one hand, I could see a company like Wacom
being able to use this sort of information.
I could see them saying,
well, we want to make sure that our product
works with a variety of software packages out there.
And one of the best ways for us to do that
is to know what people are using our products with
so that we don't end up having a bunch of people
using something that we haven't tested for.
I can see that being a reasonable explanation
from their point of view,
but still raises some flags for you.
Yeah, exactly.
I mean, I absolutely believe
that that was the purpose behind this
and that it's not like they were getting this data
and then doing something evil or horrendous with it.
They did just want to know how their product works and that's sort of a natural thing to want to do. I feel like that
just doesn't give you the right to take this information. This is still surprising information
that people were quite unhappy that was being taken from them. And I think something that I was
thinking about is that it's almost unfortunate for Wacom that their product in its
natural state, the natural way that it works, doesn't require them to send these HTTP requests.
If you're just some kind of SaaS product, then like, I don't know, Asana or Trello or literally
anything, then in order to use your products, the users have to send you data. They have to
tell you how they want to
interact with your product. So you get this usage information automatically. And it's almost just
unfortunate for Wacom that their product doesn't require that. So when they try and do that,
it seems surprising and jarring. Now, with the tools that you were using,
would it have been within your capabilities to simply shut off the flow, to interrupt that data being sent back to them?
Yeah, certainly.
There's several ways to do that.
And again, to Wacom's credit, I very much think this is not something they should do.
But to their credit, it's something you can just turn off in the driver settings.
You can say, I think it's called the Wacom Experience Program.
I don't want to participate in this.
And if you click no, as far as I know,
I'm sure it just stops sending this data.
But then alternative ways, if you didn't trust that
or you wanted something more sort of broad and far-reaching,
you could, for example, probably the easiest way
is if you've used something like a device,
some software called a Pi-hole, that I believe you put on your network and you do your
DNS resolutions via that. So DNS is when you say you want to talk to a
domain, say google-analytics.com. Your computer, or the internet backbone, it
doesn't really understand domain names. It doesn't say, okay, I'm going to route this
to google-analytics.com. It only understands IP addresses.
So in order to send data to Google Analytics, first your computer does a DNS lookup.
So it asks a DNS server, what is the IP address for this domain?
And then it will say, oh, it's 152.14.whatever.
And I believe the way that these kinds of devices work is that you send your DNS requests via them,
which means that it can either send the request onto a real DNS server to get a real response,
or it can just black hole it and say, I'm going to throw this away or just return gibberish or
something like that. And that would mean that your entire computer or potentially any device
on your network would be unable to figure out where on the internet Google Analytics.com is,
which means that none of them would ever be able to talk to it.
Now, when you posted this blog post,
did you expect to get the attention that you've gotten here?
There's been quite some widespread light shown on what you discovered.
I actually sort of did.
I felt like I've found a couple of things like this in the past,
which have all received similar sorts of interest.
I think my favorite one was, I think, a year or two ago,
which was another Chrome extension called Stylish,
which was a wonderful Chrome extension
where you could add custom CSS rules
to change the way that different websites look.
And it was just wonderful.
It means you could hide distracting bits of Facebook or hide, change the color of a background or something like that.
But at the same time, it just secretly logged the URL, the full URL of every single website that you visited and sent it back to their servers for nefarious tracking reasons.
And so this was something I discovered just by chance. And I wrote about it and published it.
And that was, it was a very similar reaction where people were just sad and upset that this
thing they liked was taking data from them. I think that is much more nefarious, in my opinion,
than what this Wacom product is doing. But I think it's something
that people find suspicious and don't like and get upset when they find out what's happening.
Has there been any response from Wacom themselves?
I think they did write a blog post that I actually only found recently, just explaining
basically what you were suggesting before, where they're saying, well, look, we just want to know how our device is used.
It's all anonymous, et cetera, et cetera.
Which, again, I get it.
It's fair enough.
But I still don't think it gives you the right to take this data like that.
Ideally, how would you like to see them set this up?
What would be a way for them to do this that you would find acceptable?
Shortly after I published this, I installed, I actually set up a new iPhone. And as part of that
installation process, you set up your name and email address and all of that. And then there's
a very big screen that says, do you want to send analytics data to Apple? And I think it tells you
something about what that might involve. And you can just click, yes, I do, or no, I do not. And that's it. That's the end of it.
And I think that was quite pleasantly clear. I understood that. I felt like, well, I personally
never send people data like that. But I could see someone saying, well, actually, I'm happy to send
this stuff if it makes products better. So that sort of thing, rather than, I suppose,
burying it within an end-user license agreement
to be overt about it and really require
some sort of an acknowledgement or response
from the user, that's the sort of thing
that you find more appropriate.
I think so. And in this situation, to be fair,
again, installing the driver did require you to say, yes, I would like to join the Wacom Experience Program. But
no one really knows what that is. To me, it looked like something you had to click yes,
otherwise the product just wouldn't work, which is not true. You could click no,
but it very much didn't look like that. It was very unclear. In fact, someone said to me,
oh, well, if you're interested in this, you'll be interested in, I think it was the Logitech mouse that does something very similar.
So I got all excited. I downloaded some Logitech drivers and I started installing them. And they actually did exactly what I just described for Apple, where they said they had one big screen saying, is it OK if we send analytics to ourselves?
You can click
no if you want, and that's fine. And again, it was quite open up front. And so I think that's
a good way to approach it. Although in that situation, it did spoil my fun.
It really is interesting how it seems as though as awareness of these sorts of things increases,
there's more subtlety here. The things that people find acceptable
versus what they don't, what they find just creepy. It seems like we're establishing what
the norms should be. We're starting to settle in on what people are willing to accept and are not.
I think so. I think it's generally fair enough for an application or a device to record some information of some sort about the way that you use it specifically.
Not how you interact with other things on your system or anything like that, but just the way that you use it.
I personally, again, given a choice, I don't give anyone any of this information.
But I think at that point, it's sort of fair enough.
But then I sort of think about it where I feel like this Wacom case is quite convenient, whereas it was very easy to find.
It was even in their terms of service.
And it was very surprising and upsetting to people.
But if you think about the data that the much larger companies and more ubiquitous ones like
Facebook and Google and so on are collecting,
that's much harder to track.
You can't sort of just put a proxy on your computer
and say, ah, I've got you.
Now I can write a blog post
that will get everyone very interested and so on.
It's instead maybe they're sort of purchasing some data
from over here or they're getting this data
and joining it up from two different products
that you use both on their services.
So it's almost more concerning, I think, and has more impact,
but it's harder to pinpoint and harder to reason about because it's much murkier.
What is your advice for people who feel like they want to have a better view
into these sorts of things in their day-to-day, to have a sense for what's being collected?
Do you have any tips for folks?
I would suggest just start by,
if something asks for access to something,
I personally just almost always click no
until there's some very useful reason for it.
If you want to access my contacts, no.
If you want to access the camera, no.
And eventually, maybe if you prove your reliability
and trustworthiness and usefulness,
then maybe we can start sharing some information there.
No matter what you think about the sort of economic trade-offs
of using ad blockers,
I think you just have to use ad blockers at the moment
to stop yourself getting tracked as much all around the internet.
I've noticed recently that, I don't know if this is a new thing, but the large social media
companies like Facebook and Twitter have these pages where you can view the information that
they, or at least some of the information that they have on you, which is quite eye-opening.
I think there's actually a lot that they don't show you as well, but it shows you,
for example, what companies have given them your email and said, oh yeah, this person's my customer or what companies have sent Facebook additional information about you. And that's just quite
interesting, if nothing else. Yeah. Yeah. It really is. It's eye-opening, I think.
Indeed. It's always just a trade-off with these things, I feel,
between the amount of effort you're willing to put in to get a particular kind of reward.
And that's particularly difficult here because the rewards are so vague and amorphous and difficult to evaluate.
If you're willing to use disposable email addresses for everything,
and maybe you use Tor for everything as well, then your life will be harder,
but you'll also be tracked less across the internet. So it's whether that's a worthwhile
trade-off for you.
That's Robert Heaton. He's a software engineer with Stripe.
The research we discussed today is titled, Wacom Drawing Tablets Track the Name of Every Application That You Open. We'll have a link in the show notes.
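The Pi-hole approach Heaton describes in the conversation above (answer the DNS lookup for a tracking domain yourself, so the client never learns its real address) in working form, as an added example that is not part of the episode or of Heaton's post: a minimal DNS sinkhole in Python that parses an A query off the wire, checks the queried name against a hosts-style blocklist, and forges a response pointing at 0.0.0.0. The blocklist entries and transaction IDs are constructed for the example, and matching parent domains (so ssl.google-analytics.com is caught by an entry for google-analytics.com) is a design choice made here, not something the episode states.

```python
import struct

# Constructed blocklist in hosts/Pi-hole style. These entries are an assumption
# for the example, not a real Pi-hole list.
BLOCKLIST_TEXT = """
# constructed example list: the analytics endpoint named in the episode
0.0.0.0 www.google-analytics.com
0.0.0.0 google-analytics.com
"""

SINKHOLE_IP = "0.0.0.0"


def load_blocklist(text):
    """Parse hosts-style lines ('0.0.0.0 domain' or a bare 'domain') into a set of names."""
    blocked = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        blocked.add(line.split()[-1].lower().rstrip("."))
    return blocked


def is_blocked(name, blocked):
    """True if the name itself or any parent domain is listed (design choice: block subdomains too)."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def encode_name(name):
    """Encode a dotted name as a DNS label sequence (RFC 1035 section 3.1)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(packet, offset):
    """Decode an uncompressed label sequence; returns (name, offset just past it)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_query(name, txid=0x1234, qtype=1):
    """Build a standard recursive query (one question, class IN) as a stub resolver would send it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def sinkhole(packet, blocked):
    """Return a forged response if the queried name is blocked, else None
    (None means: forward the packet unchanged to the real upstream resolver)."""
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        return None
    qname, off = decode_name(packet, 12)  # question starts right after the 12-byte header
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    if qclass != 1 or not is_blocked(qname, blocked):
        return None
    question = packet[12:off + 4]
    resp_flags = 0x8180 if flags & 0x0100 else 0x8080  # QR=1, RA=1, RD copied, rcode 0
    ancount = 1 if qtype == 1 else 0  # only A queries get a sinkhole record; others get NODATA
    header = struct.pack("!HHHHHH", txid, resp_flags, 1, ancount, 0, 0)
    answer = b""
    if ancount:
        # name = compression pointer to offset 12 (the question name), type A, class IN,
        # TTL 0 so the client does not cache the forged address, rdlength 4, then the address
        rdata = bytes(int(octet) for octet in SINKHOLE_IP.split("."))
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 0, 4) + rdata
    return header + question + answer


def answer_ip(response):
    """Extract the first A record's address from a response, or None if there is none."""
    ancount = struct.unpack("!H", response[6:8])[0]
    if ancount == 0:
        return None
    _, off = decode_name(response, 12)
    off += 4 + 2  # skip qtype/qclass, then the 2-byte compressed name pointer
    rtype, _, _, rdlen = struct.unpack("!HHIH", response[off:off + 10])
    off += 10
    if rtype != 1 or rdlen != 4:
        return None
    return ".".join(str(b) for b in response[off:off + 4])


def lookup(name, blocked):
    """What a client behind the sinkhole sees for an A query: SINKHOLE_IP, or None when forwarded."""
    response = sinkhole(build_query(name), blocked)
    return None if response is None else answer_ip(response)


if __name__ == "__main__":
    blocked = load_blocklist(BLOCKLIST_TEXT)
    for host in ("www.google-analytics.com", "ssl.google-analytics.com", "example.com"):
        print(host, "->", lookup(host, blocked) or "forwarded upstream")
```

A real blocking resolver such as Pi-hole also caches, handles compressed names in upstream answers and serves the network over UDP and TCP; the point here is the decision and the forged answer. Two caveats a practitioner will want: the client must actually use this resolver (software that hard-codes its own DNS server or speaks DNS over HTTPS to a public resolver bypasses network-level blocking entirely), and a sinkholed address is only as good as the blocklist, so the driver's own opt-out remains the first thing to check.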
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home? Black Cloak's award-winning
digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact,
over one-third of new members discover they've already
been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
The Cyber Wire Research Saturday is proudly produced in Maryland out of the startup studios
of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe,
Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening.