Since its rise, Windows has been a natural habitat for all kinds of malware. Now the OS itself seems to have become one big trojan. Right after being installed it starts acting strangely: data flows in rivers to dozens of servers belonging to Microsoft and its partner companies. We will look into the complaints about the espionage habits of Windows 10 and find out what data it sneaks out and where it sends it.
All the information was obtained through the author's personal research and is published for educational purposes. Neither the editorial staff nor the author bear any responsibility for any damage caused by interfering with the operation of the OS.
Microsoft > NSA
The first reports of the new Windows' strange behavior emerged as early as the technical preview. Windows 10 generates a considerable amount of internet traffic even when no web applications are running at all. At the time this was attributed to diagnostics and statistics collected for software debugging: Microsoft was testing the new product's operation with various configurations, and users acted as beta-testers. That seems quite sensible. However, nothing changed after the release; if anything, even more complaints have arisen.
«This weekend we upgraded my 14-year-old son’s laptop from Windows 8 to Windows 10. Today I got a creepy-ass email from Microsoft titled ‘Weekly activity report for [my son]’, including which websites he’s visited, how many hours per day he’s used it, and how many minutes he used each of his favorite apps. I don’t want this. I have no desire to spy on my boy. Microsoft advised me to turn off activity reporting in my account’s Family section if I did not want to receive such e-mails. There was no such issue in Windows 8.» This quotation from an e-mail sent to writer and activist Cory Doctorow by a friend was posted on the Boing Boing blog. Many reviewers claim that user data is still collected regardless of the account preferences set otherwise. The only thing you can really turn off is the activity reporting itself; in other words, you will stop receiving the e-mails.
It is remarkable that the Privacy Statement explicitly declares the gathering of various information by certain means embedded in Windows 10. Of course, the overwhelming majority of Windows users will not even skim the document, and the few who do read it may feel perplexed. This lengthy document is full of vaguely and intricately worded statements that make it hard to recognize the changes in privacy that come with installing Windows 10. The short answer: you can simply forget about your privacy; you won't have it anymore. Human rights activists are unanimous in the opinion that the system immediately starts gathering all the data it can get hold of. The data is mostly of the following types.
- Samples of voice and pronunciation of certain words;
- samples of handwriting (via handwriting input);
- text samples (typed in any application).
- Current location;
- locations history including temporary location marks.
- Information on equipment including ID numbers of the devices;
- information on networks joined both wireless and by cable;
- telemetric data;
- data from any built-in sensors.
- Web search history;
- visited websites log;
- Windows startup and shut down time;
- startup and shutdown time of every application.
- Applications downloaded from Windows Store;
- clicking on contextual ads;
- clicking on personalized ads.
The list could go on, but the above is quite enough for our research. Running ahead, I should mention that not all the accusations against Windows 10 proved true. For example, the Czech news portal AE News claimed that the OS sends images from the webcam to Microsoft servers. During our test, however, once we connected a webcam the system only installed the drivers. We detected no irrelevant or unauthorized actions with the camera at all.
Watching the watchman
There are plenty of tools a hacker can use to scrutinize any piece of software. For our test we prepared a computer with an empty SSD, a virtual machine, the Wireshark sniffer, an HTTP proxy and the Fiddler debugger, the TCPView network connection monitor, a registry snapshot tool and several auxiliary utilities. We preferred versions that run without installation. Wireshark and Fiddler are the only applications that require installation, so they were the last to be put to use. Hence the system remained pristine for most of the test. We analyzed network traffic both with default Windows 10 settings and after gradually turning off all the “spying” features.
According to the official documents, the user is watched by: Windows itself, its deeply integrated Bing search engine, the Cortana voice assistant, MSN services, the Microsoft Office suite, the OneDrive cloud storage client, Outlook, Skype, Silverlight and Xbox Live. You can read more about it on Microsoft's website. Now let's see how the information is gathered.
After installing build 10240 we began watching its networking behavior with TCPView. There was no activity beyond what is listed above. At first nothing happened, just like in Windows 7; only the Windows Store was ready to download new content from Akamai Technologies.
Just as we grew tired of lying in wait, the \Windows\System32\svchost.exe process suddenly came to life. It connected to the remote host 22.214.171.124 and sent some 7.5 KB to it.
We could have looked up that address with WHOIS, but Shodan's results are more informative.
From the description we found out it was some Bing bot. That connection would have been justified if we had made any search, even a local one. But that was not the case; we were just sitting and monitoring the computer's spying activity via TCPView.
Getting ready for a packet storm
Waiting for sleeping services to start on their own might take a long time, so it is time to get active and wake them up. After hitting the Start button, the information tiles on the right perked up: a weather forecast, news and ads appeared there. TCPView shows that all this content is downloaded via the Akamai network and looks legitimate. But once we launch Notepad and start typing, everything changes at once.
Six connections appear in one stroke and close right away; more than 100 packets travel somewhere unknown. We had turned off the Internet search option, allowing Windows to perform only local search. Nevertheless, once we ran Notepad and began typing, the SearchUI process launched anyway and started transferring data.
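As an added example (not part of the original article), the same watch-and-attribute procedure scripted in PowerShell: it polls the established TCP connections, attributes each to its owning process and logs every new process-to-endpoint pair, so a background sender like svchost.exe or SearchUI.exe shows up the moment it connects. The log path, polling interval and duration are assumed defaults; run it from an elevated prompt so system services resolve to a process.

```powershell
# Added example, not from the article: poll TCP connections and report every
# new (process, remote endpoint) pair, the scripted equivalent of watching TCPView.
# Assumes Windows 8 / Server 2012 or later (NetTCPIP module) and an elevated shell.
param(
    [int]$IntervalSeconds = 2,                                      # assumed default
    [int]$DurationMinutes = 10,                                     # assumed default
    [string]$LogPath = "$env:USERPROFILE\Desktop\net-baseline.csv" # assumed path
)

$seen     = @{}                                   # keys already reported
$deadline = (Get-Date).AddMinutes($DurationMinutes)

while ((Get-Date) -lt $deadline) {
    # Loopback and unspecified addresses are noise; keep only real remote peers.
    $conns = Get-NetTCPConnection -State Established, SynSent -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notin @('127.0.0.1', '::1', '0.0.0.0', '::') }

    foreach ($c in $conns) {
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        $name = if ($proc) { $proc.ProcessName } else { "pid:$($c.OwningProcess)" }
        $path = if ($proc) { $proc.Path } else { '' }
        $key  = "$name|$($c.RemoteAddress):$($c.RemotePort)"

        if (-not $seen.ContainsKey($key)) {
            $seen[$key] = $true
            $row = [pscustomobject]@{
                Time    = (Get-Date).ToString('s')
                Process = $name
                Pid     = $c.OwningProcess
                Path    = $path
                Remote  = "$($c.RemoteAddress):$($c.RemotePort)"
                State   = $c.State
            }
            # Append to CSV so the run survives a closed console, and echo to screen.
            $row | Export-Csv -Path $LogPath -Append -NoTypeInformation
            Write-Host ("{0}  {1,-14} pid {2,-6} -> {3}" -f $row.Time, $row.Process, $row.Pid, $row.Remote)
        }
    }
    Start-Sleep -Seconds $IntervalSeconds
}
```

Get-NetTCPConnection reports endpoints, not byte counts, so pair this with a Wireshark capture when you need to know how much was sent, as with the 7.5 KB above.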