As SecurityScorecard’s researchers continually expand our massive malware sinkhole, they encounter purchasable domains with significant traffic but lacking an owner. While we largely focus on purchasing domains related to malware, adware, or phishing, we often encounter other available domains that are not as overtly nefarious but that can still pose just as serious of a security risk to users.
Domain infrastructure expiration
Almost all modern software and devices regularly connect to the internet, for a variety of purposes such as delivering advertisements, tracking usage, updating configurations, or searching for security updates. This is almost always accomplished via “calling back” to a domain name that is registered via a domain registrar. Although a potential privacy concern, most of this behavior does not necessarily constitute a security concern as long as the owners continue to maintain the domain.
Unfortunately, many software or device maintainers forget to renew their domains. For example, a user’s device contacts the device company’s website domain daily, “www.companydomain.com,” for updates or to provide user metrics. However, if the device company fails to renew the domain or maintain it, then the device is sending the user’s information to an “orphaned” domain, creating a security risk. The “orphaned” domain is no longer controlled by the device’s company, but the device is still sending information that can be collected by anyone else who purchases the domain. These “anyone elses” can be malicious actors who then have the capability of inserting malicious code or collecting user information outside of the original terms and conditions to which the user agreed.
Just like your car registration or driver’s license, these records must be periodically renewed. Typically a domain name is purchased for 1 year from a domain registrar or network information center (NIC) and must be renewed annually. If a domain name is not renewed, then ownership reverts to the original registrar leaving it available for the general public to purchase.
There are well-known examples of large organizations letting their main domains expire, such as the Dallas Cowboys and Foursquare, but researchers at SecurityScorecard are finding this occurs more frequently than people would think. Also, since these are less obvious but still critically important domain infrastructures, the consequences of not renewing these domains go beyond corporate embarrassment to present serious privacy and security concerns.
Three examples we have uncovered in just the past three weeks include:
- An expired domain within an Android software development kit (SDK) used to serve advertisements (EraSuper)
- An expired domain used by Android-based Smart TVs manufactured by a Chinese Technology Company (SoundInk)
- An expired domain used to track configuration updates within a discontinued web camera.
When the domains are purchased and the web server used to receive requests is stood up, both the intended usage of this domain and scale of devices communicating back becomes clear.
1. Expired domain within an Android SDK (EraSuper)
When users play games that use this EraSuper advertising SDK, their device sends requests to a web server containing an IP address, device type, a unique identifier, a current consent status, a request of type GDPR_sync, and a boolean flag seemingly indicating if GDPR applies to this specific user.
Everyday SecurityScorecard researchers receive 155 million requests from devices using these applications and now sending this data to us. This information leak is quite troubling for several reasons. First, by simply buying a specific domain name researchers were able to obtain a lot of user information. Second, if we were malicious actors, we could likely serve our own advertising, change users’ GDPR consent status, and potentially send damaging code or data back to these devices. Third, if we revoked GDPR status, the GDPR consent functionality could be broken for the million+ users who installed the games.
A request from an application that uses this advertising SDK looks like:
2. Expired domain used by Android-based Smart TVs (SoundInk)
It’s not just Android games either. So-called “smart devices” often lack security and privacy considerations, making them some of the biggest culprits of these rampant deployments. SecurityScorecard researchers discovered over a million Chinese smart TVs beaconing to a purchasable domain. Once we acquired this domain, we observed authorization and registration requests coming from these smart televisions.
Again, this presents a security risk. Malicious actors could have purchased this domain and respond to these requests with well-crafted data or code. That malicious action could then turn the devices into a botnet, cryptocurrency mining net, or more. Our researchers, however, used this domain to increase security, responding with benign responses and sending alerts to SecurityScorecard customers and their vendors that these types of devices existed on their networks.
A request from this SoundInk Smart Television appears as:
Although SoundInk seems to have gone out of business, it presents an interesting case study and warning about the potential dangers that can arise when smart device creators or maintainers cease maintenance or business operations. By letting these domains, which are programmed into your devices, expire users’ security and privacy is severely compromised!
Disclosure prevents risk and secures consumer devices
Although many companies place consumers at risk by failing to maintain or monitor domains, other companies accept and act upon vulnerabilities disclosed to them as part of their continued risk management activities.
3. Expired domain for discontinued web camera tracked configuration updates.
Although similar to the other instances in that the developer allowed a domain to expire, an American video surveillance company reacted quickly when SecurityScorecard disclosed the potential threat. After accidentally letting the domain used to communicate updates and configurations expire, the developer of the now-discontinued web camera responded responsibly to SecurityScorecard’s finding.
SecurityScorecard contacted the company’s support desk. The company’s director of technology immediately contacted us because he understood the high risk arising from the mistake. Since then, we have been working to help transfer the domain back to the company.
As part of our commitment to responsible disclosure and because the company is taking actions to mitigate the risk, we will not share any more details about this finding. However, it presents a different example – one that shows the prevalence of these errors while also presenting a responsible response.
Recommendations
SecurityScorecard has attempted to reach out to the purported owners of these domains and is willing to transfer these domains to the proper owners. With that said – we currently do not recommend the usage of SoundInk Televisions and the following Android games:
In addition, we recommend device manufacturers add additional security measures such as Certificate Pinning or other authentication measures that would limit the ability of nefarious behavior in the event the domain change hands.