Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
HaxRob Profile picture
@haxrob
Jul 5, 2023 16 tweets 8 min read Read on X
Scrolly
A friend asked me to find out why his connected lightbulb app was asking for his location, so I ducked out to Australia’s favourite hardware store, Bunnings, and grabbed one to check out.

The Android grid connect app has 500k+ downloads.

Let’s take a quick look! 🧵
(1/n)
The app has a feature where it can auto discover your BLE devices. Is locations permission needed here? It depends. From Android API SDK v31 things have improved where fine location is not needed for BLE scanning.

The app is forcing this even though we are on v31.

(2/n)

Let's allow it "for science". The device is paired. We also have the option to enter our Wifi credentials. I assume this is so the light can be remotely controlled over the Internet. It's automatable too. One condition is "when location changes". Let's not touch these.

(3/n)

Time to fire up trusty #mitmproxy to look at the network traffic. Traffic is going to . Familiar domain. I came across Tuya used in a Mirabella Genio Smart light I got at a supermarket.

Tuya is an IoT OEM found everywhere.

postData is encrypted.

(4/n) https://t.co/OuNOulw8nltuyaeu.com
Let's pull the .apk from the device and take a look at the manifest. We could of course grab it from APK Pure.


Yikes! recording audio, access to camera, location..
Assume there is a legitimate functional use for all of this. Trust but verify?

(5/n) https://t.co/jDPPrTBbuAm.apkpure.com/grid-connect/c…
Our focus here is what is happening with location permission other then BLE scanning. We need quick wins as this app isn't trivial and is obfuscated. Crypto routines related to the postData appear to implemented in native arm64 within a shared library.
(6 / n)

Dynamic instrumentation with #frida will really speed things up. JADX can emit a boiler plate hooking .js snippet to use in Frida. We just need to modify to to convert the plaintext byte array passed into encryptPostData from signed integers into a readable string.

(7/n)
Looks like it worked! We have visibility on any data that is passed as a parameter to encryptPostData().

No need to reverse the encryption function to figure out how to decrypt the data - we have it before it's encrypted and sent over the wire.

MASSIVE TIME SAVER. 🙏

(8/n)
So far no location data. Are we looking in the right place?

Remember we are after "quick wins". The minimum time investment possible to answer my friend's question "what's it doing with my location" ?

The developer's logging class seems perfect to hook into -… https://t.co/RocbDYlOW4twitter.com/i/web/status/1…
You beauty - it worked. We now have visibility into what is encrypted in the postData form field.

We can account for the data in HTTP post towards the Tuya cloud API endpoint.

But what are we exactly looking for?

(10/n)
Probably these parameters? "lat" and "lon".

hmm.. KEY_IMEI and KEY_IMSI are probably worth looking into too at some point. 🧐🧐

But alas, we must stay on track. KEY_LAT and KEY_LON it is for now.

Live tweeting this enquiry keeping me on track🤣

(11/n)
ok, we got a match. GPS co-ordinates of where I am - although this was data *received* from the cloud server. How did my location get there in the first place? Perhaps when the application was first installed? Back to square one - but this time we know what to log.

(12/n)
Application reinstalled.

Boom! we see the exact packet where our GPS co-ordinates are sent to Tuya's remote server over the Internet.

We can identify this in packets that have the "a" field "b.m.sys.location.get".

(13/n)
So what do we make of all this?
The developer discloses on the app store that the precise location data collection is optional.
Is this misleading?

What we have discovered in this Twitter thread is that if you try to pair one of their devices via Bluetooth scanning, the app… https://t.co/2IPhlaum0Dtwitter.com/i/web/status/1…
Going to wrap up the live tweeting on this one.

If you found this interesting/helpful, feel free to like/retweet. We need as many people as we can to be encouraged to discover and call out companies that harvest location data from their devices. 15/15

It doesn't feel complete with out a map.

Coverage map using advertised BLE device name "TY" and the mac address prefix A8:80:5 (Tuya Smart Inc.) - beaconed out from my lightbulb.

This is why Google (rightfully so) considers Bluetooth scanning "location data"

(..16/15)

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with HaxRob

HaxRob Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @haxrob

HaxRob Profile picture
Jul 13, 2025
A relatively unknown but particularly stealthy technique to hide files on Linux hosts. On unhardened boxes, unprivileged users can conceal files from even the root user. Disk content remains in memory, hindering disk acquisition during forensic investigation. (1/7) 👇
Let's start with the most simple example. Select a mount namespace that is not used by systemd/init.

Migrate the current shell into that process's mount namespace and mount a tmpfs file system.

Anything that writes the mounted path is concealed from users on the host. (2/7) Image
As a bonus, commands in this shell will not be written to the history file as we mounted over the user's home directory.

No need to set HISTFILE=/dev/null.
Once the shell exits, artifacts evaporate. Nothing touches the disk.

Now how to do this as an unprivileged user? (3/7)
Read 7 tweets
HaxRob Profile picture
Jun 2, 2025
Newer variants of the #BPFDoor has an interesting modification made that avoids detections looking for processes with raw sockets. The kernel reports SOCK_DGRAM rather then rather loud "SOCK_RAW". Here we have a sample found in the recent SKT telco breach. (1/20) Image
Perhaps it's only looking for UDP magic packets? Not so fast. Let's look at what changed.

BPF filter is used as before, but the socket is opened with type SOCK_DGRAM, but the protocol is ETH_P_IP.

What's the defined behaviour here?
(2/20) Image
man socket.7 gives some clues. It hints with AF_PACKET, the protocol may have priority over the socket type. So ETH_P_IP overrides SOCK_DGRAM. Also, the layer 2 (ethernet) frame will be removed. (3/x) Image
Read 23 tweets
HaxRob Profile picture
May 28, 2024
When pairing your mobile phone to that Wifi / Bluetooth device and it forces you to grant it location permissions, pause for a moment to think who may be the beneficiaries of this information. Image
Case in point:

The Dyson app refuses to pair to their devices such as this fan/heater/air purifier - unless you give in and give them your location data.

This is a premium product at a high price point. Surely they are not monetising this ?

What’s the privacy policy say? … Image
Dyson disclose in the fine print that the app will continue to “collect and use data about your location in order to provide you with more relevant and personalised information.”

It’s a fan. A fan. Image
Read 15 tweets
HaxRob Profile picture
Mar 26, 2024
If you needed yet another reason not to trust VPN providers or proxy services...

Here Facebook partnered with a bunch of companies to have root certificates installed on people's phones so they could intercept other app's traffic.

storage.courtlistener.com/recap/gov.usco…
Image
Here Facebook acquired Onavo and had quite a good run before the spyware got pulled from app stores.

At a $120 million dollar price point it's clear how much value they put on having the ability to intercept user's mobile traffic.

en.wikipedia.org/wiki/Onavo
Image
Checking the archived APK listing for "Onavo Protect" from 2019, likely just before it was pulled from the Play store, the description discloses some information on what they are up to, but then proceeds to gaslight the user.

apkpure.com/onavo-protect-…Image
Read 19 tweets
HaxRob Profile picture
Feb 28, 2024
I recently found two very interesting Linux binaries uploaded to Virustotal.

I call this malware 'GTPDOOR'.

GTPDOOR is a 'magic/wakeup' packet backdoor that uses a novel C2 transport protocol: GTP (GPRS Tunnelling Protocol), silently listening on the GRX network (1/n) 🧵 Image
One version uploaded from 🇨🇳 has zero detections on VT. The other, uploaded from 🇮🇹 has just one detection.

These were uploaded 4 to 5 months ago.

(2/n)
Image
Image
As they binaries were not stripped, they contain some artifacts that give us an idea of the intended platforms they were to be run on - Very outdated Red Hat Linux machines.

Someone hasn't been keeping their systems up to date .. 🤔

(3/n)) Image
Read 19 tweets
HaxRob Profile picture
Feb 20, 2024
The Chinese APT contractor leak contained a few interesting files; namely:

- CDRs (Call Detail Records)
- LBS (Location Based Services) db records

Threat actors compromise telcos with the aim to obtain subscriber metadata to support IC objectives.

Some background: (1/5)🧵 Image
CDRs are primarily used for postpaid billing and reporting purposes. They are generated in various network elements and consolidated in mediation systems.

It's these central databases that are often targeted. Data for a subscriber is generated in many systems:

(2/5) Image
Looking at the leak data: For example, this one is from old school circuit switched 2G voice calls.

What's of value from an intelligence perspective is is who talked to who and from where. Origin of data likely from MSC CDRs.

(3/5)
Image
Image
Read 17 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

Send Email!

:(