26 December, 2013

Xbox One - Capturing the Configuration Traffic

Author: Jason Wood

Before launching into the setup of the X1, here are some of the things we are interested in on this gaming platform:

  • Facial recognition – What privacy concerns are involved with this feature and are there any problems with how it is implemented?
  • Social media – Xbox Live Gold is a social network for gamers.  What privacy concerns are here?
  • Microphone and camera in your living room – The X1 microphone is always on and listening.  I’m not sure what the state of the camera is while the X1 is off.  How could this be abused?  Can some creep turn on recording of what’s going on and access it somehow?
  • Implementation flaws – Are there any security problems with the way the X1 has its features implemented?  Is data in the clear that shouldn’t be? 
The first thing I wanted to do was collect as much information as I could about the X1’s setup process.  To do that, I used the wired network connection to set up the X1 and put a Throwing Star LAN Tap Pro in the middle.
(Image: Throwing Star LAN Tap Pro)
The bi-directional arrows indicate the ports that traffic will be flowing through.  One of these ports was connected to the X1 and the other to my switch.  I then added two Ethernet adapters to a spare Mac and plugged them into the read-only ports of the tap.  In this case, these are the two ports with the single direction arrows.  One thing to keep in mind is that each of my network adapters is only seeing half of the conversation as it goes by.  For example, en5 will only see the traffic leaving the X1 and en6 only sees the data going to the X1.
With the physical setup complete, it was time to start my packet captures and fire up the X1!  I decided to just use tcpdump to capture the data and use Wireshark for analysis later.  (XQuartz wasn’t set up on the system I used to capture the traffic, hence the decision to use tcpdump.)  I opened up two terminals and ran:
sudo tcpdump -i <ethernetAdapter> -nnvvXSs 0 -w /path/to/files.pcap
Each option translates as follows:
  • -i  =  Interface to capture on
  • -nn  =  Don’t convert addresses, protocol and port numbers etc. to names
  • -vv  =  Even more verbose output.
  • -X  =  When parsing and printing, in addition to printing the headers of each packet, print the data of each packet (minus its link level header) in hex and ASCII.  This is very handy for analysing new protocols.
  • -S  =  Print absolute, rather than relative, TCP sequence numbers
  • -s  =  Snarf snaplen bytes of data from each packet rather than the default of 65535 bytes.  I set this to 0 to capture all the data available in each packet.
  • -w  =  Write the captured data out to a file rather than displaying to standard out.
Each command referenced a different network adapter and wrote to a separate pcap.  (Note that -X and -S only change what tcpdump prints; with -w the raw packets are written to the file regardless, so those two flags don’t affect what ends up in the pcap.)  With tcpdump up and running, I turned on the X1 and started the setup process.
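Because each tap port only shows one direction, the two pcaps have to be interleaved by timestamp before Wireshark can follow a whole TCP conversation. The script below is an added example, not the author’s code: a small pure-Python merger for classic libpcap files that reads both one-direction captures, sorts the records by capture time and writes a single bidirectional pcap. The interface names en5/en6 come from the post; the sample "frames" are constructed placeholder payloads (labelled X1> and net>), not real Ethernet frames, and the epoch offset is an arbitrary late-December-2013 value.

```python
"""Added example: merge the two half-duplex captures from a passive LAN tap
(one pcap per monitoring adapter, e.g. en5 = X1->switch, en6 = switch->X1)
into a single time-ordered pcap.

Pure Python, classic libpcap format only (not pcapng). Both captures must
come from the same host clock, which holds when one machine runs both
tcpdump instances.
"""
import struct
from typing import List, NamedTuple

GLOBAL_HEADER_LEN = 24
RECORD_HEADER_LEN = 16

# magic number as read little-endian -> (struct byte-order char, fraction unit in ns)
_MAGICS = {
    0xA1B2C3D4: ("<", 1000),  # little-endian file, microsecond timestamps
    0xD4C3B2A1: (">", 1000),  # big-endian file, microsecond timestamps
    0xA1B23C4D: ("<", 1),     # little-endian file, nanosecond timestamps
    0x4D3CB2A1: (">", 1),     # big-endian file, nanosecond timestamps
}


class Packet(NamedTuple):
    ts_ns: int      # capture timestamp, nanoseconds since the epoch
    orig_len: int   # length on the wire
    data: bytes     # captured bytes (shorter than orig_len if snaplen cut it)


def read_pcap(blob: bytes):
    """Parse a libpcap blob into (linktype, snaplen, [Packet, ...])."""
    if len(blob) < GLOBAL_HEADER_LEN:
        raise ValueError("not a pcap: global header missing")
    magic = struct.unpack("<I", blob[:4])[0]
    if magic not in _MAGICS:
        raise ValueError("unsupported magic 0x%08x (pcapng?)" % magic)
    endian, frac_unit = _MAGICS[magic]
    # magic, version major/minor, tz offset, sigfigs, snaplen, link type
    _, _, _, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", blob[:GLOBAL_HEADER_LEN])
    packets: List[Packet] = []
    off = GLOBAL_HEADER_LEN
    while off < len(blob):
        if off + RECORD_HEADER_LEN > len(blob):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", blob[off:off + RECORD_HEADER_LEN])
        off += RECORD_HEADER_LEN
        data = blob[off:off + incl_len]
        if len(data) != incl_len:
            raise ValueError("truncated packet data at offset %d" % off)
        off += incl_len
        packets.append(Packet(ts_sec * 1_000_000_000 + ts_frac * frac_unit, orig_len, data))
    return linktype, snaplen, packets


def write_pcap(linktype: int, snaplen: int, packets) -> bytes:
    """Serialise packets as a little-endian, microsecond-resolution pcap."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)]
    for p in packets:
        sec, ns = divmod(p.ts_ns, 1_000_000_000)
        out.append(struct.pack("<IIII", sec, ns // 1000, len(p.data), p.orig_len))
        out.append(p.data)
    return b"".join(out)


def merge_captures(blob_a: bytes, blob_b: bytes) -> bytes:
    """Interleave two one-direction captures by timestamp into one pcap.

    sorted() is stable, so packets with identical timestamps keep the
    order they had within their own file."""
    lt_a, snap_a, pk_a = read_pcap(blob_a)
    lt_b, snap_b, pk_b = read_pcap(blob_b)
    if lt_a != lt_b:
        raise ValueError("link types differ (%d vs %d); cannot merge" % (lt_a, lt_b))
    merged = sorted(pk_a + pk_b, key=lambda p: p.ts_ns)
    return write_pcap(lt_a, max(snap_a, snap_b), merged)


def make_capture(frames, t0_us: int = 1_388_000_000_000_000) -> bytes:
    """Build a constructed pcap from (offset_us, payload) pairs. Link type 1
    (Ethernet) is declared, but the payloads are labelled placeholders."""
    pkts = [Packet((t0_us + off) * 1000, len(pay), pay) for off, pay in frames]
    return write_pcap(1, 65535, pkts)


# Constructed sample: en5 only sees X1 -> switch, en6 only sees switch -> X1.
EN5 = make_capture([(0, b"X1>SYN"), (200, b"X1>ACK"), (300, b"X1>GET")])
EN6 = make_capture([(100, b"net>SYN-ACK"), (400, b"net>200 OK")])


def merged_order(blob_a: bytes = EN5, blob_b: bytes = EN6) -> List[bytes]:
    """Return the payloads of the merged capture in timestamp order."""
    _, _, pkts = read_pcap(merge_captures(blob_a, blob_b))
    return [p.data for p in pkts]


if __name__ == "__main__":
    print(merged_order())
    # With real files from the two tcpdump runs:
    # with open("en5.pcap", "rb") as a, open("en6.pcap", "rb") as b:
    #     open("merged.pcap", "wb").write(merge_captures(a.read(), b.read()))
```

Wireshark ships a tool that does the same job (mergecap -w merged.pcap en5.pcap en6.pcap, which also orders by timestamp), so in practice that is the quicker route; the script is here to make visible what the merge actually has to do with the two half-conversations.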
Analysis of the data I collected is still to come and will be in a future blog post.  However, the setup process allowed me to capture a lot of data.  For example, I captured a large system update, setting up my profile and the ability to sign in by just being in the room.  (The facial sign-in feature has already been fun, as it creeped my wife out by signing her in when she sat on the couch next to me last night.  🙂)
More to come soon!

Jason Wood is a Senior Security Consultant at Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at jason@secureideas.com or visit the Secure Ideas – Professionally Evil site for services provided.
