Windows 8 Tells Microsoft About Everything You Install, Not Very Securely

Nadim Kobeissi may be young, but already the hacker and programmer has done more to fight for privacy and internet rights than most of us ever will. Now, he sheds light on the fact that Microsoft knows everything we install on our Windows 8 devices.

I've recently been using the final, released-to-manufacturing (RTM) version of Windows 8 on one of my computers, to much delight. I've been very impressed by how fast, well-designed, functional and capable this latest iteration of Windows is. However, my tinkering around from a security/privacy perspective has left me concerned.

Windows 8 has a new feature called Windows SmartScreen, which is turned on by default. Windows SmartScreen's purpose is to "screen" every single application you try to install from the Internet in order to inform you whether it's safe to proceed with installing it or not. Here's how SmartScreen works:

1. You download any application from the Internet. Say, the Tor Browser Bundle.

2. You open the installer. Windows SmartScreen gathers some identifying information about your application, and sends the data to Microsoft.

3. If Microsoft replies saying that the application is not signed with a proper certificate, the user gets an error that looks something like this.

There are a few serious problems here. The big problem is that Windows 8 is configured to immediately tell Microsoft about every app you download and install. This is a very serious privacy problem, specifically because Microsoft is the central point of authority and data collection/retention here and therefore becomes vulnerable to being served judicial subpoenas or National Security Letters intended to monitor targeted users. This situation is exacerbated when Windows 8 is deployed in countries experiencing political turmoil or repressive political situations.

This problem can however get even more serious: It may be possible to intercept SmartScreen's communications to Microsoft and thus learn about every single application downloaded and installed by a target. Here is my analysis:

A quick packet capture showed the following activity happening immediately when I tried to install the Tor Browser Bundle.

SmartScreen appeared to connect over HTTPS to a server in Redmond (apprep.smartscreen.microsoft.com, 65.55.184.60, run by Microsoft) in order to communicate information about the application I was trying to install.

After running some tests on this Microsoft server, I discovered that it ran Microsoft IIS 7.5 to handle its HTTPS connections. The Microsoft server is configured to support SSLv2, which is known to be insecure and susceptible to interception. The SSL Certificate Authority chain goes down from "GTE CyberTrust Global Root" to "Microsoft Secure Server Authority." The Certificate Authority model is itself susceptible to some serious problems.

I haven't checked whether Windows SmartScreen does in fact use SSLv2, but the fact that the Microsoft servers support it is concerning. Furthermore, SmartScreen is not easy to disable, and Windows will periodically warn users to re-enable it should they attempt to disable it.

To recap, here are the concerns posed by SmartScreen in Windows 8:

1. Windows 8 will, by default, inform Microsoft of every app downloaded and installed by every user. This puts Microsoft in a compromising, omniscient situation where they are capable of retaining information on the application usage of all Windows 8 users, thus posing a serious privacy concern. The user is not informed of this while installing and setting up Windows 8, even though they are given the option to disable SmartScreen (which is enabled by default.)

2. Windows 8 appears to send this information to Microsoft to a server that relies on Certificate Authorities for authentication and supports an outdated and insecure method of encrypted communication. It is possible that these insecurities could allow a malicious third party to target a Windows 8 user and learn which applications they are using. This allows them to profile the user and decide how to best exploit their personal selection of applications and their computing habits.

I find Microsoft's decision to design SmartScreen in such a privacy-free fashion to be a very bad choice, and I really hope that these concerns regarding SmartScreen will be addressed in near-future updates.

Update: According to Microsoft, SmartScreen sends a hash of the app installer and its digital signature, if any. A combination of the hash and the user's IP address is still enough to identify that IP address x attempted to install software y.

Update 2: Another researcher has discovered that a filename of the app you're trying to install is indeed sent to Microsoft. This severely strengthens privacy concerns.

Republished with permission from Nadim Kobeissi. In addition to developing Cryptocat, he writes regularly on Twitter and his personal blog.
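The question the post leaves open, whether the SmartScreen client itself would accept SSLv2, can be answered from the same packet capture by looking at the first bytes the client sends: SSLv2 can only be negotiated if the client opens with an SSLv2-framed hello. The following is an added example, not code from the original post; the function name and the sample byte strings are constructed for illustration.

```python
# Constructed sample inputs: the first bytes of three client hellos.
TLS10_HELLO = bytes.fromhex("160301002f0100002b0301")  # TLS record, offers TLS 1.0
COMPAT_HELLO = bytes.fromhex("802e010301")  # SSLv2 framing, offers TLS 1.0
SSLV2_HELLO = bytes.fromhex("801c010002")   # SSLv2 framing, offers SSLv2 only

# (major, minor) protocol version numbers as they appear on the wire.
VERSIONS = {(0, 2): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1.0",
            (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}


def classify_client_hello(data: bytes) -> dict:
    """Report the framing and highest version offered in a client's first record.

    `data` is the start of the first TCP payload the client sent,
    for example copied out of a packet capture.
    """
    if len(data) < 5:
        raise ValueError("need at least 5 bytes of the first record")
    if data[0] & 0x80 and data[2] == 0x01:
        # SSLv2 framing: 2-byte length header with the high bit set,
        # message type 1 (CLIENT-HELLO), then the 2-byte offered version.
        framing, offered = "SSLv2", (data[3], data[4])
    elif data[0] == 0x16 and data[1] == 0x03:
        # SSLv3/TLS framing: content type 22 (handshake), record version,
        # record length, handshake type 1 (ClientHello), 3-byte length,
        # then the 2-byte client_version.
        if len(data) < 11 or data[5] != 0x01:
            raise ValueError("truncated or non-ClientHello handshake record")
        framing, offered = "TLS", (data[9], data[10])
    else:
        raise ValueError("not an SSL/TLS client hello")
    return {
        "framing": framing,
        "offers": VERSIONS.get(offered, "unknown %d.%d" % offered),
        # A TLS-framed hello cannot be answered with an SSLv2 session, so a
        # server that still supports SSLv2 only matters for SSLv2 framing.
        "sslv2_possible": framing == "SSLv2",
    }


if __name__ == "__main__":
    for sample in (TLS10_HELLO, COMPAT_HELLO, SSLV2_HELLO):
        print(sample.hex(), classify_client_hello(sample))
```
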


Comments

    Give me proof they are keeping record of what programs I install and that they are in fact using SSLv2 and then I'll be worried. Sounds more like speculation based on a few facts right now.

      Give me proof that they don't.
      WTF you really think you are not BEING tracked and everything you have and do in your PC or phone or tablet, doesn't belong to the government?!
      Your opinion doesn't even have facts oh kili you're so young :D

    I am not really sure I want Microsoft to know that I am installing "Jiggly Booby Dance Party" on my PC.

    What rubbish. This article is the equivalent of saying "you're young and male, you must be a drunken bogan".

    Smartscreen has been around for years, it's not new to Windows 8. Frankly I'm really happy MS checks every app I install for malware. If I wanted an insecure swiss cheese operating system I'd buy a Mac.

      This comment has been deemed inappropriate and has been deleted.

        Stay in school

    You're dreaming if you don't think Apple already knows what you are installing on their devices. They even tell you what you can and can't install!

    Well, even if it has been around for awhile, it's the first I've heard of it and I started playing with PC when Dos was all the rage.
    Bottom line,.. just turned it off..!!

    i think your spacebar is broken

    Well about time someone else was looking over our shoulder, I mean it's not like we don't already have Facebook and Google watching our every move, P.S. please pass on site for jiggly booby dance party :p

    "Welcome to The Internet": The age where YOU are self deteriorating YOURSELF by selling off YOUR privacy. The age where you born "Human Being" but die like a fool.

    It's not metro apps only, it's desktop too! It's not Windows 8 only, it's all versions of Windows. It's not Windows only, it's all operating systems connected to Internet. Even the folks at Redhat know what are you up to. Anything running on BGP protocol is threat to privacy. Like it or not The Internet sucks on privacy!

    Coz when you are connected, "You have been watched"..

    Steve Ballmer himself keeps paper notepad and pen in his pocket (during his trip to Korea he hinted on it).

    The biggest privacy selling corporation in the name of openness known to mankind is Google. Microsoft and Apple sell their products Office, Windows, Mac, iPads and Google selling your search history, thinking pattern, choices you make, links you tap, routes you take, your moods, the Gmail email you sent, the email you receive, the email you read, the email you saved in draft...everything is sold for dimes to the interesting parties; intelligence collectors etc. While you are getting inspired and wowing the technology and you have been told that its for your own good, you are basically screwing yourself in a bigger picture..

    It was the part of Illuminates' new world order. The idea really is to spot and profile anyone at anytime in the entire world.. so they can control humans like their little b....es and "disinfect" anyone at anytime who is against their rules.

    ~ the more rapidly countries adapt IPv6, the more quickly the entire humanity will tear apart.. nobody wins eventually but many people will get hurt by it.

      Here's your tin foil hat. Also, IPV6 is making it HARDER to track people, not easier, as there are virtually limitless addresses in IPV6 (3.4×(10 to power of 38)) where IPV4 has 4,294,967,296.

    Where to start? This is an IE9+ feature, not windows 8 (although obviously included there with IE10). IE9 has SSLv2 disabled by default and appears to use TLSv1 for the connection for smartscreen so no issue there. This is also a fairly useful feature and is widely implemented (see: chrome's application reputation). Security features shouldn't be off by default, so that's an inane argument. Obviously they need to send the filename to get a system like this to work - how else would said application reputation system be updated. CA's aren't ideal, but what else would they use? What roots do they trust? Would other certificates work?

    And so on. I'm not sure why this "researcher" didn't bother checking any of this but I can guess.

    The next time Microsoft goes on about how much it loves privacy by defaulting to the No No Track on IE10, now you know where to tell them to stick it. That whole effort is designed to screw Google, period.

    Windows has and always will be the inferior OS, eons beyond linux, very user friendly and that's it, security aint their strong point just like spelling aint mine.

    I'm sure MS could have got all the App install info out of people's registry data in pre-Win8 OS versions. Not quite sure what the concern is.

    Who cares? What do any of you do that you don't want anyone else to know about? You could post the info from my PC up on a billboard in Times Square for all I care.

    "This situation isexacerbatedwhen" yes please

    There is a lot of misleading info in this article, if you want a proper analysis of this read this: http://arstechnica.com/information-technology/2012/08/windows-8-privacy-complaint-misses-the-forest-for-the-trees/
