Report that Wacom's pen tablet driver is collecting the names of all applications launched on the PC



Wacom, a PC peripheral maker focused on pen tablets and CAD-related products, ships a tablet driver that turned out to send the name of every application launched on the PC to Google Analytics. Security engineer Robert Heaton, who uncovered this, has blogged about how he inspected the Wacom driver's traffic.

Wacom drawing tablets track the name of every application that you open | Robert Heaton
https://robertheaton.com/2020/02/05/wacom-drawing-tablets-track-name-of-every-application-you-open/


Heaton set up a new MacBook with a Wacom tablet in order to draw illustrations for his blog. When installing the tablet driver, he was asked to agree to Wacom's privacy policy.

Generally, when asked to agree to a privacy policy, most people click 'Yes' without reading it and move on. But Heaton wondered why a tablet device needs a privacy policy at all, and decided to read it carefully.

Heaton found that the privacy policy says the driver 'sends data, including usage data, technical session information and hardware information, from users' PCs to Google Analytics.' Since the policy did not make clear exactly what data was being sent, and a web search turned up nobody else asking, Heaton decided to find out for himself what information Wacom was sending.

Heaton used Wireshark, which captures and displays the contents of the packets a PC sends and receives, to investigate how the Wacom driver communicates. He found that the PC made a DNS request for www.google-analytics.com and then sent TLS-encrypted traffic to the IP address that came back. This showed that something on the machine really was talking to Google Analytics, but not what it was saying, since the payload was encrypted.



To see the data the Wacom driver was sending, Heaton set up a proxy with Burp Suite on his MacBook; the proxy keeps a log of every request that passes through it. He pointed the MacBook's system-wide HTTP/HTTPS proxy setting at the Burp Suite proxy. The Wacom driver honours that system setting, so its traffic now went through Burp Suite.



Since the Wacom driver talks to Google Analytics over TLS, the proxy must present a certificate the driver will accept. Burp Suite can generate and sign a certificate for any domain on the fly, but by default no computer or program trusts Burp Suite as a certificate authority, so certificates it signs are rejected.

So Heaton added Burp Suite's root certificate to the macOS keychain, which stores passwords, account information and trusted certificates. Provided the Wacom driver reads its list of trusted root certificates from the keychain on Heaton's MacBook, it would then recognize the Burp Suite certificate as trusted and complete the TLS handshake with the proxy. (Had the driver used its own trust store or pinned Google's certificate, this step would not have been enough.)



When Heaton then restarted the Wacom driver, he could see everything the driver was sending to Google Analytics. The content turned out to be a record of application launches on the MacBook. The following image shows the Google Chrome launch entry captured from the driver's traffic.
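Once the proxy holds the decrypted requests, the remaining work is reading them. The following is an added example, not code from Heaton's post or from Wacom's driver: it takes raw HTTP requests in the form Burp Suite's history shows them, picks out Google Analytics Measurement Protocol hits, and lists the application-launch events and the identifiers sent along with them. The sample requests are constructed; the tracking ID, client ID and the Application/launch category and action are invented, and only the parameter names (v, tid, cid, t, ec, ea, el, dp) and the /collect and /batch endpoints are the documented Measurement Protocol ones.

```python
"""Decode Google Analytics Measurement Protocol hits from intercepted requests.

Added example; not code from Heaton's post or from Wacom's driver. The sample
requests below are constructed, with invented tracking and client IDs.
"""
from urllib.parse import parse_qs, urlsplit

GA_HOSTS = {"www.google-analytics.com", "ssl.google-analytics.com"}
GA_PATHS = {"/collect", "/batch"}


def parse_raw_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, url, body).

    The proxy already stripped TLS; for host-relative targets we assume https,
    which is what the driver's traffic used.
    """
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.splitlines()
    method, target, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = target if target.startswith("http") else f"https://{headers.get('host', '')}{target}"
    return method, url, body


def is_ga_request(url: str) -> bool:
    """True if the request targets a Measurement Protocol endpoint."""
    parts = urlsplit(url)
    return parts.hostname in GA_HOSTS and parts.path in GA_PATHS


def iter_hits(method: str, url: str, body: str):
    """Yield one {param: value} dict per hit.

    /collect carries a single hit (query string for GET, form body for POST);
    /batch carries one hit per line of the body.
    """
    if not is_ga_request(url):
        return
    payloads = [urlsplit(url).query] if method.upper() == "GET" else body.splitlines()
    for payload in payloads:
        if payload.strip():
            # Measurement Protocol parameters are single-valued, so flatten the lists.
            yield {k: v[0] for k, v in parse_qs(payload, keep_blank_values=True).items()}


def app_launch_events(raw_requests):
    """Return (client id, application name) for each application-launch event.

    The Application/launch category and action are this sample's convention,
    not necessarily the driver's.
    """
    events = []
    for raw in raw_requests:
        method, url, body = parse_raw_request(raw)
        for hit in iter_hits(method, url, body):
            if hit.get("t") == "event" and hit.get("ec") == "Application" and hit.get("ea") == "launch":
                events.append((hit.get("cid", ""), hit.get("el", "")))
    return events


def identifiers_seen(raw_requests):
    """Collect stable identifiers: tid names the GA property receiving the data,
    cid is the per-install pseudonymous client ID that lets hits from one
    machine be correlated over time."""
    tids, cids = set(), set()
    for raw in raw_requests:
        method, url, body = parse_raw_request(raw)
        for hit in iter_hits(method, url, body):
            if "tid" in hit:
                tids.add(hit["tid"])
            if "cid" in hit:
                cids.add(hit["cid"])
    return tids, cids


CID = "11111111-2222-3333-4444-555555555555"  # invented client ID
COMMON = f"v=1&tid=UA-00000000-1&cid={CID}"   # invented tracking ID

# Constructed sample requests, written the way Burp's history shows them.
SAMPLE_REQUESTS = [
    "POST /collect HTTP/1.1\r\nHost: www.google-analytics.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    f"{COMMON}&t=event&ec=Application&ea=launch&el=Google%20Chrome",
    "POST /batch HTTP/1.1\r\nHost: www.google-analytics.com\r\n"
    "Content-Type: text/plain\r\n\r\n"
    f"{COMMON}&t=event&ec=Application&ea=launch&el=Terminal\n"
    f"{COMMON}&t=event&ec=Application&ea=launch&el=Blender",
    f"GET /collect?{COMMON}&t=pageview&dp=%2Fdriver%2Fstart HTTP/1.1\r\n"
    "Host: www.google-analytics.com\r\n\r\n",
    # Unrelated traffic that went through the same proxy: ignored.
    "POST /api/telemetry HTTP/1.1\r\nHost: example.com\r\n\r\nstatus=ok",
]

if __name__ == "__main__":
    for cid, app in app_launch_events(SAMPLE_REQUESTS):
        print(f"client {cid[:8]}... launched {app!r}")
    tids, cids = identifiers_seen(SAMPLE_REQUESTS)
    print("tracking IDs:", sorted(tids), "| distinct client IDs:", len(cids))
```

The point of `identifiers_seen` is the check a practitioner wants alongside the event list: a stable `cid` means the launch history of one machine can be tied together even when no name or e-mail is sent, which is what makes "no personally identifiable information" a weaker reassurance than it sounds.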



The driver also sent the collected information to Wacom's own server. When Heaton first checked the traffic, the driver's requests to that server were answered with a 404, probably because of a server-side misconfiguration, but when he checked again on February 3, 2020, communication with the Wacom server had apparently resumed.



'Wacom presumably did not believe that recording the names of every application launched on a PC would be acceptable to users, which is why, I think, the privacy policy does not spell out what the traffic contains. If confronted, Wacom might argue that information about application launches is covered by "aggregate information" and "technical session information." Given that most people admittedly never read privacy policies, unless the policy explicitly states the intention to record the names of every application an individual launches on their PC, Wacom cannot claim even a technical right to do so.'

'I'm sure this data is only being used for product development purposes,' says Heaton, 'but what about a program whose very existence is confidential? What happens when Wacom learns that it is under development?'

Postscript, 2020/02/07 16:23

According to Wacom PR, the following has been published as Wacom's official position.
https://www.wacom.com/ja-jp/about-wacom/news-and-events/2020/1414

From the data collected via Google Analytics, Wacom cannot know that 'the latest installment of a popular game is under confidential development,' nor can it learn any personally identifiable information.

We implemented the Wacom Experience Program to improve the user experience of our pen tablet products and to provide better products and services that meet users' needs.
We collect data only from users who have agreed to this program (accepted the privacy notice).
This setting can be changed later.
See 'How to change the privacy notice settings of the tablet driver':
https://www.wacom.com/ja-jp/support?&guideId=150-907




Posted in Software, Security by log1i_yk