A Traffic Analysis of Windows 10

All text typed on the keyboard is stored in temporary files, and sent (once per 30 mins) to:

oca.telemetry.microsoft.com.nsatc.net
pre.footprintpredict.com
reports.wes.df.telemetry.microsoft.com

Telemetry is sent once per 5 minutes, to:

vortex.data.microsoft.com
vortex-win.data.microsoft.com
telecommand.telemetry.microsoft.com
telecommand.telemetry.microsoft.com.nsatc.net
oca.telemetry.microsoft.com
oca.telemetry.microsoft.com.nsatc.net
sqm.telemetry.microsoft.com
sqm.telemetry.microsoft.com.nsatc.net

Typing the name of any popular movie into your local file search starts a telemetry process that indexes all media files on your computer and transmits them to:

df.telemetry.microsoft.com
reports.wes.df.telemetry.microsoft.com
cs1.wpc.v0cdn.net
vortex-sandbox.data.microsoft.com
pre.footprintpredict.com

When a webcam is first enabled, ~35 MB of data gets immediately transmitted to:

oca.telemetry.microsoft.com
oca.telemetry.microsoft.com.nsatc.net
vortex-sandbox.data.microsoft.com
i1.services.social.microsoft.com
i1.services.social.microsoft.com.nsatc.net

Everything that is said into an enabled microphone is immediately transmitted to:

oca.telemetry.microsoft.com
oca.telemetry.microsoft.com.nsatc.net
vortex-sandbox.data.microsoft.com
pre.footprintpredict.com
i1.services.social.microsoft.com
i1.services.social.microsoft.com.nsatc.net
telemetry.appex.bing.net
telemetry.urs.microsoft.com
cs1.wpc.v0cdn.net
statsfe1.ws.microsoft.com

If this weren’t bad enough, this behaviour still occurs after Cortana is fully disabled/uninstalled. It’s speculated that the purpose of this function is to build up a massive voice database, then tie those voices to identities, and eventually be able to identify anyone simply by picking up their voice, whether it be a microphone in a public place or a wiretap on a payphone.

Interestingly, if Cortana is enabled, the voice is first transcribed to text, then the transcription is sent to:

pre.footprintpredict.com
reports.wes.df.telemetry.microsoft.com
df.telemetry.microsoft.com

While the initial reflex may be to block all of the above servers via HOSTS, it turns out this won’t work: Microsoft has taken care to hardcode certain IPs, meaning that there is no DNS lookup and no HOSTS consultation. However, if the above servers are blocked via HOSTS, Windows will pretend to be crippled by continuously throwing errors, while still maintaining data collection in the background. Other than an increase in errors, HOSTS blocking did not affect the volume, frequency, or rate of data being transmitted.
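The paragraph above rests on one observable fact: a connection to a hardcoded IP is not preceded by a DNS lookup for that address. That is something anyone can check in a packet capture of their own machine. The Go program below is an added example, not code from the article or from either linked source: it pairs each outbound connection with the most recent DNS answer for its destination IP within a time window and flags the connections that have none. The events are constructed, using RFC 5737 documentation addresses; only the hostnames are taken from the article.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// DNSAnswer is one A-record answer observed in a packet capture.
type DNSAnswer struct {
	When time.Time
	Name string
	IP   string
}

// Connection is one outbound TCP connection observed in the same capture.
type Connection struct {
	When    time.Time
	DstIP   string
	DstPort int
}

// Finding pairs a connection with the hostname that resolved to its destination,
// or marks it as a candidate hardcoded destination when no DNS answer preceded it.
type Finding struct {
	Conn      Connection
	Name      string // hostname from the most recent matching DNS answer, "" if none
	Hardcoded bool   // no DNS answer for Conn.DstIP within the window before the connection
}

// FindUnresolvedConnections correlates connections with earlier DNS answers. A
// connection is resolved if an answer carrying its destination IP arrived before
// it and at most window earlier; otherwise the address was used without a lookup,
// which is exactly the case a HOSTS file cannot block.
func FindUnresolvedConnections(answers []DNSAnswer, conns []Connection, window time.Duration) []Finding {
	byIP := make(map[string][]DNSAnswer)
	for _, a := range answers {
		byIP[a.IP] = append(byIP[a.IP], a)
	}
	for _, list := range byIP {
		sort.Slice(list, func(i, j int) bool { return list[i].When.Before(list[j].When) })
	}
	findings := make([]Finding, 0, len(conns))
	for _, c := range conns {
		f := Finding{Conn: c, Hardcoded: true}
		list := byIP[c.DstIP]
		// Newest answer first; the first one at or before the connection wins.
		for i := len(list) - 1; i >= 0; i-- {
			a := list[i]
			if !a.When.After(c.When) && c.When.Sub(a.When) <= window {
				f.Name, f.Hardcoded = a.Name, false
				break
			}
		}
		findings = append(findings, f)
	}
	return findings
}

// SampleCapture returns constructed events, not real capture data: RFC 5737
// documentation addresses, with hostnames taken from the article above.
func SampleCapture() ([]DNSAnswer, []Connection) {
	t0 := time.Date(2015, 8, 1, 10, 0, 0, 0, time.UTC)
	answers := []DNSAnswer{
		{t0, "vortex.data.microsoft.com", "203.0.113.10"},
		{t0.Add(1 * time.Second), "sqm.telemetry.microsoft.com", "203.0.113.20"},
	}
	conns := []Connection{
		{t0.Add(2 * time.Second), "203.0.113.10", 443}, // preceded by a lookup
		{t0.Add(3 * time.Second), "198.51.100.7", 443}, // no lookup at all
		{t0.Add(4 * time.Second), "203.0.113.20", 443}, // preceded by a lookup
	}
	return answers, conns
}

func main() {
	answers, conns := SampleCapture()
	for _, f := range FindUnresolvedConnections(answers, conns, 5*time.Minute) {
		when := f.Conn.When.Format("15:04:05")
		if f.Hardcoded {
			fmt.Printf("%s %s:%d  no preceding DNS answer: HOSTS cannot block this\n", when, f.Conn.DstIP, f.Conn.DstPort)
		} else {
			fmt.Printf("%s %s:%d  resolved via %s\n", when, f.Conn.DstIP, f.Conn.DstPort, f.Name)
		}
	}
}
```

The window should be at least as long as the longest DNS TTL in the capture; otherwise a connection that reused a cached answer is reported as hardcoded. In a real capture the two event lists would come from the DNS and TCP dissectors of a tool such as Wireshark rather than from SampleCapture.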
localghost.org/
aeronet.cz/news/analyza-windows-10-ve-svem-principu-jde-o-pouhy-terminal-na-sber-informaci-o-uzivateli-jeho-prstech-ocich-a-hlasu/
AC
 


16 thoughts on “A Traffic Analysis of Windows 10”

  1. Linux. Windows is dead; they jumped the shark on Wintendo 8 deliberately, so people would welcome something “better”. If better is emulating the cowards, thieves, and traitors at Facebook, then you get what you deserve for upgrading.

    • Microsoft is terrible for this, but you’re just as bad for that avatar so don’t try to talk from some type of high ground. Racist traitor rag deserves to be burned.

      • You call me racist without knowing anything about me. The flag is not about racism, you moral coward. People like you, who try to steer the conversation with vituperation and ignorance, are the real problem in this country.

      • To CPJ, re: uncleszip’s avatar:
        Your intolerance and wrist-wringing progressive mentality are the very tools being employed to send this country to the bottom of the heap.
        If you don’t want to see the flag, don’t look at it.
        If you don’t like the flag, don’t buy one.
        But do not tell me that if I do, I cannot.
        At that point, you have then crossed boundaries into the “totalitarianism-rules and I must insist your rights are to be infringed upon & demand you agree with me” never-never land.
        Believe whatever you want, like or dislike whatever you will, and I shall respect that, but please, please, allow me the same courtesy.
        Beware: The coming backlash is going to snap your stiff, intolerant neck.

    • ????????????????????????????????????? my amigo’s sister makes 83$$/hour on the web……..on saturday I got a top of the degree audi since getting a check for 4216$$ this most recent 4 weeks in addition, ten thousand last-munth . irrefutably about it, this really is the most enamoring occupation Ive had . I really began six months/earlier and on an extremely fundamental level straight away was making more than 87$$ p/h . endeavor this site……..
      ????? tinyurl.com/Work2nReportOnlineao1 ???????????????????????????????? GO TO THIS AND CLICK NEXT LINK INSIDE IT FOR WORK DETAILS AND HLP

      Reply
  2. Hi IWB, I just have a few questions on the methodology you used here, because this is some scary stuff.
    I was under the impression that Win 10 encrypts all the stuff it “sends home”, so can you let us know how you discovered the actual content being sent?
    If it’s actually sending everything you type (including passwords?) as plain text — yikes!
    If it was encrypted, how did you decrypt it? MITM your machine on the local network or something?
    Thanks.

    • I forget how it was done, but there is a trick you can use to get all data that any program would send to drop what’s being transmitted via HTTPS in pre-encrypted form. The data is then stored in a file you can peruse at your leisure. This is using tools that are all readily available in Windows, so you wouldn’t even need any special software to break the encryption. Just some specific technical knowledge that not many people possess.

      • Thanks Kage.
        Can you (or anyone else?) expand on how to do this “preview the data that will be sent” trick? I’ve been looking around but can’t find any mention of it on the web.
        Cheers.

        • It was in a comments section for another article. It turns out you do need one program that doesn’t come with Windows: it’s called Wireshark. The comment was left anonymously, so I can’t really credit anyone for it. The trick used is below.
          Create an environment variable called SSLKEYLOGFILE. Point it to a text file for SSL keys. Reboot the Windows computer. Open up Wireshark. Set Protocol -> SSL -> (Pre)-Master-Secret log file to the text doc. Filter on the IP to decode 😉

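The trick described in the comment above works because the TLS library inside an application, not the operating system, reads SSLKEYLOGFILE and appends one line per session secret to the named file, in the NSS key log format that Wireshark's "(Pre)-Master-Secret log file" setting consumes. Mozilla NSS (Firefox), Chromium, curl and Go's crypto/tls honour the variable; the Windows SChannel stack used by system components does not, so after the reboot in the comment an empty file means that no program which honours the variable has made a connection, not that nothing was sent. The Go program below is an added example, not code from the commenter or from the page: it produces a real key log from a TLS 1.2 and a TLS 1.3 handshake against a loopback server (Go exposes the mechanism as tls.Config.KeyLogWriter) and parses the result the way Wireshark would. The loopback server and its self-signed certificate exist only for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// KeyLogEntry is one line of the NSS key log format Wireshark reads as its
// "(Pre)-Master-Secret log file": "<LABEL> <client_random hex> <secret hex>".
type KeyLogEntry struct{ Label, ClientRandom, Secret string }

// ParseKeyLog validates and parses key log text. Blank lines and '#' comments are
// skipped; a wrong field count, a non-hex secret or a client random that is not
// 32 bytes is an error, because Wireshark would silently ignore such a line.
func ParseKeyLog(text string) ([]KeyLogEntry, error) {
	var entries []KeyLogEntry
	for n, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 3 {
			return nil, fmt.Errorf("line %d: expected 3 fields, got %d", n+1, len(f))
		}
		if r, err := hex.DecodeString(f[1]); err != nil || len(r) != 32 {
			return nil, fmt.Errorf("line %d: client random must be 32 hex-encoded bytes", n+1)
		}
		if _, err := hex.DecodeString(f[2]); err != nil {
			return nil, fmt.Errorf("line %d: secret is not hex", n+1)
		}
		entries = append(entries, KeyLogEntry{f[0], f[1], f[2]})
	}
	return entries, nil
}

// CaptureKeyLog completes one TLS 1.2 or TLS 1.3 handshake against a loopback
// server while the client's KeyLogWriter is set (Go's equivalent of a program
// honouring SSLKEYLOGFILE) and returns the key log text the client wrote.
func CaptureKeyLog(version uint16) (string, error) {
	// Throwaway self-signed ECDSA certificate for the loopback server.
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", err
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() {
		if conn, err := ln.Accept(); err == nil {
			cfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}
			tls.Server(conn, cfg).Handshake()
			conn.Close()
		}
	}()
	var keyLog strings.Builder // stands in for the file SSLKEYLOGFILE would name
	c, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		InsecureSkipVerify: true, // the demo certificate is self-signed; loopback only
		MinVersion:         version,
		MaxVersion:         version,
		KeyLogWriter:       &keyLog,
	})
	if err != nil {
		return "", err
	}
	c.Close()
	return keyLog.String(), nil
}

func main() {
	for _, v := range []uint16{tls.VersionTLS12, tls.VersionTLS13} {
		text, err := CaptureKeyLog(v)
		if err != nil {
			panic(err)
		}
		fmt.Print(text) // TLS 1.2: one CLIENT_RANDOM line; TLS 1.3: four *_TRAFFIC_SECRET* lines
	}
}
```

A TLS 1.2 session yields a single CLIENT_RANDOM line whose secret is the 48-byte master secret, which is why the Wireshark setting still carries the "(Pre)-Master-Secret" name; a TLS 1.3 session yields separate handshake and application traffic secrets for each direction, all keyed on the same client random so the dissector can match them to the ClientHello in the capture. Running ParseKeyLog over the file before pointing Wireshark at it tells you whether the application actually wrote anything and whether the lines are well-formed.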
