Once my Cosmo arrives, do I actually dare to use it?

[Ninji]

I disagree; I'm certain that there is malevolent intent on Digitime's part. Why would they go so far to hide it, otherwise? The code is obfuscated, the server URLs used by the malware component use domains like 'flurrydata.com' and 'facebook-3rd.com' in an attempt to look like legitimate services, and moreover, today I discovered that Digitime actually pushed some new worker packages just 2-3 days after my email to Planet - a new empty feature-less one for the Cosmo, and a new build of the standard version for the Gretel A7.

I suspect that Planet talked to them and they went "oh crap, we've been discovered"... Curiously, they don't seem to have replaced the Gemini's (albeit I may have made a mistake in the check commands, as I don't have example packet dumps from a Gemini as I do for the Cosmo and the A7).

It's also quite amusing that the 'statistics.flurrydata.com' server that the boot module reports to appears to have stopped working; for every request it just returns a {"errinfo":"Too many connections","errcode":3} error. Probably not intentional...

I will write a follow-up blog post soon, but for now I need to catch up on university work. In the meantime, here is my reply to Planet which provides some more information:

Hello Davide,

It's great to hear from you about this, and to know that Planet is on the ball regarding the situation. My research has given me no reason to doubt Planet's privacy/security practices; my assumption all along was that Digitime was doing this without the knowledge of Planet or EastAeon.

There are more issues with the Digitime software, not just the Cosmo-only IOrgX/Y/Z backdoors. Note that there are effectively two 'sides' to the Digitime app. There is the legitimate OTA update process, which connects to the 'app.fota.digitimetech.com' server and fetches update information. This is somewhat insecure (it is vulnerable to SSL man-in-the-middle attacks) but that seems like a mistake, not malice.

The second side is the Lua service I documented in my blog posts, which is present in every Digitime SystemFota updater I have seen, including the Gemini's. It downloads arbitrary 'worker' code from domains like 'statistics.flurrydata.com' and 'facebook-3rd.com', which appears to be a deliberate attempt to hide by pretending to be part of a legitimate service. This is the system which was used to distribute malware on other devices like the Gretel A7.

There is one interesting development in this area which I only noticed today (as I had the SystemFota app disabled): Digitime have sent my Cosmo a new 'worker' package, which removes all of its functionality and leaves an empty shell. The code files in it are dated the 4th December 2019 (two days after my initial email to Planet Computers), whereas the other workers are all dated months/years older. The timing makes me wonder: did they suddenly do this in an attempt to save face after an enquiry from PC?

From my understanding, this doesn't actually disable their control over the device, as the 'boot' package (which is baked into the Android ROM's SystemFota.apk) still checks home regularly, and has the ability to download a new worker if Digitime changes their mind. This is all device-specific, so in theory, Digitime could for example decide to send a malicious code package to IP addresses connecting from certain countries, and this empty shell to IP addresses connecting from the UK (like you and I).

I have also experimented by sending requests to their server with the IDs of other known devices. If I pretend to be a Gemini, I get the regular worker that I started with on the Cosmo - not the empty shell that the Cosmo now has. If I pretend to be a Gretel A7, I get a newly built version of that worker, with a different version number, dated the 5th December 2019 - which furthers my suspicions that Digitime are trying to cover their tracks after this exposure.

I appreciate that Digitime has agreed to remove the OS backdoors, and that they seem to have disabled part of the malware-like functionality for the Cosmo, but none of these things should have been there in the first place. I personally would not trust an operator with this track record. Ultimately, however, it is Planet Computers who must decide if they want to trust Digitime with software distribution on their devices, not me - I am after all an outsider and not privy to the complex decisions that go into building a device like this.

Thank you for the detailed response and for taking my concerns seriously; it's a refreshing attitude in a world where many tech companies just sweep security issues under the carpet. Despite the teething software issues, I really enjoy the Cosmo and I can't wait to see it get better - I'm especially excited for the release of multi-boot so that I can experiment with OSes more.

Kind regards,
Ash

[vldmr]

There is one interesting development in this area which I only noticed today (as I had the SystemFota app disabled): Digitime have sent my Cosmo a new 'worker' package, which removes all of its functionality and leaves an empty shell. The code files in it are dated the 4th December 2019 (two days after my initial email to Planet Computers), whereas the other workers are all dated months/years older. The timing makes me wonder: did they suddenly do this in an attempt to save face after an enquiry from PC?

From my understanding, this doesn't actually disable their control over the device, as the 'boot' package (which is baked into the Android ROM's SystemFota.apk) still checks home regularly, and has the ability to download a new worker if Digitime changes their mind. This is all device-specific, so in theory, Digitime could for example decide to send a malicious code package to IP addresses connecting from certain countries, and this empty shell to IP addresses connecting from the UK (like you and I).

I have also experimented by sending requests to their server with the IDs of other known devices. If I pretend to be a Gemini, I get the regular worker that I started with on the Cosmo - not the empty shell that the Cosmo now has. If I pretend to be a Gretel A7, I get a newly built version of that worker, with a different version number, dated the 5th December 2019 - which furthers my suspicions that Digitime are trying to cover their tracks after this exposure.

It would be interesting to extend you testing as you suggested to other regions to see if there is a difference in 'workers' sent to different regions. Could you put some quick instructions how others could do such test?

I've run your python script from December 1 post, output is below, I am not up to the task to interpret this response, I am in US.

Code: [Select]

(b'3T',
b'\x00\x01',
 b'{"state":0,"gen":{
  "is_gdpr":1,
  "state_device":1,
  "phone_id":"200109EC110001186199",
  "auth_priv":0,
  "auth_level":0,
  "interval_hour":0,
  "path2":"",
  "project_id":"FTPRO16945",
  "count_succ":31,
  "path1":""
 }
}')

[spook]

That's awesome Ninji! Nice work!

[Daniel W]

I disagree; I'm certain that there is malevolent intent on Digitime's part. Why would they go so far to hide it, otherwise?

You may very well be right. I was using a Hanlon's razor, roughly "do not attribute to malice that which can be adequately explained by folly". Say management once ordered these capabilities for semi-reasonable purposes, neither seeing the slippery slope nor how it could come back bite them, but the developer(s) did, and tried to hide things. Either way, it probably means Digitime should be replaced and, if not feasible, that they need to stay under close scrutiny. Thanks again Ninji for digging through all of this muck.

[ianisthewalrus]

wohoo! thanks for all the detective work on this. i am also relieved/glad that planet isnt sweeping it under the rug.

[Ninji]

So, amusingly, Digitime have now even taken down their websites. Caught red-handed??

I can confirm that the next Cosmo firmware update removes all the backdoors, both local and remote. I think Planet may also be shifting away from Digitime in the long term, but regardless of that, the changes in the next update get rid of Digitime's ability to download arbitrary code and applications, so the app behaves like the legitimate updater it purported to be all along.

(While in theory, Digitime could push a rogue update through it, the Android recovery system will reject OTA packages that are not signed with the manufacturer's certificate and private key, so unless they got hold of those keys, that should not be possible...)

[Zarhan]

I can confirm that the next Cosmo firmware update removes all the backdoors, both local and remote. I think Planet may also be shifting away from Digitime in the long term, but regardless of that, the changes in the next update get rid of Digitime's ability to download arbitrary code and applications, so the app behaves like the legitimate updater it purported to be all along.

I'm sort of glad that I hadn't received my device yet (despite being locked since before Christmas). I just would have hoped that they would have given info on this immediately as an update either on support site or in Indiegogo.

At least we now have a confirmed Brexit with a deal so no customs duties will get tacked on even if the shipping date slips all the way to February.

[vldmr]

I can confirm that the next Cosmo firmware update removes all the backdoors, both local and remote.

Would you be able to confirm that for updates targeted to different regions than yours?

[Ben10]

So good to hear PC takes this seriously and are willing to deal with it in the next(?) firmware update. --- @Ninji, I can't speek in the name of every Cosmo owner, but I feel like everyone of us owe you at least a cup of coffee or glass of beer. Without any intension to insult anyone or to break any rules of this forum, I suggest you to put your PayPal or crypto address in your signature or something, if you feel like it... Thank you anway.

[ehem]

I disagree; I'm certain that there is malevolent intent on Digitime's part. Why would they go so far to hide it, otherwise? The code is obfuscated, the server URLs used by the malware component use domains like 'flurrydata.com' and 'facebook-3rd.com' in an attempt to look like legitimate services, and moreover, today I discovered that Digitime actually pushed some new worker packages just 2-3 days after my email to Planet - a new empty feature-less one for the Cosmo, and a new build of the standard version for the Gretel A7.

I'll have to color myself a bit skeptical of being overtly malevolent.  More likely this is encouraged by intelligence agencies in China.  They're not all that likely to think they can successfully target interesting European or US people.  Likely their main target is surveillance of Chinese citizens.  If the code leaks to the wider world, they may not be all that worried and will happily gather information from whomever ends up with an appropriately contaminated device.

[Ninji]

Would you be able to confirm that for updates targeted to different regions than yours?

As far as I know the updater used in every region is exactly the same, so this should affect all Cosmo units. (Are there even region-specific Cosmo ROMs?)

That is and has always been under Planet's control; they receive a package containing the updater APK and then incorporate it into the ROM. I highly doubt they would want to keep a backdoored updater in for any devices - in my communications with Planet, they were very adamant that they wanted to get rid of it ASAP. The reason I can confirm this is because they actually allowed me to examine the new updater just to make sure Digitime were not pulling a fast one on them.

I'm a bit disappointed they've not made any public comment yet, especially considering they promised an update on Indiegogo before the end of the week and it is now Monday. Hopefully we will hear something soon.

So good to hear PC takes this seriously and are willing to deal with it in the next(?) firmware update. --- @Ninji, I can't speek in the name of every Cosmo owner, but I feel like everyone of us owe you at least a cup of coffee or glass of beer. Without any intension to insult anyone or to break any rules of this forum, I suggest you to put your PayPal or crypto address in your signature or something, if you feel like it... Thank you anway.

I'd be fearful of coming across as just wanting money because that's not the case - I do things like this for fun and for the betterment of the software/hardware I use, not to make money. If anyone really wants to throw a pound or two at me then I have some links on my website's homepage, but please don't feel obligated to!

I'll have to color myself a bit skeptical of being overtly malevolent.  More likely this is encouraged by intelligence agencies in China.  They're not all that likely to think they can successfully target interesting European or US people.  Likely their main target is surveillance of Chinese citizens.  If the code leaks to the wider world, they may not be all that worried and will happily gather information from whomever ends up with an appropriately contaminated device.

It could probably be used for that purpose, but all the evidence I've seen so far points to Digitime just using it to install adware. One of the APKs I found, distributed through their CDN, just sits in the background and occasionally opens up ads sourced from an obscure domain (omuchain[.]com) that just so happens to be registered with the same false WHOIS info as one of their corporate domains (qimingiot[.]com).

Of course, all we can do is speculate about their motives - they're a secretive business based in China that only deals with other businesses, most of which also seem to be based in China. I would for sure like to know what they are, but I don't know if I'll ever find out.

(Speaking of, today is the 6th day of all their public-facing websites being entirely dead... ?)