Introduction

I recently read a blog post by DoctorBeet about his LG TV sending channel viewing and file tracking information to a remote site. The article is quite informative, and if you own an LG SmartTV, I highly recommend reading it before you continue with this article. The original blog can be found here:

http://doctorbeet.blogspot.co.uk/2013/11/lg-smart-tvs-logging-usb-filenames-and.html

I decided to investigate how far LG had gone to gather tracking information, even though I do not own an LG TV myself. I was, however, able to glean some additional details using the information provided in DoctorBeet's article.

 

Expanding the List of Domains

The basis of my research was around the format LG was using for the domain name, mainly:

GB.ibis.lgappstv.com.

This had me thinking the GB tag was being used as a reference to “Great Britain”, which made sense as the original article was based around someone living in the UK.

I decided to parse out all of the available country codes provided by the IANA via their website. I included all domains that were tagged as a “country-code”, but ignored the sponsoring organization portion of the list, as that is not needed for the task at hand. In addition, I limited the list to English-character-based country domains, to simplify the exercise a bit.

The sampling garnered 254 top level domains, of which a small listing is provided here:

ac
ad
ae
af
ag
ai
al
am

I'm ashamed to admit that I did this manually (my morning coffee had not yet kicked in), but it revealed how large the root trees had become for country-specific domains. I stored these country codes in a file called “country_codes.txt”, which I have provided as part of this article.

With this data in hand, I executed the following command against the file:

for i in `cat country_codes.txt | tr a-z A-Z`; do dig ${i}.ibis.lgappstv.com | grep ibis.lgappstv.com | grep IN | grep A | grep -v "^;"; sleep 10; done

The above command reads the “country_codes.txt” file and converts each country code into capital letters, to match the pattern already defined above. It then runs dig (domain information groper) on the concatenated domain name. The raw dig response, before the grep filters are applied, looks something like this:

; <<>> DiG 9.9.3-rpz2+rl.156.01-P2 <<>> GB.ibis.lgappstv.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63200
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;GB.ibis.lgappstv.com. IN A
 
;; ANSWER SECTION:
GB.ibis.lgappstv.com. 21600 IN A 193.67.216.128
;; Query time: 303 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Nov 19 13:12:14 AST 2013
;; MSG SIZE rcvd: 65
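
The grep chain in the loop above matches on substrings, so a line containing CNAME or AAAA also passes `grep A`. The following is an added example, not the article's own code, that filters dig output by field instead; the function names are hypothetical, and the CNAME and example.net records in the sample are constructed.

```shell
#!/bin/sh
# Added example, not the article's code. Function names are hypothetical.

# Read dig output on stdin; print "name ip" for every A record whose owner
# name ends in the given suffix (default: ibis.lgappstv.com).
# Class and type are compared as whole fields, so CNAME and AAAA lines that
# a substring match such as `grep A` would pass are dropped.
extract_a_records() {
    awk -v suffix="${1:-ibis.lgappstv.com}" '
        /^;/ || NF < 5 { next }            # comments, blanks, short lines
        $3 == "IN" && $4 == "A" {
            owner = $1
            sub(/\.$/, "", owner)          # strip the trailing root dot
            name = tolower(owner)
            want = "." tolower(suffix)
            tail = substr(name, length(name) - length(want) + 1)
            if (length(name) > length(want) && tail == want)
                print owner, $5
        }'
}

# Constructed sample: the answer line shown in the article, followed by a
# made-up CNAME record and an unrelated A record (documentation addresses).
sample_dig_output() {
    cat <<'EOF'
;; QUESTION SECTION:
;GB.ibis.lgappstv.com. IN A

;; ANSWER SECTION:
GB.ibis.lgappstv.com. 21600 IN A 193.67.216.128
XX.ibis.lgappstv.com. 300 IN CNAME alias.example.net.
alias.example.net. 300 IN A 192.0.2.10
EOF
}

# Only the GB A record survives the filter.
sample_dig_output | extract_a_records
```

Inside the article's loop, the function would take the place of the grep chain, as in `dig ${i}.ibis.lgappstv.com | extract_a_records`.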