Introduction

I recently read a blog post by DoctorBeet about his LG TV sending channel viewing and file tracking information to a remote site. The article is quite informative, and if you own an LG SmartTV, I highly recommend reading it before you continue with this article. The original blog can be found here:

http://doctorbeet.blogspot.co.uk/2013/11/lg-smart-tvs-logging-usb-filenames-and.html

I decided to investigate how far LG had gone to gather tracking information, even though I do not own an LG TV myself. I was, however, able to glean some additional details using the information provided in DoctorBeet's article.

 

Expanding the List of Domains

The basis of my research was the format LG was using for the domain name, namely:

GB.ibis.lgappstv.com.

This had me thinking the GB tag was being used as a reference to “Great Britain”, which made sense as the original article was based around someone living in the UK.

I decided to parse out all of the available country codes provided by the IANA via their website. I included all domains that were tagged as a “country-code”, but ignored the sponsoring organization portion of the list, as that is not needed for the task at hand. In addition, I limited the list to simply English character based country domains, to simplify the exercise a bit.

The sampling garnered 254 top level domains, of which a small listing is provided here:

ac
ad
ae
af
ag
ai
al
am

I'm ashamed to admit that I did this manually (my morning coffee had not yet kicked in), but it revealed how large the root trees had become for country specific domains. I stored these country codes in a file called “country_codes.txt”, which I have provided as part of this article.

With this data in hand, I executed the following command against the file:

for i in `cat country_codes.txt | tr a-z A-Z`; do dig ${i}.ibis.lgappstv.com | grep ibis.lgappstv.com | grep IN | grep A | grep -v "^;"; sleep 10; done

The above command takes the input of the “country_codes.txt” file, and converts each country code into capital letters, to match the pattern already defined above. It then executes a DIG (domain information groper) on the concatenated domain name. This results in a response that looks something like this:

; <<>> DiG 9.9.3-rpz2+rl.156.01-P2 <<>> GB.ibis.lgappstv.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63200
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;GB.ibis.lgappstv.com. IN A
 
;; ANSWER SECTION:
GB.ibis.lgappstv.com. 21600 IN A 193.67.216.128
;; Query time: 303 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Nov 19 13:12:14 AST 2013
;; MSG SIZE rcvd: 65

The rest of the command strips out invalid responses and unimportant details not associated with the task at hand, via a chain of grep commands, and then forces a “pause” of 10 seconds before the next lookup, to ensure I limit the traffic to the domain server. The chain I use is to ensure clarity of the requirements, and so others who may not be familiar with the grep command can see what is happening.

In addition, the order of the grep commands ensures I eliminate empty lines or failed query responses such as this:

lgappstv.com. 10 IN SOA prmns.lg.co.kr. root\@prmns.lg.co.kr. 2013111501 86400 3600 604800 10

This resulted in 142 positive responses out of the possible 254 that were identified earlier. I stored these results in a file called “dns_lookup_results.txt”, which has also been posted as part of this article. It contains the entire list of identified domain names that returned an IP address, of which a small sample looks like:

SL.ibis.lgappstv.com. 21600 IN A 193.67.216.128
SN.ibis.lgappstv.com. 21600 IN A 193.67.216.128
SR.ibis.lgappstv.com. 21600 IN A 63.123.46.71
SV.ibis.lgappstv.com. 21600 IN A 63.123.46.71
SY.ibis.lgappstv.com. 21600 IN A 193.67.216.128

The first field is the domain name we queried, and the second field is the time, in seconds, that a domain server will cache the lookup results. The IN and A fields simply tell us the domain name is not an alias and is configured to return a direct IP response. If it were an alias, we would see a CNAME reference in the field where the A reference exists. The last field is the IP Address returned by our query. I was only interested in the first and last fields, but it is interesting to see that all of the responses were A records.


Narrowing Down the Zones

While the domain queries were running, I noticed another bit of information that I needed to confirm. There was a commonality between the IP address results, leading me to think LG had created “zones” to collect the data. I executed another quick command to confirm there was a relatively small number of IP Addresses in use:

cat dns_lookup_results.txt | awk '{print $5}' | sort | uniq

This command uses the “dns_lookup_results.txt” file as input to the awk command. The awk command ignores all data except the last field in the file, specifically the IP Address. It spits the results of the field parsing to a sort command, which is in turn stripped of all duplicates via the uniq command.

As we can see there are, in fact, only 3 IP Addresses the 142 domains point to, lending weight to a “zoned” style of data tracking. The IP Addresses are:

165.244.150.126
193.67.216.128
63.123.46.71
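
The filtering and grouping steps above can also be done by testing each field of a dig answer exactly, rather than chaining substring greps, which also yields the country codes behind each address. This shell script is an added example, not part of the original article; the function names and the XX lookup in the sample are made up for illustration.

```shell
#!/bin/sh
# Constructed sample of dig output. The GB, KR, SR and SL answers and the SOA
# line are quoted in the article; XX is a made-up code that does not resolve.
sample_dig_output() {
cat <<'EOF'
; <<>> DiG 9.9.3-rpz2+rl.156.01-P2 <<>> GB.ibis.lgappstv.com
;; QUESTION SECTION:
;GB.ibis.lgappstv.com. IN A
;; ANSWER SECTION:
GB.ibis.lgappstv.com. 21600 IN A 193.67.216.128
;; QUESTION SECTION:
;XX.ibis.lgappstv.com. IN A
;; AUTHORITY SECTION:
lgappstv.com. 10 IN SOA prmns.lg.co.kr. root\@prmns.lg.co.kr. 2013111501 86400 3600 604800 10
;; ANSWER SECTION:
KR.ibis.lgappstv.com. 21600 IN A 165.244.150.126
;; ANSWER SECTION:
SR.ibis.lgappstv.com. 21600 IN A 63.123.46.71
;; ANSWER SECTION:
SL.ibis.lgappstv.com. 21600 IN A 193.67.216.128
EOF
}

# a_records: keep only lines of the form
#   <CC>.ibis.lgappstv.com. <ttl> IN A <ipv4>
# Every field is checked, so comment lines, the SOA line returned for a
# failed lookup, and any CNAME answer are all dropped.
a_records() {
    awk 'NF == 5 && $3 == "IN" && $4 == "A" &&
         $1 ~ /^[A-Za-z][A-Za-z]\.ibis\.lgappstv\.com\.$/ &&
         $5 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/'
}

# zones: group country codes by the address they resolve to.
# Output, one line per address: "<ip> <count> <CC,CC,...>"
zones() {
    a_records | awk '{
        cc = toupper(substr($1, 1, 2))
        count[$5]++
        codes[$5] = (codes[$5] == "" ? cc : codes[$5] "," cc)
    } END { for (ip in count) print ip, count[ip], codes[ip] }' | sort
}

sample_dig_output | zones
```

Run against the full dig output instead of the sample, `zones` prints one line per collection address with the number of country codes that point at it.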

Breaking this down further, I pulled all of the domains that reference a specific IP Address, and summarized their results as follows:

The 193.67.216.128 IP is used to capture data from Europe and some surrounding countries.


The 165.244.150.126 IP address appears to be capturing only Korea at this time, but that may expand in the future:

KR.ibis.lgappstv.com. 21600 IN A 165.244.150.126

The last IP, 63.123.46.71, appears to be capturing data from North and South America, the Caribbean, and a few surrounding areas.

Additional evidence of “zoned” data collection was discovered by finding out what registry manages the IP Addresses. Using the whois command, we can see what regions the IP Addresses are assigned to, and glean an indication of their location. I expanded on my previous command, and added a whois lookup request:

for i in `cat dns_lookup_results.txt | awk '{print $5}' | sort | uniq` ; do whois ${i} > ${i}.txt; done

This command uses the same steps as the sorting command posted earlier, but adds the whois request, and stores the results into a file, separated by IP address. I've attached the three result files at the end of the article for review, but a sample of the whois details for the 63.123.46.71 IP is as follows:

LG CNS UU-63-123-46-D2 (NET-63-123-46-0-1) 63.123.46.0 - 63.123.47.255

MCI Communications Services, Inc. d/b/a Verizon Business UUNET63 (NET-63-64-0-0-1) 63.64.0.0 – 63.127.255.255

The 165.244.150.126 IP Address is registered under APNIC, which manages IP Addresses for the Asia Pacific region, confirming the location is near Korea. In fact, it appears that LG has registered the location as being in Seoul, Korea.

The 193.67.216.128 IP Address is registered under the RIPE registry, which manages European IP Addresses, confirming it is located within Europe. Specifically, the IP itself appears to be located in Amsterdam, Netherlands.

Sadly, the 63.123.46.71 IP Address contains the least information via the simple whois request. According to the file, it is registered by MCI Communications/Verizon Business and resides on their network. Additional searches using the myip.ms website have revealed it may be located in Englewood Cliffs, New Jersey, USA. However, any traceroute requests are being blocked by MCI in Virginia, so I cannot confirm that.


 

Confirming Services

Lastly, DoctorBeet pointed out the method of transport is via a plain text HTTP request. Standardized unsecured HTTP requests are done using port 80, so it was easy to determine if all three of the IP Addresses had some form of web server running. Simply executing a telnet to port 80 for each IP Address confirmed this:

> telnet 193.67.216.128 80
Trying 193.67.216.128...
Connected to 193.67.216.128.

> telnet 63.123.46.71 80
Trying 63.123.46.71...
Connected to 63.123.46.71.

> telnet 165.244.150.126 80
Trying 165.244.150.126...
Connected to 165.244.150.126.

 

I was simply looking to confirm the presence of a web server, so I did not gather any banner specific information.


Mitigation

Information leakage can be limited as long as the correct network devices and configurations are in use. In all cases, a router that is capable of blocking or filtering outgoing network traffic is required. Multiple vendors support this ability; D-Link, Cisco/Linksys, and Netgear are some examples. Specifically, keyword and website filters are what need to be configured, while sometimes blocking a known IP Address at the firewall itself will also work.

DoctorBeet has already provided a starting list of domains to look into blocking, if there are concerns about what data is leaked to LG. I would, however, still permit “llnwd.net” as they are a content delivery network used by some companies.
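
A website filter for these hosts has to match on domain boundaries, ignore case and the trailing dot, and leave permitted names such as llnwd.net alone. The shell script below is an added example, not part of the original article: it assumes a local resolver that accepts hosts-format entries, its suffix lists hold only the two domains named in this article, and the llnwd.net and notlgappstv.com records in the sample are constructed.

```shell
#!/bin/sh
BLOCK_SUFFIXES="lgappstv.com"   # the tracking domain named in this article
ALLOW_SUFFIXES="llnwd.net"      # CDN the article says to keep reachable

# Constructed sample: three records quoted in the article plus two made-up
# names (cdn.example.llnwd.net, notlgappstv.com) that must NOT be blocked.
sample_records() {
cat <<'EOF'
GB.ibis.lgappstv.com. 21600 IN A 193.67.216.128
KR.ibis.lgappstv.com. 21600 IN A 165.244.150.126
SR.ibis.lgappstv.com. 21600 IN A 63.123.46.71
cdn.example.llnwd.net. 300 IN A 192.0.2.10
notlgappstv.com. 300 IN A 192.0.2.20
EOF
}

# Lowercase a DNS name and drop the trailing root dot.
normalise() { printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'; }

# True when name $1 is suffix $2 itself or a subdomain of it.
# A plain substring (keyword) match would also hit notlgappstv.com.
has_suffix() {
    case "$1" in
        "$2" | *."$2") return 0 ;;
        *) return 1 ;;
    esac
}

# Print "block" or "allow" for one name; the allow list wins.
verdict() {
    name=$(normalise "$1")
    for s in $ALLOW_SUFFIXES; do
        if has_suffix "$name" "$s"; then echo allow; return 0; fi
    done
    for s in $BLOCK_SUFFIXES; do
        if has_suffix "$name" "$s"; then echo block; return 0; fi
    done
    echo allow
}

# Read answer records on stdin; print one hosts-format line per blocked name.
hosts_entries() {
    awk '$3 == "IN" && $4 == "A" { print $1 }' | while read -r n; do
        if [ "$(verdict "$n")" = block ]; then
            echo "0.0.0.0 $(normalise "$n")"
        fi
    done | sort -u
}

sample_records | hosts_entries
```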

Even though LG has declared they are going to fix the issue, it is still possible for a mistake to be made and non-approved data to leak out of a network, and it is always best to minimize this leakage.

 

Conclusion

The information gathered expands upon DoctorBeet's article, and exposes a broader scope to the data capturing network. Three zones have been created to capture the viewing habits of people in 142 countries who own an LG SmartTV.

The UK and Canada have relatively strict provisions for what data is exempt from the privacy laws, and many other countries may also have laws in place that LG may be in violation of. Our societies have been bleeding far too much personal information through other methodologies used by advertising companies, and I personally think it is time to start closing as many of them off as possible.

 


 

Raw Data File

The following are all of the raw data files that were used in this article.

Country Codes

DNS Lookup Results

Whois Lookup - 63.123.46.71

Whois Lookup - 165.244.150.126

Whois Lookup - 193.67.216.128

 

References

The following is a list of all online references used in the research of this article.

Country code top-level domain (n.d.). In Wikipedia Online. Retrieved from http://en.wikipedia.org/wiki/Country_code_top-level_domain
Root Zone Database (n.d.). In Internet Assigned Numbers Authority Online. Retrieved from http://www.iana.org/domains/root/db
Whois IP Live Results for 63.123.46.71 (November 21, 2013). In Hosting Info, Websites & IP Database Online. Retrieved from http://myip.ms/info/whois/63.123.46.71
Site Report for kr.ibis.lgappstv.com (n.d.). In Netcraft.com. Retrieved from http://toolbar.netcraft.com/site_report?url=http://KR.ibis.lgappstv.com.
Site Report for bj.ibis.lgappstv.com (n.d.). In Netcraft.com. Retrieved from http://toolbar.netcraft.com/site_report?url=http://BJ.ibis.lgappstv.com.
Site Report for br.ibis.lgappstv.com (n.d.). In Netcraft.com. Retrieved from http://toolbar.netcraft.com/site_report?url=http://BR.ibis.lgappstv.com.