The Wacom digital drawing tablet appears to be silently exfiltrating user data, according to an investigation by software engineer Robert Heaton – and the company responded on Friday, downplaying the report. However, security researchers say the tablets still pose a risk and a privacy problem.
Wacom tablets connect to a laptop or desktop computer as a plug-and-play peripheral, just like a keyboard or mouse. They let users “paint,” draw, create photo montages, sketch and more, all digitally rendered on the attached computer. They are aimed at commercial graphic designers as well as amateur enthusiasts.
The downside, according to Heaton’s investigation, is that its drivers also silently track the name of every application that users open while the devices are running.
Heaton scoured the privacy agreement for the device and found that in section 3.1, Wacom asks permission to send information to Google Analytics “[including] aggregate usage data, technical session information and information about [my] hardware device.”
The phrase “aggregate usage data” gave Heaton pause due to its vagueness. After investigating, he found that Wacom was recording some innocuous operational data, such as timestamps for “driver started” and “driver shutdown.” But it was also recording every time he opened a new application, including the time, “a string that presumably uniquely identifies me,” and the application’s name.
That information is sent off to Google Analytics, and according to a Wacom statement to the Verge, is used “for quality assurance and development purposes only.” The company said that it only tracks which software applications are used when tablets are “in use,” and that the data is accessible only in anonymized and unidentifiable formats.
“Our development and customer-care teams could review across all aggregated users of a product, for instance, the most common function settings for pen buttons (e.g. ‘right click’ or ‘undo’) or the most frequently viewed tabs or selected links in the Wacom apps,” the company said.
Nonetheless, security experts noted that concerning issues linger.
Security Concerns
Rui Lopes, engineering and technical support director at Panda Security, told Threatpost that one concern is that such monitoring could be exploited by cybercriminals. “Unfortunately, there are…bad actors who take advantage of this dynamic to collect and sell data without the knowledge of the user, which can have massive [security] repercussions.”
Heaton concurred: Conceivably, anyone able to intercept and decrypt the TLS traffic leaving the driver could use the information to “fingerprint” a user, he noted, based on the applications they run. And though the data Wacom sees is supposedly aggregated, Heaton said that Wacom could use the “User Explorer” tool in Google Analytics to drill down to individual client identifiers, possibly building a fairly rich per-user profile that could be used for phishing or scam attacks.
Further, “maybe the very existence of a program is secret or sensitive information,” Heaton wrote. “What if a Wacom employee suddenly starts seeing entries spring up for ‘Half Life 3 Test Build?’ Obviously I don’t care about the secrecy of Valve’s new games, but I assume that Valve does.”
Meanwhile, Matias Katz, CEO at BYOS, said that giving drivers the ability to collect information in the first place is something that sophisticated hackers could exploit, if they’re able to compromise the peripheral device itself.
“Data exfiltration executed by a driver is a major concern, since drivers have a much more privileged access to the kernel than a normal app (like a browser) normally has,” he told Threatpost. “This allows the driver to access more critical information of user’s devices and session, or even execute privileged code on the device itself.”
Threatpost reached out to Wacom to weigh in on the concerns, and will update this post accordingly.
Smart Exfiltration by Dumb Devices
Heaton falls into the “amateur enthusiast” camp of the Wacom user base: he said he bought a tablet to do some drawings to go with his blog posts. While setting up the drivers for the new tablet last week, he was surprised to be asked to agree to a privacy policy.
“Being a mostly normal person I never usually read privacy policies,” he wrote in his breakdown of the situation this week. “Instead, I vigorously hammer the ‘yes’ button in an effort to reach the game, machine or medical advice on the other side of the agreement as fast as possible. But Wacom’s request made me pause. Why does a device that is essentially a mouse need a privacy policy?”
Using Wireshark, a packet sniffer that captures the traffic leaving a computer, Heaton was able to see that his laptop was talking back and forth with www.google-analytics.com in the form of “lots of TLS-encrypted traffic.” He then set up Burp Suite as an intercepting proxy on his computer to decrypt and log the specific data being sent to and from the Wacom tablet drivers.
“I configured my laptop’s global HTTP and HTTPS proxies to point to Burp Suite. This meant that every program that respected these global settings would send its traffic through my proxy,” Heaton explained. However, the proxy quickly started logging “client failed TLS handshake” messages from the Wacom drivers: the driver was checking the certificate Burp presented for www.google-analytics.com and rejecting it because Burp’s certificate authority was not trusted. He got around this by using Keychain on his Mac to temporarily add Burp’s CA certificate to the laptop’s list of trusted root certificates. That worked because the driver relied on the system trust store; a driver that pinned its own certificate would not have accepted the substitute.
After restarting the drivers, “the driver fired off everything it had collected to Google Analytics. This data materialized in my Burp Suite.”
He added, “Remember, this information is coming from a device that is essentially a mouse.”
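Heaton’s two observations above, that each hit carries “a string that presumably uniquely identifies me” and that Google Analytics’ “User Explorer” can turn aggregate event rows back into a per-person profile, can be reproduced offline on a proxy capture. The following is an added example, not code from Heaton’s post or from Wacom’s driver. It assumes the driver’s requests follow the public Google Analytics Measurement Protocol v1 format (`v=1&tid=…&cid=…&t=event&ec=…&ea=…&el=…`); the tracking id, client ids, application names and event labels below are constructed for the example, and the real parameter names used by the driver are not stated in the article.

```python
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed capture: request bodies a driver would POST to
# https://www.google-analytics.com/collect, as an intercepting proxy such as
# Burp would log them. The tid, cids and application names are invented, and
# the parameter names (Measurement Protocol v1) are an assumption about the
# driver's format, not taken from the article.
CAPTURED_HITS = [
    "v=1&tid=UA-00000000-1&cid=4a1c0f0e-2b7d-4e9a-9c1f-0d2e3f4a5b6c&t=event&ec=driver&ea=started",
    "v=1&tid=UA-00000000-1&cid=4a1c0f0e-2b7d-4e9a-9c1f-0d2e3f4a5b6c&t=event&ec=application&ea=open&el=Krita",
    "v=1&tid=UA-00000000-1&cid=4a1c0f0e-2b7d-4e9a-9c1f-0d2e3f4a5b6c&t=event&ec=application&ea=open&el=Terminal",
    "v=1&tid=UA-00000000-1&cid=9e8d7c6b-5a4f-4e3d-8c2b-1a0f9e8d7c6b&t=event&ec=driver&ea=started",
    "v=1&tid=UA-00000000-1&cid=9e8d7c6b-5a4f-4e3d-8c2b-1a0f9e8d7c6b&t=event&ec=application&ea=open&el=Blender",
    "v=1&tid=UA-00000000-1&cid=4a1c0f0e-2b7d-4e9a-9c1f-0d2e3f4a5b6c&t=event&ec=application&ea=open&el=Internal%20Build%20Tool",
    "v=1&tid=UA-00000000-1&cid=4a1c0f0e-2b7d-4e9a-9c1f-0d2e3f4a5b6c&t=event&ec=driver&ea=shutdown",
]

# Parameters that persist across sessions and therefore tie every hit to one
# person or machine. Their presence is what makes the data "not anonymous".
IDENTIFYING_PARAMS = ("cid", "uid")


def parse_hit(body: str) -> dict:
    """Parse one form-encoded hit body into a flat dict (first value per key)."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def identifying_fields(hit: dict) -> list:
    """Return the persistent-identifier parameters present in a parsed hit."""
    return [p for p in IDENTIFYING_PARAMS if p in hit]


def profile_clients(bodies) -> dict:
    """Group hits by client id and collect the applications each client opened.

    This reproduces what a "User Explorer" style drill-down gives an analyst:
    rows that look aggregated in a dashboard reassembled into one profile per
    client id. Hits without a client id cannot be linked and are skipped.
    """
    profiles = defaultdict(lambda: {"apps": set(), "hits": 0})
    for body in bodies:
        hit = parse_hit(body)
        cid = hit.get("cid")
        if cid is None:
            continue
        profiles[cid]["hits"] += 1
        if hit.get("ec") == "application" and hit.get("ea") == "open" and "el" in hit:
            profiles[cid]["apps"].add(hit["el"])
    return {cid: {"apps": sorted(p["apps"]), "hits": p["hits"]}
            for cid, p in profiles.items()}


def clients_running(profiles: dict, app: str) -> list:
    """Client ids whose profile shows the given application name (the
    "who is running the secret build?" query from Heaton's Valve example)."""
    return sorted(cid for cid, p in profiles.items() if app in p["apps"])


if __name__ == "__main__":
    profiles = profile_clients(CAPTURED_HITS)
    for cid, p in profiles.items():
        print(f"{cid[:8]}...: {p['hits']} hits, apps={p['apps']}")
    print("clients seen running 'Internal Build Tool':",
          clients_running(profiles, "Internal Build Tool"))
```

The point of the example is that nothing in an individual hit is a name or e-mail address, yet the stable `cid` alone is enough to join every event back into a per-machine list of applications; an analytics property that removes or rotates that identifier before storage is the only configuration in which “aggregate usage data” is actually aggregate.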
Building such capabilities into devices has become a worrying trend, according to researchers.
“The amount of tools used to collect data has risen exponentially in the last decade, and can now be found in everything from household appliances to infant monitors,” Lopes noted.
“Remember the aughts, that simpler time when plug-and-play devices were not yet data-mining machines?” Colin Bastable, CEO of Lucy Security, told Threatpost. “Personal data is a gold mine for big corporations and they are boring their way into our privacy in a way that would have been shocking only a decade ago. The problem with this erosion of privacy is that eventually there won’t be any left to speak of, and they’ll say we consented.”
Worst Practices
Some researchers – including Heaton himself – suggested that the privacy issue was very likely an oversight with no intent to cause harm, but that makes it no less concerning.
This likely has a legitimate troubleshooting purpose (which app caused the driver to crash?), and I suspect that developers underestimate or ignore the potential to identify individual users if this “anonymous” data fell into the wrong hands.
— 🦡 Badger Tamer ~ Springtime Collection™ (@badg_er) February 6, 2020
“Many analytics and diagnostics tools leak sensitive user and system data,” Jack Mannino, CEO at nVisium, told Threatpost. “As we enable smart capabilities for traditionally ‘dumb’ devices, we have to be aware of the data we’re generating and the consequences of how we collect, transmit and store this information. When building privacy policies, it’s important that they match the technical realities of your systems and how they behave in production.”
Wacom said that users can choose to opt out of data collection by going to settings: Desktop Center —> clicking “More” on the top-right corner —> Privacy Settings —> and selecting “off” in the “Participate Wacom Experience Program” box.
Heaton and Katz noted that the option to opt out is completely unclear to users, many of whom would think that accepting the privacy policy is compulsory. Heaton highlighted its “attempts to look like the kind of compulsory agreement that must be accepted in order to unlock the product behind it,” while Katz explained that mixing the privacy policy with driver installation could confuse even more technical users.
“You cannot opt out of using a driver like you would do with an unwanted app,” he told Threatpost. “No driver means no usable Wacom device. So [users think they have to] choose between not being able to do their work, or allowing sensitive information to be shared with third parties.”