Robb Topolski: NebuAd Uses Packet Forgery and Browser Hijacking Exploits to Plant Cookies on PCs

    It's been a few weeks since our last report on NebuAd and its attempt to install Deep Packet Inspection (DPI) devices on broadband networks throughout the country for the purposes of behavioral advertising (if you're unfamiliar with NebuAd, you might want to start here). Quite a bit has happened since then: as you may have already heard, Public Knowledge, in partnership with 14 other consumer advocacy and privacy groups, urged members of Congress to open a formal investigation into the privacy threat posed by companies like NebuAd. If such an investigation takes place, we're likely to learn a whole lot more about NebuAd and how the company does business with ISPs. In the meantime, we decided to do a little investigating of our own. With the help of noted networking researcher Robb Topolski, Public Knowledge and Free Press conducted a technical analysis of NebuAd in order to figure out exactly how the company's behavioral advertising technology works, and what specific risks it poses to the end user. What we found is that, in terms of actual methodology, NebuAd has more in common with hackers than it does with most web advertising companies.

    In case you're not familiar with Robb, he's been credited as the first to discover that Comcast was using TCP reset packets to interrupt BitTorrent connections, back in May 2007. Additionally, Robb has over 25 years of experience in networking protocols, has worked for Intel and Quarterdeck for 15 years and has been both CSQE and MS-MVP certified. For the past few months, he's been serving as the chief technology consultant for Public Knowledge and Free Press and has been advising both organizations on a number of technological matters.

    For the purposes of his test, Robb accessed a machine via Remote Desktop Protocol (RDP) which was directly connected to the WOW! (aka Wide Open West) cable Internet network (in March, WOW! was confirmed as having deployed NebuAd technology on its network). Before running the test, Robb performed a clean install of Microsoft Windows XP SP3 and then installed Wireshark, a network protocol analyzer, on the machine. Using Microsoft Internet Explorer 7, Robb navigated to www.google.com, while monitoring his Cookies directory.

    What did he discover? Apparently some visits to the Google homepage resulted in the accumulation of cookies for other sites, including cookies that were clearly labeled with the names “nebuad” and “faireagle” (Fair Eagle is a NebuAd company). How did these cookies get onto Robb's machine? “Upon reviewing the record of TCP packets from Google’s server, it is observable that an extra packet appears in the data stream before the data stream closes,” Robb writes in the full report. “The added packet contains JavaScript code that causes a web browser to visit another site. Evidence…indicates that this packet is a forgery and did not come from Google, but from some other point within the network.”

    Apparently, the offending JavaScript code was delivered via a sixth TCP packet, appended to the end of the five packets sent by Google. “The sixth packet, just like the 5 before it, identifies its source as originating from the same IP address and port number as the Google server to which my browser had been connected,” Robb writes. Essentially, NebuAd's forged packet is dressed up as a Google packet so that the user's TCP stack accepts it as part of the existing connection and the browser executes its contents along with Google's page.
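    As an added example (not code from Robb's report, from Public Knowledge, or from NebuAd), the script below shows the kind of check a packet analyst would run over a capture like Robb's to pick out a forged segment that copies the server's source IP and port. It assumes, as a labelled guess about how such injectors behave, that the forged segment gives itself away through an IP TTL different from the server's, an IP ID out of step with the server's sequence, and content that arrives after the page's closing </html> tag and loads a script from a third-party host. The five-plus-one segment "capture", the 203.0.113.10 address, the example.com domain and the ads.example.net host are all constructed for illustration and do not come from the WOW! test.

```python
# Added example: heuristic detector for a forged TCP segment injected into a
# server's response stream. All sample data below is constructed, not captured.
from dataclasses import dataclass
import re


@dataclass
class Segment:
    """One server-to-client TCP segment, reduced to the fields the checks use."""
    src: str           # source IP claimed in the IP header
    sport: int         # source port claimed in the TCP header
    ttl: int           # IP TTL as seen at the client
    ip_id: int         # IP identification field
    seq: int           # TCP sequence number
    payload: bytes     # TCP data
    fin: bool = False  # FIN flag set


# Matches <script ... src="http://host/..."> and captures the host part.
SCRIPT_SRC = re.compile(
    rb"<script[^>]*\bsrc\s*=\s*['\"]?(?:https?:)?//([^'\"/>\s]+)", re.I)


def find_injected(segments, server_domain):
    """Return [(index, [reasons])] for segments that look forged.

    Assumptions (not established by the page): the genuine server's segments
    share one TTL and use roughly increasing IP IDs; the genuine page ends at
    </html>; a <script src> pointing off the server's domain after that point
    is suspect. The TCP sequence number is deliberately NOT used: a forgery
    must carry the next expected seq or the client would discard it.
    """
    if not segments:
        return []
    first = segments[0]
    baseline_ttl = first.ttl
    last_ip_id = first.ip_id
    html_closed = b"</html>" in first.payload.lower()
    findings = []
    for i, s in enumerate(segments[1:], start=1):
        if (s.src, s.sport) != (first.src, first.sport):
            continue  # belongs to some other flow
        reasons = []
        if s.ttl != baseline_ttl:
            reasons.append(f"ttl {s.ttl} != stream baseline {baseline_ttl}")
        if not 0 < (s.ip_id - last_ip_id) % 65536 < 1024:
            reasons.append(f"ip_id {s.ip_id} out of sequence after {last_ip_id}")
        if html_closed and s.payload.strip():
            reasons.append("data after </html>")
        m = SCRIPT_SRC.search(s.payload)
        if m:
            host = m.group(1).decode("ascii", "replace").lower()
            if host != server_domain and not host.endswith("." + server_domain):
                reasons.append(f"<script src> points to third party {host}")
        if reasons:
            findings.append((i, reasons))
        else:
            last_ip_id = s.ip_id  # only trusted segments advance the baseline
        if b"</html>" in s.payload.lower():
            html_closed = True
    return findings


# Constructed sample: five genuine segments, then a sixth that copies the
# server's IP and port but carries a redirecting script. 203.0.113.10 is a
# documentation-range address standing in for the real server.
SERVER = ("203.0.113.10", 80)
GENUINE_HTML = [
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><head>",
    b"<title>example</title></head><body>",
    b"<p>page body part 1</p>",
    b"<p>page body part 2</p>",
    b"</body></html>",
]


def build_sample():
    segs = []
    seq = 1000
    for n, chunk in enumerate(GENUINE_HTML):
        segs.append(Segment(*SERVER, ttl=52, ip_id=4100 + n, seq=seq, payload=chunk))
        seq += len(chunk)
    # The forgery: right src/port and the next expected seq (so the client's
    # TCP stack accepts it), but a different TTL and an unrelated IP ID.
    segs.append(Segment(*SERVER, ttl=61, ip_id=9, seq=seq, fin=True,
                        payload=b"<script src=\"http://ads.example.net/inject.js\"></script>"))
    return segs


if __name__ == "__main__":
    for idx, why in find_injected(build_sample(), "example.com"):
        print(f"segment {idx} looks injected: {'; '.join(why)}")
```

    Run against the constructed capture, only the sixth segment is flagged, on all four counts. On a real capture the TTL and IP ID checks are the ones worth trusting first, since they come from the IP header the injector has to fill in itself rather than from the page content.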

    Where have we seen this kind of packet forgery before? If you've been following the controversy surrounding Phorm, a U.K.-based behavioral advertising company, much of this will sound familiar. That's because the method that NebuAd uses to deposit cookies on a user's system is virtually identical to the method described in a Phorm memo that recently landed on Wikileaks, which described Phorm's clandestine trials with U.K. service provider British Telecom (BT). Privacy concerns aside, BT users in the U.K. reported that the injected JavaScript code altered the behavior of some websites and in some cases even caused the user's browser to crash.

    But Phorm's methodology isn't the only technique that NebuAd's system brings to mind. As Robb points out in his paper, “NebuAd exploits [the normal behavior of web browsers] by forging IP packets, allowing their own JavaScript code to be written into source code underlying pages trusted by the web browser.” As such, this packet forging technique can essentially be thought of as a hack and bears more than a passing similarity to a number of malicious attacks, including browser hijacking, Cross-Site Scripting (XSS) attacks and Man-in-the-Middle (MITM) attacks.

    Robb sums the practice up thusly: “NebuAd and ISPs together cooperate in this attack against the intentions of the consumers, the designers of their software, and the owners of the servers that they visit.” In forging TCP packets, NebuAd inserts itself in-between the user and the website in a manner that is appallingly similar to that employed by the common hacker. If a hacker forged TCP packets in order to steal your personal information, that would be illegal. Let's make sure that NebuAd is held to the same standard.

    For more information, be sure to read Robb's paper (PDF Link).