Huawei P30 and P30 Pro, everything you need to know. Huawei's impressive P series is better than ever, and this is an exciting article from the folks over at Android Central, but I don't think they give you everything you need to know. And let me talk about that a little bit more in detail and from a security aspect, and that's what I wanted to cover here. So, CIA issues warning over Huawei. Politics, politics, politics. Did they give us any detail? Probably not. The US shared claims of Britain and other parameters and the Five Eyes Intelligence, et cetera, with UK entering final stage of review next generation and I'm not gonna go into depth on that because I care about the facts. I care about what we can see. What is public information that's available or that we can use tools that we have at our hands to dig into these pieces of information. And that's exactly what PE3ZX Huawei Blocklist is. This is on GitHub, I'll leave links to all this. Doing some security research this person was. Very fascinating here because they took a brand new purchase from Thailand, a Huawei P30 Pro phone, and noted all the Chinese, including .gov, connections that are made from this phone. So domain names on master.txt are captured from DNS requests from a Huawei P30 Pro purchased in Thailand, all domains located in China or have IP addresses with China's ASNs. ASN is the system by which we understand who owns what IP address. The blocklist may include test domains from Baidu and QQ.com by relying on Technique and update.py to verify location names. See domains such as Tencent Cloud and HWCDN are not flagged. I will find a way to fix this issue later now. This is one of the things important about when you're doing any type of security: being absolutely clear about the methodologies that you used. So there's even a follow up which is provide environment factors related to this research, which they did. 
So you can read through and cover exactly how they came over this list. And this is obviously where things get concerning is what are these phones doing? Much of the data that gets sent is encrypted over TLS these days. Therefore, we may only see the connections. We're seeing that metadata but not the actual meat that's going on there. But it's obviously the first level of concern is why does my phone talk to China? Should my phone talk to China? It has a lot of access. What attack vector is this? What risks are there to have nation states that have full access to something on the phone? I think that's quite concerning. And obviously you can have your own concerns with Google and places like that. But I figured why not do this test myself on my Pixel 2 phone and figure out where it's contacting? So I did. And I wanna cover the methodologies that I used as well to get this information and figure out where my phone is going. So first is I'm using pfSense. Don't make any videos on this. And I went over here to Diagnostics and I chose LAN, because that's the LAN where my phone lives. The IP address of my phone is 192.168.3.31. It's a Pixel 2 XL. We set the count to zero and then we started a packet capture. But just before I started the packet capture, I turned my phone off. That way there's no connections and then started the packet capture, powered my phone on and downloaded the capture. Next step after that is Wireshark. So here we can see the Wireshark capture of the phone. So this is only, you know, not over a long time, but over what we got here, about 102 seconds of capture. So the Pixel 3 XL if you didn't know, or Pixel 2 XL if you didn't know, boots up really fast. So, but the packet capture starts at the time of capture when it started seeing traffic. So it sees graphically quickly. Long story short, this is a packet capture, but not for over like a day's time to see if there's anything that happens. Like it pings at 11 p.m., some weird server. 
I'll do something more in depth later, but nothing, I've so far researched my phone and found no weird connection, especially not to China. And one of the other things I want to point out right away when you start looking at the protocols, TLS 1.2, TLS 1.2, GQUIC, GQUIC, these are all encrypted transmission. So there are a few pieces that may not be, but for the most part, everything in here is encrypted, but we can collect that metadata. The metadata we're collecting here is the actual queries of where it went. So we're gonna go over here, Statistics, Endpoints, because that's the ultimate one. Where are all the endpoints that this contacted? So here's just a nice summary of the packets and the IPs that went through and let's dig into them. So nice thing is, you just go here to copy, and we're gonna copy it as a CSV. Move my head out of the way that the CSV's right here. So we copy it as a CSV, and then we just open up LibreOffice, drag it on over here, and we'll just go Edit, Paste. And these are comma separated, so right here it changes it to easy import. So there we go. Now we have a summary of IP addresses. Let's run down here though real quick. Purge out IP addresses that aren't public because they're not relevant. So these are the local connections that it's seen, local lookups. I did find it interesting, my phone on boot checks two IP addresses that are relative to my home in the 192.168.1 range, because we started at the three range at the office here. So interesting that I picked those up, but they're not ones we wanna look up for ASN. And we don't really need, but I'll leave them in here anyways. We'll give an error on those couple broadcast addresses. Then we're gonna go over here to this handy website, bulk IP to ASN lookup. I'll leave a link to this. This was a handy utility. 
I know I could have done all this from the command line because as CSV I could have parsed it and run a script that does a reverse lookup and pulled the same information. You're not wrong. I just wanted to make it easy and accessible because a lot of people have access to LibreOffice and this website copy pasta to get ASNs makes it real easy. So now we can dig into where do those IP addresses that Tom has go. All right, here's all the IP addresses. Google, not shocking, 8.8.8.8, that's Google's DNS. Amazon, yes, I have the Amazon app loaded on there. So maybe in fact I got a couple of them loaded. Amazon Prime, the Amazon Fire Stick Controller. So I'm gonna expect these Amazon ones to be on there. But the first ones that caught my eye that weren't Amazon were Linode. I mean, I expected I do have a Twitter app loaded. I have the Facebook Messenger loaded but not the Facebook app. So it does reach out to Facebook. Google, Google. The one Comcast one I'm going to let you know too, that's a Plex server, so I know what that is. But these Linode ones, what weird thing would it be contacting from Linode on there? So once again, we can just go ahead and copy, open up Shodan, just be an investigative here. Look up this, you found this and we will zoom in if I can and read what the, because it does have an SSL cert, which those can be really handy to figure out where things are. And it turns out it's, the reverse DNS lookup is for pocketcast.com, which is an app that's on my phone. So okay, that seems legit. And nothing else of really interest here. Like I said, it's a short list here of IP addresses. And of course, like I said, it doesn't look up those broadcast addresses that are at the bottom. So those are just sitting here with no result because of the broadcast. But this is an interesting way you can dig into and look into the things being looked up and what might be where your phone's going. 
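The command-line version of the procedure just described (copy the Wireshark Endpoints table as CSV, purge the non-public and broadcast addresses, map what is left to ASNs, then flag what you cannot account for), and the country-of-ASN check the PE3ZX blocklist applied to its captured domains, as one added example. This is not code from the video or from the blocklist project. It assumes Wireshark's endpoint CSV column layout, and the ASN table and the CSV rows are constructed sample data (documentation prefixes standing in for public addresses, plus the real 8.8.8.8 that the video mentions); a real run would read the CSV you exported and a real prefix-to-ASN feed.

```python
"""Triage a Wireshark "Statistics > Endpoints" CSV export by ASN.

Added example; not the video's or the blocklist project's code.
Steps mirror the transcript: drop non-public addresses, map each public
address to an ASN and owner, then list the ASNs you cannot account for
and the ones whose country you want to watch (the blocklist flagged CN).
"""
import csv
import io
import ipaddress

# Constructed ASN table: (prefix, ASN, owner, country).
# 8.8.8.0/24 -> AS15169 (Google) is real; the RFC 5737 documentation
# prefixes below stand in for public allocations and are hypothetical.
ASN_TABLE = [
    (ipaddress.ip_network("8.8.8.0/24"), 15169, "Google", "US"),
    (ipaddress.ip_network("198.51.100.0/24"), 64500, "ExampleApp-CDN", "US"),
    (ipaddress.ip_network("203.0.113.0/25"), 64501, "ExampleHost", "US"),
    (ipaddress.ip_network("203.0.113.128/25"), 64502, "ExampleCloud-CN", "CN"),
]

# Constructed sample export in Wireshark's endpoint CSV layout (assumed columns).
SAMPLE_CSV = """\
"Address","Packets","Bytes","Tx Packets","Tx Bytes","Rx Packets","Rx Bytes"
"192.168.3.31","410","61233","210","21000","200","40233"
"192.168.1.1","6","900","3","450","3","450"
"192.168.3.255","3","600","0","0","3","600"
"255.255.255.255","2","400","0","0","2","400"
"8.8.8.8","24","3100","12","1000","12","2100"
"198.51.100.10","120","18000","60","9000","60","9000"
"203.0.113.20","15","3000","7","1500","8","1500"
"203.0.113.200","9","1200","4","600","5","600"
"192.0.2.7","2","300","1","150","1","150"
"""

# Ranges the video purges by hand: RFC 1918, loopback, link-local,
# multicast, "this network" and limited broadcast. Subnet-directed
# broadcasts such as 192.168.3.255 fall inside the RFC 1918 block.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4",
    "0.0.0.0/8", "255.255.255.255/32",
)]


def public_addresses(csv_text):
    """Return the public addresses from an endpoints CSV, in file order."""
    out = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            addr = ipaddress.ip_address(row["Address"])
        except ValueError:
            continue  # non-IP rows (e.g. an Ethernet tab pasted by mistake)
        if not any(addr in net for net in NON_PUBLIC):
            out.append(addr)
    return out


def lookup_asn(addr, table=ASN_TABLE):
    """Longest-prefix match of addr against the table; None if unknown."""
    best = None
    for net, asn, owner, country in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn, owner, country)
    return None if best is None else best[1:]


def triage(csv_text, expected_asns, flag_countries=("CN",), table=ASN_TABLE):
    """Return (unexpected, flagged): lists of (address, asn, owner, country).

    expected_asns: ASNs you can explain (your resolver, apps you installed).
    flag_countries: ASN countries to call out, as the blocklist did for CN.
    An address with no table hit is reported as unexpected with ASN None.
    """
    unexpected, flagged = [], []
    for addr in public_addresses(csv_text):
        hit = lookup_asn(addr, table)
        asn, owner, country = hit if hit else (None, "unknown", "??")
        rec = (str(addr), asn, owner, country)
        if asn not in expected_asns:
            unexpected.append(rec)
        if country in flag_countries:
            flagged.append(rec)
    return unexpected, flagged


if __name__ == "__main__":
    # Google DNS and the app CDN are accounted for; everything else is a question.
    unexpected, flagged = triage(SAMPLE_CSV, expected_asns={15169, 64500})
    for rec in unexpected:
        print("unexpected:", rec)
    for rec in flagged:
        print("flagged:", rec)
```

The unexpected list is the starting point for the Shodan and reverse-DNS step in the video: each entry is an owner you have not yet tied to an app on the phone. Unknown addresses (no prefix in the table) are deliberately reported rather than dropped, since a gap in your ASN data is not evidence that the destination is benign.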
It's kind of a fun little dive into the start of research and how someone came up with this blocklist. Here, obviously I'll note the exception that we don't know some of the 4G information. So if the phone were to send out a separate packet over 4G, we would have to take out the SIM card and force it then, but maybe it has, maybe we go nefarious further and say it detects when the 4G's often doesn't make these queries cause it's trying to hide things from you. Yeah, when you don't have clear access to full source code, this is a problem. But it is concerning that Huawei's, you know, obviously they're not being secretive about this because they would mask it in some other way or set up a Linode proxy that sends it back over to China, but they're doing nothing of the such. It openly reaches out to these IP addresses. So I found this interesting, but I wanted to make sure you understood some of the methodologies that could be used to detect this in case you wanna know where does your phone go or any device really, IoT, whatever device you wanna test. This is an easy way to test it inside pfSense. You just go to Diagnostics, Packet Capture. I'll leave a link to this cause this is just handy between the tools used, you know, LibreOffice, packet capture, Wireshark, all these are for utilities you can use. And of course, if you're already running pfSense or whatever you wanna do for the packet capture, it's a great way to do it and makes life a lot easier. That's about it. And I will note I did full, in case anyone didn't notice, I had full packet capture when I did this cause I wanted everything, even though we're not really tracing out too much in Wireshark. But always, you know, never be afraid to take a look at your devices and ask that question where they're going and stop and do that, you know, even once more. 
Maybe you get an app on there that is doing this, but you know, it's through these security researchers that we start to discover as we start to dig into what these things are doing. So it's always interesting. It may not be nefarious at all. Maybe just their policy to have statistics because there is such a mix of government slash private business with any of these companies in China. They don't have that separation of private company versus government. They're kind of one and the same. And maybe it's your policy that these have statistics so they understand sales better. Maybe it's not nefarious at all as we don't know the traffic is going across but we do know that it's going there. So that raises at least some levels of concern. And you know, you can go back and dig into the politics and spin your head around this. Maybe there is something to what the CIA is saying and the US government is saying about Huawei, but hey, keep your tinfoil hat tight and feel free to continue this on in our discussion forums. Thanks. Thanks for watching. If you liked this video, give it a thumbs up. If you want to subscribe to this channel to see more content, hit that subscribe button and the bell icon and maybe YouTube will send you a notice when we post. If you want to hire us for a project that you've seen or discussed in this video, head over to lawrencesystems.com where we offer both business IT services and consulting services and are excited to help you with whatever project you want to throw at us. Also, if you want to carry on the discussion further, head over to forums.lawrencesystems.com where we can keep the conversation going. And if you want to help the channel out in other ways, we offer affiliate links below which offer discounts for you and a small cut for us that does help fund this channel. And once again, thanks again for watching this video and see you next time.