Balenaetcher has used 150gb of network date?! Security issue!

Hi guys, I’m hoping for an answer. In the last 30 days balenaetcher has apparently used 150gb of my internet connection. I would never have seen it if I hadn’t been using a metered connection.

How and why should balenaetcher be using any of internet connection. I’m not using balena cloud. I’m using the free version of the writing tool. And I’ve only used it to make two Pop Os! Disks and one raspberry pi SD in that period.

Very concerned at this stage. Is this malware? Should I be wary of a data breach? Is that traffic my data being uploaded? Is there a crypto miner in this package?

I have been using the genuine installer from your direct source.

Version 1.5.33-64 downloaded on the 7th of May 2019.

Hi, we’re looking into it to see what might have caused so much usage. We’ll get back to you as soon as we find what’s using the most data

How and why should balenaetcher be using any of internet connection

Just a note on this: we do have online content - the featured project you see when flashing is an example, so we want to make sure it’s as tiny as possible

Can confirm on windows 10,
Etcher version 1.5.39

I have probably flashed around 40 images to sd cards and emmc memory modules in the last month so my usage has been high. But this is enough usage to upload all the images combined. (I am sure that is not what is happening)

image

I couldn’t find any connection when it was just sitting there, but when writing this is what shows up:

Also observing with Resource Monitor breaks the flash:
-Edit this now seems to be for all sd cards and all images that I was flashing yesterday.

image

Good luck Etcher team!

–Update:
I upgraded to Etcher to 1.5.52 and closed a troublesome program,
(win32 diskimager) and it seems to be working again, I think this is unrelated to the data issue)

1 Like

So, those addresses in your activity monitor to me like IP addresses and Mac addresses. Especially the googleusercontent, that IP address string on the start of that one? Is that your personal IP address.

Using something like “what is my IP” as a google search will tell you your personal external real world IP address. I’m lot asking you to dox yourself. But I’m curious, what content is being streamed into our machines?

I’m about to look up 2606: and 2607: I’m curious if they are port numbers in router aimed at devices on the network.

Ok if I’m reading this right 2606 is a vulnerable open port normally reserved for Dell net monitoring. What ever is transmitting data on that port I have no idea…

Similar for port 2607, is your machine a dell?

Going through the list of connections from your screencap (I wish had the foresight to snap my own when I discovered the data usage.) I’ve done some basic research for each.

  1. 2606:4700:30::681f:529d

Apparently is cloudflare, which isn’t actually
Helpful as that could just be anyone on the end of a cloudflare service.

https://www.ip-tracker.org/locator/ip-lookup.php?ip=2606:4700:30::681f:529d

  1. hwcdn.net

https://transparencyreport.google.com/safe-browsing/search?url=hwcdn.net%2F

  1. compute-1.amazonaws.com

A rentable instance of cloud computing using the amazon servers.

  1. 1e100.net
    2600:1901:0:498c::
    Bc.googleusercontent.com
    2607:f8b0:4003:c06::22e

All of the above are different connections to google data and cloud computing services. Bc.googleusercontent Specifically for programmers to run cloud based code and applications. And IP address 2707… is a set of google mail servers.


https://www.abuseipdb.com/whois/2600:1901:0:498c::

I’m not too concerned by the locations, I’m still really confused how Balenaetcher can have used so much of my computer network resources.

  • was anything downloaded or uploaded to my machine?
  • are my files and data safe?
  • were you using my computer resources for anything equating to distributed processing? Like cryptomining, or another node for cloud computing?

150gb is really excessive, and in Australia mobile data like that isn’t cheap. But I’m not as worried about that as much as I am wanting to know if my personal data is safe.

Thank you for your time, I hope this hasn’t come across as accusatory I’m simply looking for answers.

More data to help the etcher team get to the bottom of this.

Etcher as it starts up:


Etcher during a flash:

Etcher at the end of a flash:

I also captured the traffic with wire-shark this time, and if a Balena engineer wants to dig thru it please PM me.

No this wasn’t, I don’t know why that IP is displayed like that, but those are all external IPs.

No it is not, it is ASUS.

This makes sense to me. Etcher serves really light ads while it flashes your SD. Cool ads, but ads none the less. I don’t care but I image they are served thru the cloudflair network. However, it is weird that there is a google address in there. I am used to google tracking everything, mabye they are just using google anaylitics though.

Based on the usage I saw I think download things not upload anything. I think there is a bug where it fetchs something over and over again and really racks op the usage.

Now if I thought Balena was evil or unethical this could be true, but I don’t notice CPU usage or GPU usage. However, if their distribution pipeline has been hacked this could still be true if a third party injected code into BalenaEtcher.exe

I completely agree, and I would kinda like an answer from Balena around this to just resolve all concerns of something worse than a simple bug going on.

1 Like

Thank you so much for the update.

Also for more clarity on my case whatever is happening is happening is also when an etch isn’t taking place. During that entire time I hadn’t run more than 7 active etches for that 30 day period. But the system was on, unattended (its my workstation laptop in office, and I had assumed in sleep mode), but the software open and left running post etch.

@thundron have you found any info? Or heard back from any of the other devs?

No news yet. @tacLog do you still experience high data usage with the latest version? We also have a fix coming in the next week(s) that should reduce data usage for the windows portable version. I’d also suggest disabling auto-updates and data-reporting (settings page) and monitor it again

It has used 2gb since I last checked it. Now my usage is probably high. (Around 30 flashes a week, running it 24 in the background) but this still seems to be an issue. I reset the data usage metrics in windows to get a more accurate gauge and I will report back next week.

Currently Balena is blocked by my firewalls, I couldn’t afford to risk having it open to my network if that much cellular data was going to be used. But I also haven’t written more than one image file since.