Balenaetcher has used 150gb of network date?! Security issue!

Hi guys, I’m hoping for an answer. In the last 30 days balenaetcher has apparently used 150gb of my internet connection. I would never have seen it if I hadn’t been using a metered connection.

How and why should balenaetcher be using any of internet connection. I’m not using balena cloud. I’m using the free version of the writing tool. And I’ve only used it to make two Pop Os! Disks and one raspberry pi SD in that period.

Very concerned at this stage. Is this malware? Should I be wary of a data breach? Is that traffic my data being uploaded? Is there a crypto miner in this package?

I have been using the genuine installer from your direct source.

Version 1.5.33-64 downloaded on the 7th of May 2019.

Hi, we’re looking into it to see what might have caused so much usage. We’ll get back to you as soon as we find what’s using the most data

How and why should balenaetcher be using any of internet connection

Just a note on this: we do have online content - the featured project you see when flashing is an example, so we want to make sure it’s as tiny as possible

Can confirm on windows 10,
Etcher version 1.5.39

I have probably flashed around 40 images to sd cards and emmc memory modules in the last month so my usage has been high. But this is enough usage to upload all the images combined. (I am sure that is not what is happening)


I couldn’t find any connection when it was just sitting there, but when writing this is what shows up:

Also observing with Resource Monitor breaks the flash:
-Edit this now seems to be for all sd cards and all images that I was flashing yesterday.


Good luck Etcher team!

I upgraded to Etcher to 1.5.52 and closed a troublesome program,
(win32 diskimager) and it seems to be working again, I think this is unrelated to the data issue)

1 Like

So, those addresses in your activity monitor to me like IP addresses and Mac addresses. Especially the googleusercontent, that IP address string on the start of that one? Is that your personal IP address.

Using something like “what is my IP” as a google search will tell you your personal external real world IP address. I’m lot asking you to dox yourself. But I’m curious, what content is being streamed into our machines?

I’m about to look up 2606: and 2607: I’m curious if they are port numbers in router aimed at devices on the network.

Ok if I’m reading this right 2606 is a vulnerable open port normally reserved for Dell net monitoring. What ever is transmitting data on that port I have no idea…

Similar for port 2607, is your machine a dell?

Going through the list of connections from your screencap (I wish had the foresight to snap my own when I discovered the data usage.) I’ve done some basic research for each.

  1. 2606:4700:30::681f:529d

Apparently is cloudflare, which isn’t actually
Helpful as that could just be anyone on the end of a cloudflare service.



A rentable instance of cloud computing using the amazon servers.


All of the above are different connections to google data and cloud computing services. Bc.googleusercontent Specifically for programmers to run cloud based code and applications. And IP address 2707… is a set of google mail servers.

I’m not too concerned by the locations, I’m still really confused how Balenaetcher can have used so much of my computer network resources.

  • was anything downloaded or uploaded to my machine?
  • are my files and data safe?
  • were you using my computer resources for anything equating to distributed processing? Like cryptomining, or another node for cloud computing?

150gb is really excessive, and in Australia mobile data like that isn’t cheap. But I’m not as worried about that as much as I am wanting to know if my personal data is safe.

Thank you for your time, I hope this hasn’t come across as accusatory I’m simply looking for answers.

More data to help the etcher team get to the bottom of this.

Etcher as it starts up:

Etcher during a flash:

Etcher at the end of a flash:

I also captured the traffic with wire-shark this time, and if a Balena engineer wants to dig thru it please PM me.

No this wasn’t, I don’t know why that IP is displayed like that, but those are all external IPs.

No it is not, it is ASUS.

This makes sense to me. Etcher serves really light ads while it flashes your SD. Cool ads, but ads none the less. I don’t care but I image they are served thru the cloudflair network. However, it is weird that there is a google address in there. I am used to google tracking everything, mabye they are just using google anaylitics though.

Based on the usage I saw I think download things not upload anything. I think there is a bug where it fetchs something over and over again and really racks op the usage.

Now if I thought Balena was evil or unethical this could be true, but I don’t notice CPU usage or GPU usage. However, if their distribution pipeline has been hacked this could still be true if a third party injected code into BalenaEtcher.exe

I completely agree, and I would kinda like an answer from Balena around this to just resolve all concerns of something worse than a simple bug going on.

1 Like

Thank you so much for the update.

Also for more clarity on my case whatever is happening is happening is also when an etch isn’t taking place. During that entire time I hadn’t run more than 7 active etches for that 30 day period. But the system was on, unattended (its my workstation laptop in office, and I had assumed in sleep mode), but the software open and left running post etch.

@thundron have you found any info? Or heard back from any of the other devs?

No news yet. @tacLog do you still experience high data usage with the latest version? We also have a fix coming in the next week(s) that should reduce data usage for the windows portable version. I’d also suggest disabling auto-updates and data-reporting (settings page) and monitor it again

It has used 2gb since I last checked it. Now my usage is probably high. (Around 30 flashes a week, running it 24 in the background) but this still seems to be an issue. I reset the data usage metrics in windows to get a more accurate gauge and I will report back next week.

Currently Balena is blocked by my firewalls, I couldn’t afford to risk having it open to my network if that much cellular data was going to be used. But I also haven’t written more than one image file since.


Since my last message. Etcher has used a reasonable 83 MB of my data.
Etcher has been left running more or less 24/7 with 10-40 flashes.

On version 1.5.52 I no longer see this issue.

I think this can be closed now @Kandyman
You should be safe to unblock etcher, but I also don’t see why you would want to given it doesn’t need internet to work.

I would love to know what happened one day, but I know that that might never come to light.


@thundron thank you for following up.

Hmmm so no one had any theories in the cause of the issue? Nothing? As I said my main concern is personal privacy of my files. That’s my main work machine. So it’s got all office materials on it.

@kandyman Well since 1.5.33 (the version where this was reported) we made a bunch of changes, including improvements to the auto-update check which we noticed wasn’t really polished (and could probably use some more refinement) so my thoughts primarily go to that.
As for privacy concerns: users who opt-in for analytics shall know that all data we gather is anonymous and as such it’s not really a big deal from a privacy point of view (it’s a big deal for us in order to improve the application though!).
You can always opt-out whenever you want in the settings page and if you notice any connections being made to external services it’s because of two external contents we load from another (balena) source: the success-banner seen at the end of a flash and the featured projects that show when you’re flashing (if you’re connected to the internet), which should use just some data when you first open Etcher (since they have to load) and then nothing more.
Which actually makes me think what would happen if you kept closing/opening Etcher continuously as opposed to keeping it open, now that I’m writing this. This could be another nice test to do actually