Xbox One – Network Scans and Traffic Analysis

This week we are returning back to our analysis of the Xbox One and checking out some of the data we gathered during the last post.  I know some folks were very interested in what we are doing with the Xbox and I apologize for the delay.  We decided to push back this post due to some excitement over healthcare.gov and its security.

First, let's take a look at how this system shows up in an nmap scan.  It turns out that we only have one network port listening on the network: TCP port 2869.  nmap wasn't able to recognize the service, but some hunting around online appears to indicate that this is related to UPnP or media sharing.  I'll be looking at that closer in another post.  The operating system detected was something that I was interested in.  nmap returns this as running Windows 7, Windows 2008 or Windows 8.  You can download the .nmap file of the scan here.  Altogether this isn't too exciting, but it is interesting to see that the Xbox One has enough similar network behavior to come back as a Windows OS.  It was something I had expected, but I was curious to see if Microsoft had gone a different route with the console.

The traffic analysis has been taking quite a bit of time.  So far I've captured several gigabytes of data with the Xbox One in different conditions.  The states I've looked at are:

  • Initial startup and configuration
  • Registering the device with Xbox Live
  • During an OS update
  • Xbox One powered down over night
  • Startup and shutdown
  • While changing settings and watching trailers

There have been a few things that I didn't expect to see along the way, but for the most part anything sensitive is sent via HTTPS.  At least I haven't found anything sensitive being transmitted in the clear yet.  As a consumer I find that to be a good thing.  I also was happy to see that while it was idle and powered down there wasn't any information moving around behind the curtain.  Normally, I would expect a device that is powered off to not do anything.  However, I can power up the Xbox One by saying "xbox on", so it's obviously running on some level all the time.

I did find a couple of odd things that I didn't expect.  The first were some weird DNS queries.  For whatever reason, the Xbox One went looking for some host named "cfiadhjcfuuagwb" under a couple of different domains.  This occurred during the initial setup of the machine.  While I don't find this worrying, I did wonder what the heck it was doing.

The next unexpected item was that the Xbox One does not provide any place for me to enter information about a proxy server, but it does make wpad queries on the network.  So while I may not be able to configure a proxy from the console itself, I might be able to use wpad to get the Xbox One to run through a proxy.  This would be incredibly useful, since so much information runs through HTTPS.  The question of course is how would the Xbox One respond to the proxy's CA certificate?  Will it stop because it's an unknown CA or will it continue on?  More to come on that later.
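Both oddities above (the generated-looking hostname queried under several domains, and the wpad lookups) are easy to pick out of a capture with a little scripting.  The following Python is an added example, not code from the original post: it parses constructed tcpdump-style DNS query lines (placeholder domains) and flags wpad queries, which are a redirection risk if a rogue host on the LAN answers them, together with random-looking hostnames; the consonant-run heuristic is an assumption of this example, not something the post describes.

```python
import re
from collections import defaultdict

# Constructed sample of DNS query log lines (not from the original capture),
# loosely modelled on "tcpdump -n port 53" output. Domains are placeholders.
SAMPLE_DNS_LOG = """\
19:02:11.103 IP 192.168.1.50.51234 > 192.168.1.1.53: 1+ A? cfiadhjcfuuagwb.home.example. (34)
19:02:11.104 IP 192.168.1.50.51235 > 192.168.1.1.53: 2+ A? cfiadhjcfuuagwb.corp.example. (34)
19:02:12.210 IP 192.168.1.50.51236 > 192.168.1.1.53: 3+ A? wpad.home.example. (30)
19:02:13.401 IP 192.168.1.50.51237 > 192.168.1.1.53: 4+ A? xboxlive.com. (30)
19:02:14.520 IP 192.168.1.50.51238 > 192.168.1.1.53: 5+ AAAA? login.live.com. (32)
"""

# Captures the queried name that follows the record type ("A?", "AAAA?", ...).
QNAME_RE = re.compile(r"\s(?:A|AAAA|CNAME|PTR)\?\s+([A-Za-z0-9.-]+)\.\s")

def max_consonant_run(label):
    """Length of the longest run of consecutive consonants in a DNS label."""
    best = run = 0
    for c in label.lower():
        if c.isalpha() and c not in "aeiouy":
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best

def looks_random(label):
    """Heuristic (assumed, not from the post): a long label containing an
    unpronounceable consonant cluster is probably machine-generated."""
    return len(label) >= 10 and max_consonant_run(label) >= 4

def triage_dns_log(text):
    """Return {hostname: {"suffixes": [...], "flags": [...]}} for every query.
    Flags: 'wpad' (proxy auto-discovery; a rogue answer can redirect the
    client's traffic) and 'random-looking' (generated label such as a
    connectivity probe, typically queried under each DNS search suffix)."""
    seen = defaultdict(set)
    for line in text.splitlines():
        m = QNAME_RE.search(line)
        if m:
            host, _, suffix = m.group(1).partition(".")
            seen[host].add(suffix)
    report = {}
    for host, suffixes in seen.items():
        flags = ["wpad"] if host.lower() == "wpad" else []
        if looks_random(host):
            flags.append("random-looking")
        report[host] = {"suffixes": sorted(suffixes), "flags": flags}
    return report
```

Running `triage_dns_log(SAMPLE_DNS_LOG)` reports the generated hostname with both suffixes it was tried under and the wpad lookup, while ordinary names such as xboxlive pass without flags.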

So there you have round two with the Xbox One.  I'm still gathering a lot of information, but it has been interesting to see more of how the Xbox One works and to verify how it is transmitting data.  The next installment of this project will be coming soon.

Jason Wood is a Principal Security Consultant at Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at jason@secureideas.com or visit the Secure Ideas – Professionally Evil site for services provided.

2 thoughts on “Xbox One – Network Scans and Traffic Analysis”

  1. I've heard of the random domain requests before; I think it was Windows checking whether it had an internet connection.

    I'd guess it is random to stop it being a predictable attack vector.
