Saturday, September 7, 2019

Fine, I'll enable IPv6

This is a follow-up to my previous post on preparing my Ubuntu 19 system for travel. I've had to re-enable IPv6 on my Ubuntu laptop for a couple of reasons which I'll discuss below. This wouldn't normally be post-worthy, except to help anyone else seeing the same errors due to disabling IPv6.

GPSd wants it

I've needed to run GPSd recently to work with a USB GPS device. Apparently GPSd really wants to bind to an IPv6 address. There's probably a way to make it not want this, but since I have other reasons to use IPv6 anyway, I'll just go ahead and enable it.

Just in case someone else comes across this error, here are the log messages that tipped me off:
gpsd.socket: Failed to listen on sockets: Cannot assign requested address
and
gpsd:ERROR: can't bind to IPv6 port gpsd, Cannot assign requested address

6LoWPAN

The 6 in 6LoWPAN means IPv6. There are some 6LoWPAN challenges at the Wireless CTF, and I'll need to be able to speak IPv6 to complete them (at least the challenges that require TX).

FYI: the device I'm using for 6LoWPAN is the openlabs 802.15.4 radio for the Raspberry Pi.

Do The Thing

Anyway, if you've disabled IPv6 via sysctl.conf, make sure the following lines are commented:
#net.ipv6.conf.all.disable_ipv6=1
#net.ipv6.conf.default.disable_ipv6=1
#net.ipv6.conf.lo.disable_ipv6=1

Sunday, July 28, 2019

Preparing Ubuntu 19 for travel

These are the steps I take to prepare my Ubuntu system for travel. It's far from a complete list, but I think these preparations will help reduce risks before using your system away from home.

I'm assuming you've already done the basic cyber hygiene stuff like FDE, strong passwords, lock-screen, etc.

1. Disable Avahi

Avahi is an MDNS service. Here's a description from avahi.org:
Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. This enables you to plug your laptop or computer into a network and instantly be able to view other people who you can chat with, find printers to print to or find files being shared.
Yeah, no thanks.  Let's disable that.
sudo systemctl disable avahi-daemon.service
sudo systemctl disable avahi-daemon.socket

2. Disable CUPS

I don't print from this computer so I don't need CUPS. CUPS runs a listening socket that I don't need and it also tries to start Avahi, so it's an unnecessary risk; let's disable it.

sudo systemctl disable cups.service
sudo systemctl disable cups-browsed.service

3. Disable the NetworkManager connectivity check

By default, NetworkManager is configured to check for captive portals by periodically making HTTP GET requests. In Wireshark you'll see a DNS query for connectivity-check.ubuntu.com, followed by an HTTP GET to http://connectivity-check.ubuntu.com/. This is a dead giveaway to anyone monitoring your traffic that your system runs Ubuntu and NetworkManager.

This can be disabled by adding the text below to /var/lib/NetworkManager/NetworkManager-intern.conf
[connectivity] 
.set.enabled=false

4. Disable IPv6

I have no use for IPv6 on this machine, and since the addresses are unwieldy, their presence makes traffic monitoring more difficult. I think the normal way to disable this is in the kernel via sysctl or sysctl.conf.

net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.lo.disable_ipv6=1

Interestingly, these are already present at the bottom of my /etc/sysctl.conf, but my network interfaces still get IPv6 addresses. Why? If I check the values using sysctl, I can see that it's set for all, default, and lo, but not for my actual interfaces.

ted@a17:~$ sysctl net.ipv6.conf.all.disable_ipv6
net.ipv6.conf.all.disable_ipv6 = 1

ted@a17:~$ sysctl net.ipv6.conf.wlp69s0.disable_ipv6
net.ipv6.conf.wlp69s0.disable_ipv6 = 0

The suggestion in this bug report to add a line to /etc/rc.local didn't work for me at first, but then I found a more complete solution here. Add the following to /etc/rc.local to disable IPv6 at boot time (and make sure the file is executable).

#!/bin/bash
# /etc/rc.local

# Re-apply /etc/sysctl.conf and /etc/sysctl.d/*.conf now that the network
# interfaces exist, so the disable_ipv6 keys reach the real interfaces too.
/etc/init.d/procps restart

exit 0
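As an added example (not part of the original post), here is a small bash script that performs the per-interface check above in one go: it parses the net.ipv6.conf.<iface>.disable_ipv6 lines that sysctl prints and lists every interface where IPv6 is still on, and with --fix it writes the setting to each existing interface directly through /proc. The function names, the --live/--fix arguments and the sample sysctl output are my own constructions.

```shell
#!/bin/bash
# Added example, not from the original post: list interfaces where IPv6 is
# still enabled, and optionally turn it off on each one directly via /proc.
# Function names and the --live/--fix arguments are my own choices.

# Parse "net.ipv6.conf.<iface>.disable_ipv6 = <n>" lines (the format sysctl
# prints for `sysctl -a` or `sysctl net.ipv6.conf`) from stdin and print the
# interface name of every line whose value is 0. Reading stdin keeps the
# parser testable without touching the running kernel.
ipv6_enabled_ifaces() {
    sed -n 's/^net\.ipv6\.conf\.\(.*\)\.disable_ipv6 = 0$/\1/p'
}

# Constructed sample in the shape of the post's output: the all/default/lo
# keys are set, but the real interfaces still have IPv6 on.
SAMPLE_SYSCTL='net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.wlp69s0.disable_ipv6 = 0
net.ipv6.conf.wlp69s0.accept_ra = 1
net.ipv6.conf.enp0s31f6.disable_ipv6 = 0'

# Run the parser over the constructed sample (used when no argument is given).
ipv6_demo() {
    printf '%s\n' "$SAMPLE_SYSCTL" | ipv6_enabled_ifaces
}

# Live audit: exit status 1 if any interface still has IPv6 enabled, so the
# function can be used from a post-boot check.
ipv6_audit_live() {
    enabled=$(sysctl -a 2>/dev/null | ipv6_enabled_ifaces)
    if [ -n "$enabled" ]; then
        echo "IPv6 still enabled on:"
        printf '  %s\n' $enabled
        return 1
    fi
    echo "IPv6 disabled on every interface"
}

# Fix: write the sysctl for each interface that exists right now. Going
# through /proc rather than `sysctl -w` sidesteps the dot-in-name problem
# for interfaces such as VLANs (eth0.100). Needs root.
ipv6_disable_all_ifaces() {
    for f in /proc/sys/net/ipv6/conf/*/disable_ipv6; do
        [ -e "$f" ] || continue
        echo 1 > "$f"
    done
}

case "${1-}" in
    --live) ipv6_audit_live ;;
    --fix)  ipv6_disable_all_ifaces && ipv6_audit_live ;;
    *)      ipv6_demo ;;
esac
```

Run it with no arguments to see the parser on the sample, with --live to audit the running kernel, or with --fix (as root) to apply the setting to every current interface. If an interface flips back to 0 after the fix, check whether NetworkManager is re-enabling IPv6 on the connections it manages; setting ipv6.method to disabled on that profile (nmcli con modify <name> ipv6.method disabled) keeps it off for that connection.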

5. Disable geoclue

This service attempts to geo-locate the host system and shares that information with local applications (including web browsers) over DBUS. If that's not bad enough, it also sends MDNS queries looking for NMEA-0183 servers on the local network. Presumably this means it would connect to such a server if it found one?

I'm pretty surprised this is enabled by default (and more people aren't complaining about it).

sudo systemctl disable geoclue.service

6. Block outbound SSDP

Some applications use SSDP to discover things they can interact with on the network, like IoT TVs and refrigerators and such. Chromium sends out lots of SSDP messages while it's running. Since this isn't a service that can be disabled, and I don't want to configure each application not to send SSDP, let's make a firewall rule to block outbound SSDP.

All the SSDP traffic I'm seeing from my machine has a UDP destination port of 1900. Execute the following command to add a firewall rule to block it.

sudo ufw deny out 1900/udp

7. Remove saved WiFi networks

This serves two purposes. First, to prevent your system from sending out 802.11 probe requests, which leak information about where you've been and the networks you've connected to. Second, to prevent your system from automatically connecting to any networks. To do this, we'll remove all saved network connections at boot time.

Add the following to /etc/rc.local to remove all saved 802.11 network connections at startup:

# Delete every saved Wi-Fi connection profile. nmcli -t prints "TYPE:UUID"
# per line; only 802-11-wireless profiles are removed.
while IFS=: read -r type uuid
do
    if [ "$type" = "802-11-wireless" ]; then
        nmcli con delete uuid "$uuid"
    fi
done < <(nmcli -t -f TYPE,UUID conn)

Note: I adapted the above from this stackoverflow answer.

8. Make sure Bluetooth and WiFi are disabled at boot

Bluetooth is probably the bigger risk of the two, but let's play it safe and rfkill both at startup. Add the following to /etc/rc.local.
rfkill block all

9. Disable crash reporting

This step is probably optional, but like the previous steps it helps reduce the amount of information your system is leaking about itself.

sudo systemctl disable apport.service
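To verify the checklist after a reboot, here is an added bash script (not from the original post) that reads systemctl listings and reports which of the units disabled in steps 1, 2, 5 and 9 are still enabled, and which are still running, since systemctl disable on its own does not stop a unit that is already active. It also looks for the step 6 ufw rule. The parsers read text from stdin so they can be tried on a pasted listing; the constructed sample output, the function names and the inclusion of cups.socket (which the post does not mention, but which can socket-activate cups.service) are mine.

```shell
#!/bin/bash
# Added example: audit the services this checklist disables.
# Not part of the original post; the unit list mirrors steps 1, 2, 5 and 9,
# plus cups.socket, which is my addition (socket activation can restart cups).

HARDENING_UNITS="avahi-daemon.service avahi-daemon.socket cups.service cups.socket cups-browsed.service geoclue.service apport.service"

# Read `systemctl list-unit-files --no-legend` style lines on stdin
# ("<unit> <state> [<preset>]") and print the checklist units whose state is
# neither disabled nor masked. Units absent from the listing are not reported.
still_enabled_units() {
    awk -v want="$HARDENING_UNITS" '
        BEGIN { n = split(want, u, " "); for (i = 1; i <= n; i++) wanted[u[i]] = 1 }
        ($1 in wanted) && $2 != "disabled" && $2 != "masked" { print $1 }
    '
}

# Read `systemctl list-units --all --no-legend` style lines on stdin
# ("<unit> <load> <active> <sub> <description>") and print checklist units
# that are still active right now.
still_active_units() {
    awk -v want="$HARDENING_UNITS" '
        BEGIN { n = split(want, u, " "); for (i = 1; i <= n; i++) wanted[u[i]] = 1 }
        ($1 in wanted) && $3 == "active" { print $1 }
    '
}

# Constructed sample listings, as they might look when the checklist was only
# partly applied: cups.service was disabled but its socket is still enabled,
# cups-browsed was forgotten, and cups is still running from before.
SAMPLE_UNIT_FILES='avahi-daemon.service disabled enabled
avahi-daemon.socket disabled enabled
cups.service disabled enabled
cups-browsed.service enabled enabled
cups.socket enabled enabled
geoclue.service disabled enabled
apport.service disabled enabled
ssh.service enabled enabled'

SAMPLE_UNITS='cups.service loaded active running CUPS Scheduler
avahi-daemon.socket loaded inactive dead Avahi mDNS/DNS-SD Stack Activation Socket
geoclue.service loaded inactive dead Location Lookup Service'

# Run both parsers over the constructed samples (used when no argument is given).
audit_demo() {
    echo "Still enabled:"
    printf '%s\n' "$SAMPLE_UNIT_FILES" | still_enabled_units
    echo "Still active:"
    printf '%s\n' "$SAMPLE_UNITS" | still_active_units
}

# Live audit against the running system (ufw status needs root).
audit_live() {
    echo "Still enabled:"
    systemctl list-unit-files --no-legend | still_enabled_units
    echo "Still active:"
    systemctl list-units --all --no-legend | still_active_units
    echo "Outbound SSDP rule:"
    ufw status | grep -F '1900/udp' || echo "  (no 1900/udp rule found)"
}

if [ "${1-}" = "--live" ]; then
    audit_live
else
    audit_demo
fi
```

Anything reported under "Still active" can be stopped immediately with systemctl disable --now <unit>, which is what the plain disable commands above leave for the next reboot.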

There's probably more we can do to protect a Ubuntu system from threats while away from home. If I think of anything else I'll make a follow up post.

Sunday, June 23, 2019

TV WiFi Adaptor Hax

I was looking for a cheap 802.11ac USB adaptor based on an MT76 chip when I found some ZDGFMT7612U WiFi boards on eBay. The ZDGFMT7612U is meant to add networking capabilities to a TV, but it includes a USB interface and seems conveniently packaged, so I decided to see if it would work as a normal USB/WiFi adaptor for use with Kismet, etc.

The eBay item description read:
Sharp ZDGFMT7612U P/N: 1178206 Wifi Module Board for LC-55P6000U
Not super helpful, but the back of the board clearly shows the FCC ID 2AJVQ-ZDGFMT7612U.  If you didn't already know, the FCC equipment authorization database contains useful documents about electronic equipment authorized for RF transmission in the United States, including user manuals and internal photographs.
Using the FCC Equipment Authorization Search (EAS) I was able to find the exhibits for this device's authorization application, which include a user manual and internal photos (the search page is a little weird, and I ended up searching by the Grantee Code 2AJVQ and scrolling through the results until I found it).  The internal photos reveal that the ZDGFMT7612U is based on the MT7612U chip from MediaTek, and the user manual has a somewhat helpful pinout for the board's connector.
Looking at the pinout and the wiring harness that came with the board, it looks like pins 3-6 are the USB connection to the host, and pin 7 is the shield for USB cable.  Unfortunately only USB 2 pins are connected.  I de-pinned the pins I don't care about from the white connector going to the board, and spliced a USB A male connector to the other end.  All the colors matched up, so this was pretty easy.
When I plugged the resulting thing into a computer, nothing happened.  No smoke, which is good, but also no wireless device.  After some guesswork and some help from the folks in the Wireless Village Discord, I figured out that the WIFI_REG_ON pin turns on the voltage regulator that converts the 5 volts supplied by USB to the 3.3 volts required by the WiFi chip.  I used a 4.3k resistor to make a pull-up connecting pin 1 to the 5v pad on the board.

Note: The resistor value I chose probably isn't right, and there are probably better ways to do this, but I'm not an EE and it's working so far.  If you have any advice please leave a comment!
After adding the pullup, the device is seen by the Linux kernel and a new wireless interface is added using the mt76x2u driver.  Yay!

[758511.999389] usb 1-1: new high-speed USB device number 5 using xhci_hcd
[758512.150403] usb 1-1: New USB device found, idVendor=0e8d, idProduct=7612, bcdDevice= 1.00
[758512.150409] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[758512.150412] usb 1-1: Product: 802.11a㜵呃䴷NA
[758512.150415] usb 1-1: Manufacturer: MediaTek Inc.
[758512.150417] usb 1-1: SerialNumber: 000000000
[758512.323849] usb 1-1: reset high-speed USB device number 5 using xhci_hcd
[758512.500874] mt76x2u 1-1:1.0: ASIC revision: 76120044
[758512.534205] mt76x2u 1-1:1.0: ROM patch build: 20141115060606a
[758512.871760] mt76x2u 1-1:1.0: Firmware Version: 0.0.00
[758512.871761] mt76x2u 1-1:1.0: Build: 1
[758512.871762] mt76x2u 1-1:1.0: Build Time: 201507311614____
[758513.913630] ieee80211 phy1: Selected rate control algorithm 'minstrel_ht'
[758513.914392] usbcore: registered new interface driver mt76x2u

[758513.951582] mt76x2u 1-1:1.0 wlx40cd7a083350: renamed from wlan0

My next step is to do some performance testing against the venerable AWUS-036AC and see how well it works in monitor mode.  I think the small on-board antennas may put it at a disadvantage (I have no idea what the beam pattern for those things would look like).