I was finally able to decrypt the packets to api-eu-north-1.protect.glasswire.com by setting an environment variable on my workstation to dump the TLS keys on my desktop and using Wireshark to decrypt in real time. It's just a heartbeat. It doesn't look like much info is being sent; I am curious as to why there is a device ID and what they're doing with that. I would rather not have anything sent outside my network. It is also interesting that the type is ACTIVITY. I've tried to click around/modify settings to see if I could trigger this heartbeat but I can't, so I'm not sure if this is sent at a set interval (it looks to be sent exactly every 5 minutes; look at the timestamps in the last 2 photos). I'm still unsure why I couldn't see it when I mitm'd myself, but regardless I'm downgrading.
It says I cannot make 3 posts in a row, so I am editing this one.
Ok, last update, sorry, I'm really bored.
While I'm here I decided to make a Glasswire account (Nick @ Glasswire, if you're reading this, our paths will unfortunately cross once more) and check out what's being sent/received. I'm pretty tired so I'll summarize here and post screenshots of the captures below.
TLDR: It's very possible and extremely likely (according to the privacy statement) that device hardware info is being collected and sent out. Whatever they're collecting (I'm assuming application names, traffic in/out and whatever else) is being sent to them as a gzip. Application names, popularity, traffic in/out are being downloaded, and the application names are encoded somehow (not base64; ran through CyberChef and couldn't figure it out. Probably double encoded or salted.) Also, there was an interesting request to update.glasswire.com for /ads/, which suggests they may roll out ads in the future.
HTTP Posts
/auth/realms/glasswire/protocol/openid-connect/token
Appears to just authenticate or keep your Glasswire account logged in. Includes an access token, expiration time, refresh time and session state.
/api/v1.1/agent/detect/batch
This looks like it's just downloading the statistical values populated for each app, such as popularity, average traffic in/out etc.
/api/v1.1/agent/detect/upload
I'm guessing this is collecting your application names, average traffic in/out etc. It's encoded/uploaded as a gzip.
GET requests
/api/v1.1/agent/update/check
Just checks for updates, value is either 1 or 0 for yes and no.
/ads/
What's interesting here is a GET request to update.glasswire.com for /ads/. The values are empty, but it looks like they may possibly roll out a (free?) version to include ads in the future. If you've read the above responses from the Glasswire staff, you'll see that you cannot opt out of data transmission in the free version, so this may be one way to monetize free users. This is likely a huge reason for migrating to the cloud. I guess we will see.
If you INSIST on using this or future versions of Glasswire, I recommend blocking the following in your hosts file and/or router.
api-eu-north-1.protect.glasswire.com
api-us-east-2.protect.glasswire.com
pivot.protect.glasswire.com
Ok, I guess I'm not done. C:\ProgramData\GlassWire\service-full\stats has lots of files that provide clues as to what's being collected. I ran Sysinternals strings on some of the files; here are the SQL tables being created. It looks like info is being collected at 1 second, 30 second and 10 min intervals.
CREATE INDEX traffic_stats_protocol_idx ON traffic_stats (protocol)
CREATE INDEX traffic_stats_rport_idx ON traffic_stats (remote_port)
CREATE INDEX traffic_stats_rhost_idx ON traffic_stats (remote_host)
CREATE INDEX traffic_stats_app_idx ON traffic_stats (app_id)
CREATE INDEX traffic_stats_timestamp_idx ON traffic_stats (timestamp)
CREATE TABLE traffic_stats (timestamp INTEGER, app_id INTEGER, remote_host BLOB, remote_port INTEGER, remote_host_region BLOB, protocol INTEGER, flags INTEGER, inbound_bytes INTEGER, outbound_bytes INTEGER)
There is also an interesting folder, located at C:\ProgramData\GlassWire\service-full\cloud. Here's the notable info in the database:
CREATE TABLE options (name TEXT PRIMARY KEY, value BLOB)
CREATE INDEX flux_cache_app_idx ON flux_cache(app)
CREATE INDEX flux_cache_timestamp_idx ON flux_cache(timestamp)
CREATE TABLE flux_cache (flow BLOB PRIMARY KEY, timestamp INTEGER, app INTEGER, flux BLOB)
CREATE TABLE traffic_stats_1sec (timestamp INTEGER, data BLOB)
CREATE TABLE detect_stats (app INTEGER PRIMARY KEY, data BLOB)
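As an added example (not from the post above and not GlassWire's own code), a small Python script that opens a SQLite database with the traffic_stats schema quoted from the strings output and summarises what the agent has recorded per remote host, plus the bucket interval the table uses, so you can audit locally what is stored before anything is uploaded. The rows are constructed sample data; the real encoding of the remote_host BLOB is not known from the post, so plain ASCII hostnames are an assumption.

```python
import sqlite3
from collections import Counter

# Schema as quoted from the strings output of the service-full\stats database.
TRAFFIC_STATS_DDL = """
CREATE TABLE traffic_stats (timestamp INTEGER, app_id INTEGER, remote_host BLOB,
    remote_port INTEGER, remote_host_region BLOB, protocol INTEGER, flags INTEGER,
    inbound_bytes INTEGER, outbound_bytes INTEGER)
"""

# Constructed sample rows (hypothetical values, not real GlassWire data): 30-second
# buckets, two apps talking to two hosts. Storing remote_host as plain ASCII bytes
# is an assumption; the real BLOB encoding is unknown.
SAMPLE_ROWS = [
    (1700000000, 1, b"api-eu-north-1.protect.glasswire.com", 443, b"EU", 6, 0, 512, 2048),
    (1700000030, 1, b"api-eu-north-1.protect.glasswire.com", 443, b"EU", 6, 0, 480, 1900),
    (1700000030, 2, b"update.glasswire.com", 443, b"US", 6, 0, 1024, 300),
    (1700000060, 2, b"update.glasswire.com", 443, b"US", 6, 0, 2048, 310),
    (1700000060, 1, b"api-eu-north-1.protect.glasswire.com", 443, b"EU", 6, 0, 500, 2000),
]

def load_sample_db() -> sqlite3.Connection:
    """Build an in-memory database with the quoted schema and the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(TRAFFIC_STATS_DDL)
    conn.executemany("INSERT INTO traffic_stats VALUES (?,?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn

def bytes_per_remote_host(conn: sqlite3.Connection) -> dict[str, tuple[int, int]]:
    """Total (inbound, outbound) bytes the agent has recorded for each remote host."""
    rows = conn.execute(
        "SELECT remote_host, SUM(inbound_bytes), SUM(outbound_bytes) "
        "FROM traffic_stats GROUP BY remote_host"
    )
    return {bytes(h).decode("ascii", "replace"): (inb, outb) for h, inb, outb in rows}

def sampling_interval(conn: sqlite3.Connection) -> int:
    """Most common gap between distinct timestamps, i.e. the bucket size of this table."""
    ts = [t for (t,) in conn.execute("SELECT DISTINCT timestamp FROM traffic_stats ORDER BY 1")]
    gaps = Counter(b - a for a, b in zip(ts, ts[1:]))
    return gaps.most_common(1)[0][0] if gaps else 0

if __name__ == "__main__":
    # On a real machine, point sqlite3.connect() at a copy of a file from the stats folder.
    db = load_sample_db()
    for host, (inb, outb) in bytes_per_remote_host(db).items():
        print(f"{host}: in={inb} out={outb}")
    print("bucket size (s):", sampling_interval(db))
```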