Comment by dlenski

1 day ago

Yeah, this is what's glaringly missing from the article.

Exactly how does Microsoft's device identifier get associated with the ngrok session (normally initiated via its closed-source CLI)?

I can't tell from the article whether Microsoft is doing something underhanded to inject its device identifiers into network traffic, or whether the ngrok client software (again, closed-source!) grabbed the device identifier… and might well do the same on any other OS, using /etc/machine-id on Linux for example.

Since ngrok uses a "freemium" model, it wouldn't surprise me at all if its clients send machine IDs to try to catch users trying to get around its free limits.

> Exactly how does Microsoft's device identifier get associated with the ngrok session

The article has a link to "39-page criminal complaint" PDF, and I'd summarize the prosecution's claims (from sections 21.e, 22, 26) as:

1. The ngrok client was downloaded onto hardware owned by the victims and used by the attacker.

2. The client was later discovered along with an ngrok auth token. (2x0b1363KPV35LCUuZCkJag0G84_2btDjSM5oY82TQuiLZvaz)

3. The ngrok auth data was linked to an ngrok account. (ac_2x0b16MSTJk4PvjLZMoqt4vOvZM)

4. Although a VPN was used by whomever created the ngrok account, the creation-time of the account correlates to Microsoft's telemetry, which indicates that the accused's computer was visiting ngrok sign-up pages.

I work at ngrok, and this is not how our freemium plan works. Free plans limit based on usage alone, not on machine IDs.

  • > I work at ngrok, and this is not how our freemium plan works. Free plans limit based on usage alone, not on machine IDs.

    Thank you! This is not only good to know as an ngrok user myself, but it's also more informative than what's in the article.

    Sounds like we can rule that out as the avenue of detection.

    • For what its worth, this has been swiriling around on socials and i saw someone noted that the guy had been busted for something at age 17, maybe he was on some list?

  • Sure but you still know which connection belongs to which licensed customer which seems to be how this person was identified.

I'm not even clear if it requires Windows. Say if one had a Surface running Arch, would that still be traceable?

Asking for a friend.

from the microsoft store. the ngrok app was downloaded via microsoft store...

  • And then what?

    Does the Microsoft store imprint an identifier into the network traffic of all the binaries downloaded from it?

    And if so, how?

    All of ngrok's traffic is TLS encrypted which means that only the client software and the server/peer should be able to decrypt or modify it.