Bitflips when PCs try to reach windows.com: What could possibly go wrong?

By | March 4, 2021
Stock photo of ones and zeros displayed across a computer screen.

Bitflips are events that cause individual bits stored in an electronic device to flip, turning a 0 to a 1 or vice versa. Cosmic radiation and fluctuations in power or temperature are the most common naturally occurring causes. Research from 2010 estimated that a computer with 4GB of commodity RAM has a 96 percent chance of experiencing a bitflip within three days.

An independent researcher recently demonstrated how bitflips can come back to bite Windows users when their PCs reach out to Microsoft’s windows.com domain. Windows devices do this regularly to perform actions like making sure the time shown in the computer clock is accurate, connecting to Microsoft’s cloud-based services, and recovering from crashes.

Remy, as the researcher asked to be referred to, mapped the 32 valid domain names that were one bitflip away from windows.com. He provided the following to help readers understand how these flips can cause the domain to change to whndows.com:

01110111 01101001 01101110 01100100 01101111 01110111 01110011
w i n d o w s
01110111 01101000 01101110 01100100 01101111 01110111 01110011
w h n d o w s

Of the 32 bit-flipped values that were valid domain names, Remy found that 14 of them were still available for purchase. This was surprising because Microsoft and other companies normally buy these types of one-off domains to protect customers against phishing attacks. He bought them for $126 and set out to see what would happen. The domains were:

  • windnws.com
  • windo7s.com
  • windkws.com
  • windmws.com
  • winlows.com
  • windgws.com
  • wildows.com
  • wintows.com
  • wijdows.com
  • wiodows.com
  • wifdows.com
  • whndows.com
  • wkndows.com
  • wmndows.com

No inherent verification

Over the course of two weeks, Remy’s server received 199,180 connections from 626 unique IP addresses that were trying to contact ntp.windows.com. By default, Windows machines will connect to this domain once per week to check that the time shown on the device clock is correct. What the researcher found next was even more surprising.

“The NTP client for windows OS has no inherent verification of authenticity, so there is nothing stopping a malicious person from telling all these computers that it’s after 03:14:07 on Tuesday, 19 January 2038 and wreaking unknown havoc as the memory storing the signed 32-bit integer for time overflows,” he wrote in a post summarizing his findings. “As it turns out though, for ~30% of these computers doing that would make little to no difference at all to those users because their clock is already broken.”

The researcher observed machines trying to make connections to other windows.com subdomains, including sg2p.w.s.windows.com, client.wns.windows.com, skydrive.wns.windows.com, windows.com/stopcode, and windows.com/?fbclid.

Remy said that not all of the domain mismatches were the result of bitflips. In some cases, the mismatches were caused by typos by people behind the keyboard, and in at least one case, the keyboard was on an Android device, as it attempted to diagnose a blue-screen-of-death crash that had occurred on a Windows machine.

To capture the traffic devices sent to the mismatched domains, Remy rented a virtual private server and created wildcard-domain lookup entries to point to them. The wildcard records allow traffic destined for different subdomains of the same domain—say, ntp.whndows.com, abs.xyz.whndows.com, or client.wns.whndows.com—to map to the same IP address.

“Due to the nature of this research dealing with bits being flipped, this allows me to capture any DNS lookup for a subdomain of windows.com where multiple bits have flipped.”

Remy said he’s willing to transfer the 14 domains to a “verifiably responsible party.” In the meantime, he will simply sinkhole them, meaning he will hold on to the addresses and configure the DNS records so they are unreachable.

“Hopefully, this spawns more research”

I asked Microsoft representatives if they’re aware of the findings and the offer to transfer the domains. The representatives are working on getting a response. Readers should remember, though, that the threats the research identifies aren’t limited to Windows.

In a 2019 presentation at the Kaspersky Security Analysts Summit, for instance, researchers from security firm Bishop Fox obtained some eye-opening results after registering hundreds of bitflipped variations of skype.com, symantec.com, and other widely visited sites.

Remy said the findings are important because they suggest that bitflip-induced domain mismatches occur at a scale that’s higher than many people realized.

“Prior research primarily dealt with HTTP/HTTPS, but my research shows that, even with a small handful of bitsquatted domains, you can still siphon up ill-destined traffic from other default network protocols that are constantly running, such as NTP,” Remy said in a direct message. “Hopefully, this spawns more research into this area as it relates to the threat model of default OS services.”

Update: Lots of commenters have pointed out that there’s no way to be certain the visits to his domain were the result of bit flips. Typos may also be the cause. Either way, the threat posed to end users remains the same.

Update 2: The Microsoft representatives didn’t answer my questions, but they did say: “We’re aware of industry-wide social engineering techniques that could be used to direct some customers to a malicious website.”

Source