Home => More strange network activity from an iPad
Created: May 20, 2021
Updated: May 21, 2021
Updated: May 22, 2021 with additional data from another day
Last June (2020) I blogged about strange network activity that I detected coming from my iPad (see: What is my iPad doing?). Specifically, I detected it making 25 attempts in 14 seconds to contact IP address 10.0.0.146.
The iPad was not on a subnet that started with 10.0.0, so there was no reason for it to communicate with any device whose IP address started with a 10.0.0. It was also strange for using UDP to contact a very high (non-standard) port, number 51625. Apple publishes information about the ports their software uses and there is nothing about port 51625.
This time, I saw similarly strange network activity from someone else's iPad. Like mine, this iPad tried to initiate outbound connections to an invalid IP address.
All IP (version 4) addresses are not the same. While the vast majority exist on the public Internet, a few are set aside for internal use only and will never appear on the public Internet. One group of internal-use-only IP addresses (used on my iPad) are those that start with 10. This iPad was trying to phone home to 192.168.1.71. IP addresses that start with 192.168 are another group reserved for internal use only.
The only way this might make sense is that if the iPads were on Local Area Networks using those subnets. Neither one was. The iPad phoning home to 192.168.1.71, for example, is on a LAN subnet of 192.168.88.x.
Two other things makes this more stranger (more suspicious?).
In both cases the iPads were using UDP rather than TCP. UDP is typically used for VPNs and streaming audio. It is a bit faster than TCP but does not guarantee that all the transmitted bits will arrive at the destination in the right sequence. In fact, it does not guarantee anything which is why TCP is used the vast majority of the time. Also, the status of a UDP port is much harder to detect than the status of a TCP port. Many port scanning apps can report if a TCP port is Open, Closed or Stealthed.
Finally, the UDP port number is a very high number. This means there is no standard usage for the port, it could be used for anything. Destination TCP/IP ports usually have low numbers and a standard usage.
What makes this case really interesting is that the iPad in question had not been touched for a couple days. Literally not touched. It was left behind, at home, when the owner went on vacation.
I had configured the Peplink router in the owners home to block and log any attempts to make an outgoing connection to an IP address that should only be used internally. I have been doing this for quite a while and it has never caused an obvious problem. As I said, requests to internal-use-only IP addresses are not normally sent to the Internet.
Despite no physical contact for days, this iPad has been very insistent, making outbound requests for three straight days. The relevant log entries are shown below. In summary:
May 21st: 10 requests in 5 seconds to UDP port 64452
May 19th: 10 requests in 5 seconds to UDP port 55197
May 19th: 10 requests in 4 seconds to UDP port 55202
May 18th: 10 requests in 5 seconds to UDP port 56727
May 17th: 10 requests in 5 seconds to UDP port 49972
May 22, 2021: After publishing up this on the 20th, the iPad did it again on the 21st and that data has been included above and below.
|Blocked outgoing connections from a sleeping iPad|
May 21 13:38:33 Denied DST=192.168.1.71 ID=33309 PROTO=UDP SPT=54877 DPT=64452|
May 21 13:38:33 Denied DST=192.168.1.71 ID=29969 PROTO=UDP SPT=54877 DPT=64452
May 21 13:38:32 Denied DST=192.168.1.71 ID=42961 PROTO=UDP SPT=54877 DPT=64452
May 21 13:38:32 Denied DST=192.168.1.71 ID=19173 PROTO=UDP SPT=54877 DPT=64452
May 21 13:38:31 Denied DST=192.168.1.71 ID=23023 PROTO=UDP SPT=54877 DPT=64452
May 21 13:38:31 Denied DST=192.168.1.71 ID=61877 PROTO=UDP SPT=54877 DPT=64452
May 21 13:38:30 Denied DST=192.168.1.71 ID=5870 PROTO=UDP SPT=54877 DPT=64452
May 21 13:38:30 Denied DST=192.168.1.71 ID=50524 PROTO=UDP SPT=54877 DPT=64452
May 21 13:38:29 Denied DST=192.168.1.71 ID=148 PROTO=UDP SPT=54877 DPT=64452
May 21 13:38:28 Denied DST=192.168.1.71 ID=17671 PROTO=UDP SPT=54877 DPT=64452
May 19 12:46:27 Denied DST=192.168.1.71 ID=57052 PROTO=UDP SPT=50445 DPT=55197
May 19 12:46:26 Denied DST=192.168.1.71 ID=47113 PROTO=UDP SPT=50445 DPT=55197
May 19 12:46:26 Denied DST=192.168.1.71 ID=53850 PROTO=UDP SPT=50445 DPT=55197
May 19 12:46:25 Denied DST=192.168.1.71 ID=47751 PROTO=UDP SPT=50445 DPT=55197
May 19 12:46:25 Denied DST=192.168.1.71 ID=40773 PROTO=UDP SPT=50445 DPT=55197
May 19 12:46:24 Denied DST=192.168.1.71 ID=36326 PROTO=UDP SPT=50445 DPT=55197
May 19 12:46:24 Denied DST=192.168.1.71 ID=15638 PROTO=UDP SPT=50445 DPT=55197
May 19 12:46:23 Denied DST=192.168.1.71 ID=56759 PROTO=UDP SPT=50445 DPT=55197
May 19 12:46:23 Denied DST=192.168.1.71 ID=53858 PROTO=UDP SPT=50445 DPT=55197
May 19 12:46:22 Denied DST=192.168.1.71 ID=52570 PROTO=UDP SPT=50445 DPT=55197
May 19 11:02:03 Denied DST=192.168.1.71 ID=48762 PROTO=UDP SPT=54496 DPT=55202
May 19 11:02:03 Denied DST=192.168.1.71 ID=62965 PROTO=UDP SPT=54496 DPT=55202
May 19 11:02:02 Denied DST=192.168.1.71 ID=61672 PROTO=UDP SPT=54496 DPT=55202
May 19 11:02:02 Denied DST=192.168.1.71 ID=31897 PROTO=UDP SPT=54496 DPT=55202
May 19 11:02:01 Denied DST=192.168.1.71 ID=58630 PROTO=UDP SPT=54496 DPT=55202
May 19 11:02:01 Denied DST=192.168.1.71 ID=11861 PROTO=UDP SPT=54496 DPT=55202
May 19 11:02:00 Denied DST=192.168.1.71 ID=18764 PROTO=UDP SPT=54496 DPT=55202
May 19 11:02:00 Denied DST=192.168.1.71 ID=7381 PROTO=UDP SPT=54496 DPT=55202
May 19 11:01:59 Denied DST=192.168.1.71 ID=32128 PROTO=UDP SPT=54496 DPT=55202
May 19 11:01:59 Denied DST=192.168.1.71 ID=9493 PROTO=UDP SPT=54496 DPT=55202
May 18 17:35:28 Denied DST=192.168.1.71 ID=7602 PROTO=UDP SPT=57311 DPT=56727
May 18 17:35:28 Denied DST=192.168.1.71 ID=7228 PROTO=UDP SPT=57311 DPT=56727
May 18 17:35:27 Denied DST=192.168.1.71 ID=46961 PROTO=UDP SPT=57311 DPT=56727
May 18 17:35:27 Denied DST=192.168.1.71 ID=2526 PROTO=UDP SPT=57311 DPT=56727
May 18 17:35:26 Denied DST=192.168.1.71 ID=32937 PROTO=UDP SPT=57311 DPT=56727
May 18 17:35:25 Denied DST=192.168.1.71 ID=32341 PROTO=UDP SPT=57311 DPT=56727
May 18 17:35:25 Denied DST=192.168.1.71 ID=7235 PROTO=UDP SPT=57311 DPT=56727
May 18 17:35:24 Denied DST=192.168.1.71 ID=22514 PROTO=UDP SPT=57311 DPT=56727
May 18 17:35:24 Denied DST=192.168.1.71 ID=60382 PROTO=UDP SPT=57311 DPT=56727
May 18 17:35:23 Denied DST=192.168.1.71 ID=23306 PROTO=UDP SPT=57311 DPT=56727
May 17 11:24:33 Denied DST=192.168.1.71 ID=30684 PROTO=UDP SPT=54372 DPT=49972
May 17 11:24:32 Denied DST=192.168.1.71 ID=4418 PROTO=UDP SPT=54372 DPT=49972
May 17 11:24:32 Denied DST=192.168.1.71 ID=31033 PROTO=UDP SPT=54372 DPT=49972
May 17 11:24:31 Denied DST=192.168.1.71 ID=46382 PROTO=UDP SPT=54372 DPT=49972
May 17 11:24:31 Denied DST=192.168.1.71 ID=38969 PROTO=UDP SPT=54372 DPT=49972
May 17 11:24:30 Denied DST=192.168.1.71 ID=64878 PROTO=UDP SPT=54372 DPT=49972
May 17 11:24:30 Denied DST=192.168.1.71 ID=39211 PROTO=UDP SPT=54372 DPT=49972
May 17 11:24:29 Denied DST=192.168.1.71 ID=3960 PROTO=UDP SPT=54372 DPT=49972
May 17 11:24:28 Denied DST=192.168.1.71 ID=3949 PROTO=UDP SPT=54372 DPT=49972
May 17 11:24:28 Denied DST=192.168.1.71 ID=18252 PROTO=UDP SPT=54372 DPT=49972
|Blocked outgoing connections from a sleeping iPad|
In the table above, SPT is the Source Port, DPT is the Destination Port and DST is the Destination IP address. For network experts, all these outbound connection attempts shared these additional attributes:
LEN=57 TOS=0x00 PREC=0x00 TTL=63 LEN=37 MARK=0x2.
I don't review the logs on this router very often, and I never look for live connections. But, I did on the 20th and I saw the iPad had a live connection to 126.96.36.199 on TCP port 5223. The IP address belongs to Apple and the port is used by the Apple Push Notification Service. I also checked on the 22nd and found the iPad in communication with 188.8.131.52 on port 443. According to Shodan, this computer is courier.push.apple.com or courier2.push.apple.com or windows.courier.push.apple.com. Not particularly interesting.
What is interesting, is that this iPad has a history. Back on October 27, 2020 I also saw suspicious outbound connection attempts. Then too, it had tried to phone home to an internal-use-only IP address using UDP and targeting a very high port. This seems to be a pattern. Back then, it was even more insistent, making 63 connection attempts in about a minute and a half (104 seconds to be exact).
The router log from last year is shown below. It was trying to contact IP address 10.82.181.253 on UDP port 60761. The source port, which tells us nothing, was 16402.
|Blocked outgoing connections from the same iPad in 2020|
Oct 27 00:23:34 Denied DST=10.82.181.253 ID=42549 PROTO=UDP DPT=60761 |
Oct 27 00:23:32 Denied DST=10.82.181.253 ID=18396 PROTO=UDP DPT=60761
Oct 27 00:23:31 Denied DST=10.82.181.253 ID=47987 PROTO=UDP DPT=60761
Oct 27 00:23:29 Denied DST=10.82.181.253 ID=10387 PROTO=UDP DPT=60761
Oct 27 00:23:28 Denied DST=10.82.181.253 ID=7518 PROTO=UDP DPT=60761
Oct 27 00:23:26 Denied DST=10.82.181.253 ID=53246 PROTO=UDP DPT=60761
Oct 27 00:23:25 Denied DST=10.82.181.253 ID=13756 PROTO=UDP DPT=60761
Oct 27 00:23:23 Denied DST=10.82.181.253 ID=6479 PROTO=UDP DPT=60761
Oct 27 00:23:22 Denied DST=10.82.181.253 ID=11730 PROTO=UDP DPT=60761
Oct 27 00:23:20 Denied DST=10.82.181.253 ID=14107 PROTO=UDP DPT=60761
Oct 27 00:23:19 Denied DST=10.82.181.253 ID=63383 PROTO=UDP DPT=60761
Oct 27 00:23:17 Denied DST=10.82.181.253 ID=13228 PROTO=UDP DPT=60761
Oct 27 00:23:17 Denied DST=10.82.181.253 ID=31120 PROTO=UDP DPT=60761
Oct 27 00:23:11 Denied DST=10.82.181.253 ID=11330 PROTO=UDP DPT=60761
Oct 27 00:23:10 Denied DST=10.82.181.253 ID=14936 PROTO=UDP DPT=60761
Oct 27 00:23:08 Denied DST=10.82.181.253 ID=31062 PROTO=UDP DPT=60761
Oct 27 00:23:07 Denied DST=10.82.181.253 ID=31372 PROTO=UDP DPT=60761
Oct 27 00:23:05 Denied DST=10.82.181.253 ID=24890 PROTO=UDP DPT=60761
Oct 27 00:23:04 Denied DST=10.82.181.253 ID=39286 PROTO=UDP DPT=60761
Oct 27 00:23:02 Denied DST=10.82.181.253 ID=29811 PROTO=UDP DPT=60761
Oct 27 00:23:01 Denied DST=10.82.181.253 ID=61258 PROTO=UDP DPT=60761
Oct 27 00:22:59 Denied DST=10.82.181.253 ID=7334 PROTO=UDP DPT=60761
Oct 27 00:22:57 Denied DST=10.82.181.253 ID=32902 PROTO=UDP DPT=60761
Oct 27 00:22:56 Denied DST=10.82.181.253 ID=47562 PROTO=UDP DPT=60761
Oct 27 00:22:54 Denied DST=10.82.181.253 ID=40452 PROTO=UDP DPT=60761
Oct 27 00:22:53 Denied DST=10.82.181.253 ID=59360 PROTO=UDP DPT=60761
Oct 27 00:22:51 Denied DST=10.82.181.253 ID=44949 PROTO=UDP DPT=60761
Oct 27 00:22:50 Denied DST=10.82.181.253 ID=13000 PROTO=UDP DPT=60761
Oct 27 00:22:48 Denied DST=10.82.181.253 ID=16073 PROTO=UDP DPT=60761
Oct 27 00:22:47 Denied DST=10.82.181.253 ID=32723 PROTO=UDP DPT=60761
Oct 27 00:22:45 Denied DST=10.82.181.253 ID=60591 PROTO=UDP DPT=60761
Oct 27 00:22:44 Denied DST=10.82.181.253 ID=19280 PROTO=UDP DPT=60761
Oct 27 00:22:42 Denied DST=10.82.181.253 ID=16640 PROTO=UDP DPT=60761
Oct 27 00:22:41 Denied DST=10.82.181.253 ID=37285 PROTO=UDP DPT=60761
Oct 27 00:22:39 Denied DST=10.82.181.253 ID=12127 PROTO=UDP DPT=60761
Oct 27 00:22:38 Denied DST=10.82.181.253 ID=56971 PROTO=UDP DPT=60761
Oct 27 00:22:36 Denied DST=10.82.181.253 ID=35479 PROTO=UDP DPT=60761
Oct 27 00:22:35 Denied DST=10.82.181.253 ID=42642 PROTO=UDP DPT=60761
Oct 27 00:22:33 Denied DST=10.82.181.253 ID=65124 PROTO=UDP DPT=60761
Oct 27 00:22:32 Denied DST=10.82.181.253 ID=18803 PROTO=UDP DPT=60761
Oct 27 00:22:30 Denied DST=10.82.181.253 ID=42641 PROTO=UDP DPT=60761
Oct 27 00:22:28 Denied DST=10.82.181.253 ID=66 PROTO=UDP DPT=60761
Oct 27 00:22:27 Denied DST=10.82.181.253 ID=25304 PROTO=UDP DPT=60761
Oct 27 00:22:25 Denied DST=10.82.181.253 ID=56553 PROTO=UDP DPT=60761
Oct 27 00:22:24 Denied DST=10.82.181.253 ID=32109 PROTO=UDP DPT=60761
Oct 27 00:22:22 Denied DST=10.82.181.253 ID=65516 PROTO=UDP DPT=60761
Oct 27 00:22:21 Denied DST=10.82.181.253 ID=11029 PROTO=UDP DPT=60761
Oct 27 00:22:19 Denied DST=10.82.181.253 ID=46491 PROTO=UDP DPT=60761
Oct 27 00:22:18 Denied DST=10.82.181.253 ID=5603 PROTO=UDP DPT=60761
Oct 27 00:22:16 Denied DST=10.82.181.253 ID=5969 PROTO=UDP DPT=60761
Oct 27 00:22:15 Denied DST=10.82.181.253 ID=33752 PROTO=UDP DPT=60761
Oct 27 00:22:13 Denied DST=10.82.181.253 ID=60265 PROTO=UDP DPT=60761
Oct 27 00:22:12 Denied DST=10.82.181.253 ID=7287 PROTO=UDP DPT=60761
Oct 27 00:22:10 Denied DST=10.82.181.253 ID=35556 PROTO=UDP DPT=60761
Oct 27 00:22:09 Denied DST=10.82.181.253 ID=24495 PROTO=UDP DPT=60761
Oct 27 00:22:09 Denied DST=10.82.181.253 ID=26330 PROTO=UDP DPT=60761
Oct 27 00:22:09 Denied DST=10.82.181.253 ID=55044 PROTO=UDP DPT=60761
Oct 27 00:22:08 Denied DST=10.82.181.253 ID=24302 PROTO=UDP DPT=60761
Oct 27 00:22:02 Denied DST=10.82.181.253 ID=42396 PROTO=UDP DPT=60761
Oct 27 00:21:57 Denied DST=10.82.181.253 ID=48978 PROTO=UDP DPT=60761
Oct 27 00:21:55 Denied DST=10.82.181.253 ID=9607 PROTO=UDP DPT=60761
Oct 27 00:21:53 Denied DST=10.82.181.253 ID=62762 PROTO=UDP DPT=60761
Oct 27 00:21:52 Denied DST=10.82.181.253 ID=28943 PROTO=UDP DPT=60761
Oct 27 00:21:50 Denied DST=10.82.181.253 ID=54473 PROTO=UDP DPT=60761
|Blocked outgoing connections from the same iPad in 2020|
On the same day (Oct 27, 2020) the iPad also made 63 attempts to contact IP address 10.1.10.40 on UDP port 60303. You can see the transition between these two destination IP addresses below. The source port (164020) does not change which indicates the same software was involved. The iPad was attempting to make a new connection, roughly once a second for roughly a minute and a half. Then, it paused for 30 seconds and started back up making another 63 requests to a different destination IP and port. To me, this does not seem like a programming bug.
|October 27, 2020 transition|
Oct 27 00:24:09 Denied DST=10.1.10.40 ID=20240 PROTO=UDP SPT=16402 DPT=60303|
Oct 27 00:24:07 Denied DST=10.1.10.40 ID=40216 PROTO=UDP SPT=16402 DPT=60303
Oct 27 00:24:06 Denied DST=10.1.10.40 ID=9308 PROTO=UDP SPT=16402 DPT=60303
Oct 27 04:24:05 Denied DST=10.1.10.40 ID=58151 PROTO=UDP SPT=16402 DPT=60303
Oct 27 00:24:04 Denied DST=10.1.10.40 ID=36228 PROTO=UDP SPT=16402 DPT=60303
Oct 27 00:24:04 Denied DST=10.1.10.40 ID=3078 PROTO=UDP SPT=16402 DPT=60303
Oct 27 00:24:03 Denied DST=10.1.10.40 ID=30186 PROTO=UDP SPT=16402 DPT=60303
Oct 27 00:24:03 Denied DST=10.1.10.40 ID=21553 PROTO=UDP SPT=16402 DPT=60303
Oct 27 00:23:34 Denied DST=10.82.181.253 ID=42549 PROTO=UDP SPT=16402 DPT=60761
Oct 27 00:23:32 Denied DST=10.82.181.253 ID=18396 PROTO=UDP SPT=16402 DPT=60761
Oct 27 00:23:31 Denied DST=10.82.181.253 ID=47987 PROTO=UDP SPT=16402 DPT=60761
Oct 27 00:23:29 Denied DST=10.82.181.253 ID=10387 PROTO=UDP SPT=16402 DPT=60761
Oct 27 00:23:28 Denied DST=10.82.181.253 ID=7518 PROTO=UDP SPT=16402 DPT=60761
Oct 27 00:23:26 Denied DST=10.82.181.253 ID=53246 PROTO=UDP SPT=16402 DPT=60761
Oct 27 00:23:25 Denied DST=10.82.181.253 ID=13756 PROTO=UDP SPT=16402 DPT=60761
Oct 27 00:23:23 Denied DST=10.82.181.253 ID=6479 PROTO=UDP SPT=16402 DPT=60761
Oct 27 00:23:22 Denied DST=10.82.181.253 ID=11730 PROTO=UDP SPT=16402 DPT=60761
|October 27, 2020 transition|
Again, for network experts, these outbound connection attempts shared these additional attributes:
LEN=108 TOS=0x00 PREC=0x00 TTL=63 LEN=88 MARK=0x2.
What gives? Why would iOS, or an iOS app, want to contact assorted internal-only IP addresses using UDP and targeting high numbered ports?
I don't know.
Update May 21, 2021: It has been suggested that this might be an app attempting to contact a previously used IOT device using the last known IP address. An excellent guess, but I don't think thats it. For my iPad, I know all the subnets the thing has ever been connected to and none were the one it tried to contact. As for the iPad left at home when its owner went on vacation, I setup that network too and the three subnets it tried to contact never existed. However, that iPad has traveled so it has connected to networks that I am not aware of.
I have often seen remote control software make connections to internal-only IP addresses, so perhaps this traffic came from Zoom? Could be. But, if it was Zoom, why the four different internal subnets and the varying UDP ports?
It has also been suggested that this might be coming from Homekit or Airplay. Neither iPad uses Homekit. Mine does not use Airplay, I don't know if the left-behind iPad uses Airplay or not. But again, it had not been used at all for a few days.
It seems unlikely that these attempted transmissions are a bug or a coding mistake. I say this because the destination IP address and port varies. And while there is a pattern, its also a bit random. I would not expect a programming bug to have this sort of randomness to it.
We can assume that these are not the only two iPads in the whole world that make these strange networking requests. Could they go undetected for so long? Yes.
For one thing, the vast majority of routers do not have outbound firewall rules. And, among the small number of people using a router with outbound firewall rules, you need a certain personality (mine) to look for this stuff and log it. It's one thing to block porn or malware, but internal-use-only IP addresses are not an obvious danger. Finally, even if others have seen it, it's another thing take the time and trouble to blog about it. So, even in a very big world, it could be just me finding this activity and writing about it.
The next question, to me, is whether these connection attempts are coming from an app or the operating system. For what its worth, the Apple documentation on their use of TCP and UDP ports says that UDP ports between 49,152 and 65,535 are not used for anything.
If this is not a bug, then either an app or the operating system is trying to send out data while flying under the radar. If I ran a spy agency, this is exactly how I would exfiltrate data as internal-only IP addresses would not appear on any blocklist of bad IPs.
For the exfiltration of data using an internal-use-only IP address to succeed, the ISP has to be in on the game. The only computers that would see these requests would be the routers run by the ISP. Every router on the Internet should throw these requests away as the IP addresses are not valid. But, an ISP router could easily save any data sent an internal-only IP address.
One next investigatory step might be to log all data packets coming and going from an iPad all the time. But, these occurrences are too infrequent for me to bother with this type constant logging. Again, on the other side, this is just what I would do if I ran a spy agency and was able to lean on both an ISP and either Apple or an app developer. Here in the US, the ISPs have no choice but to carry out the government's wishes and keep it all secret.
Another approach would be internal rather than external. That is, run software on the iPad that shows which app (or iOS itself) is using a particular source port. This would tell us exactly where these requests originate from. I am not aware of any such software, though I am sure it exists. Somewhere.
This is as far as I can go with this.
|@defensivecomput||TOP||Home => More strange network activity from an iPad|
|michael--at--michaelhorowitz.com||Last Updated: May 22, 2021 3PM UTC|