Get AI summaries of any video or article — Sign up free
Who is your Boox device talking to? thumbnail

Who is your Boox device talking to?

Tools on Tech·
5 min read

Based on Tools on Tech's video on YouTube. If you like this content, support the original creators by watching, liking and subscribing to their content.

TL;DR

All Boox network traffic was forced through a user-controlled Linux laptop hotspot so packet capture could be performed with Wireshark, reducing reliance on potentially untrustworthy on-device monitoring apps.

Briefing

Boox e-reader traffic can be monitored cleanly by routing the device through a Linux laptop hotspot and inspecting the resulting packets with Wireshark, and the observed “phoning home” looks largely consistent with normal app and cloud-sync behavior rather than suspicious data exfiltration. After filtering traffic by the device’s hotspot IP, the connections that appear during active use and during a half-hour idle period mostly map to expected services: Boox’s own cloud, Amazon endpoints, Google/Play services, Stack Storage sync, and routine time/health checks.

The core method matters because it avoids a common blind spot: installing a monitoring app on the device can be undermined if the device controls what that app can see. Instead, the setup forces all network traffic from the Boox device to pass through the user’s laptop, where packet capture is performed remotely over SSH. With Wireshark running on the laptop, the analyst filters by the Boox device’s source IP (assigned by the hotspot) and then examines both raw packet streams and higher-level “conversations” and “name resolution” summaries.

During active use—opening notes and launching apps—traffic spikes in a way that matches typical Android behavior: DNS lookups and connections to major services show up, including Amazon (expected for cloud-backed storage), EUR books.com (tied to Boox web services), and other cloud endpoints used for sync and analytics. When the device sits idle for about 30 minutes, the traffic becomes “boring”: Boox cloud pings continue, and small, low-volume checks appear. A notable example is NTP (network time protocol) traffic to DataDog-related endpoints, interpreted as monitoring/latency and time synchronization checks rather than bulk data transfer.

The most concerning category—unexpected third-party tracking—does show up, but in small volume. Even with no Facebook apps installed, connections to Facebook endpoints appear, described as likely commercial or tracking-related activity. Still, the amount is characterized as only a few kilobytes, far from the kind of sustained, high-volume upload that would suggest covert data dumping.

The analysis also highlights a key limitation: HTTPS prevents inspection of what’s inside encrypted connections, so packet capture can confirm who is contacted and roughly how much data moves, but not the exact payload content. To test behavior, the analyst changes a PDF and observes a jump to roughly megabyte-scale upload consistent with syncing a new document; afterward, traffic drops back to kilobyte-level updates, suggesting the device’s internal representation (e.g., pen strokes) and sync strategy are efficient.

Overall, the takeaway is practical: using the Boox device appears safe enough for the analyst’s use case, especially when notes are not highly sensitive and cloud sync is understood. The analyst adds that sync destinations may vary by region (European vs US servers), and for a “lock-in” alternative, the Boox ecosystem’s PDF generation and syncing relies on kync, which writes PDFs to user-controlled storage such as Google Drive or Dropbox. For those who want deeper assurance, the analyst recommends longer monitoring runs, but argues that suspicious background behavior would likely surface in shorter idle and active tests.

Cornell Notes

Routing the Boox device through a user-controlled Linux laptop hotspot enables direct packet inspection with Wireshark, avoiding the weakness of on-device monitoring apps. After filtering by the Boox device’s hotspot IP, observed connections during active use and during a ~30-minute idle period align with expected Android and cloud-sync behavior: Boox cloud pings, Amazon endpoints, Google/Play services, Stack Storage sync, and NTP/monitoring checks (including DataDog-related traffic). HTTPS encryption limits visibility into payload contents, but traffic volume patterns look normal—kilobytes for routine sync and larger uploads only when notes/PDFs change. A small amount of Facebook-related traffic appears even without Facebook apps installed, but it’s low-volume and not indicative of bulk exfiltration in the captured windows.

Why route the Boox through a laptop hotspot instead of installing a traffic-monitoring app on the device?

A monitoring app on the Boox can be constrained by the device itself—if the device controls what the app can observe, the app’s view may be incomplete or misleading. By using a hotspot on the laptop, all Boox traffic must traverse the laptop’s network stack. That lets the analyst capture packets externally with Wireshark and inspect DNS lookups and connection metadata without trusting an on-device observer.

What does the analyst consider “normal” traffic during active use?

When notes are edited and apps are opened, traffic spikes in ways consistent with Android behavior: name resolutions and connections to expected services appear. Examples cited include Amazon endpoints (cloud-backed storage), EUR books.com (Boox web services), and Google/Play services. The pattern is that activity triggers more lookups and connections, while routine background sync continues.

What changes when the device is left idle, and what does that imply?

With the Boox left running for about 30 minutes, the analyst sees low-volume, periodic activity rather than bursts. Conversations include Boox cloud pings and small checks such as NTP-related traffic interpreted as time synchronization/monitoring. The low data volume is used as evidence against covert, high-throughput exfiltration during inactivity.

How does HTTPS affect what can be concluded from packet capture?

HTTPS encrypts payloads, so packet capture can identify destinations, connection timing, and approximate data sizes, but it cannot reveal the contents inside the encrypted streams. The analyst argues that while payload inspection isn’t possible, the amount of data transferred and the destination patterns still provide meaningful signals.

What test was used to validate sync behavior when content changes?

The analyst modifies a PDF and observes a jump to roughly megabyte-scale upload, consistent with syncing a changed document. After that, traffic drops back to kilobyte-level updates, suggesting the device’s background sync strategy is efficient and that large transfers correlate with actual content changes.

Which unexpected third party appears, and how is it characterized?

Facebook endpoints show up even though no Facebook apps are installed on the Boox device. The analyst describes the volume as small (on the order of a few kilobytes) and frames it as likely commercial/tracking-related activity rather than evidence of major data theft in the captured sessions.

Review Questions

  1. What specific advantage does hotspot-based packet capture provide over on-device monitoring apps?
  2. How do the analyst’s idle-period observations (destinations and data volumes) support the conclusion about “phoning home”?
  3. Given HTTPS encryption, what evidence types remain available (and what evidence types are unavailable) when assessing device security from network captures?

Key Points

  1. 1

    All Boox network traffic was forced through a user-controlled Linux laptop hotspot so packet capture could be performed with Wireshark, reducing reliance on potentially untrustworthy on-device monitoring apps.

  2. 2

    Filtering by the Boox device’s hotspot-assigned source IP made traffic analysis manageable and helped separate routine background activity from spikes caused by user actions.

  3. 3

    During active use, observed destinations matched expected services such as Boox cloud endpoints, Amazon, and Google/Play services, with traffic volume rising when notes and apps were used.

  4. 4

    During a ~30-minute idle window, traffic became low-volume and periodic, including Boox cloud pings and NTP/time-related checks interpreted as monitoring and synchronization.

  5. 5

    HTTPS prevents inspecting what’s inside encrypted connections, so the assessment relies on who is contacted and how much data moves rather than payload content.

  6. 6

    A small amount of Facebook-related traffic appeared even without Facebook apps installed, but it was characterized as low-volume rather than bulk exfiltration.

  7. 7

    Sync behavior appears content-driven: changing a PDF triggered megabyte-scale uploads, while subsequent background updates returned to kilobyte-level synchronization.

Highlights

Routing the Boox through a laptop hotspot enables external packet capture, avoiding the blind spot of trusting an on-device monitoring app.
Idle traffic looked “boring”: low-volume Boox cloud pings and time/monitoring checks rather than sustained uploads.
HTTPS limits payload visibility, but traffic volume and destination patterns still offer strong indicators of normal vs suspicious behavior.
Even without Facebook apps installed, Facebook endpoints appeared—small in volume, but notable for privacy-minded users.

Topics

  • Boox Security
  • Network Monitoring
  • Wireshark
  • Cloud Sync
  • HTTPS Encryption

Mentioned

  • SSH
  • NTP
  • HTTPS

Get summaries like this for any content

Videos, articles, research papers — all summarized by AI and searchable in one place.

Start building your library