Why does my Jio Set-Top Box ping Facebook so much?

Viewer profiling via STBs?

Posted by Siddharth Balyan on April 21, 2021 · 5 mins read

Introduction

Recently, I took up a campaign to secure and speed up my home network. I installed PiHole DNS Sinkhole on a small spare laptop to block as many ads and trackers as I could. With logging enabled, the PiHole setup provided me with a lot of information about a large number of ads and trackers which were running on the home network devices.

One particularly interesting find was the quantum of Facebook analytics running on Jio GigaFiber’s Set-Top Box.

For the uninitiated, Jio (or Reliance Jio) is primarily an Indian telecommunications company which provides mobile internet and broadband internet in India. In the past few years it has taken over a large market of mobile and broadband internet due to its cheap rates. It is quite literally the biggest telecom operator in India.


What is PiHole

Whenever you request a web resource, the first thing that happens is that a Domain Name System (DNS) server resolves its domain name into an IP address. A DNS sinkhole is a DNS server which gives false results for specific domain names, such as those of ad services and well-known trackers. PiHole blocks these domain names by using blocklists, which one can add to and configure quite extensively.

This is what the PiHole dashboard looks like. The web interface shows all the stats one may need to analyze their network queries.


What I Found

These are the overall stats I got after running PiHole on my home network for almost 10 days.

36.5% of network queries were ads and trackers, hence were blocked.

  • graph.accountkit.com tracker topped the Blocked Domains list with more than 60,000 hits in 10 days!

  • The IP address 192.168.29.128 has queried 1,18,393 times in the past 10 days!

I ran an nmap scan against the IP address 192.168.29.128 to figure out what device it was. This is what I got:

❯ sudo nmap -sS -O 192.168.29.128
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-21 19:33 IST
Nmap scan report for 192.168.29.128
Host is up (0.0064s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE
2869/tcp open  icslap
9080/tcp open  glrpc

MAC Address: 6C:E8:C6:82:D7:EC (Earda Technologies)

Device type: phone
Running: Google Android 5.X|7.X, Linux 3.X
OS CPE: cpe:/o:google:android:5.1 cpe:/o:google:android:7.1.2 cpe:/o:linux:linux_kernel:3.4
OS details: Android 5.1, Android 7.1.2 (Linux 3.4)
Network Distance: 1 hop

On a little digging, I figured out this device is nothing other than my Jio’s GigaFiber Set-Top-Box which everyone gets free with their Jio connection.

  • A set top box which is not used much, sending more than 1 lakh queries seemed like an anomaly, so I went in deeper and found that the STB queries graph.accountkit.com the most.
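The per-client breakdown described above can also be reproduced straight from the Pi-hole query log. The following is an added example, not code from the original post; it assumes the dnsmasq-style log format written by Pi-hole v5 (a `query[...] <domain> from <client>` line followed by `gravity blocked <domain> is ...`), and the sample log lines and the function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the assumed Pi-hole v5 / dnsmasq log style (not real capture data).
SAMPLE_LOG = """\
Apr 21 19:30:01 dnsmasq[711]: query[A] graph.accountkit.com from 192.168.29.128
Apr 21 19:30:01 dnsmasq[711]: gravity blocked graph.accountkit.com is 0.0.0.0
Apr 21 19:30:02 dnsmasq[711]: query[AAAA] graph.accountkit.com from 192.168.29.128
Apr 21 19:30:02 dnsmasq[711]: gravity blocked graph.accountkit.com is ::
Apr 21 19:30:05 dnsmasq[711]: query[A] example.org from 192.168.29.50
Apr 21 19:30:05 dnsmasq[711]: forwarded example.org to 208.67.222.222
Apr 21 19:30:05 dnsmasq[711]: reply example.org is 93.184.216.34
Apr 21 19:30:09 dnsmasq[711]: query[A] graph.accountkit.com from 192.168.29.128
Apr 21 19:30:09 dnsmasq[711]: gravity blocked graph.accountkit.com is 0.0.0.0
Apr 21 19:30:12 dnsmasq[711]: query[A] ads.example.net from 192.168.29.50
Apr 21 19:30:12 dnsmasq[711]: gravity blocked ads.example.net is 0.0.0.0
"""

QUERY = re.compile(r"dnsmasq\[\d+\]: query\[[^\]]+\] (\S+) from (\S+)$")
BLOCKED = re.compile(r"dnsmasq\[\d+\]: gravity blocked (\S+) is ")

def per_client_stats(log_text):
    """Return {client: {"total": n, "blocked": Counter(domain -> n)}}."""
    stats = defaultdict(lambda: {"total": 0, "blocked": Counter()})
    last = None  # (domain, client) of the most recent query line
    for line in log_text.splitlines():
        q = QUERY.search(line)
        if q:
            last = q.groups()
            stats[last[1]]["total"] += 1
            continue
        b = BLOCKED.search(line)
        # Attribute a block to the client whose query line immediately preceded it.
        if b and last and b.group(1) == last[0]:
            stats[last[1]]["blocked"][last[0]] += 1
            last = None
    return stats

def summarize(log_text):
    """Rows of (client, total queries, blocked queries, top blocked domain), busiest first."""
    rows = []
    for client, s in per_client_stats(log_text).items():
        top = s["blocked"].most_common(1)
        rows.append((client, s["total"], sum(s["blocked"].values()),
                     top[0][0] if top else None))
    return sorted(rows, key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print("%-16s total=%d blocked=%d top_blocked=%s" % row)
```

A client whose blocked count is close to its total and concentrated on one domain, as with the STB here, is the pattern worth a closer look.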

What is graph.accountkit.com?

On running the nslookup utility on this domain, one sees that this is a Facebook service:

❯ nslookup graph.accountkit.com
Server:		208.67.222.222
Address:	208.67.222.222#53

Non-authoritative answer:
graph.accountkit.com	canonical name = star.c10r.facebook.com.
Name:	star.c10r.facebook.com
Address: 157.240.217.17
Name:	star.c10r.facebook.com
Address: 2a03:2880:f05c:12:face:b00c:0:2

But what does it actually do?

This is part of the analytics service of Facebook’s Graph API. Sites and services often have other third-party trackers in them for analytics and data collection. Having these trackers helps ad companies create digital identities and footprints even if you don’t have a Facebook account. For example, Facebook creates “shadow profiles” of you even if you don’t have a Facebook, Instagram, or WhatsApp account.


Conclusion

By installing PiHole on my home network, I found that my Set-Top Box, or the apps installed on it, run Facebook Analytics which most probably collects usage and viewing data.

The Jio STB runs on Android and the streaming apps installed on it could also be the cause of this. Multiple Android devices in the home network use the streaming apps too. Why, then, does the STB query analytics services so aggressively?

I am curious as to why this is.

It seems that Facebook’s investment of $5.7 billion (Rs 43,574 crore) into Jio Platforms last year must have a role, but as a citizen, I hope it is not at a cost.

Who can clarify? I am a student and open to being corrected.

I could try to proxy the STB traffic and try to see what kind of data is exchanged between these services to confirm or refute my suspicions. If I end up digging around this, expect a part two to this post then!