Arduino 2.0 IDE = spyware?

Hello All,

I was a big fan of Arduino from the beginning.
It started as an independent microcontroller development environment independent of commercial interests.
When Arduino entered its partnership with M$ (2015) this independence was ended. I didn't see any impact until I tried the IDE 2.0:

At the first start of the IDE it wanted to establish several internet connections:

  1. "downloads.arduino.cc" which I can accept even if I want to be informed about it before it happens automatically in the background.

  2. "dc.services.visualstudio.com" why is it not mentioned from Arduino's side that M$ is somehow involved? Well, it can be that parts or even the whole of IDE 2.0 are developed by M$. But why is the user not informed about this? Furthermore it looks like the development is community driven.

And with the third connection it gets more than strange:

  3. "10.2.0.1" this is a private address, i.e. it is not routed on the internet. But this is the default address of some home routers that connect to the outside world, e.g. Netgear. I don't use a 10.x.y.z network at my home. Therefore it can have nothing to do with normal network activities like mDNS or similar.

What is an IDE doing on the home router? Looks like a hack attack to me! It is known that there is contaminated software that tries to hack home routers with their delivery settings.

I have not analyzed it further because I do not own a Netgear router. But it seems that the IDE is at least some kind of spyware, if not worse.

I am just appalled at how low Arduino has sunk.

I have deleted your other cross-post @kris99.

Cross-posting is against the Arduino forum rules. The reason is that duplicate posts can waste the time of the people trying to help. Someone might spend a lot of time investigating and writing a detailed answer on one topic, without knowing that someone else already did the same in the other topic.

Repeated cross-posting can result in a suspension from the forum.

In the future, please only create one topic for each distinct subject matter. This is basic forum etiquette, as explained in the "How to get the best out of this forum" guide. It contains a lot of other useful information. Please read it.

Thanks in advance for your cooperation.

Hi @kris99. Thanks for your feedback.

I appreciate your concerns about security and privacy, but some of the things you write here are not backed by evidence. I think this discussion will be more productive for all involved if we avoid straying into the realm of unfounded conspiracy theories and stick exclusively to fact.

Arduino IDE 2.x automatically downloads the following things from that host on the first run after a fresh installation:

The IDE would be completely non-functional without ctags, non-functional for 99% of users without serial-discovery and serial-monitor, and the new user experience significantly impacted without the libraries and AVR boards (which also rely on the Library and Boards Manager index files). If the user is not willing to allow Arduino IDE to access the Internet on this first run then there is no point in them installing it in the first place. This is the same as when you download an installer for an application, which then installs the components of the application itself when you run it.

After the downloads made on the first run, the IDE is usable even without an Internet connection, but it still will attempt to download files on subsequent startups:

The first three can be disabled via the Arduino: Check For Updates advanced setting:

https://github.com/arduino/arduino-ide/blob/main/docs/advanced-usage.md#advanced-settings

The latter is not, simply because nobody saw the need to provide such an option, but if this is something important to you then you are welcome to submit a formal request to the developers here:

https://github.com/arduino/arduino-ide/issues/new/choose

The primary Arduino IDE developer explains the reason for this communication here:

https://github.com/arduino/arduino-ide/issues/57#issuecomment-780382836

Arduino IDE 2.x is built on the free open source Eclipse Theia IDE framework. One of the nice features of Theia is that it supports Visual Studio Code extensions. Arduino IDE 2.x uses the VS Code JSON language extension to provide schema and syntax highlighting for JSON files when they are opened in the Arduino IDE editor (most often done to edit the IDE's JSON-based configuration files such as settings.json and keymaps.json).

That is not to say that this communication is necessarily intentional or required for the IDE's functionality. The issue above remains open because this is something the team intends to eventually investigate.

Microsoft's only involvement is that some of the free open source dependencies of Arduino IDE (including the TypeScript language it is written in) were created by Microsoft. I think you would find that Microsoft is "involved" in a significant amount of the free open source software you use if you consider that "involved".

Microsoft has not had any direct involvement in the development of the Arduino IDE 2.x codebase.

It is not clear to me what you mean by "community driven".

99.9% of the development work on the Arduino IDE 2.x codebase (not including all the amazing free open source software dependencies it is built on top of) was performed by Arduino's paid team of developers. The community's donations and purchases of Arduino products by the community support that work.

Community developers have made a small but valuable number of contributions to the project. The number of contributions has increased since the 2.0.0 release, so I'm certain we will see more involvement from the community in the development as time goes on.

The community has also provided a huge amount of beta testing and feedback that has greatly assisted the development work.

And of course this project was created by the Arduino company for the benefit of everyone in the Arduino community, so in that way it is absolutely community driven.

I would like to do some investigation into this. What are you using to identify this connection?


I have installed a local firewall, "Little Snitch", which is configured to ask for every new connection, inbound and outbound.

My biggest concern is the secrecy. Of course, I could find out that M$ has a stake in the new IDE, at least on the codebase. But why is this not openly communicated?

Thanks for the information. I don't have access to a macOS machine, but I did some investigation using an equivalent application firewall and was unable to reproduce this problem of Arduino IDE attempting to connect to 10.2.0.1.

I have notified Arduino's security team about your report.

Because by any reasonable definition of "stake" it is not true.

Arduino IDE 2.x has thousands of dependencies from all sorts of organizations, as do most modern open source software projects. Anyone can look at the code and see all the dependencies. There is no secrecy.


Hi @kris99, in order to allow us to proceed with the investigation, I would like to ask you for some additional information about this connection to 10.2.0.1:

Please provide the full details from the connection attempt detected by Little Snitch (as shown in the "Connection Details" revealed by clicking the button on the connection alert dialog), including:

  • The path of the process attempting to make the connection (I believe this is shown in the "Established by" field of the dialog)
  • The "Parent Application"
  • The "Code Signature"

Which specific version of Arduino IDE are you using? The version is shown in the Arduino IDE title bar and also in the dialog accessed via the Arduino IDE > About Arduino IDE menu item.

Hi ptillisch,

I am shocked by the simple psychological tricks you are working with here. Maybe you are not aware of it but the effect is there. What do these words

have to do in our discussion? Without saying it directly you put me in a corner with swindlers by your choice of words.

And you talk about objectivity.

Why I am so sensitive to M$:
I was at home in IT for over 40 years. For a few years now I have turned my back on it, because in the professional area it is simply tedious to keep the systems running with consideration of data security and runtime stability, just because of this sneakiness that software does something in the background which is not obviously communicated to the user. Yes, even here you can almost always find the clues if you read through 400 pages of documentation.

Yes, M$ is used in the professional sector, but only when management pushes it through. In small and medium sized businesses M$ has more of a foothold thanks to the "clueless" generation:
When it came out that Windows XP sent unsolicited data from the PC to Redmond there was a small uproar and M$ rowed back. With Windows 10 "Server" the "data exchange" between PC and Redmond is the default setting and nobody cares except the responsible admin who tries to keep the NDAs or the security of the user data. But something like that is hip nowadays, with cloud services being the keyword.

But back to the topic:

Again, why is this not communicated? There was a time when it was pointed out that software only works if there is an internet connection to reload data. Nowadays it is tacitly assumed. (Stealth)
BTW: It would be very easy to include the "missing" packages in the first download.


So by your reasoning it is not stealth that there is the internet connection to M$ because it was mentioned in a forum. So the user has to search all sources concerning the new IDE to get all the information. So it's the user's own fault if he didn't know about it, that his computer contacts non-Arduino servers without any request.

I don't want to start any flame war nor discredit you in any way. I just want honesty. And that doesn't start with the fact that all information is available somewhere.

The uninitiated user does not realize that he is using code from M$ when he downloads the IDE. Not to mention the clandestine attempt to connect to "10.2.0.1".

It should indeed be communicated to the user. The Arduino IDE developers are tracking the need for this here:

No. That is not my reasoning. I simply pointed to a technical explanation of why this communication occurs.

Right after that, I explained that the intent is to investigate whether this communication can either be disabled or made user configurable.

If this is something you care about, please feel free to submit a pull request to this free open source project to disable the communication. Otherwise you will need to wait for someone else to find time to make that change.

We would like to continue with the investigation of that, but we can only do so if you will provide the information I requested five days ago:

Do we speak the same language? And I am not a native English speaker.
A look at Merriam-Webster for what a "stake" means:

...
: an interest or share in an undertaking or enterprise
...

Furthermore your argument "... every reasonable ...". So you are in possession of the omniscient wisdom? Just to downplay M$'s defense of Arduino?

Lying by omission: This is when a person omits important information or fails to correct a pre-existing misunderstanding in order to hide the truth from others.
"I didn't lie; I just didn't tell you."

I am not referring to you in person but to the process we are discussing above and your effort to defend it.

A weak argument even if it is common today.

I searched for "10.2.0.1" on github in source and did not find it. Surely I can analyze all the code myself, including the reloaded parts from the internet. But it shouldn't be my job to figure out the "I just didn't tell you" myself. This is against the spirit of open source.

My interest is in making Arduino IDE 2.x better. If you would like to work with us to do that, then let's do it. If your only intent is to vent about "M$", that is fine too, but I have better things to do with my time than read it so I'll move on.

The choice of which direction this thread goes is yours.


All information I can get:

Arduino IDE

Deny outgoing connections to 10.2.0.1

Where: /Applications/Arduino IDE.app/Contents/MacOS/Arduino IDE
Owner:  Me
Priority: Normal
Created: 6. Nov 2022 at 14:36

Code Signature:
Code Signature not applicable.

Internet Access Policy:
Unable to show an Internet Access Policy because the application not found on disk.

Notes:
On 6. Nov 2022, Arduino IDE via Arduino IDE Helper tried to establish a connection to 10.2.0.1. The request was denied via connection alert.


Thanks. Please also tell me which version of Arduino IDE you are using.

Arduino IDE 2.0.1 and nightly builds 20221107 and 20221114.

All IPv4 addresses beginning with 10. are meant to be private addresses. Many sites explain this. For example:

https://whatismyipaddress.com/private-ip

Whatever is trying to connect to 10.2.0.1 almost certainly is not trying to communicate to any internet site, as no publicly accessible server could use that IP number and virtually all internet routers are configured to not route packets with private IP addresses.

It's very likely some sort of leftover debugging code.

Releasing software with this sort of stuff enabled could be considered at worst an oversight. The harshly accusatory tone of this thread with words "spyware", "clandestine", "stealth", "how low Arduino has sunk" is needlessly alarmist and downright disrespectful.

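As an added example (not code from this thread or from the Arduino project), a small triage script that applies the reasoning of the post above to application-firewall alerts: it classifies each destination by address scope, so that a 10.x.y.z target is recognised as LAN-only rather than as Internet traffic. The alert line format and the sample alerts are constructed assumptions, not Little Snitch output.

```python
"""Triage outbound-connection alerts by destination address scope.

Assumes a constructed alert format "<process> -> <dest>:<port>"; real
application firewalls show the same fields in their alert dialog but not
in this exact text form.
"""
import ipaddress
import re

# Constructed sample alerts modelled on the connections discussed in the thread
SAMPLE_ALERTS = [
    "Arduino IDE -> downloads.arduino.cc:443",
    "Arduino IDE -> dc.services.visualstudio.com:443",
    "Arduino IDE Helper -> 10.2.0.1:80",
    "Arduino IDE -> 127.0.0.1:50051",
    "Arduino IDE -> 169.254.10.5:5353",
]

ALERT_RE = re.compile(r"^(?P<proc>.+?) -> (?P<dest>[^:\s]+):(?P<port>\d+)$")


def classify_destination(dest: str) -> str:
    """Return the scope of a destination: hostname, loopback, link-local,
    private (RFC 1918 / unique-local) or public."""
    try:
        addr = ipaddress.ip_address(dest)
    except ValueError:
        return "hostname"      # DNS name; scope is only known after resolution
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:
        return "link-local"    # 169.254/16, fe80::/10; e.g. mDNS neighbours
    if addr.is_private:
        return "private"       # 10/8, 172.16/12, 192.168/16: not routed on the Internet
    return "public"


def triage(alerts, expected_hosts):
    """Map each alert line to (process, dest, scope, verdict)."""
    results = []
    for line in alerts:
        m = ALERT_RE.match(line)
        if not m:
            continue           # skip lines that do not match the assumed format
        proc, dest = m["proc"], m["dest"]
        scope = classify_destination(dest)
        if scope == "hostname":
            verdict = "expected" if dest in expected_hosts else "review: unexpected Internet host"
        elif scope == "public":
            verdict = "review: direct connection to a public IP"
        elif scope == "private":
            # Cannot be Internet exfiltration; ask why the process wants the LAN
            verdict = "review: LAN-scope target, check local config, VPN or debug leftovers"
        else:
            verdict = "normal local traffic"
        results.append((proc, dest, scope, verdict))
    return results
```

Hosts you have already vetted go into the `expected_hosts` set; everything else is listed for review rather than judged automatically.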

Good grief... 10.anything/4 is unroutable to the Internet ... The OP's home router would require a rule installed to NAT this address outbound.

Added (Sorry Paul, was editing and missed your response.)


If you had read the first post carefully you would have noticed that I am aware that "10.2.0.1" is a private address and is not routed to the Internet.

Maybe it is a "leftover" maybe not. But "10.2.0.1" is the default address of e.g. Netgear home routers.

According to your statement you don't care if your home network might be hacked. But I do care.

Instead you jump on my words of criticism which are admittedly very harsh without addressing the real problem. I stand by this: secrecy has no place in the open source community. The fact that IDE 2.0 does a download in the background without asking is such secrecy that I denounce.

I consider it disrespectful to accuse someone without studying the facts carefully.

No matter what point you were trying to make, for all practical purpose you've sabotaged your own effort by speaking this way.


Do you have any evidence for that claim? I have asked a friend whom I consider an expert in these things, and in response to the question:

Is this statement true:
'10.2.0.1 is the default address of e.g. Netgear home routers.' ?

He replied:

No.
It's 192.168.0.1 for Netgear devices.

Now, I don't claim my friend is infallible, and I don't claim you are wrong, but if he does not think 10.2.0.1 is the default for a Netgear router then I take him seriously. Maybe you know something he doesn't, if you care to share the information from an authoritative source that would be interesting and I will pass the information on to him.

Thank you.

To log in to your NETGEAR router with a web browser:

  1. Launch a web browser from a device that is connected to your router's network.
  2. Enter routerlogin.net or http://192.168.1.1 in the address bar.
    The router login window displays.
  3. Enter the router admin user name and password.

https://kb.netgear.com/980/How-do-I-log-in-to-my-NETGEAR-router

This topic was automatically closed 180 days after the last reply. New replies are no longer allowed.