I was playing around with WireShark today and noticed something strange. My computer, despite running NordVPN and sending all web traffic over OpenVPN, was sending some HTTP requests.
Here’s one of the HTTP requests in question.
I quickly noticed that the request’s (redacted) destination IP was on my local network, so I let my VPN off the hook. I also noticed that it was the Spotify app (version 126.96.36.1998) on my MacBook Pro soliciting this information from another machine on my network.
The actual HTTP response was an XML file of the following form.
Huh? That’s (redacted) information about my Sony TV (which never works properly… shakes fist at Sony). What is going on?
Some further Googling explained it. My TV hosts a Universal Plug and Play (UPNP) service that allows other devices to discover it’s presence. UPNP is used for stuff like wireless printers, gaming consoles, TVs, etc. It is possible to configure your router to disable UPNP, as many have done due to vulnerabilities, but that might result in a loss of functionality.
Spotify probably aren’t using this device information for anything malicious. However, it strikes me that third parties (think Google, Amazon and others) can discover what devices you have in your home and could use this to improve their ad targeting.
If there are any security mechanisms that prevent this, I’d love to hear about them.