Research Saturday 1.11.20
Ep 116 | 1.11.20

Profiling the Linken Sphere anti-detection browser


Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday, presented by Juniper Networks. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dave Bittner: [00:00:25] And now a quick word about our sponsor, Juniper Networks. NSS Labs gave Juniper its highest rating of "Recommended" in its 2019 Data Center Security Gateway Test. To get your copy of the NSS Labs report, visit, or connect with Juniper on Twitter or Facebook. That's And we thank Juniper for making it possible to bring you Research Saturday.

Dave Bittner: [00:00:57] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data, all without ever decrypting anything – all without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at

Staffan Truvé: [00:01:38] Linken Sphere is a browser which allows the user to masquerade in different ways. So in its easiest form, it allows the user to change some of the characteristics which make up the so-called "fingerprint" of the browser.

Dave Bittner: [00:01:52] That's Staffan Truvé. He's the co-founder and chief technology officer at Recorded Future. The research we're discussing today is titled, "Profiling the Linken Sphere Anti-Detection Browser."

Staffan Truvé: [00:02:03] Of course, the use for that is that if you're connecting from the same machine and trying to sort of have different personalities, different identities, you need to change these kinds of parameters. So that's one part of it.

Staffan Truvé: [00:02:18] The other part of Linken Sphere is that it's a platform for essentially hiding that it's a machine and not a human that's communicating through the browser. Examples of how you can do that, for example, is if you do text input, it will – it has the capacity to change the timing, so it looks like a human typing and not a machine putting in information, for example. It can also change between appearing to be a normal laptop-based browser and touchscreen-based browser.

Dave Bittner: [00:02:49] And so what's the background in terms of the origin of of this? Where did it come from? Who developed it?

Staffan Truvé: [00:02:56] So this has been around for a couple of years now, developed by what we assume is a Russian guy who did this. And the reason we decided to do some deeper dive into it now and explore its capabilities, was that they released a new version this summer. We thought it was interesting to see what kind of new features they had put in there and also what the clientele using it were talking about. So we've been tracking it both through the developers' own website, things like that, but also by looking in various criminal forums and seeing what kind of discussions are going on there, what are people asking about, and, you know, essentially how well supported is the product.

Dave Bittner: [00:03:36] Now, as is the case with many of these tools that have multiple uses on both sides of the fence, the developers here list a number of legitimate uses for it. What sorts of things are they saying that are the legitimate reasons for having a tool like this?

Staffan Truvé: [00:03:53] Well, you know, so they are saying that this can be used for penetration testing. It can be used if you're testing your system. So, we're actually using some similar tools ourselves when we develop our own user interfaces. It can also be used, they claim, for privacy. You know, if you want to – if you're, say, working in an environment where you are afraid of, say, government or someone else intervening with you, you know that you can get higher privacy through this. And these are all legitimate cases, you know, those are all good cases why people in different situations could want a tool like this. But then, of course, you know, as we've been writing about, you can also find a number of not quite as legitimate uses for it.

Dave Bittner: [00:04:40] Well, let's go through your research here. I mean, what are some of the key things that you all were looking at?

Staffan Truvé: [00:04:47] We really did this as a product evaluation, you could say. So, we started out by checking out the pricing and the kind of support you get. And I would say the overall conclusion on that side is that this is a very professional organization providing this, you know, so they are very open about their license terms. You can license a light and a pro and a premium version, you can have it for different times, and they're very clear about what kind of capabilities you get for the different licenses. So in that sense, it all looks like a very legitimate product. You know, good support. It also appears from the way they are answering questions about it that they have a good customer support organization. You know, people ask things. They both reply themselves and there's a community of users who reply on questions about how to use it, and how to set it up, and so on.

Dave Bittner: [00:05:38] The pricing starts at a hundred dollars per month. I suppose – I mean, that sits it somewhere in there where it's not out of reach for a lot of people, but I can't imagine that it's something that an amateur would be willing to pay for as well.

Staffan Truvé: [00:05:52] No, you're quite right. This is not something which people would sort of, you know, you wouldn't throw out that money just for fun. So you should have a legitimate economic case for paying that kind of licensing. Absolutely.

Dave Bittner: [00:06:05] Now, your research here, you go through quite a bit of detail in your threat analysis. Can you walk through some of the interesting things that you found here?

Staffan Truvé: [00:06:13] The first part is really the way it allows you to hide in different ways. So, first of all, we should say, you know, that this is based on Chromium. But of course, they've stripped out anything which calls back, for example, to Google services and so on. So, when you're using this, you could feel secure that you will not be tracked. There are no tracking mechanisms that we have found, at least in the product as such. And then the first part maybe, you know, is that you can, as I said, you can use that to essentially configure what your profile will look like, you know, what operating system, what browser, what kind of machine timezone, and so on, which you appear to be coming from when you use this. So very handy.

Staffan Truvé: [00:07:02] And you can think of one reason you want to do that is, for example, if you want to – let's say you go to the same website multiple times with short time in between and not appear to come from the same machine, then that's excellent because you can then set up so you have a new profile every time you go there. A use case for that, for example, could be if, you know, let's say that you want – you're in the business of trying to manipulate, say, customer ratings, for example. You know, you could, very easily using this tool, you could go to something like TripAdvisor or something like that, you know, a hundred times and put in new reviews, and it will look like it's different individuals putting in those reviews. That would be one simple use case for that functionality.

Dave Bittner: [00:07:44] And it has the ability to automate that, right? It's fairly easy to to spin up those – I guess to randomize those settings?

Staffan Truvé: [00:07:53] Yes. It has the ability – so essentially, what you get is that you get – even with a subscription, you get a bunch of settings, you know, so you get a bunch of profiles from scratch, but you can also add your own. That's very, very simple. And the other interesting thing, which I think is maybe the most interesting part, is that apart from being able to do this manually or semi-manually, there is also an API which you can use with Linken Sphere. So, through the API you could have a script – you know, it could be a simple Shell script or it could be a program which connects to the API and does very high volume accessing, for example.

Staffan Truvé: [00:07:53] So you could imagine if you have access to, say, leaked credentials from a website, you know, let's say you have a few thousand or hundreds of thousands of credentials for a website. And when you want to look through those to check which ones are actually valid, which you can get access with, then you could write a little program which would go through this API, have a new profile every time, and then try to get in there and you will record that. So, it's a great platform, if you like, for validating those kind of things.

Dave Bittner: [00:09:00] So, in terms of it being successful in doing what it sets out to do – in other words, this is a difficult thing to circumvent it. It's successful in making you appear as though you're coming from the things it's pretending – the settings that it's sort of randomizing.

Staffan Truvé: [00:08:30] Yes, exactly. So, I think, you know, it's – as we say, it's extremely hard to put any new kind of defense. I mean, if you look at the kind of ways that, for example, an e-commerce site, something that would try to defend against someone coming with, you know, doing multiple logins, for example. One of the few tools you have there is looking at the originating IP address or this kind of browser profiling. And since Linken Sphere can connect through a Tor network, for example, you know, it would be very hard or impossible, even, to track the IP address. In combination with the fake fingerprinting, it would be virtually impossible to defend against that kind of tool when someone's using it.

Dave Bittner: [00:10:01] Our thanks to Staffan Truvé for joining us. The research is titled, "Profiling the Linken Sphere Anti-Detection Browser." We'll have a link in the show notes.

Dave Bittner: [00:10:14] Thanks to Juniper Networks for sponsoring our show, you can learn more at, or connect with them on Twitter or Facebook.

Dave Bittner: [00:10:23] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security

Dave Bittner: [00:10:31] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing. CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.