Wait, what. Windows 10 sends info on USB devices plugged in directly to Microsoft?
And it does that using pure HTTP?
https://pastebin.com/ttYp5rLg
You gotta be kidding me.
@rysiek
As early as Windows 7, when you opened up the Devices and Printers control panel, there was an option to "Obtain device information from the internet" (or some wording to that effect) which would retrieve graphics for printers and such, so they wouldn't show up with generic icons. I wonder if this is *that*, but perhaps without asking for permission, and of course being done insecurely as it may have been all along.
Windows 7+: Device Metadata Packages Show more
Windows 7+: Device Metadata Packages / Security Show more
Windows 7+: Device Metadata Packages / Security Show more
@rysiek
It should be done by HTTPS for sure, but this feature was designed for Windows 7, which was released in 2009, and concern over HTTPS wasn't quite as mainstream until after the Snowden revelations in 2013.
There may well be an exploitable vulnerability somewhere, for all I know. However, Device Metadata Package information retrieved via WMIS is verified to have been signed by Microsoft.
- https://docs.microsoft.com/en-us/windows-hardware/drivers/install/debugging-device-metadata-packages-by-using-event-viewer