XSplit VCam May Not Be Malicious…

XSplit VCam is so weird...

But the Developers Did a Great Job Making it look like it.

I want to start out by saying I haven’t found anything explicitly wrong or malicious about XSplit VCam, so don’t sue me. What I did find is a lot of strange “telemetry” data being constantly sent by an application which I saw as a local utility. Some amount of license validation or update checks would have been totally reasonable traffic, but to that, XSplit VCam says hold my beer.

I have a Canon EOS R that I use as a webcam on my PC. Canon has a webcam utility that works for most applications, including OBS, Webex, Zoom, etc. That utility doesn't work with every application, though, so I was looking for a solution that would make my camera available elsewhere. I found a suggestion for XSplit VCam and decided to try it. It worked great!

Until the next morning, when I sat down for work, checked my home network dashboard and noticed unusual traffic from my PC, which I wasn't even using. OK, work can wait a few minutes. What has a WebSocket open to intercom.io?

PS C:\Users\dchidelf> (Get-NetTCPConnection -LocalPort 60268).OwningProcess
2948
2948

PS C:\Users\dchidelf> Get-Process -Id 2948
Handles  NPM(K)   PM(K)   WS(K)  CPU(s)    Id  SI ProcessName
-------  ------   -----   -----  ------    --  -- -----------
   1853      75  210660  211592  972.09  2948   1 XSplitVCam

This was the first slightly suspect behavior from VCam. I had closed VCam after testing it the day before, but checking my system tray showed it was still running in the background, now without its UI.

Researching intercom.io / intercom.com, I found they are a customer engagement company. Why is this virtual webcam utility perpetually connected to them, though? I could tell from the TCP/IP traffic that bytes were flowing back and forth, but since the WebSocket was carried over TLS (wss://) I couldn't tell whether they were just heartbeats keeping the socket open or real data.

My first attempt was to use WinDbg to capture the traffic from inside the application, but without source or debug symbols I could only trace it in assembly, and it had been 15 years since I had done any heavy-duty x86 assembly. I quickly gave up on that and decided to just use a man-in-the-middle proxy to capture what was being sent and received.

I set up mitmproxy and started capturing. (That this worked at all tells you something: VCam accepted mitmproxy's certificate, so it is not pinning the certificates of intercom.io or xsplit.com.) In the frames below, -> is sent by VCam and <- is the reply from Intercom.

-> {"eventName":"nx.Subscribe","nx.Topics":["*"]}

-> {"eventName":"nx.UserPresence","eventData":{"current_page":"https://xvc.apps.xsplit.com/main"}}

-> {"eventName":"nx.Ping","eventGuid":"1644524149809","eventData":{"sendTime":1644524149809,"endpoint":"https://nexus-websocket-a.intercom.io/pubsub/5-bftNubNCgNtLL9jn77U4C1_TWqY6Du455M69Nce044pYT_aijUeFKOT-X3VuX3Ccafcjs5iP0OTP6m8pXYnLz-Y8Xov1aAzHmXf0"}}

<- {"eventName":"ACK","eventData":null,"eventGuid":1644524150,"nx.Topics":null,"nx.Destination":null,"ACK":{"sendTime":1644524149809,"endpoint":"https://nexus-websocket-a.intercom.io/pubsub/5-bftNubNCgNtLL9jn77U4C1_TWqY6Du455M69Nce044pYT_aijUeFKOT-X3VuX3Ccafcjs5iP0OTP6m8pXYnLz-Y8Xov1aAzHmXf0"}}

The WebSocket to intercom.io subscribes to all topics ("*"), sends a UserPresence message every minute or so, and sends a Ping every couple of minutes whose eventGuid is just the send time in milliseconds and whose payload names a pubsub endpoint URL carrying a long opaque token; each Ping gets an ACK back. This may all just be metrics on how many users are actively using the product at any given time, but a client that subscribes to every topic on a channel a third party can push to feels very "Command and Control." For what it's worth, nexus-websocket-*.intercom.io is the real-time channel used by Intercom's in-app Messenger widget, and the current_page value being a web URL (https://xvc.apps.xsplit.com/main) suggests the VCam UI is a web view that embeds that widget.

Besides the WebSocket to intercom.io, VCam also periodically "fetches a gif" from www.xsplit.com. I put "fetches a gif" in quotes because the response is only nominally an image: the content type is image/gif and the body is a single-pixel GIF with a valid header. This is the standard web-analytics tracking-pixel pattern, in which the image is a throwaway and the request that fetches it is the report. Making it look like an image fetch could also just be a way to avoid getting flagged by monitoring software. The real goal is to report data back to XSplit, including the source camera, GPU, screen resolution, and the application using the virtual camera.
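As an added example (not XSplit's code and not the capture from this post), here is a mitmproxy addon that automates the two checks above. It summarizes the WebSocket event names seen per host together with their median inter-message interval, so fixed-cadence keep-alives like nx.UserPresence and nx.Ping can be told apart from ad-hoc traffic, and it flags HTTP responses that are 1x1 GIFs and logs the query string of the request that fetched them, since that query string is where a pixel beacon carries its report. The helper functions have no mitmproxy dependency, so they also run stand-alone; the timestamps, the beacon URL and the field names in the demo at the bottom are constructed for illustration, as the real beacon URL and fields are not in the post.

```python
"""mitmproxy addon: catalogue an application's background chatter.

Added example, not XSplit's code and not the capture from the post.
Load it with:  mitmdump -s vcam_chatter.py
The helpers below do not import mitmproxy, so they run stand-alone too.
"""
import json
import logging
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

log = logging.getLogger(__name__)
GIF_MAGIC = (b"GIF87a", b"GIF89a")


def ws_event_name(payload: bytes) -> str:
    """eventName of a JSON WebSocket frame, or a marker for anything else."""
    try:
        obj = json.loads(payload)
    except (ValueError, UnicodeDecodeError):
        return "<non-json>"
    if not isinstance(obj, dict):
        return "<non-object>"
    return str(obj.get("eventName", "<no-eventName>"))


def summarize_ws(frames):
    """frames: iterable of (timestamp_seconds, from_client, payload_bytes).

    Returns {eventName: {"count", "direction", "median_interval_s"}}.
    A client-originated event on a steady interval with a matching server
    reply looks like a keep-alive; anything else deserves a closer look.
    """
    stamps, direction = defaultdict(list), {}
    for ts, from_client, payload in frames:
        name = ws_event_name(payload)
        stamps[name].append(ts)
        direction[name] = "client" if from_client else "server"
    summary = {}
    for name, ts_list in stamps.items():
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        median = sorted(gaps)[len(gaps) // 2] if gaps else None
        summary[name] = {"count": len(ts_list), "direction": direction[name],
                         "median_interval_s": median}
    return summary


def is_tracking_pixel(content_type: str, body: bytes) -> bool:
    """True for a 1x1 GIF served as image/gif: the classic beacon response.

    GIF header: 6-byte signature, then width and height as little-endian uint16.
    """
    if not content_type or not content_type.lower().startswith("image/gif"):
        return False
    if len(body) < 10 or body[:6] not in GIF_MAGIC:
        return False
    width = int.from_bytes(body[6:8], "little")
    height = int.from_bytes(body[8:10], "little")
    return width == 1 and height == 1


def beacon_params(url: str) -> dict:
    """A pixel beacon's report rides in the request URL; return its query string."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


class ChatterLogger:
    """mitmproxy addon. Hooks are discovered by method name; no base class needed."""

    def __init__(self):
        self.ws_frames = defaultdict(list)  # host -> [(ts, from_client, bytes)]

    def websocket_message(self, flow):
        msg = flow.websocket.messages[-1]  # the frame that just arrived
        host = flow.request.pretty_host
        self.ws_frames[host].append((msg.timestamp, msg.from_client, msg.content))
        arrow = "->" if msg.from_client else "<-"
        log.info("WS %s %s %s", host, arrow, ws_event_name(msg.content))

    def response(self, flow):
        ctype = flow.response.headers.get("content-type", "")
        if is_tracking_pixel(ctype, flow.response.content):
            log.warning("pixel beacon to %s: %s", flow.request.pretty_host,
                        beacon_params(flow.request.pretty_url))

    def done(self):  # runs at shutdown: per-host cadence summary
        for host, frames in self.ws_frames.items():
            log.info("%s: %s", host, summarize_ws(frames))


addons = [ChatterLogger()]

if __name__ == "__main__":
    # Constructed demo: the three frame types from the post with made-up
    # timestamps (presence every 60 s, ping every 120 s).
    demo = [
        (0.0, True, b'{"eventName":"nx.Subscribe","nx.Topics":["*"]}'),
        (1.0, True, b'{"eventName":"nx.UserPresence","eventData":{}}'),
        (5.0, True, b'{"eventName":"nx.Ping","eventGuid":"1"}'),
        (5.2, False, b'{"eventName":"ACK","eventData":null}'),
        (61.0, True, b'{"eventName":"nx.UserPresence","eventData":{}}'),
        (121.0, True, b'{"eventName":"nx.UserPresence","eventData":{}}'),
        (125.0, True, b'{"eventName":"nx.Ping","eventGuid":"2"}'),
        (125.3, False, b'{"eventName":"ACK","eventData":null}'),
    ]
    print(summarize_ws(demo))
    # Constructed beacon URL; the real path and field names are not in the post.
    print(beacon_params("https://www.example.com/pixel.gif?camera=Canon+EOS+R&app=obs64.exe"))
```

Run it with mitmdump -s vcam_chatter.py while the application is routed through the proxy; the per-host summary is printed when mitmdump exits. mitmproxy 9 and later route Python's standard logging module into their event log, so the addon uses logging rather than the older ctx.log API. The median interval is used instead of the mean so that one long gap (a laptop sleeping, a reconnect) doesn't hide an otherwise steady cadence.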

I captured data for about a 24-hour period and didn't catch anything outside of the information I listed above, but I am still very suspicious of the product. If anyone has noticed any other data being transmitted, or is familiar with the intercom.io products, please let me know. I'd be very interested in what others have seen with XSplit VCam.