What did a IoT device do on my network?

Sam Thorogood on June 08, 2019

Note: An update is coming Wednesday, June 12th! I quite literally don't know the answer yet and I am busy wrangling a new baby. 👶 In May, I bought...

Well, if I never hear from you again, I'll assume it's the Illuminati.


Maybe it might help to install Wireshark and capture what is uploaded for 10 or 30 mins or 1h?

It might be your program's data upload interval, which you might be sending at a higher frequency.


Maybe it's recording and sending your voice notes and surrounding sounds to its server, where the company that has built this device is using these voice notes and sounds as a data set for machine learning. Anything is possible.👍😉


You found it! You found it! Hillary's email server.

I bought a webcam from Wish.com and I noticed higher than normal activity and found it had secondary settings for a cloud service (?) which were not in the docs. Probably someplace in China. I completely wiped its memory. Have you checked the network settings to see if it is "phoning home" (E.T. movie)?


Maybe it converts excess solar-electrical energy into data and transfers it offsite for storage.


Lol oh if only. Then we could generate as much as we wanted to just be sending copies back out.


On Linux, I like etherape or ntop-ng for this many times. And as many said, Wireshark or tcpdump. See if you can find the DNS requests to which domains it's accessing.


It might have its network adapter set to promiscuous mode, and be mirroring all network traffic it can see on the network to some host somewhere in case it gets unsecured http requests?

On a less malicious note, maybe it has cloud log reporting, and the developer left it on trace mode by mistake?

As others have said, put Wireshark on it (but possibly not while connected to the internet, just look at the DNS requests).


What other programs are exposed to the network on the device? Knowing only SSH, you may want to confirm whether CVE-2018-10933 is unpatched on that distro.
libssh.org/security/advisories/CVE...


The device isn't specifically exposed to the internet (it's behind DHCP and I didn't forward ports to it). It does have an IPv6 address, but Google WiFi blocks all incoming IPv6 connections by default.


It seems like every iPhone I've ever had seemed to upload a lot as well, even when it was new. While I don't have any way of verifying what was being uploaded, I know there weren't any photos, apps, or music to back up. So why would it be uploading so much data? In any case, I'd be very leery of a device that costs $10 or $1,000 that is uploading gigabytes of data in a quarter of a day. There's no obvious or good purpose for such an action.


Your best bet is to use Charles or Wireshark to see where traffic is going to, but, depending on how chatty the device is, this can happen. The strange thing here is that, even if it was sending a message every second, that is a very large message.


If you do the math, 4.6 GB over 6 hours:

4823449.6 KB / 21600 seconds = 223 KB/sec

4.6 GB x 4 x 30 days = 552 GB per month

That would be about half your allocated bandwidth as a Comcast customer.

But since we're being optimistic, I was thinking that it was downloading updates to keep it and your network safe. But that's upload.

Okay, my last guess would be it's using spare compute and sending up calculations to determine if there is life.

I give up.


For what it's worth, it was basically saturating my upload (which is about 2 Mbit—I was approximating—so ~200 KB/sec).

I had a friend suggest compute too. But considering the board and chip cost $10, I can't imagine what it could compute with its tiny, tiny ARM CPU :-)


I would personally sniff the packets sent by the device (using Wireshark, preferably).


I wonder how different that number would've been with a pi-hole.


What is your upload interval... every nanosecond?


Time to place it on its network segment, and run it through pihole.


Can you see the destination URL in the logs in the http logs folder?

/var/log/httpd/error_log
/var/log/apache2/error.log
/var/log/httpd-error.log


Sadly no :(

I've had the device on tcpdump for the last week and all it's doing is DHCP packets, Canonical/Ubuntu updates, and a bit of other, totally plausible noise.

I'm also still poking around on its drive to see what it could have been set up to do. I'm still cautiously optimistic I'll find something (I actually have a second fresh device that I bought at the same time I might also poke at), but not sure when I'll have more data.
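Several comments above suggest the same triage: put tcpdump or Wireshark on the device, then look at which destinations receive the bytes and which DNS names it resolves. The script below is an added example, not code from the post or from anyone in the thread; it reads `tcpdump -nn -tt` text output, assumes a hypothetical device address of 192.168.86.42, and ranks destinations by payload bytes the device sent alongside the names it queried. The capture lines are constructed and use documentation address ranges.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -nn -tt` output for one device (hypothetical
# address 192.168.86.42); destinations are documentation ranges, not real hosts.
DEVICE_IP = "192.168.86.42"
SAMPLE = """\
1560000000.000100 IP 192.168.86.42.40123 > 192.168.86.1.53: 4321+ A? archive.ubuntu.com. (36)
1560000000.010000 IP 192.168.86.42.40124 > 192.168.86.1.53: 4322+ A? ingest.example.net. (38)
1560000000.100000 IP 192.168.86.42.51000 > 203.0.113.10.443: Flags [P.], seq 1:1449, ack 1, win 501, length 1448
1560000000.110000 IP 192.168.86.42.51000 > 203.0.113.10.443: Flags [P.], seq 1449:2897, ack 1, win 501, length 1448
1560000000.120000 IP 203.0.113.10.443 > 192.168.86.42.51000: Flags [.], ack 2897, win 1000, length 0
1560000000.500000 IP 192.168.86.42.51002 > 198.51.100.5.80: Flags [P.], seq 1:201, ack 1, win 501, length 200
1560000006.100000 IP 192.168.86.42.51000 > 203.0.113.10.443: Flags [P.], seq 2897:4345, ack 1, win 501, length 1448
"""
LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+) IP (?P<src>[\d.]+)\.\d+ > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$")
DNS_RE = re.compile(r"\b(?:A|AAAA)\? (?P<name>\S+) \(\d+\)")   # e.g. "A? host.example. (36)"
LEN_RE = re.compile(r"length (?P<len>\d+)")                    # TCP payload length in bytes

def summarize(text, device_ip=DEVICE_IP):
    """Count payload bytes the device sent per destination, and the names it resolved."""
    uploads = defaultdict(lambda: {"bytes": 0, "first": None, "last": None})
    dns = defaultdict(int)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["src"] != device_ip:      # keep only packets leaving the device
            continue
        ts = float(m["ts"])
        q = DNS_RE.search(m["rest"])
        if q:                                    # a DNS query: record the name, not bytes
            dns[q["name"].rstrip(".")] += 1
            continue
        n = LEN_RE.search(m["rest"])
        if not n:
            continue
        e = uploads[f'{m["dst"]}:{m["dport"]}']
        e["bytes"] += int(n["len"])
        e["first"] = ts if e["first"] is None else min(e["first"], ts)
        e["last"] = ts if e["last"] is None else max(e["last"], ts)
    return uploads, dict(dns)

def rank_destinations(uploads):
    """(dst, bytes, share %, avg KB/s over the window seen), largest sender first."""
    total = sum(e["bytes"] for e in uploads.values()) or 1
    rows = []
    for dst, e in uploads.items():
        window = max(e["last"] - e["first"], 1.0)  # treat sub-second bursts as 1 s
        rows.append((dst, e["bytes"], round(100 * e["bytes"] / total, 1), round(e["bytes"] / 1024 / window, 1)))
    return sorted(rows, key=lambda r: -r[1])
```

On a real week-long capture, the top row of `rank_destinations` is the host to cross-check against the DNS names and against the device's own configuration.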
