I have this old TP-Link smart lightbulb, it’s the only thing that’s IoT and on WiFi in my house.

Looking through pfBlocker logs for fun, and noticed it’s been trying to connect to the Tor network.

Oh! Also, it’s been uploading and downloading 100+ MB of data a day.

  • StarkZarn@infosec.pub
    link
    fedilink
    English
    arrow-up
    111
    arrow-down
    1
    ·
    9 months ago

    It’s just an NTP pool. The device is trying to update it’s time. Likely it made many other requests to other servers when this one didn’t work.

    Maintaining up to date lists of anything is a game of whack a mole, so you’re always going to get weird results.

    If you’re actually unsure, pcap the traffic on your pfsense box and see for yourself. NTP is an unencrypted protocol, so tshark or Wireshark will have no problem telling you all about it.

    That said, I’d still agree with the other poster about local integration with home assistant and just block that sucker from the Internet.

    • MonkderZweite@feddit.ch
      link
      fedilink
      arrow-up
      3
      ·
      9 months ago

      NTP is an unencrypted protocol, so tshark or Wireshark will have no problem telling you all about it.

      Wait, it is? Pretty sure chrony.conf has some auth stuff in it.

    • czardestructo@lemmy.world
      link
      fedilink
      arrow-up
      3
      ·
      9 months ago

      Agreed. To add to this because the traffic is being blocked it keeps retrying so it’s inflating the traffic size. I have about 14 tplink WiFi switches on a vlan and my pfsense rule for NTP is less than 6 megabytes. OP is conflating legitimate NTP traffic with Tor.

    • lemming741@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      ·
      edit-2
      9 months ago

      Similar to forwarding all DNS traffic to my pihole, I also forward 123 to the opnsense NTP server.

  • Auzy@beehaw.org
    link
    fedilink
    arrow-up
    38
    ·
    edit-2
    9 months ago

    Egh… More bad info. Seems to be prolific here on Lemmy

    And yeah, definitely not Tor (I happen to know the TPLink KASA HS100 protocol too). The chip running on them wouldn’t even have sufficient resources to run tor more likely lol

    Plus, as others have said, port 123 is NTP

      • Auzy@beehaw.org
        link
        fedilink
        arrow-up
        3
        ·
        edit-2
        9 months ago

        How do you know it is? Dpi is often wrong about both protocol. And size

        123 isn’t the normal protocol though, so let’s assume it is malicious (I will admit I could be wrong here). Packet dumps is the way to prove it. If op posts packet dumps, that would be useful (as I could be wrong, the normal protocol is a different port generally though).

        Also, important to note that if they’re uk hs100 plugs, they have different firmware too… The UK ones have one of the protocols shut off

        • ReversalHatchery@beehaw.org
          link
          fedilink
          arrow-up
          2
          ·
          9 months ago

          How do you know it is? Dpi is often wrong about both protocol.

          I didn’t mean to say that. My point wanted to be that it is a bit too much traffic for it to be honest NTP traffic (as it was assumed above), unless the program sending it has a honest bug

          • Auzy@beehaw.org
            link
            fedilink
            arrow-up
            1
            arrow-down
            1
            ·
            9 months ago

            Dpi on these cheap routers sometimes often doesn’t even calculate the data downloaded correctly. Ie, we can’t even rely on the 100mb figure

            • ReversalHatchery@beehaw.org
              link
              fedilink
              arrow-up
              2
              ·
              9 months ago

              I’m a little confused. Why do you think this is a cheap router?
              As I know pfBlocker is a component of the pfSense firewall OS, and if OP runs that on their router, it must almost certainly be an x86 machine and have much more RAM than the amount that cheap routers have, according to the minimum reqs.

      • jeansburger@lemmy.world
        link
        fedilink
        arrow-up
        2
        arrow-down
        7
        ·
        9 months ago

        It’s been hacked, the light bulb is likely part of some botnet or under an attacker’s control directly. Which is why it’s sending that much data continuously. IoT/smart devices don’t send a lot of data in this sort of volume as most of the time they’re idle and maybe send a heartbeat or status update every once in a while to prove they’re alive.

        This is what is called an indicator of compromise or IoC, it’s some behavior or pattern that can be used to determine what is happening or who is the one doing the attacking.

        Likely OP would need to do some analysis to be able to get attribution unless it’s a very well known botnet actor in which case attribution is fairly straightforward.

          • jeansburger@lemmy.world
            link
            fedilink
            arrow-up
            1
            arrow-down
            2
            ·
            9 months ago

            You’re aware that you can send whatever traffic you want over any port right? Using 123/udp for NTP is just convention. A light bulb that is updating its time over Tor is suspect. TP-Link would have their own infrastructure or use public pools to update the device’s time.

            • wahming@monyet.cc
              link
              fedilink
              English
              arrow-up
              2
              ·
              9 months ago

              The Tor analysis is suspect in the first place. The whole thing is much ado over nothing.

  • mozz@mbin.grits.dev
    link
    fedilink
    arrow-up
    27
    arrow-down
    2
    ·
    9 months ago

    You’re the one that connected an impossible-to-security-update device to the internet. You can do plenty of home automation without it needing to be that way, if you’re open to a little more setup being involved in the process.

    • errorlab@lemm.eeOP
      link
      fedilink
      English
      arrow-up
      21
      arrow-down
      4
      ·
      9 months ago

      It’s on it’s own VLAN from the beginning. Wanted to poke around but never got to it.

      I still have it connected, want to use for practice.

      • henfredemars@infosec.pub
        link
        fedilink
        English
        arrow-up
        7
        arrow-down
        1
        ·
        edit-2
        9 months ago

        Good on you. I use the poor man’s VLAN–guest Wi-Fi network to isolate my IoT devices.

        • errorlab@lemm.eeOP
          link
          fedilink
          English
          arrow-up
          7
          arrow-down
          2
          ·
          9 months ago

          Will do. It’s part of a long list.

          Don’t know my ADHD will hyper focus on it tho haha

      • mozz@mbin.grits.dev
        link
        fedilink
        arrow-up
        3
        arrow-down
        4
        ·
        9 months ago

        I have no idea of all the details, but in legal terms this is called “res ipsa loquitur” – in this case, the fact that it clearly seems compromised is pretty solid evidence that it wasn’t immune to compromise.

        • errorlab@lemm.eeOP
          link
          fedilink
          English
          arrow-up
          4
          arrow-down
          1
          ·
          9 months ago

          Expected since TP-Link stopped updating them shortly after release.

  • Chozo@kbin.social
    link
    fedilink
    arrow-up
    12
    arrow-down
    1
    ·
    9 months ago

    Your house heard about the dark web and thought it needed some light.

    • henfredemars@infosec.pub
      link
      fedilink
      English
      arrow-up
      7
      ·
      edit-2
      9 months ago

      I went to ask nicely for help from their support department and got a development build for one of their routers. Not only was it an ancient version of OpenWRT with the myriad of unpatched vulnerabilities, but it had absolutely dumb/weird configurations like the Wi-Fi password being a user account password exposed to a patched up SSH daemon with shell /bin/false. Just a whole lot of why and an obvious lack of care put into the software.

      Their devices function… Most of the time. That’s about all that’s redeeming.

    • Auzy@beehaw.org
      link
      fedilink
      arrow-up
      2
      ·
      9 months ago

      This is a TPLink KASA plug. I wouldn’t touch their routers but their smart home equipment actually isn’t bad…

  • khannie@lemmy.world
    link
    fedilink
    English
    arrow-up
    9
    arrow-down
    1
    ·
    9 months ago

    That’s really odd. For what it’s worth though, the company I work for does firmware updates over a Tor hidden service for customer privacy. We don’t send any data though (as that would defeat the purpose entirely), just poll for updates then download and install if there are any.

  • Haystack@lemmy.world
    link
    fedilink
    English
    arrow-up
    8
    arrow-down
    1
    ·
    9 months ago

    Fwiw the TP link bulbs usually have a local API that Home Assistant has an integration for. You can use that and block their internet access - unless they’ve removed that feature. I only used one of these briefly because someone gave it to me. Usually just use cheap ZigBee bulbs. I would throw that one out though as someone else said it’s likely been compromised already…

    • errorlab@lemm.eeOP
      link
      fedilink
      English
      arrow-up
      3
      arrow-down
      1
      ·
      9 months ago

      I’m all in on ZigBee and z-wave. The bulb is isolated, don’t even know my app login.

      Do you mind sharing what ZigBee lightbulbs you recommend?

      • Flying_Hellfish@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        edit-2
        9 months ago

        The zigbee bulbs I’ve had the best luck with are Innr, although they are kind of pricy. Ikea bulbs are good for the price, but every one I have, has very loud coil whine when off. I had some on bedside stands and had to move them to other rooms. Sengled are nice when they work, I’ve had issues with them dropping off my network.

        Both Ikea and Innr are also repeaters, Sengled does not do repeaters in their bulbs. Neither Ikea or Innr are exactly cheap, but they’ve been the most solid for me.

  • ShortN0te@lemmy.ml
    link
    fedilink
    arrow-up
    3
    ·
    9 months ago

    Thats why my Smart Home is build on Zigbee. (Yeah VLANs and so on, but so many clients still makes your wifi worse)

    • Bizarroland@kbin.social
      link
      fedilink
      arrow-up
      2
      ·
      9 months ago

      I’m installing a new Wi-Fi setup soon and I will be putting all of my iot devices on an iot network that is segmented from my main wifi.

      I will also be jailbreaking them from tuya and running a local home assistant.

      Bit of a hassle but it’s a fun experiment to get my “smart” home set up just for me.

      • ShortN0te@lemmy.ml
        link
        fedilink
        arrow-up
        1
        ·
        9 months ago

        The thing is it still impacts the other Wifi Channels and Networks (or at least those on the same band, guessing mist IoT uses 2.4GHz) even tho other Channels are used.

        But, i see the appeal, since most smart home devices you can get cheap are Wifi connected. Hope that changes with the ESP32-H2 and -C6. Those are relatively recently released.

        Wifi is just such a heavy proticol for just sending sensor data and some commands around, imho.

        • Bizarroland@kbin.social
          link
          fedilink
          arrow-up
          1
          ·
          9 months ago

          It doesn’t affect it that much. It’s very easy to separate out the bands and to put your iot devices far away from your regular Internet devices.