
Forum Discussion

OliverWhite
Aspirant
Dec 14, 2017
Solved

WAN access to LAN smart plugs

I recently purchased VRLIFE,Smart Plug smart plugs to use with Google assistant and Google Home. I was surprised that I can control the smart plug when I am outside my home wireless network.

How do my smart plug commands travel from the WAN through my router's firewall to my home LAN? I have not opened ports for any traffic to the smart plug private IP addresses.

Thank you for any information that you can provide! If I am missing the obvious, I apologize.

3 Replies

  • > How do my smart plug commands travel from the WAN through my router's
    > firewall to my home LAN? I have not opened ports for any traffic to the
    > smart plug private IP addresses.

       I know nothing about the "VRLIFE,Smart Plug", but I have played
    around a little with Wireshark to observe an Orvibo S20 "smart socket",
    which, I'd guess, operates similarly.  It's a clever/sneaky scheme.

       When an Orvibo S20 connects to a wireless network, it sends a DNS
    query about "homemate.orvibo.com" to a specific name-server IP address
    (168.95.192.1 = hntp1.hinet.net), which returns the address of some
    amazonaws.com rent-a-server (hired by Orvibo, I assume).  Then the S20
    socket opens a TCP connection to the AWS server (at port 10001).

       If you want to switch on your desk lamp at home when you're on the
    other side of the planet with your pad/phone app, all the app needs to
    do is contact the same AWS server, which can forward a message to the
    S20 socket using the connection which the S20 socket previously
    established to the AWS server.

       The advantage to a scheme like this is that the S20 socket creates an
    outgoing connection to the AWS server, which is handled by the wireless
    router's ordinary NAT functionality.  This way, there's no need to
    arrange any port forwarding, which would be needed to handle an incoming
    connection from the outside world (from the pad/phone app directly).

       Because of the fixed-address quality of the initial DNS query, it's
    hard to confuse/hijack the little fellow by providing it with a
    (malicious) do-it-yourself DNS server.

       Your gizmo's details may differ, but I'd bet (a small sum) that all
    these Internet-of-Junk gizmos work about the same way for this
    capability.
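The scheme described in this reply (plug opens an outbound connection to the vendor's server; the app sends its command to that server, which pushes it down the plug's existing connection) as a runnable sketch. This is an added example, not code from the thread or from Orvibo: the relay, the "HELLO <id>" registration message, the reply format and the loopback ports are all constructed stand-ins, so the only real-world element is the direction of the connections.

```python
import socket
import threading

PLUGS = {}  # plug id -> the socket that the PLUG opened outbound to the relay

def _listen():
    # Ephemeral loopback port: runs offline and never collides with a real service.
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen()
    return s, s.getsockname()[1]

def register_plug(ls):
    # Relay side of the plug's outbound link: keep the connection, keyed by id.
    conn, _ = ls.accept()
    PLUGS[conn.recv(64).decode().split()[1]] = conn  # first message: "HELLO <id>"

def serve_apps(ls):
    # Relay side for the app: push each command down the plug's own connection.
    while True:
        conn, _ = ls.accept()
        target, cmd = conn.recv(64).decode().split(None, 1)
        plug = PLUGS.get(target)
        if plug is None:
            conn.sendall(b"NO_SUCH_PLUG")  # nothing registered under that id
        else:
            plug.sendall(cmd.encode())  # no inbound port on the LAN was needed
            conn.sendall(plug.recv(64))  # hand the plug's reply back to the app
        conn.close()

def plug_session(port, plug_id):
    # The plug: ONE outbound TCP connection (plain NAT allows it), then it waits
    # for commands on that same connection and returns the one it received.
    with socket.create_connection(("127.0.0.1", port)) as s:
        s.sendall(f"HELLO {plug_id}".encode())
        cmd = s.recv(64).decode()
        s.sendall(f"ACK {cmd}".encode())
    return cmd

def demo(cmd="ON", target="plug1"):
    # Start the constructed 'cloud', let plug1 register, then act as the phone app.
    (plug_ls, pport), (app_ls, aport) = _listen(), _listen()
    seen = []
    pl = threading.Thread(target=lambda: seen.append(plug_session(pport, "plug1")), daemon=True)
    pl.start()
    register_plug(plug_ls)  # blocks until plug1's HELLO has arrived
    threading.Thread(target=serve_apps, args=(app_ls,), daemon=True).start()
    with socket.create_connection(("127.0.0.1", aport)) as app:
        app.sendall(f"{target} {cmd}".encode())  # the app never sees the plug's LAN IP
        reply = app.recv(64).decode()
    pl.join(2)  # times out (plug still waiting) when the relay had no such plug
    return (seen[0] if seen else None), reply
```

`demo()` returns the command the plug received and the reply the app got back; asking for an unregistered plug id shows the relay has nothing to forward to.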

    •
      OliverWhite
      Aspirant

      Thank you for sharing your findings! I was surprised that I couldn't find an explanation on the web.

      •
        antinode
        Guru

        > [...] I was surprised that I couldn't find an explanation on the web.

           Similar here.  I was fiddling around with a portable C program to
        deal with the Orvibo S20 (http://antinode.info/orvl/), and easily found
        some existing reverse-engineering documents on it
        (http://pastebin.com/LfUhsbcS), but I saw nothing anywhere about its
        remote operation.  I had little interest in using that feature, but,
        like you, I wondered how it could be done without explicit port
        forwarding.  No one mentioned UPnP, and I have that disabled, so that
        seemed unlikely to be the scheme.  It was a mystery.

           Then, one day, I had Wireshark recording when I powered up one of the
        things, and I saw a few unexpected packets flying thither and hither
        before I did anything.  After a little bit of decoding, it all made
        sense.  As I recall, there are some heartbeat packets exchanged
        periodically between the gizmo and the AWS server, too.  Some day, when
        I get bored enough, I may write it up and include the info with the ORVL
        docs.  But I wouldn't hold my breath.

           I find it a bit scary to think of all the stuff that such gizmos do
        behind my back, largely out of my control.  Presumably, a competent
        firewall could block some or all of this stuff, but any normal user
        (especially one who really wants that remote-operation feature) will
        simply leave these devices to their own devices.

           When Russian hackers start cycling the power on my old backup tape
        drives, I'll be plenty annoyed.
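The remark above that a competent firewall could block some of this traffic suggests a check a home-network defender can actually run. This is an added example, not from the thread: a small Python audit over constructed flow records (only the 168.95.192.1 resolver and port 10001 come from the thread; every other address and the record format are made up) that flags LAN hosts which send DNS past the router's resolver or hold a long-lived outbound TCP session to a public host on an unusual port, the two traits of the relay scheme.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records ("ts src dst dport proto duration_s"): 192.168.1.42
# is the plug, 192.168.1.10 a laptop. 168.95.192.1 and port 10001 come from
# the thread; 198.51.100.7 and 203.0.113.5 are documentation addresses standing
# in for the vendor's AWS host and an ordinary HTTPS site.
SAMPLE_FLOWS = """\
2017-12-14T08:00:01 192.168.1.42 168.95.192.1 53 udp 0
2017-12-14T08:00:02 192.168.1.42 198.51.100.7 10001 tcp 86400
2017-12-14T08:00:05 192.168.1.10 192.168.1.1 53 udp 0
2017-12-14T08:00:06 192.168.1.10 203.0.113.5 443 tcp 12
2017-12-14T08:00:09 192.168.1.42 198.51.100.7 10001 tcp 86400
"""
LAN_RESOLVER = "192.168.1.1"  # the router: the only DNS server LAN hosts should use
LONG_LIVED_S = 600            # an outbound session held this long looks like a relay link
COMMON_PORTS = {80, 443, 123}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_lan(addr):
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)

def parse_flows(text):
    flows = []
    for line in text.splitlines():
        ts, src, dst, dport, proto, dur = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport),
                      "proto": proto, "dur": int(dur)})
    return flows

def audit(flows, lan_resolver=LAN_RESOLVER):
    """Return {lan_host: [finding, ...]} for the two traits of the relay scheme:
    DNS sent past the local resolver, and a persistent outbound TCP session to
    a public host on an unusual port (the plug's 'phone home' channel)."""
    found = defaultdict(set)  # a set, so repeated flows yield one finding
    for f in flows:
        if f["dport"] == 53 and f["dst"] != lan_resolver:
            found[f["src"]].add(f"bypasses LAN resolver, queries {f['dst']}")
        elif is_lan(f["dst"]):
            continue  # ordinary LAN-internal traffic
        elif f["proto"] == "tcp" and f["dur"] >= LONG_LIVED_S and f["dport"] not in COMMON_PORTS:
            found[f["src"]].add(f"holds {f['dur']}s outbound TCP to {f['dst']}:{f['dport']}")
    return {host: sorted(v) for host, v in found.items()}

if __name__ == "__main__":
    for host, notes in audit(parse_flows(SAMPLE_FLOWS)).items():
        print(host, "->", "; ".join(notes))
```

On the sample only the plug is reported, for both the resolver bypass and the persistent port-10001 session; the laptop's traffic stays quiet.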