NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.

Forum Discussion

OliverWhite's avatar
OliverWhite
Aspirant
Dec 14, 2017
Solved

WAN access to LAN smart plugs

I recently purchased VRLIFE,Smart Plug smart plugs to use with Google assistant and Google Home. I was suprised that I can control the smart plug when I am outside my home wireless network.   How d...
Features
Hardware
Smart Plugs
  • antinode's avatar
    antinode
    Dec 14, 2017

    > How do my smart plug commands travel from the WAN through my router's
    > firewall to my home LAN? I have not opened ports for any traffic to the
    > smart plug private IP addresses.

       I know nothing about the "VRLIFE,Smart Plug", but I have played
    around a little with Wireshark to observe an Orvibo S20 "smart socket",
    which, I'd guess, operates similarly.  It's a clever/sneaky scheme.

       When an Orvibo S20 connects to a wireless network, it sends a DNS
    query about "homemate.orvibo.com" to a specific name-server IP address
    (168.95.192.1 = hntp1.hinet.net), which returns the address of some
    amazonaws.com rent-a-server (hired by Orvibo, I assume).  Then the S20
    socket opens a TCP connection to the AWS server (at port 10001).

       If you want to switch on your desk lamp at home when you're on the
    other side of the planet with your pad/phone app, all the app needs to
    do is contact the same AWS server, which can forward a message to the
    S20 socket using the connection which the S20 socket previously
    established to the AWS server.

       The advantage to a scheme like this is that the S20 socket creates an
    outgoing connection to the AWS server, which is handled by the wireless
    router's ordinary NAT functionality.  This way, there's no need to
    arrange any port forwarding, which would be needed to handle an incoming
    connection from the outside world (from the pad/phone app directly).

       Because of the fixed-address quality of the initial DNS query, it's
    hard to confuse/hijack the little fellow by providing it with a
    (malicious) do-it-yourself DNS server.

       Your gizmo's details may differ, but I'd bet (a small sum) that all
    these Internet-of-Junk gizmos work about the same way for this

    capability.

antinode's avatar
antinode
Guru
Dec 14, 2017

> How do my smart plug commands travel from the WAN through my router's
> firewall to my home LAN? I have not opened ports for any traffic to the
> smart plug private IP addresses.

   I know nothing about the "VRLIFE,Smart Plug", but I have played
around a little with Wireshark to observe an Orvibo S20 "smart socket",
which, I'd guess, operates similarly.  It's a clever/sneaky scheme.

   When an Orvibo S20 connects to a wireless network, it sends a DNS
query about "homemate.orvibo.com" to a specific name-server IP address
(168.95.192.1 = hntp1.hinet.net), which returns the address of some
amazonaws.com rent-a-server (hired by Orvibo, I assume).  Then the S20
socket opens a TCP connection to the AWS server (at port 10001).

   If you want to switch on your desk lamp at home when you're on the
other side of the planet with your pad/phone app, all the app needs to
do is contact the same AWS server, which can forward a message to the
S20 socket using the connection which the S20 socket previously
established to the AWS server.

   The advantage to a scheme like this is that the S20 socket creates an
outgoing connection to the AWS server, which is handled by the wireless
router's ordinary NAT functionality.  This way, there's no need to
arrange any port forwarding, which would be needed to handle an incoming
connection from the outside world (from the pad/phone app directly).

   Because of the fixed-address quality of the initial DNS query, it's
hard to confuse/hijack the little fellow by providing it with a
(malicious) do-it-yourself DNS server.

   Your gizmo's details may differ, but I'd bet (a small sum) that all
these Internet-of-Junk gizmos work about the same way for this

capability.

OliverWhite's avatar
OliverWhite
Aspirant
Dec 14, 2017

Thank you for sharing your findings! I was surprised that I couldn't find an explanation on the web.

  • antinode's avatar
    antinode
    Guru
    Dec 14, 2017

    > [...] I was surprised that I couldn't find an explanation on the web.

       Similar here.  I was fiddling around with a portable C program to
    deal with the Orvibo S20 (http://antinode.info/orvl/), and easily found
    some existing reverse-engineering documents on it
    (http://pastebin.com/LfUhsbcS), but I saw nothing anywhere about its
    remote operation.  I had little interest in using that feature, but,
    like you, I wondered how it could be done without explicit port
    forwarding.  No one mentioned UPnP, and I have that disabled, so that
    seemed unlikely to be the scheme.  It was a mystery.

       Then, one day, I had Wireshark recording when I powered up one of the
    things, and I saw a few unexpected packets flying thither and hither
    before I did anything.  After a little bit of decoding, it all made
    sense.  As I recall, there are some heartbeat packets exchanged
    periodically between the gizmo and the AWS server, too.  Some day, when
    I get bored enough, I may write it up and include the info with the ORVL
    docs.  But I wouldn't hold my breath.

       I find it a bit scary to think of all the stuff that such gizmos do
    behind my back, largely out of my control.  Presumably, a competent
    firewall could block some or all of this stuff, but any normal user
    (especially one who really wants that remote-operation feature) will
    simply leave these devices to their own devices.

       When Russian hackers start cycling the power on my old backup tape

    drives, I'll be plenty annoyed.