This topic has been marked solved and closed to new posts due to inactivity. We hope you'll join the conversation by posting to an open topic or starting a new one.
I recently purchased VRLIFE,Smart Plug smart plugs to use with Google assistant and Google Home. I was suprised that I can control the smart plug when I am outside my home wireless network.
How do my smart plug commands travel from the WAN through my router's firewall to my home LAN? I have not opened ports for any traffic to the smart plug private IP addresses.
Thank you for any information that you can provide! If I am missing the obvious, I apologize.
> How do my smart plug commands travel from the WAN through my router's > firewall to my home LAN? I have not opened ports for any traffic to the > smart plug private IP addresses.
I know nothing about the "VRLIFE,Smart Plug", but I have played around a little with Wireshark to observe an Orvibo S20 "smart socket", which, I'd guess, operates similarly. It's a clever/sneaky scheme.
When an Orvibo S20 connects to a wireless network, it sends a DNS query about "homemate.orvibo.com" to a specific name-server IP address (168.95.192.1 = hntp1.hinet.net), which returns the address of some amazonaws.com rent-a-server (hired by Orvibo, I assume). Then the S20 socket opens a TCP connection to the AWS server (at port 10001).
If you want to switch on your desk lamp at home when you're on the other side of the planet with your pad/phone app, all the app needs to do is contact the same AWS server, which can forward a message to the S20 socket using the connection which the S20 socket previously established to the AWS server.
The advantage to a scheme like this is that the S20 socket creates an outgoing connection to the AWS server, which is handled by the wireless router's ordinary NAT functionality. This way, there's no need to arrange any port forwarding, which would be needed to handle an incoming connection from the outside world (from the pad/phone app directly).
Because of the fixed-address quality of the initial DNS query, it's hard to confuse/hijack the little fellow by providing it with a (malicious) do-it-yourself DNS server.
Your gizmo's details may differ, but I'd bet (a small sum) that all these Internet-of-Junk gizmos work about the same way for this
> How do my smart plug commands travel from the WAN through my router's > firewall to my home LAN? I have not opened ports for any traffic to the > smart plug private IP addresses.
I know nothing about the "VRLIFE,Smart Plug", but I have played around a little with Wireshark to observe an Orvibo S20 "smart socket", which, I'd guess, operates similarly. It's a clever/sneaky scheme.
When an Orvibo S20 connects to a wireless network, it sends a DNS query about "homemate.orvibo.com" to a specific name-server IP address (168.95.192.1 = hntp1.hinet.net), which returns the address of some amazonaws.com rent-a-server (hired by Orvibo, I assume). Then the S20 socket opens a TCP connection to the AWS server (at port 10001).
If you want to switch on your desk lamp at home when you're on the other side of the planet with your pad/phone app, all the app needs to do is contact the same AWS server, which can forward a message to the S20 socket using the connection which the S20 socket previously established to the AWS server.
The advantage to a scheme like this is that the S20 socket creates an outgoing connection to the AWS server, which is handled by the wireless router's ordinary NAT functionality. This way, there's no need to arrange any port forwarding, which would be needed to handle an incoming connection from the outside world (from the pad/phone app directly).
Because of the fixed-address quality of the initial DNS query, it's hard to confuse/hijack the little fellow by providing it with a (malicious) do-it-yourself DNS server.
Your gizmo's details may differ, but I'd bet (a small sum) that all these Internet-of-Junk gizmos work about the same way for this
> [...] I was surprised that I couldn't find an explanation on the web.
Similar here. I was fiddling around with a portable C program to deal with the Orvibo S20 (http://antinode.info/orvl/), and easily found some existing reverse-engineering documents on it (http://pastebin.com/LfUhsbcS), but I saw nothing anywhere about its remote operation. I had little interest in using that feature, but, like you, I wondered how it could be done without explicit port forwarding. No one mentioned UPnP, and I have that disabled, so that seemed unlikely to be the scheme. It was a mystery.
Then, one day, I had Wireshark recording when I powered up one of the things, and I saw a few unexpected packets flying thither and hither before I did anything. After a little bit of decoding, it all made sense. As I recall, there are some heartbeat packets exchanged periodically between the gizmo and the AWS server, too. Some day, when I get bored enough, I may write it up and include the info with the ORVL docs. But I wouldn't hold my breath.
I find it a bit scary to think of all the stuff that such gizmos do behind my back, largely out of my control. Presumably, a competent firewall could block some or all of this stuff, but any normal user (especially one who really wants that remote-operation feature) will simply leave these devices to their own devices.
When Russian hackers start cycling the power on my old backup tape
