IoT and Smart Home Devices: Part 1

WiFi Module - ESP8266 (4MB Flash) 

Source: https://www.sparkfun.com/products/17146            

 

This is going to be a multi part post going over a little IoT smart plug I picked up on clearance at Walmart. I'll make it clear I'm generally very skeptical about these types of devices so much that I don’t even want my roommates Alexa on the same network as mine. However with these things being so prolific it is best to understand them so we can better protect our networks. Ill start with a little background of the device, how I acquired it, and my research on the brand. I will then do my best to uncover any (hopefully) FCC filings and their documentation. From there we will explore a bit of the theory on how the majority of these cheaper devices connect to our networks. Lastly Ill do my best to capture packets during the join process but we will see how that goes with my limited setup. 

I was looking to purchase a new Roku and since Walmart was the closest store that would have one I went in to see if I could get it. Unfortunately they were out of the model I wanted but something else caught my eye on the clearance shelf. An outdoor smart plug from Merkury Innovations. It was marked down from $15 to about $8 and with my natural distrust for IoT devices I decided to buy it and see if I could learn more about it. Now I wont be reviewing this product in a conventional sense and I cant speak for security of the associated app but we can take a look at how it operates on your home network. 

My first question: Who is Merkury? A quick Google search will lead to your their main page along with their LinkedIn profile. It lists them as located in New York but not much else. They appear to operate 3 different brands all dealing with smart home/IoT and other small electronic devices. The brands are Merkury, Geeni and iHome. I was surprised since even as a long time Android user, I knew what an iHome (or atleast the original inception) was. Poking around a bit it seems that Merkury is the over arching brand that also sells Geeni and iHome products. I know this info dosent directly pertain to how it operates but I feel its good to know what your buying, especially when it comes to IoT devices. 

If you have ever taken a look around the Useful Tools page on here you might have come across the FCC’s ID search page. This allows us to take the FCCID on the back of your device (provided it conforms and has passed validation) and enter it to find out more details. The FCC ID is 2AC2CDR-017 and using this page we find a host of fun facts. For integrators and installers the DoC (Declaration of Conformity) is probably the most important. For the nerds and engineers the internal photos and test report pages are of interest. With the internal photos we can generally identify the RF module in use. Here we find the ubiquitous ESP8266 chip on a TYWE3S board. On the modules page we can see all the specs it has to offer, we know all of its capabilities now and have an idea of the performance we can expect. 

Since this type of device will be used outside we can take a look at the RX performance of the radio. We see that it has a Receiver Sensitivity of -91dBm for receiving data at 1Mbps DSSS. But we also see it requires potentially in the high 60’s or low 70’s for receiving OFDM data. This could present an issue if you disable CCK rates (you should) and do not provide an additional IoT SSID with these rates enabled. We can crudely test these numbers (and we will!) though. 

The TX performance will also give us an idea about how far we can have this device so it can reliably report back its status. If it can't report back what its operational status is and we are not near the thing being powered there is no feedback for us to verify whether or not it is working. 

Ill stop here since Im hoping you'll pick up one of your devices laying around and visit the FCCID page to find out more about what your using. In the next post we'll go over the theory of operation on Wifi Direct since it has been around longer than the recently released Wifi Easy Connect method.

Comments

Post a Comment

Leave a comment...

Popular posts from this blog

Capturing Roaming Events

Image
Finally! I scored a newer laptop to put Kali Linux on along with Windows to do some more wifi shenanigans. Before I was using a WLANPi on my desktop, which limited my mobility of course. Now I can follow devices and get closer to some of my other APs. Yes I know you can also use Pi as a remote capture device but that still didnt help with looking into roaming events. Now its been a few years since Ive used Kali and I was amazed at how polished its become. I think I used Backtrack about a decade ago to try and 'hack' my wifi with a WPA cracking tool. Needless to say that didnt launch my security career but it was quite interesting. There are plenty of tutorials on how to set you capture device in monitor mode so I wont go into that here. If you are curious here is the Airmon-ng website. Please note only certain chipsets are supported in Kali for this. Atheros cards seem to be the defacto standard for monitor mode support but I had a Comfast CF912 and TPLink Archer T9UH adapter ...
Read more

Frame Exploration: Authentication Frames

Image
Authentication Frames in 802.11 are not about verifying the identity of clients or forming a secure connection. These frames are used to ensure each radio is actually a valid .11 device that can communicate on the network. It has been described similarly to plugging a network cable into the wall or switch.  Please note this is only valid for networks using WPA or WPA2. WPA3 introduces SAE (Simultaneous Authentication of Equals) and uses a 4 message exchange for authentication. We will be looking at Open System Authentication frames here.  In the above we have the two frame exchange between the client device and the AP. Each message is the essentially the same and contains a Sequence Number and Status Code to tell whether or not authentication was successful.  As with all other frames we can look at the FCF to verify what type of message it is too. And that's all there really is to it. If each radio can authenticate with one another they can proceed to the Association stag...
Read more