Rogue WiFi devices

wkearney99

Senior Member
I figured it'd be good to finally bite the bullet and buy some better WiFi access points.  I picked up a pair of Unifi UAP-AC-Pro units and have been quite pleased with the significantly better coverage and network throughput.  Haven't quite nailed down where I'm going to put them, but that won't be too much trouble.

Where I am having trouble, or at least annoyance, is tracking down all of the devices that want to use WiFi.  Bathroom scale, floor heat thermostat, plug-in sockets, tablets, phones, Echo devices, Chromecasts, cameras.... ugh, the list is endless.
 
Most of the stuff is sensible, their Ethernet hardware MAC address typically gives some clues as to the maker, pointing to the likely culprit.  I've long since kept all my devices configured with DHCP network leases.  Or so I thought....
 
But I've got ONE device that I just can't seem to find.  It's squawking a MAC as an "Espressif" device.  I can't, for the life of me, find the damned thing!  I've no idea what it is and nothing useful is emitting any errors about it or its IP address.

I could, of course, just re-name the WiFi SSID to cause the device to fail.. but then I'd have all the other legitimate devices likewise failing.

So, the bug-hunt continues!   Just ranting a bit...
 
I've seen the Espressif devices (MAC) with tinkering SonOff WiFi basic devices.
 
I have three online now here.  One with mcsTasmota firmware (GDO multiple function device) and two temperature hubs using Espurna firmware.
 
MAC Address 2C:3A:E8
 
The updated MagicHome RGB controllers are also using Espressif MACs.
 
MAC Address DC:4F:22
 
Guessing it might be your neighbors using some wifi automation devices if it is not you.
 
It's a chipset, potentially used by any number of IoT kinds of devices. https://en.wikipedia.org/wiki/ESP8266

A number of things these days don't squawk their own company name, or technically, don't have their own OUI assigned to the MAC address blocks. Blink cameras have addresses from Texas Instruments, Hunter Douglas shade hub is "Electronic Solutions", Fitbit scale is "Delta Electronics", The Honeywell Redlink thermostat gateway says "Ademco", the alarm company?  Most PCs are going to report the Ethernet card chip type, not the vendor brand.  

I've checked the DNS logs (using pi-hole) and it's not making name lookups.  Nor does there seem to be any active firewall logs for sessions being attempted out to the Internet.

I'm guessing it's potentially a chinesium plug-in socket I might have tried setting up at one point.  The downside to DIY/hobbyist interest is sometimes your toys get out of hand!

So now I'm basically on a bug hunt, socket-by-socket trying to find the danged thing.  If that fails then I'll set up a ping client and start turning off electrical circuit breakers.  Which would bring its own set of hassles having to reset or otherwise babysit devices that don't play well with hard power loss.  Or something on a UPS (of which we've several).

But it's leading me to decommissioning some stuff that doesn't fit into the current plan.  Which is a good thing, I suppose.  No need to keep the old gen 1 Wink hub powered up, or the Vera Plus.  That and cleaning up an infestation of wall-warts all powering separate gizmos that might be able share a single USB power supply.  And moving a couple of hard-wired gateways that don't need to be cluttering up one area off to another that's better suited for them.  
 
I never got around to buying any Sonoff gizmos, but have been considering it.  

I do have a Fibaro water sensor under the steam shower... but I don't remember that being a WiFi device (z-wave, iirc).  I halted the effort to install it when I discovered a separate leak in the plumbing under there.  Calling the plumber to make a larger catch pan is on my 2018 to-do list.  The steam unit has its own purge cycle that dumps the water to a pan... and then out to an exterior drain.  I'd been using a battery-powered sensor to monitor if that pan level ever got too high, but it chewed through batteries far more often than my patience would tolerate.   So I picked up a Fibaro, which can be wall-powered... yet another To Do list item...
 
Here's a tip... whenever you're near one of your gadgets... TAKE A PICTURE OF THE LABELS ON IT with your phone.  That way you won't have to climb ladders, pull access panels or move furniture to track down the details.  Get serial, model and part# and be sure you can READ the data from the pictures before putting it all back in place.
 
Yes, here I have stayed away from any wireless automation IoT devices until recently. 

I would like to attempt to JTAG the new Leviton WiFi switches and replace the OS firmware with Espurna or Tasmota.

The smaller the device the harder it is to hardware modify.
 
I am only doing MQTT these days with the newly updated devices and totally control each one.
 
Wireless environment for these and other devices talks to custom OpenWRT routers (well now three of them configured) for said sandbox.
 
Main house wireless which I do not use that much is using Ubiquiti.
 
I have, though, tinkered a bit with ThingSpeak - IoT Analytics as it is included in the Espurna firmware.
 
I was able to get a University math department (alma mater account) with IoT Analytics which I like. 

You can install a wifi sniffer on your smart phone / tablet and maybe zero in on your "rogue devices".
 
FOUND IT.


 
An entirely frivolous and hilariously expensive WiFi-connected cat litter box.  I've sent a stern 'feature request' to support to have their app/labeling actually SHOW the MAC address somewhere.  It'd have saved me hours hunting around.

So, for the benefit of search engine crawlers, if you have a WiFi device that appears with a network MAC starting with bc:dd:c2 and the vendor ESPRESSI... it's probably the WiFi board in your Litter Robot Connect.
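A small inventory check in the spirit of the MAC-prefix sleuthing in this thread, added here as an example and not code from any poster: it parses constructed `arp -a` lines, skips MACs already in a hand-maintained inventory, and labels the rest with the OUI hints reported above. The IP addresses, full MACs and inventory entries are made up; only the three-octet prefixes come from the thread.

```python
import re
from dataclasses import dataclass

# OUI prefixes (first three octets) mentioned in this thread, with the
# vendor strings the posters reported for them.
OUI_HINTS = {
    "2C:3A:E8": "Espressif (ESP8266-based, e.g. Sonoff)",
    "DC:4F:22": "Espressif (MagicHome RGB controller)",
    "BC:DD:C2": "Espressif (Litter Robot Connect board, per thread)",
    "44:65:0D": "Amazon Technologies (Echo / FireTV family)",
}

# Constructed inventory: MACs the owner has already accounted for.
KNOWN_DEVICES = {
    "2C:3A:E8:01:02:03": "Sonoff basic, garage door",
    "DC:4F:22:0A:0B:0C": "MagicHome under-counter LEDs",
}

# Constructed sample of Linux `arp -a` output (not real addresses).
SAMPLE_ARP = """\
? (192.168.1.20) at 2c:3a:e8:01:02:03 [ether] on eth0
? (192.168.1.21) at dc:4f:22:0a:0b:0c [ether] on eth0
? (192.168.1.44) at bc:dd:c2:55:66:77 [ether] on eth0
? (192.168.1.87) at 44:65:0d:99:88:77 [ether] on eth0
? (192.168.1.1) at <incomplete> on eth0
"""

# Matches "(ip) at mac"; entries with "<incomplete>" never match.
ARP_RE = re.compile(
    r"\((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I
)


@dataclass
class Finding:
    ip: str
    mac: str
    hint: str


def parse_arp(text):
    """Yield (ip, upper-cased MAC) pairs from arp -a output."""
    for line in text.splitlines():
        m = ARP_RE.search(line)
        if m:
            yield m.group("ip"), m.group("mac").upper()


def unknown_devices(arp_text, known=KNOWN_DEVICES, hints=OUI_HINTS):
    """Return devices not in the inventory, each tagged with an OUI hint."""
    findings = []
    for ip, mac in parse_arp(arp_text):
        if mac in known:
            continue
        hint = hints.get(mac[:8], "unknown vendor; check an OUI database")
        findings.append(Finding(ip, mac, hint))
    return findings
```

Run it against the output of your own `arp -a` (or the HS3 arp view mentioned later in the thread) and add each device you identify to the inventory dictionary so the list of unknowns shrinks over time.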
 
Hi Bill, how funny, I have one of these boards that's been sitting in a box in my home office for months waiting to be installed in my litter robot.  I was literally just thinking about it again last night and added it to my todo list.  I'm pretty sure you just saved me a few hours of future confusion.
 
Oo, before you put it in, take a few pix?  It'd be interesting to know a bit more about the setup.  The potential to hack it for maybe some additional firmware options could be interesting.  I wouldn't mind being able to locally poll it to find out status.  Right now it doesn't seem to have any local API.
 
So far playing here with SonOff / MagicHome WiFi devices all look like they utilize ESP8266's or similar. 
 
The smaller the board the more difficult it is to JTAG.  (even smaller with WiFi light bulbs).

Guessing the new Leviton WiFi switches are using same or similar technology. Wondering how easy they will be to modify for MQTT.  
 
Here I have switched over to multimoding these devices to use MQTT with Tasmota and/or Espurna firmware and taking them off of the Internet.  
 
Last goofing around here with WiFi devices was with OpenWRT and changing mac addresses in the embedded firmware.  
 
Using MagicHome controllers here for under counter LED lamps with SMD5050 LED strips and added an optional manual dimmer and switch to concoction.  
 
 
Wanting to be able to see everything on my network using arp now in HS3 for monitoring these devices.    
 
 
And now I'm on the trail of another device with an OUI starting with 44:65:0d which is vendor "AmazonTe".  Don't know which device that could be, so I've got to slog through my headcount of them again.  FireTV sticks, remotes, various Echo flavors, etc.  

Dang, no open ports to at least make it easy...
 

Code:
# nmap 192.168.xx.xxx 
Starting Nmap 7.40 ( https://nmap.org ) at 2019-01-08 17:10 EST
Nmap scan report for 192.168.xx.xxx
Host is up (0.078s latency).
All 1000 scanned ports on 192.168.xx.xxx are filtered
MAC Address: 44:65:0D:xx:xx:xx (Amazon Technologies)
 
Nmap done: 1 IP address (1 host up) scanned in 79.99 seconds
 
Oh I don't care about getting into it, rather to identify which of the bajillion devices IT IS.  As referenced by the 'how many wifi devices' thread a week ago, I've got a class C that's quite full, and getting more-so with each new gizmo.
 
I shudder to think of the disaster it'll be for entry-level router techs when 'average' homeowners try populating their house with a ton of chinesium wifi switches.  Where, yes, the customer does indeed have more than 253 devices and needs to use a class B private subnet mask instead of class C.  Which could still be done using 192.168.0.0 ranges using a /32 mask.  That'd really throw them for a loop, and I'm not sure how many SOHO-grade routers would let them.  More likely they'd use 172.16.0.0/32 ranges (65535 possible addresses from 172.16.0.1 through 172.16.255.254).  Will the existing cheap stuff even use class B addressing?  I have limits on how much I want to torture myself, so I haven't tried, yeesh, for more than a decade now.
 
wkearney99 said:
Oh I don't care about getting into it, rather to identify which of the bajillion devices IT IS.  As referenced by the 'how many wifi devices' thread a week ago, I've got a class C that's quite full, and getting more-so with each new gizmo.
 
I shudder to think of the disaster it'll be for entry-level router techs when 'average' homeowners try populating their house with a ton of chinesium wifi switches.  Where, yes, the customer does indeed have more than 253 devices and needs to use a class B private subnet mask instead of class C.  Which could still be done using 192.168.0.0 ranges using a /32 mask.  That'd really throw them for a loop, and I'm not sure how many SOHO-grade routers would let them.  More likely they'd use 172.16.0.0/32 ranges (65535 possible addresses from 172.16.0.1 through 172.16.255.254).  Will the existing cheap stuff even use class B addressing?  I have limits on how much I want to torture myself, so I haven't tried, yeesh, for more than a decade now.
/32 ? I think you mean /16.
 
And I'm using 4 class C addresses with a /22. I outgrew the /24 and just migrated it a /22 with changes to the DHCP. Did this overnight.
 
Wish I had the same luck with IPV6. I asked for 4 /64s out of a /56 and I ran into bugs in my router which gave me fits. Good thing I recovered from that in less than an hour.
 