An area in particular is running an efficient home. My first toe-dip in this area is shutting down (not putting-into-standby, shutting down) as many things as possible for as much of the day as possible. Being a geek, controlling some power-points via WiFi seemed like a great way to get started. Hence: These $20 devices can be found on eBay and are controlled by an app that is only ever named in the user manual. This smells of "security by obscurity" and after further investigation I can see why...
My particular one (which was identical to the photo) was called a "Small-K" but you'll probably get the most Google-joy by searching for "Kankun" devices. There are a whole pile of different iOS and Android apps, with various brandings and/or success at translation into English.
There is an extremely troubling suggestion that the various Android apps do some "calling home" via some Chinese servers - this, combined with the fact that you have to tell your device your SSID and WiFi password, made me sufficiently uneasy that even though I have uninstalled the Android app (it was junk anyway), I'll be putting my smart plugs into a dedicated subnet that is unable to "get out of" my network. How?
Putting network devices in jail
I use DNSmasq on my NAS which gives me much more control over my DHCP than the usual on/off switch in consumer routers. The setup to make sure a particular device doesn't go wandering off out onto the interwebs just needs two lines of configuration in dnsmasq.conf, namely:

```
# Always give the host with ethernet address 11:22:33:44:55:66
# the name smartplug1,
# IP address 10.200.240.1,
# lease time 45 minutes, and
# assign it to the "jailed" group
dhcp-host=11:22:33:44:55:66,smartplug1,10.200.240.1,45m,net:jailed
```

Why 10.200.240.1? Well:
- 10 because I like to have space ;-)
- 200d is 11001000 which in my bitwise-masking permissions scheme means:
  - Firewalled FROM internet
  - Trusted WITHIN home network; and
  - Prevented from going TO internet (I've added that last bit flag since writing that old post)
- 240d because it's 240-Volt mains power (geddit?); and
- 1 because it's my first device of this type

```
# Members of the "jailed" group don't get
# told about the default gateway
# ("router" in DHCP-speak)
# - this sends a zero-length value:
dhcp-option = net:jailed, option:router
```

And we can check this after rebooting the plug; in the DNSmasq logs:

```
dnsmasq-dhcp: DHCPDISCOVER(eth0) 11:22:33:44:55:66
dnsmasq-dhcp: DHCPOFFER(eth0) 10.200.240.1 11:22:33:44:55:66
dnsmasq-dhcp: DHCPREQUEST(eth0) 10.200.240.1 11:22:33:44:55:66
dnsmasq-dhcp: DHCPACK(eth0) 10.200.240.1 11:22:33:44:55:66 smartplug1
```

... and after logging in to root@smartplug1:

```
root@koven:~# ping www.google.com
PING www.google.com (220.244.136.54): 56 data bytes
ping: sendto: Network is unreachable
```
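
One way to check the configuration itself before relying on it, as an added example that is not part of the original post: the script parses dnsmasq directives and reports which `dhcp-host` entries are covered by a zero-length router option. The second plug, its `quarantine` tag and the function names are constructed for illustration.

```python
import re

# Constructed sample: the post's two directives plus a second, made-up plug
# whose tag has no empty-router rule.
SAMPLE_CONF = """\
dhcp-host=11:22:33:44:55:66,smartplug1,10.200.240.1,45m,net:jailed
dhcp-option = net:jailed, option:router
dhcp-host=aa:bb:cc:dd:ee:ff,smartplug2,10.200.240.2,45m,net:quarantine
"""

TAG_PREFIXES = ("net:", "set:", "tag:")   # net: is the older spelling
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)


def directives(conf_text):
    """Yield (key, fields) per config line; comments and padding removed."""
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            yield key.strip(), [f.strip() for f in value.split(",")]


def gateway_withheld(conf_text):
    """Map each dhcp-host MAC to True if dnsmasq will offer it no router."""
    hosts, rules = {}, []          # rules: (required tags, router has value)
    for key, fields in directives(conf_text):
        tags = {f.split(":", 1)[1] for f in fields if f.startswith(TAG_PREFIXES)}
        rest = [f for f in fields if not f.startswith(TAG_PREFIXES)]
        if key == "dhcp-option" and rest[:1] in (["option:router"], ["3"]):
            rules.append((tags, any(rest[1:])))
        elif key == "dhcp-host":
            mac = next((f for f in rest if MAC_RE.match(f)), None)
            if mac:
                hosts[mac.lower()] = tags
    result = {}
    for mac, tags in hosts.items():
        matching = [has_value for need, has_value in rules if need <= tags]
        # Conservative: any matching rule that names a router counts as a leak.
        result[mac] = bool(matching) and not any(matching)
    return result


if __name__ == "__main__":
    for mac, ok in gateway_withheld(SAMPLE_CONF).items():
        print(mac, "no gateway offered" if ok else "GATEWAY STILL OFFERED")
```

This only confirms what dnsmasq will offer; a device with a statically configured gateway is unaffected by DHCP options, so a firewall rule on the router is still what enforces the block.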