this post was submitted on 26 Jan 2024
2 points (100.0% liked)

Privacy

31854 readers
179 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
 

I have this old TP-Link smart lightbulb, it’s the only thing that’s IoT and on WiFi in my house.

Looking through pfBlocker logs for fun, and noticed it’s been trying to connect to the Tor network.

Oh! Also, it’s been uploading and downloading 100+ MB of data a day.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] -1 points 9 months ago (1 children)
[–] [email protected] 0 points 9 months ago (1 children)

It's been hacked, the light bulb is likely part of some botnet or under an attacker's control directly. Which is why it's sending that much data continuously. IoT/smart devices don't send a lot of data in this sort of volume as most of the time they're idle and maybe send a heartbeat or status update every once in a while to prove they're alive.

This is what is called an indicator of compromise or IoC, it's some behavior or pattern that can be used to determine what is happening or who is the one doing the attacking.

Likely OP would need to do some analysis to be able to get attribution unless it's a very well known botnet actor in which case attribution is fairly straightforward.

[–] [email protected] 0 points 9 months ago (1 children)

The botnet in this case it's called NTP

[–] [email protected] 0 points 9 months ago (1 children)

You're aware that you can send whatever traffic you want over any port right? Using 123/udp for NTP is just convention. A light bulb that is updating its time over Tor is suspect. TP-Link would have their own infrastructure or use public pools to update the device's time.

[–] [email protected] 0 points 9 months ago

The Tor analysis is suspect in the first place. The whole thing is much ado over nothing.