So on last night's security scan of my home, I found a new and interesting thing. Specifically, a TFTP server running. Huh. That is normally something I bring up to rescue some widget that is old-school almost-bricked.

Now, where is it? It's on ring1. (ring0 is the hard-wire between my 3 larger servers, doesn't go anywhere. ring1 is the things my wife and I use, ring2 is the guests who come over, and ring3 is the evil crap that got bought in a moment of weakness.)

Hmm, OK. What is it? It's an ASUSTek tablet. One of the Nexus 7s. My Nexus 7 is semi-retired and currently in hard-off state, so it must be Sonya's. But it's pretty unlikely she has purposely installed a TFTP server, right? Turns out this is indeed correct. One of the apps she has installed has gone rogue. Someone lost control of their account, or sold it, or whatever, an update was pushed, and the update has some means of trying to get control of my network. The TFTP server would be how they get new firmware onto a device if they can crash it. And there are still some devices that can be crashed (previous hardening runs have improved my lot, but there is still a good chunk of devices that I'm not sure what to do with).

OK, so what should I do? Well, I reflashed her tablet and yanked the offending app. I could demote her tablet to ring2 or ring3 (but then it can't drive the Chromecasts, Sonos, remote, Plex, ...). Hmm.

I could make some more complex firewall rules, a ring 1.5 maybe, but ugh. So much work. That MUD (Manufacturer Usage Description) thing, well, it's just not there.

Suggestions? Maybe it's the sorcerer's apprentice syndrome?

Another day, another Internet widget dissected. This time it's the Kankun smart plug. Now with English app. For between $10 and $20 you can make any electrical outlet in your home into a smart one, and turn it off via the power of the Internet!

Sounds easy. And there was some "Eglish's good clicky here!" in the app.

So, the usual process. Bring it up in a closed environment. Try to ssh/telnet/web in with the usual passwords. Here I was able to ssh in without trouble. And find lots of info online (e.g. here).

But what no one mentioned is the 'calling home' bit. It looks up 'wis.huafeng.com' and does some UDP activity there. A bit of firewall, a bit of DNS, etc., and that is gone. (No Internet access is needed for it, so I just blocked that; no outbound is needed from it, so I blocked that too.) I suspect (?) it's so that I can control it from anywhere in the world. Or that someone can. Neither seemed needed.
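The "a bit of firewall, a bit of DNS" step above, as an added Python example that is not from the original post: it scans a dnsmasq query log for LAN hosts that resolved the call-home domain (sample log lines are constructed) and emits the iptables rules that log and drop that host's Internet-bound traffic while leaving LAN-to-LAN alone. The log format (dnsmasq with log-queries enabled) and the WAN interface name are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of a dnsmasq query log (log-queries enabled); not from the post.
SAMPLE_LOG = """\
Jan 14 02:11:03 dnsmasq[1234]: query[A] wis.huafeng.com from 192.168.1.57
Jan 14 02:11:03 dnsmasq[1234]: forwarded wis.huafeng.com to 1.1.1.1
Jan 14 02:11:04 dnsmasq[1234]: query[A] plex.tv from 192.168.1.20
Jan 14 02:16:03 dnsmasq[1234]: query[A] wis.huafeng.com from 192.168.1.57
Jan 14 02:21:03 dnsmasq[1234]: query[AAAA] wis.huafeng.com from 192.168.1.57
Jan 14 02:22:10 dnsmasq[1234]: query[A] wis.huafeng.com from 192.168.1.88
"""

# The domain the plug looks up, as named in the post. In practice this list
# comes from your own packet capture of the device in a closed environment.
CALL_HOME = {"wis.huafeng.com"}

# Only "query[...]" lines carry the querying client; forwarded/reply lines do not.
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<src>\S+)")


def callers(log_text, suspect=CALL_HOME):
    """Return {src_ip: {domain: count}} for LAN hosts that resolved a suspect
    domain or any subdomain of one."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        name = m.group("name").lower().rstrip(".")
        for dom in suspect:
            if name == dom or name.endswith("." + dom):
                hits[m.group("src")][dom] += 1
    return {src: dict(doms) for src, doms in hits.items()}


def block_rules(src_ip, wan_if="eth0"):
    """iptables commands (hypothetical interface name) that stop one LAN device
    from reaching the Internet. Positions 1 and 2 keep LOG ahead of DROP so
    every blocked attempt still shows up in the kernel log."""
    base = f"iptables -I FORWARD {{pos}} -s {src_ip} -o {wan_if} -j "
    return [
        base.format(pos=1) + "LOG --log-prefix 'plug-egress: '",
        base.format(pos=2) + "DROP",
    ]


if __name__ == "__main__":
    for ip, doms in callers(SAMPLE_LOG).items():
        print(ip, doms)
        print("\n".join(block_rules(ip)))
```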

A bit more work and I was able to compile and upload my own OpenWrt from source, so that risk is gone.

But it's amazing that for ~$10 you can get a widget, delivered to your home, which has enough RAM/flash to run a decent Linux (OpenWrt). And control your lamps. What an age we live in.

They have a video (for a similar model) here; I'll let you eyeball it before you place the big order.

The smart hair brush. You know you need to live-stream the wetness of your hair and the number of brush strokes it takes, but you are just too lazy to keep a log? The hair coach is for you. It provides a holistic hair assessment. You know the shark has been jumped when you can't even convince me to buy a gadget. I'm assuming that it is full of security flaws and will destroy your life if you connect it to your home network. But I've insufficient time and hair to find out.

And now back to the kitten academy live stream.