The great light switch debate: Mr Paranoid vs Mr Naïve

Lots of news these days about the parlous state of the global economy, so I’ve done my bit to keep it going by buying some unnecessary c**p on Amazon. Specifically, I’ve got some of these:

Full stack light switch. Just because.

That is a Meross MSS510 “smart” light switch, which I’ve integrated with my Apple Homekit ecosystem so I can shout at Siri to turn the lights on and off in my kitchen (the “A7” label refers to the breaker number in my distribution board – yeah yeah, I know).

Now, a few of you are probably thinking…

You utter hypocrite! Haven’t you been ranting for years about the dangers of cheap IoT c**p, its shoddy code, numerous security vulnerabilities, dubious supply chain and the clear and present danger of the People’s Liberation Army getting a foothold on your LAN to monitor your Spotify playlist?

A few of you

…and you’d be not entirely wrong. So why have I made this ill-advised purchase? Because security is a balancing act: a trade-off between competing positives and negatives in a complicated and complex swirling nebula of technology and geopolitics. Otherwise known as… Risk Management.

Let me introduce two ludicrously extreme characters to sit on my shoulders, like the cheesy angel and demon, and debate the light switch arguments (tip of the hat to Red Dwarf episode Confidence and Paranoia):

Mr Paranoid

Mr Paranoid lives in a concrete bunker which he’s wallpapered in tinfoil, then another layer of tinfoil because he didn’t trust the supplier of the first layer, then a third layer from the first supplier because he’s a bit dubious about the second supplier. He doesn’t trust other people (any), the government (any), or the media (apart from an obscure Reddit channel full of conspiracy theories about the “secret truth” from a mercurial bloke called Ken). He connects to the Internet via an AES512-encrypted covert channel running through an adjacent powerline to a Tor exit node that he secretly installed in a neighbour’s basement while wearing an embarrassing wig. He has a burner phone, and the charred bits of its battery are probably carcinogenic.

You may think this sounds a lot like your CISO, but I hope not.

Mr Naïve

Mr Naïve trusts everybody and everything. He installs every app on his phone and signs up for every loyalty scheme with every marketing company. Experian recently named their new Data Center in his honor. He now sofa-surfs with random people he meets on Craigslist after selling his house to help an unfortunate Nigerian prince who was experiencing financial difficulties. He lives by the motto “if you have nothing to hide, you have nothing to fear”, always accepts cookies and often wonders if they’ve got chocolate chips in them and when they’re going to be delivered.

That actually sounds like some of my friends from college. I wonder how they survived in the real world? They’re probably still in academia.

A man walks into a bar…

Messrs Paranoid and Naïve happen to meet in a bar to debate the subject of my light switch purchase (OK, a modicum of suspension of disbelief required here).

<Paranoid> Bad decision.  He has no idea who or what it's talking to.  It could be sending all his private data to bad people on the Internet.
<Naïve> Chill man, it's a light switch.  It just turns the lights on and off.  What's the big deal?

Taking a look at the hardware…

Let’s deal with Naïve first. Well, it isn’t just a light switch at all! At its heart is a Mediatek MT7687F System-on-Chip (SoC) with an ARM Cortex-M4 processor, some RAM, some Flash, lots of I/O and built-in WiFi. It’s significantly more powerful and feature-rich than my first PC.

So not just a light switch then. It’s a fully-featured computer running a webserver (among other things). Perhaps Paranoid has a point?

Mediatek is a Taiwanese “fabless” semiconductor company, which means it outsources the actual production of its chips. This chip is probably made in China. Is that a risk? It’s possible that a Chinese manufacturer has altered the chip design to include [ahem] undocumented features. Possible, but not likely. The manufacturer of the light switch, Chengdu Meross Technology Co, is one of the thousands of Chinese manufacturers of cheap consumer goods who keep their margins low by keeping its hardware as simple as possible. They will buy these chips in volume as cheaply as possible.

As a high-volume low-margin product, I think it’s unlikely (but not impossible) that the hardware itself is spying on me and – if it is – I can mitigate the most likely mechanisms with other security controls.

Now the software…

Paranoid is not… well… completely paranoid. As a Chinese company, Meross is legally obliged to help out the Chinese state if required and the easiest place to do that is in software. There are two big chunks of software in this product: the firmware on the light switch, and the Android/Apple app that accompanies it.

It’s a good rule for life to never install any apps you don’t have to, so I didn’t. Apple’s own Homekit doohickie (technical term) has all the necessary gubbins (another technical term) to get the light switch working without ever installing the Meross app. But I can’t avoid using the firmware if I want to actually use the light switch (which I do).

The firmware is only updateable through the Meross app (which I haven’t installed) and, since I’m lazy, I Googled to see if anyone else had pulled the firmware apart already. And someone has!

Well, almost. Garrett Miller took a detailed look at the firmware of the Meross MSS110 smart switch in 2018 and, unsurprisingly, found that it was full of badness. Lots of open services, unauthenticated admin pages, etc. Almost certainly incompetence rather than malice, but very undesirable in any case. The MSS110 smart switch looks different to my light switch, but it’s basically the same under the covers.

Four years is a long time in technology, and manufacturers are much more aware of the attention their IoT products are receiving these days. Various countries are now (2022) passing laws that define a baseline security standard for consumer IoT devices. Meross appear to have fixed all of the glaringly bad stuff that Garrett identified, so that’s good.

What about hidden stuff? Chinese spy implants, that kinda thing? I’m clearly not the first geek to poke-the-cheap-IoT-widget (hi Garrett!), indeed they’re popular targets for Infosec newbies because they’re cheap, basic and often full of interesting stuff to find. Nobody has found anything on these popular devices, and the BBC reports much less newsworthy stunt hacking than that. Nation states can certainly do extremely clever things to hide such capabilities but I’m not too worried about that for reasons I’ll explain later. Does that mean I’m beginning to side with Naïve? Not necessarily…

Network traffic…

If I probe it I can see that ports 80 (TCP), 5353 (UDP) and 52432 (TCP) are open.

The light switch is dual-stacked: those ports are open on both IPv4 and IPv6. This is relevant because many firewalls and security devices block IPv4 and let IPv6 through unchallenged.

Port 80 appears to be presenting a lightweight webserver that returns a custom 404 (page not found) error.

Paranoid suggested that I had “no idea” what it was sending, and to whom. That’s not quite true: I can find out what it’s doing (on WiFi at least) by running a full packet capture on it.

22:10:37.307297 IP 192.168.1.XX.58062 > clock.xmission.com.ntp: NTPv4, Client, length 48
22:10:40.305749 IP 192.168.1.XX.49135 > XXXXX.local.domain: 1003+ A? time1.aliyun.com. (34)
22:10:40.305910 IP XXXXX.local.domain > 192.168.1.XX.49135: 1003 2/0/0 CNAME ntp.aliyun.com., A 203.107.6.88 (68)
22:10:40.307869 IP 192.168.1.XX.58062 > 203.107.6.88.ntp: NTPv4, Client, length 48
22:10:43.311035 IP 192.168.1.XX.38147 > XXXXX.local.domain: 21360+ A? time2.aliyun.com. (34)
22:10:43.311198 IP XXXXX.local.domain > 192.168.1.XX.38147: 21360 2/0/0 CNAME ntp.aliyun.com., A 203.107.6.88 (68)
22:10:43.313701 IP 192.168.1.XX.58062 > 203.107.6.88.ntp: NTPv4, Client, length 48
22:10:46.317338 IP 192.168.1.XX.55245 > XXXXX.local.domain: 65524+ A? time3.aliyun.com. (34)
22:10:46.317519 IP XXXXX.local.domain > 192.168.1.XX.55245: 65524 2/0/0 CNAME ntp.aliyun.com., A 203.107.6.88 (68)
22:10:46.319511 IP 192.168.1.XX.58062 > 203.107.6.88.ntp: NTPv4, Client, length 48

Answer: it’s trying lots of different NTP servers to try and get the time (and ignoring the local one I gave it by DHCP), sending some mDNS broadcasts, and occasionally reaching out to an AWS server which, presumably, is where it hosts the automation stuff used by Alexa, Google and its own app. I ran my packet capture for much longer than this and didn’t see anything especially unusual or alarming in it.

It’s failing to reach any of those NTP servers because I’ve got a firewall rule that blocks its IP address from reaching the Internet. So it’s not possible for it to leak any data that way, and I’ve blocked IPv6 completely.

<Paranoid> But what if it spoofs its IP and/or MAC address and gets data out that way?

Well, it would have to use the IP or MAC of something else on the same network segment otherwise it would be caught by my firewall, switch or IPS. Possible, certainly. Likely? I’m not the first security nerd to look at one of these devices (see above). They’re an extremely popular model of light switch, and nobody else has (to my knowledge) found it doing that.

Light?

<Paranoid> It doesn't have to be over WiFi, you know [taps nose knowingly].

True. It could be modulating my LED spotlights at a frequency undetectable by the human eye (this is exactly how LiFi works), but that would be line-of-sight so would rely on some relay equipment installed within view of my kitchen window, or some spies sat in a car at the end of my driveway. A worthwhile investment for exfiltrating data from an embassy perhaps, but it seems like a lot of work for little old me.

Other types of radio

It could still be transmitting radio, just not WiFi. It already has the radio hardware to broadcast at 2.4GHz (for the WiFi bit) but, again, that’s very low range. 2.4GHz is unlicensed spectrum precisely because it’s easily absorbed by water and doesn’t travel that far in the atmosphere. The absorption of that 2.4GHz RF energy by water is exactly how your microwave oven works.

XKCD cartoon “Nachos”: https://xkcd.com/654/

What about a different RF band? It is connected to a large antenna cable (my electrical wiring) which would make an acceptable monopole HF antenna for transmitting data round the world (very slowly). But… in order to be sold in the US, it has to be approved by the FCC to ensure it’s not transmitting spuriously. Here is the documentation for my particular light switch, and here is all the stuff they sent to the FCC with their application (side note: this FCC site is extremely useful for reverse engineering since it contains a lot of useful information about the device in question). Does the contracted testing authority stick this device in an anechoic chamber and test it for every radio frequency? I don’t know. Could you fool the FCC by submitting a “sanitized” version of your device for testing? Certainly [cough, Volkswagen]. Does the FCC audit random samples from the marketplace? I don’t know. Would the FCC (or somebody else) notice an illicit HF transmission? Possibly. It likely wouldn’t be able to operate for very long before somebody noticed and/or got upset, significantly limiting its utility for data exfiltration of large volumes.

<Paranoid> There are cunning ways of avoiding detection...

Mister P is probably talking about Spread Spectrum. This used to be the preserve of advanced super-secret military kit, but now it’s in loads of consumer-grade technology such as LoRa. It works by [crude simplification alert] squashing a signal so that its amplitude is much smaller (often below the noise floor) and its bandwidth is much wider, preserving the overall signal power. The other end reverses the process to recover the original signal. Nobody gets particularly upset if you’re transmitting below the noise floor, especially because – by definition – it’s really hard to detect. I’d hope that somebody would have noticed if these consumer light switches included a spread spectrum HF transmitter.

So I can’t disprove Paranoid’s conjecture, but it feels like an acceptable risk in my particular case. If I was installing these light switches in a secret military bunker then I’d apply a lot more due diligence and investigation. Or, more likely, I’d just not use cheap consumer IoT kit in my secret military bunker!

There are lots of other hypothetical ways this device could exfiltrate my data, but they are either short range (requiring a nearby relay), reliant on the cooperation of other less-firewalled devices in my home, or likely to be noticed and upset the FCC. In short, I’m content that they’re probably not exfiltrating my data.

What about ingress?

All the same physics stuff applies. It won’t be getting in over my network, because my firewall (etc) will block it. Most of the other communication channels are constrained by range. It could be using my home wiring as an HF antenna and waiting for an initiation command, like the old Soviet number stations (allegedly) did for human agents operating abroad. But then what? There isn’t much point getting a command in if it can’t get data out, unless there’s some hidden zero-day on the switch intended to cause havoc on my home network. And if that happens, I trust Marcus Hutchins will find the kill switch before it destroys anything important.

Summing up

So… could a hypothetical evil actor have put something in my light switch that captures all traffic broadcast on the same WiFi network? Trivially easily, yes. They could also be listening to me with a hidden microphone, but that is harder to conceal. There are plenty of other things it could be capturing, but that’s not much use if they can’t extract that data. I don’t think there is a plausible risk they’re doing that by electronic means, and I haven’t noticed my light switches sneaking out at night to make dead drops in that hole in the old oak tree by the pond.

Mr Paranoid – you raise some valid concerns but, after applying some security controls, I’m happy with my residual risk.

And that’s how Risk Management works, kids!

Be First to Comment

Leave a Reply

Your email address will not be published. Required fields are marked *