Zarathustra[H]
Extremely [H]
- Joined
- Oct 29, 2000
- Messages
- 38,866
Hey all,
I am curious about this.
A few years ago before I really was as concerned about privacy and IOT as I am today, I bought a few Nest thermostats. They have worked very admirably, saved me energy, and in general I am very happy with them, but over time the data collection and security angle increasingly has me concerned, especially now that Google owns them.
So, I decided to take opportunity when moving to a new house to reconfigure my network. At the very least I should isolate those fuckers on their own VLAN on a separate subnet.
A vastly oversimplified view of the relevant portion my network is as follows:
pfSense Router -> Main Mikrotik Switch -> Secondary Mikrotik Switch -> Ubnt Unifi AV LR access points
So, I created a new VLAN on my pfSense router, with it's own dedicated subnet and DHCP address pool. I firewalled off access to and from the subnet from the other subnets on my network. I configured the VLAN's on my switches. Then I created a new SSID dedicated to Nest with a strong password using WPA Personal, and assigned it the appropriate VLAN, and logged on to the dedicated SSID with my laptop to test.
- Internet access works. (Unfortunately that's how Nest theormostats work, need to communicate with the Google mothership)
- Cannot reach the configuration for pfSense, which is good
- Cannot reach any other subnets on my network, which is good.
Alright, time to install the thermostat.
A mac address starting with 18:b4:30:xx:xx:xx shows up in the dedicated subnet, and it works the way it is supposed to. Great!
Until next day when I discovered a strange mac address in my client list in the Unifi server.
Strange. Mac address is 0e:83:36:27:7e:5f, which has no vendor associated with it in mac address lookup.
NOTHING else has been connected to that dedicated net that I am aware of.
I did some googling, and found some reports of spurious mac addresses popping up in Unifi during sleep or improper shutdown startup of wireless devices resulting in malformed headers. This could have caused it I guess. Strange that I've never seen it before though, as I've been using Unifi for 8 years.
Just to be sure, I decided to check the pfSense logs. If this were just a spurious header, then there shouldn't be anything in there, as it would never have requested an IP from the DHCP server. I found that it DID request an IP from the DHCP server. Further review of Unifi data suggests that this mystery mac address proceeded to download some 268MB and upload 16MB.
So I can only think of two reasons for this.
1.) Someone has broken into my dedicated Nest network, and did so the same day I set it up, after never getting into my main network. Hung around for a couple of hours, and now has not been seen in 24 hours.
2.) Nest devices spawn a secondary MAC address for some purpose, either a second wireless connection, or some sort of internal VM or alternate thing. Who knows what sneaky shit Google has going on.
I'm not sure how likely #1 is, which is why I am asking. I understand breaking WPA is pretty trivial if WPS is enabled, but I don't have WPS that on my Unifi system. It's WPA Personal with AES/CCMP (I presume it is WPA2, but the user interface just says "WPA Personal"). I used to live in a tighter in suburb in a very tightly populated and busy area. In 6 years of using Unifi there with the same settings I never had an unexplained mac address. Here I'm comparatively more rural. Seems odd.
As far as #2 goes. I've had these Nests for years. If they randomly spawned alternate MAC addresses for whatever nefarious purpose Google uses them for, I think I would have seen it before...
I'm a little stumped.
Any thoughts/recommendations?
I am curious about this.
A few years ago before I really was as concerned about privacy and IOT as I am today, I bought a few Nest thermostats. They have worked very admirably, saved me energy, and in general I am very happy with them, but over time the data collection and security angle increasingly has me concerned, especially now that Google owns them.
So, I decided to take opportunity when moving to a new house to reconfigure my network. At the very least I should isolate those fuckers on their own VLAN on a separate subnet.
A vastly oversimplified view of the relevant portion my network is as follows:
pfSense Router -> Main Mikrotik Switch -> Secondary Mikrotik Switch -> Ubnt Unifi AV LR access points
So, I created a new VLAN on my pfSense router, with it's own dedicated subnet and DHCP address pool. I firewalled off access to and from the subnet from the other subnets on my network. I configured the VLAN's on my switches. Then I created a new SSID dedicated to Nest with a strong password using WPA Personal, and assigned it the appropriate VLAN, and logged on to the dedicated SSID with my laptop to test.
- Internet access works. (Unfortunately that's how Nest theormostats work, need to communicate with the Google mothership)
- Cannot reach the configuration for pfSense, which is good
- Cannot reach any other subnets on my network, which is good.
Alright, time to install the thermostat.
A mac address starting with 18:b4:30:xx:xx:xx shows up in the dedicated subnet, and it works the way it is supposed to. Great!
Until next day when I discovered a strange mac address in my client list in the Unifi server.
Strange. Mac address is 0e:83:36:27:7e:5f, which has no vendor associated with it in mac address lookup.
NOTHING else has been connected to that dedicated net that I am aware of.
I did some googling, and found some reports of spurious mac addresses popping up in Unifi during sleep or improper shutdown startup of wireless devices resulting in malformed headers. This could have caused it I guess. Strange that I've never seen it before though, as I've been using Unifi for 8 years.
Just to be sure, I decided to check the pfSense logs. If this were just a spurious header, then there shouldn't be anything in there, as it would never have requested an IP from the DHCP server. I found that it DID request an IP from the DHCP server. Further review of Unifi data suggests that this mystery mac address proceeded to download some 268MB and upload 16MB.
So I can only think of two reasons for this.
1.) Someone has broken into my dedicated Nest network, and did so the same day I set it up, after never getting into my main network. Hung around for a couple of hours, and now has not been seen in 24 hours.
2.) Nest devices spawn a secondary MAC address for some purpose, either a second wireless connection, or some sort of internal VM or alternate thing. Who knows what sneaky shit Google has going on.
I'm not sure how likely #1 is, which is why I am asking. I understand breaking WPA is pretty trivial if WPS is enabled, but I don't have WPS that on my Unifi system. It's WPA Personal with AES/CCMP (I presume it is WPA2, but the user interface just says "WPA Personal"). I used to live in a tighter in suburb in a very tightly populated and busy area. In 6 years of using Unifi there with the same settings I never had an unexplained mac address. Here I'm comparatively more rural. Seems odd.
As far as #2 goes. I've had these Nests for years. If they randomly spawned alternate MAC addresses for whatever nefarious purpose Google uses them for, I think I would have seen it before...
I'm a little stumped.
Any thoughts/recommendations?
Last edited: