I'd pcap a bunch of the traffic -- in particular the DNS requests -- that will tell you where it is connecting. Hopefully it is using TLS, and then the SNI headers can give you more information.
I run a local DNS resolver and so I capture all the lookup responses so that I can turn IP addresses back into names. Depending on what firewall/router you have, you may be able to log connections. I use a locally hosted free Gravwell process to grab these logs and correlate with the DNS queries to find which systems are talking to where. If your home network is like mine, then there are probably a bunch of systems that you want to block from talking outside.
For those interested, you can set up tcpdump on an Asus router pretty easily to monitor traffic going through the router. You don't even need to mess with the firmware on the router.
It may be worth sandboxing it into a dedicated network then analyze the traffic and see what it does in detail, for example if it accesses the local network then relays something outside, or if it opens ports waiting for connections, etc.
I wonder if merely downloading so much data and storing it into its internal flash could wear it in a short time forcing the user to call for repair.
Does it stop functioning intermittently? I've seen cases of devices in the middle of a failed OTA, and the device keeps requesting the OTA again. If it's going on and offline often, this might be the case.
Have you tried tcpdump'ing its payload on your router? If it's plain text it should be obvious what it's doing. If it isn't, you can still sniff which domains it's connecting to from the SNI in the ClientHello message, but the payload will be encrypted. You can still get to it, but that would require some decent soldering and hw debugging skills…
If you have an OpenWrt router then it should be quite simple. Redirect the traffic from the IP of the washing machine to a machine that has mitmproxy installed (using iptables). Hopefully the protocol is HTTPS and it doesn't have some form of certificate pinning. That should get you the raw requests/responses.
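Added example of the redirect described in the comment above; this is not the commenter's script or anything from mitmproxy's own docs. It assumes placeholder addresses (the washing machine at 192.168.50.23, a Linux box on the same LAN at 192.168.50.20 running mitmproxy, spare routing table 100) and an iptables-capable proxy host. One correction to the plan as stated: DNAT'ing port 443 from the router to another host does not work for transparent proxying, because the conntrack entry holding the original destination stays on the router, so mitmproxy on the proxy host would see its own address as the target. The script instead policy-routes the machine's traffic through the proxy host and does the REDIRECT there. Whatever the routing, the device will only complete the TLS handshake if it does not validate the server certificate (or you manage to install mitmproxy's CA on it); certificate pinning is not the only obstacle.

```shell
#!/bin/sh
# Added example, not from the thread.  Placeholders (assumptions): WM_IP is
# the washing machine, PROXY_IP a Linux box on the same LAN running mitmproxy,
# TABLE a spare routing-table number.  Commands are printed unless APPLY=1.
WM_IP="${WM_IP:-192.168.50.23}"
PROXY_IP="${PROXY_IP:-192.168.50.20}"
TABLE="${TABLE:-100}"

# Print the command (default) or execute it (APPLY=1).
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi; }

# On the OpenWrt router.  Do not DNAT port 443 to the proxy host: the
# conntrack entry that remembers the original destination lives on the router,
# so mitmproxy on the other box would see its own address as the target and
# connect to itself.  Policy-route the machine's traffic through the proxy
# instead, leaving the real destination intact.
router_rules() {
  run ip rule add from "$WM_IP" lookup "$TABLE"
  run ip route add default via "$PROXY_IP" table "$TABLE"
}

# On the proxy host.  Forward for the machine, divert 80/443 into mitmproxy's
# transparent listener (port 8080, its default), masquerade everything else
# so the rest of the device's traffic still reaches the internet.
proxy_rules() {
  run sysctl -w net.ipv4.ip_forward=1
  run iptables -t nat -A PREROUTING -s "$WM_IP" -p tcp -m multiport --dports 80,443 -j REDIRECT --to-ports 8080
  run iptables -t nat -A POSTROUTING -s "$WM_IP" -j MASQUERADE
}

# Then, on the proxy host, start the proxy and watch the flows:
#   mitmproxy --mode transparent --showhost
# Handshakes will only complete if the device skips certificate validation
# (or trusts mitmproxy's CA); otherwise you still get the SNI from the
# failed ClientHello, which mitmproxy logs.

case "${1:-}" in
  router) router_rules ;;
  proxy)  proxy_rules ;;
esac
```

Run it as `sh mitm-redirect.sh router` on the router and `sh mitm-redirect.sh proxy` on the proxy box to see the commands, then again with `APPLY=1` to apply them. To undo, delete the `ip rule` and the two nat rules; nothing here persists across a reboot.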
pjsg|2 years ago
Johnie|2 years ago
1. Install Entware https://github.com/Entware/Entware/wiki/Install-on-Asus-stoc...
2. Then install tcpdump: `opkg install tcpdump`
From there, you can monitor any traffic going through your router.
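Added example of what to do once tcpdump is on the router, as suggested in the comments above (pcap the DNS traffic, turn answers back into names, read the SNI out of the ClientHello). This is not the commenter's code and not part of Entware; the machine address 192.168.50.23, the LAN bridge br0 and the sample tcpdump output are all constructed placeholders. The two parsers work on tcpdump's default `-n` text output for DNS; the SNI step uses tshark on a laptop because tcpdump does not decode the TLS handshake.

```shell
#!/bin/sh
# Added example, not from the thread.  Placeholders (assumptions): the washing
# machine is 192.168.50.23 and the router's LAN bridge is br0; adjust both.
WM_IP="${WM_IP:-192.168.50.23}"
LAN_IF="${LAN_IF:-br0}"

# Capture command for the router (after `opkg install tcpdump`).  Only the
# machine's DNS and HTTPS traffic is written, full-size packets, to a pcap
# you can copy off with scp.  Printed here rather than run.
capture_cmd() {
  printf "tcpdump -i %s -n -s 0 -w /tmp/wm.pcap 'host %s and (port 53 or port 443)'\n" "$LAN_IF" "$WM_IP"
}

# Extract the names the machine asked for from tcpdump's text output
# (tcpdump -n -r /tmp/wm.pcap port 53).  A query line looks like
#   ... IP <wm>.<port> > <dns>.53: 31337+ A? aic-common.lgthinq.com. (40)
# so the name is field 8 when field 7 is a query type ending in "?".
dns_queries() {
  awk -v wm="$WM_IP" '
    $0 ~ ("IP " wm "\\.") && $7 ~ /\?$/ {
      n = $8; sub(/\.$/, "", n); print n
    }' | sort -u
}

# Map answer addresses back to the queried name by joining on the DNS
# transaction id (field 6), so port-443 flows seen later can be named.
# A response line looks like
#   ... 31337 2/0/0 CNAME edge.example.net., A 192.0.2.10 (90)
ip_to_name() {
  awk '
    { id = $6; gsub(/[^0-9]/, "", id) }
    $7 ~ /\?$/ { n = $8; sub(/\.$/, "", n); q[id] = n; next }
    $7 ~ /^[0-9]+\/[0-9]+\/[0-9]+$/ && (id in q) {
      for (i = 8; i <= NF; i++)
        if ($i == "A" || $i == "AAAA") { a = $(i + 1); sub(/,$/, "", a); print a, q[id] }
    }' | sort -u
}

# tcpdump does not decode the ClientHello.  On a laptop with Wireshark
# installed, this prints destination IP and SNI for every TLS handshake
# in the pcap (printed here rather than run).
sni_cmd() {
  printf "tshark -r /tmp/wm.pcap -Y 'tls.handshake.type == 1' -T fields -e ip.dst -e tls.handshake.extensions_server_name\n"
}

# Constructed sample of tcpdump -n output (not a real capture) so the parsers
# can be exercised offline.  Answer addresses use documentation ranges.
SAMPLE_LOG='19:44:10.112233 IP 192.168.50.23.45213 > 192.168.50.1.53: 31337+ A? aic-common.lgthinq.com. (40)
19:44:10.134455 IP 192.168.50.1.53 > 192.168.50.23.45213: 31337 2/0/0 CNAME edge.example.net., A 192.0.2.10 (90)
19:44:11.500000 IP 192.168.50.23.45214 > 192.168.50.1.53: 31338+ AAAA? aic-common.lgthinq.com. (40)
19:44:11.520000 IP 192.168.50.1.53 > 192.168.50.23.45214: 31338 0/1/0 (100)
19:44:12.000000 IP 192.168.50.23.45215 > 192.168.50.1.53: 31339+ A? ntp.example.org. (33)
19:44:12.020000 IP 192.168.50.1.53 > 192.168.50.23.45215: 31339 2/0/0 A 203.0.113.1, A 203.0.113.2 (65)'

if [ "${1:-}" = demo ]; then
  capture_cmd
  printf '%s\n' "$SAMPLE_LOG" | dns_queries
  printf '%s\n' "$SAMPLE_LOG" | ip_to_name
  sni_cmd
fi
```

Running `sh wm-dns.sh demo` prints the capture command, the two unique names queried in the sample, the three address-to-name pairs, and the tshark command. Against a real capture, feed `tcpdump -n -r /tmp/wm.pcap port 53` into `dns_queries` and `ip_to_name`; the id join is what lets you name a CNAME'd CDN address that never appears in a query.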
Johnie|2 years ago
Looking at my router log, the only web history request is:
2024-1-08 19:44:10 LG_Smart_Laundry2_open aic-common.lgthinq.com
This was likely after I had removed it from my main wifi and reconnected it to a segregated wifi. I don't see any logs for prior to this point.
maerF0x0|2 years ago
Depending on the details in each of the layers[1], you might be able to spoof traffic towards it to trick it into things.
You may need to try to MITM the certs/key exchange stuff[2]; hopefully they have a broken implementation that doesn't validate signatures etc.
[1]: https://www.bmc.com/blogs/osi-model-7-layers/
[2]: first promising hit when i googled: https://gbhackers.com/mitm-attack-https-connection-ssl-strip...