Internet Of Shit
Sunday, September 11, 2016
Splunk
The Sunpower device also seems to log directly to Splunk Cloud if this cert is to be believed (at least this is encrypted, wonder if it cares about the signature?):
>openssl s_client -host ec2-52-87-164-81.compute-1.amazonaws.com -port 8088
CONNECTED(00000003)
depth=1 CN = Splunk Cloud Certificate Authority, L = San Francisco, O = Splunk Inc, ST = CA, OU = Splunk Cloud
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/CN=input-prd-p-993nvx6jqt3v.cloud.splunk.com/L=San Francisco/O=Splunk Cloud/ST=CA/emailAddress=cloud-eng@splunk.com/OU=Cloud Team
i:/CN=Splunk Cloud Certificate Authority/L=San Francisco/O=Splunk Inc/ST=CA/OU=Splunk Cloud
1 s:/CN=Splunk Cloud Certificate Authority/L=San Francisco/O=Splunk Inc/ST=CA/OU=Splunk Cloud
i:/CN=Splunk Cloud Certificate Authority/L=San Francisco/O=Splunk Inc/ST=CA/OU=Splunk Cloud
Encryption is for squares
Trying to figure out exactly which boxes do what and sadly:
23:30:35.404809 IP sunpower.37908 > 204.194.111.66.http: Flags [P.], seq 3882797762:3882797966, ack 2328649950, win 39128, length 204
E.....@.@.'R...5..oB...P.n....`.P....}..POST /Command/SMS2DataCollector.aspx HTTP/1.1
Host: collector.sunpowermonitor.com
Content-Type: text/plain
Content-Length: 72
So yeah, posting data unencrypted... :-(. It looks like there is a signature in here so at least it's probably not trivial to submit data for someone else? A bit of googling found a discussion.
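One way to audit a capture for this kind of cleartext reporting, as an added example that is not from the original post: the script scans tcpdump -A text output for readable HTTP requests on any destination port. The sample capture is constructed and modeled on the packet above; its second and third flows, with their addresses, ports and paths, are made up.

```python
import re

# Constructed sample in tcpdump -A text form, modeled on the capture above.
# The second and third flows (addresses, ports, paths) are made up.
SAMPLE = """\
23:30:35.404809 IP sunpower.37908 > 204.194.111.66.http: Flags [P.], seq 1:205, ack 1, win 39128, length 204
E.....@.@.'R....POST /Command/SMS2DataCollector.aspx HTTP/1.1
Host: collector.sunpowermonitor.com
Content-Type: text/plain
Content-Length: 72

23:30:36.001200 IP sunpower.37908 > 204.194.111.66.http: Flags [.], ack 205, win 39128, length 0
23:30:40.100000 IP sunpower.41000 > 198.51.100.7.8088: Flags [P.], seq 1:518, ack 1, win 29200, length 517
................ (opaque TLS record bytes)
23:30:41.500000 IP sunpower.41002 > 192.0.2.10.8080: Flags [P.], seq 1:90, ack 1, win 29200, length 89
E..y..@.@.....GET /status HTTP/1.1
Host: example.invalid
"""

HEADER = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) IP (\S+) > (\S+): .*\blength (\d+)")
REQUEST = re.compile(r"(GET|POST|PUT|DELETE|HEAD|PATCH) (\S+) HTTP/1\.[01]")
HOST = re.compile(r"^Host: (\S+)", re.MULTILINE)

def split_packets(text):
    """Yield (timestamp, src, dst, length, payload) for each packet header line."""
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if current:
                yield tuple(current)
            current = [m[1], m[2], m[3], int(m[4]), ""]
        elif current:
            current[4] += line + "\n"  # printable payload lines follow the header
    if current:
        yield tuple(current)

def find_cleartext_http(text):
    """Report readable HTTP requests on any port, not just 80."""
    findings = []
    for ts, src, dst, length, payload in split_packets(text):
        req = REQUEST.search(payload)
        if length == 0 or not req:
            continue  # bare ACKs and encrypted or binary payloads
        host = HOST.search(payload)
        dst_ip, _, dst_port = dst.rpartition(".")  # tcpdump prints addr.port
        findings.append({"time": ts, "src": src, "dst_ip": dst_ip, "dst_port": dst_port,
                         "method": req[1], "path": req[2], "host": host[1] if host else None})
    return findings

if __name__ == "__main__":
    for f in find_cleartext_http(SAMPLE):
        print(f"{f['time']} {f['src']} -> {f['dst_ip']}:{f['dst_port']} {f['method']} http://{f['host']}{f['path']}")
```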
It's not SSH if it's on port 55251
When I was first trying to figure out what the Sunpower monitoring Ethernet device was (I had a device on my network and didn't know what it was), I did a port scan to try and figure it out.
>nmap sunpower-plc -p1-65535 -vvv
Starting Nmap 6.40 ( http://nmap.org ) at 2016-09-11 16:40 EDT
Initiating Ping Scan at 16:40
Scanning sunpower-plc [2 ports]
Completed Ping Scan at 16:40, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:40
Completed Parallel DNS resolution of 1 host. at 16:41, 6.50s elapsed
DNS resolution of 1 IPs took 6.50s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 3, CN: 0]
Initiating Connect Scan at 16:41
Scanning sunpower-plc [65535 ports]
Discovered open port 55251/tcp on sunpower-plc
Okay, so what is port 55251?
telnet sunpower-plc 55251
Trying sunpower-plc...
Connected to sunpower-plc
Escape character is '^]'.
SSH-2.0-OpenSSH_6.6
When I didn't know what it was I was even more worried; who is running SSH on a non-standard port on my network anyhow? From a quick look, the vulnerabilities for this version of OpenSSH look fairly benign as of today, and at least it's encrypted.
Sunpower fun
The Sunpower Monitoring device appears to be very frequently pinging (~ every 5 seconds) a few EC2 instances (ec2-50-18-211-78.us-west-1.compute.amazonaws.com, ec2-52-7-213-242.compute-1.amazonaws.com) and Google's DNS server (8.8.4.4). Pinging 8.8.4.4 seems like a very odd decision. First off, does Google actually support pinging 8.8.4.4 or might this just up and disappear? Why do they need to ping 3 hosts every 5 seconds? Detecting connectivity once every few minutes seems plenty for any use?
No local interface
I recently had solar panels installed. In terms of ios devices this is probably one of the more annoying ones. Almost all of them have some form of web interface run by a company that has to stay afloat. These panels should last *at least* 25 years and I really don't want to lose monitoring because they go out of business. There are actually at least 2 devices that are this way.
- The power production meter (by solar-log) as installed is using a cellular connection, making things even worse (odds that the cell modem works in 25 years?). Thankfully it also has Ethernet, which I need to get the solar company to hook up; as it's in a meter box on the side of my house, this isn't a simple plug and play. Once it's hooked up I'll know more about its local query ability.
- The panel monitoring box itself pushes to a hosted web-ui (which has already *lost* per-panel data collection in the new webui; thankfully the old one is still around). It's not clear yet if there is a full API, but really it's still not local. If they go bankrupt can I still monitor my panels?
I don't really mind this style of UI for devices that are expected to be short lived ( < 3 years ) but anything more should have a local interface.
What is this?
First: I'm going to define IoT as anything that is not a general purpose computer and has Ethernet. I mostly try and keep my network sane and occasionally find a device doing odd things and finally decided to post about them. Some I'll dig into, others I'll just mention in passing. I've also made a few of my own I might post about. Anyhow...