Ever since I upgraded our home network earlier this year, I’ve wondered about one of the wireless devices on the network. It wouldn’t respond to pings and trying to connect to it on any port was futile; the router said it was running Linux, but that was about all it would tell me. And it generated a very small amount of traffic to and from the Internet, about 4 megabytes a day (less than the size of a typical photo).
I wasn’t worried that it was leaking any secrets to the world, but I did wonder what the hell it was. Since it ran 24/7, it had to be line-powered (not battery); I looked at everything plugged into outlets and didn’t find anything suspicious. So I decided it wasn’t important enough to worry about.
Yesterday, I listened to a podcast which mentioned that smart TVs these days do image recognition and send information about what you’re watching to their makers, who then sell the data to advertisers. I’d tried turning off the image recognition on my smart TV and had set the “do not sell my data” flag, but I wasn’t confident that that was enough, so I spent a few minutes blocking the TV from having Internet access (if I want to stream something, I have two perfectly good set-top boxes and a computer attached to the TV; the TV didn’t give me anything I didn’t already have).
While I was blocking the TV, I noticed the mystery device again in the router’s device list, and I decided I had to find out what it was and who it was talking to out on the Internet. I asked DuckDuckGo “unifi router find out what a device is connecting to” and started scrolling through the answers. I hit pay dirt about 30 answers down the page with a Reddit post asking how to see all traffic from a device, which suggested using tcpdump.
Some experimentation later, I had a tcpdump query running on my router looking for any traffic going to or from the mystery device. Every 30 seconds, the device would ask for the IP address of ‘enphase-envoy’ – but I don’t have any device with that name, so it never got an answer. But after 90 minutes, I saw something different – the mystery device connected to update.daikinskyport.com and sent and received a bunch of data.
The light dawned. Our HVAC system is made by Daikin!
I walked over to the thermostat and checked its settings – sure enough, the thermostat’s hardware address matched that of the mystery device.
I’ll sleep better tonight.