[PLUG] Evil thermostat

[Russell Senior]

Those addresses are all in AWS address space, according to whois. As a
previous commenter suggested, it might just be NTP. Did you notice
what port the communication was happening over?

Have you considered popping the case and seeing if there is a serial
console port on their wifi module? It's reasonably likely it is
running some ancient version of linux. Is there an FCC-ID on the case?

On Tue, Jan 4, 2022 at 6:49 PM Chuck Hast <wchast at gmail.com> wrote:
>
> Well folks, I was able to get wireshark on the thermostat. I found
> that it is trying to contact these addresses:
> 54.209.187.172
> 107.21.255.187
> 3.214.34.120
> Right now none are reachable. I am trying to figure out why this
> thermostat is trying to reach those addresses.
> When I do a whois, they come up as being hosted on Amazon...
> I wonder if one of them comes awake every so often and the
> thermostat gets the connection and receives a TZ change... So
> far I have not been able to catch it doing so.
> When I bought the unit I intentionally did NOT try to use the
> cloud service, I have tried to get proper communications with
> Radio Thermostat but so far only idiots... And they do not have
> a published telephone number.
>
>
> On Tue, Jan 4, 2022 at 4:53 PM Chuck Hast <wchast at gmail.com> wrote:
>
> > More info, this was the reply I got from the manufacturer
> > -----------------------SoF------------------------------------------
> > Radio Thermostat <radiothermostat at tstatsupport.com>
> > 1:10 PM (3 hours ago)
> > to Info, me
> > Hi,
> >
> > If you are sure you have a WiFi module in the thermostat Model - RTMV-01
> >
> > Then check out the following to see and correct the time zone so the
> > thermostat will have the correct time:
> >
> > How to change time zone
> >
> > First go to the web portal via a browser *https://my.radiothermostat.com/rtcoa/login.html
> > <https://my.radiothermostat.com/rtcoa/login.html>*
> >
> > (Note you will need to use the desktop version of the web site)
> >
> > Then log in and go to the person (then select location)
> >
> > select the location you want and click edit
> >
> > Go to the pull down for time zone and select your time zone
> >
> > Then click save
> >
> >
> > -----------------------------------EoF---------------------------------
> > This is exactly what I have tried to avoid, I never registered
> > the thermostat with their cloud. I have my personal reasons
> > for not wanting my devices on someone's cloud if I can avoid
> > it. in this case that is exactly what I have tried to do.
> >
> > Now meantime, since the thermostat IP is static, I went into
> > the firewall and set up a rule to drop any packets to/from
> > the thermostat. No more time change, and I did that well over
> > and hour ago. I can still control the device on my LAN just
> > dropping whatever is trying to reach the thermostat.
> >
> > This brings up the question, of who/what is it? I never
> > registered the device with their cloud, indeed I bought
> > it because it was one of the thermostats that did not
> > require you to use an outside network to access it, (I am
> > looking at you Honeywell, Nest and all of the rest of the
> > cloud only based devices). Now to see if I can get Wire
> > shark on a part of the network that can see that device.
> > Suspend the rule and try to catch the packet session.
> >
> >
> > On Tue, Jan 4, 2022 at 9:41 AM Chuck Hast <wchast at gmail.com> wrote:
> >
> >> Sorry, should have, not there is not. But the interesting thing
> >> is that as long as it cannot contact the network there is no
> >> time change. I think I am going to go into the firewall and
> >> make it drop all packets to/from the device and see what
> >> happens. If that takes care of it then maybe allow it to talk
> >> on the LAN but drop anything going to/from it on the WAN
> >> side.  I would like to see what it is talking to. So far I have
> >> not been able to catch it.
> >>
> >> On Mon, Jan 3, 2022 at 11:00 PM Erik Lane <eriklane at gmail.com> wrote:
> >>
> >>> You don't mention this, but since it's always 2 hours, is there a time
> >>> zone
> >>> setting in there that has gotten off? Maybe it's talking to a NTP server?
> >>>
> >>> On Mon, Jan 3, 2022 at 8:49 PM Chuck Hast <wchast at gmail.com> wrote:
> >>>
> >>> > Folks,
> >>> > Not sure where to take this but figured that I would get more
> >>> > info here.
> >>> >
> >>> > I have a RadioThermostat CT80. I have had it now for several
> >>> > years. As the summer wound down. I shut down the A/C and
> >>> > opened the windows in the house. Then in Nov I needed to fire
> >>> > up the heating, all appeared to be well, but I noticed that the
> >>> > thermostat clock was 2 hours slow. I set it and a while
> >>> > later see that it has lost 2 hours again.
> >>> >
> >>> > I have a home automation system. I checked the logs, and
> >>> > contacted the author. He has a CT50 which has fewer bells
> >>> > and whistles than mine but same unit. Anyhow he gave me
> >>> > some guidance, in the end I shut down the HA system and it
> >>> > still would drop the 2 hours, I powered the thermostat down
> >>> > and removed the WiFi radio, powered it back up, it ran about
> >>> > 4 hours (about 3 hours longer) and never dropped the 2 hours.
> >>> > Normally it will go between 20 minutes and an hour after I
> >>> > have set it to the correct time, then drop back to the incorrect
> >>> > time. So this appears to indicated that it is either something
> >>> > on the network that is doing the time change or something in
> >>> > the WiFi radio.
> >>> >
> >>> > I am trying to sniff the network and see if I can catch any
> >>> > weird packets. But this is one I have not done before.
> >>> >
> >>> > My router is a Mikrotik 2011, and I have been trying to use
> >>> > the tools on it to try to monitor the IP address of the thermo-
> >>> > stat and try to see if it is talking to something else. So far
> >>> > no joy.
> >>> >
> >>> > I am wondering about getting wire shark in there and trying
> >>> > to filter those packets that way as I am not having much luck
> >>> > with the Mikrotik tools
> >>> >
> >>> > Any recommendations?
> >>> > --
> >>> >
> >>> > Chuck Hast  -- KP4DJT --
> >>> > I can do all things through Christ which strengtheneth me.
> >>> > Ph 4:13 KJV
> >>> > Todo lo puedo en Cristo que me fortalece.
> >>> > Fil 4:13 RVR1960
> >>> >
> >>>
> >>
> >>
> >> --
> >>
> >> Chuck Hast  -- KP4DJT --
> >> I can do all things through Christ which strengtheneth me.
> >> Ph 4:13 KJV
> >> Todo lo puedo en Cristo que me fortalece.
> >> Fil 4:13 RVR1960
> >>
> >>
> >
> > --
> >
> > Chuck Hast  -- KP4DJT --
> > I can do all things through Christ which strengtheneth me.
> > Ph 4:13 KJV
> > Todo lo puedo en Cristo que me fortalece.
> > Fil 4:13 RVR1960
> >
> >
>
> --
>
> Chuck Hast  -- KP4DJT --
> I can do all things through Christ which strengtheneth me.
> Ph 4:13 KJV
> Todo lo puedo en Cristo que me fortalece.
> Fil 4:13 RVR1960