D-Link Forums

D-Link Connected Home => DSP-W110 => Topic started by: eghuff on May 24, 2016, 08:29:16 PM

Title: Using the DSP-W110 on a Guest network
Post by: eghuff on May 24, 2016, 08:29:16 PM

Given the newness of IOT devices and the fact that the firmware can be loaded from a remote D-Link server, I wanted to put my plugs on a private network that would allow them to access the internet, but not access the other non IOT devices on my LAN.  I am using an ASROCK G10 router that provides guest network capability.

I tried setting up a persistent guest network and setting up my plugs using this network.  All appeared to go well, but when I clicked Finish to save the device, I consistently got an error message.  The app could see the plugs, and the plugs connected to the network, but the process could not be completed to save the device data on the server and the device definition was mot saved.  I called D-Link support and after trying many things with the rep, she finally escalated the problem to a higher level of support.  The next day, I got a call from Ryan, and after much discussion, he concluded that something was being blocked by the restrictions of the guest network implementation.  He suggested that I try changing the normal wireless SSID and password to the ones I wanted to use for the guest network, disable the gusst network, and set up the plugs that way.  He opined that the plugs should work normally on the guest network once they were set up.

I did this and was able to sucessfully save the devices in the app.  I then changed the router definition to use the normal SSID and password for my normal network, and enabled the guest network using the SSID and password the plugs had been set up with.  Applying these changes requires rebooting the router, but when the router rebooted and was connected to the iinternet, the plugs attached to the guest network and appeared to work normally.  I had had the plugs in my office plugged into a power strip for setup, so I unplugged them and moved them to the rooms where the were to control lamps.  When I plugged them in, the green light on the plugs indicated the plugs were attached to the guest network, but the devices in the app were greyed out, and tapping them caused and error popup saying the plugs were not connected to the internet.  My guess is that the swithcing of the SSIDs/passwords went undetected by the plugs until the plugs were power cycled.

After another call to Ryan, we concluded that something related to the guest network as stopping the plugs from accessing the D-Link server.  After trying several things, Ryan suggested that I power cycle the router.  I tried that, and the plugs showed up as active in the app, and I was able to control the lamps from the app.  Neither Ryan nor I have any idea why power cycling the router allowed the plugs to access the server, but so far that seems to work.

I learned several things from this exercise:
1) You can't set up the plugs on a guest network.
2) You can set them up on a normal network, then swap the SSID and password to a guest network
3) The software is sensitive to the length of the SSID.  When I used a 14 character SSID, I could not save the device definitions.  10 or less characters worked OK.
4) At least on my router's guest network, the plugs can't connect to the D-Link server without rebooting the router
Title: Re: Using the DSP-W110 on a Guest network
Post by: FurryNutz on May 25, 2016, 06:47:21 AM
Thanks for the information and feed back about your experiences. I presume this experience is all related to the router your using and how it's handling the guest network and devices on it. The mfr of this router maybe handling and processing things differently. Of course, these DSP units are designed to work on a secured WLAN side normal SSID configuration. Some guest networks are not fully secure and are open to the WAN side of the router and are blocked from communicating with anything on the LAN side of the router when using the guest network. Also some routers use different IP address pools that differ from the default IP address pool as well.

If you got it working then you should be ok. Enjoy.

Good Luck.
Title: Re: Using the DSP-W110 on a Guest network
Post by: eghuff on May 25, 2016, 07:46:08 AM
It's not clear the issue is specific to the G10 router.  Ryan was able to confirm that his test configuration using a different router guest network did not allow setup of the plugs.  Without knowledge of the protocol usage of the smart plug it's hard to know.  One article describing a hack of the DSP-W215 smart plug indicated use of the Home Network Administration Protocol (HNAP), which it exploited with a buffer overrun attack to get root privilege.  Here's a reference on that hack: http://www.devttys0.com/2014/05/hacking-the-d-link-dsp-w215-smart-plug/.

I would contend that the smart plugs as well as all IoT devices should most certainly not be on your normal network.  The other version of the D-Link smart plug has been hacked to allow an attacker to gain root privilege, and Several IoT hubs protocols have been showed to be not secure.  IoT devices are not secure and one might expect that manufacturers of low cost devices won't apply much resource to security testing.  That said, the IoT devices should utilize protocols that work on guest networks imho.
Title: Re: Using the DSP-W110 on a Guest network
Post by: FurryNutz on May 25, 2016, 07:53:04 AM
These devices are meant for normal networking on the lan side.

If there is a security issue, you can help by reporting it to D-Link:
http://support.dlink.com/ReportVulnerabilities.aspx (http://support.dlink.com/ReportVulnerabilities.aspx)

I'm sure D-Link will work as fast as possible to close any security issues seen with this devices so they are safe and secure and used with peace of mind on any normal network.

I'll pass this along to D-link as well.

Thank you for your time and information.
Title: Re: Using the DSP-W110 on a Guest network
Post by: FurryNutz on May 25, 2016, 09:01:34 AM
These units support mDNS...possible factor here.

Also that article is 2 years old. I'm sure D-Link as already addressed that issue.
Title: Re: Using the DSP-W110 on a Guest network
Post by: eghuff on May 26, 2016, 11:05:33 AM
The exposure I referenced wasn't catastrophic since the exploit required the exploiter to be on the same network as the plug.  The primary security exposure that concerns me is the possibly of the D-Link server that the plugs connect to being exploited, since that server sends commands including firmware updates to the plug, which is always connected to the server.  If one could compromise the server either directly or via a man in the middle attack, then the plug could be loaded with firmware to make it a back door into the network to which it is connected.

Historically, routers have had many exploitable holes, and the many manufacturers haven't been quick to fix these exploits.  These IoT devices are cheaper than routers (and thus need limited development expense to be profitable), so one would be smart to be wary of having them in a network you rely on imho.  There's no reason that the plugs shouldn't be designed to work on an isolated network.  Given mine are functioning fine on my guest network after installation, they are pretty close now.

I'm not familiar with mDNS protocol, but looking at Google search results, mDNS seems to but used to resolve names on a local network.  Once configured, the plugs connect to the remote server which is not local, so would have to be resolved by normal DNS protocol, wouldn't it?  Any idea what the plugs use mDNS for?  Is i used after configuration has added the plug to the account on the D-Link server?
Title: Re: Using the DSP-W110 on a Guest network
Post by: FurryNutz on May 26, 2016, 11:44:24 AM
What Mfr and model router do you have?
D-Link is fairly quick to review, check and close any security issues seen on there routers.

FYI: https://en.wikipedia.org/wiki/Multicast_DNS (https://en.wikipedia.org/wiki/Multicast_DNS)
Title: Re: Using the DSP-W110 on a Guest network
Post by: eghuff on May 27, 2016, 02:47:20 PM
I am using an Asrock G10 which supports AC2600 with MUMIMO.