IOT Security Report: MiLight WiFi Bridge Sends Network Packets to China

Today we’re taking a look at an informal security report on the MiLight WiFi bridge. If you’re considering picking up this cheap Chinese WiFi smart light package, check out the details below to weigh what you’re giving up in trying to save a few dollars.

This network traffic analysis of the MiLight WiFi bridge was performed and shared by a Reddit user and is summarized here for your benefit.

Why is the MiLight WiFi Bridge Sending Information to China?

As soon as you start analyzing the network traffic to and from the MiLight bridge, it’s obvious that the bridge is regularly communicating back and forth with China.

Here’s a summary of the traffic:

  1. Every 28 seconds, the bridge sends a network time protocol (NTP) packet to 61.164.36.105 (Shanghai, China)
  2. Every 24 seconds, the MiLight bridge sends a TCP packet to a Virtual Private Server (VPS) hosted by Dreamservers
  3. When powering up, it resolves www.anymilight.com
  4. When powering up, it also sends a TCP packet to www.anymilight.com

Here’s a more detailed look at the traffic mentioned above.

  1. The NTP message is sent to a server that is also used by other Chinese IOT products like the Orvibo WiFi Socket. For the MiLight WiFi Bridge, there is no response to the message and the content is always the same.
  2. Like the NTP message above, the content of the TCP packet appears to always be the same (at least constant for the time period analyzed). It looks like it may be some sort of hardware ID or checksum.
  3. The bridge uses 8.8.4.4 (a Google resolver) to resolve www.anymilight.com to IP 208.113.204.254
  4. The TCP packet definitely looks like a MAC address (media access control, i.e. a device ID for the network)

So, what does this mean?

First, it’s important to state that these all seem like pretty benign actions by the bridge: it contacts servers in China and California, but nothing observed looks like exfiltration.

So if you already have a MiLight WiFi bridge, don’t rip it out and toss it in the trash just yet.

The only real concern here is that this analysis was constrained by limited time. While nothing suspicious was sent during the time frame recorded above, that does not preclude the bridge from sending sensitive information at other times.

If you’re very concerned about your home network’s security, you may want to log traffic from the bridge, or block traffic to these addresses altogether, just to be sure.

References:
1. Reddit user analysis
