Netgate Discussion Forum

Unknown Android Device

General pfSense Questions
  • S
    slimypizza
    last edited by Mar 9, 2020, 5:00 PM

    I recently noticed on my DHCP Server page that what appears to be an Android device (identified as android-3854ef10afd0d6ff) had received a DHCP address. That was a red flag to me because I don’t have any Android devices. I assigned a static IP and made a LAN rule to block that address just to contain it, which seems to be working. Per the logs, the ‘device’ tries to contact either DNS (53) or a couple of IPs in China every few seconds (203.119.211.219, 203.119.217.116, 203.119.205.154). Any ideas what could be happening? I did reboot pfSense and the device came back. The only new devices I have at the house are Alexa dots, which I have assigned static IPs to and are accounted for. Blocking communication of the unknown device has no effect on the performance of the Alexa dots, so I don’t believe they’re associated.

    • N
      NollipfSense @slimypizza
      last edited by Mar 9, 2020, 5:32 PM

      @slimypizza Posting situations such as this makes no sense. The device must have come from those who have access to your LAN...either household or guest. I even believe your Alexa uses Android. For sure, pfSense has NOTHING to do with this issue.

      pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
      pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

      • S
        stephenw10 Netgate Administrator
        last edited by Mar 9, 2020, 8:05 PM

        That's just the hostname whatever it is reports. Android does use a naming scheme like that but it could be anything with a spoofed name.

        Check the MAC address, what is the OUI? That too could be spoofed of course.

        Install the nmap package and run it against that host.

        Change your wifi passphrase if you're in any doubt.

        Steve

        1 Reply Last reply Reply Quote 0
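The checks suggested in the post above (hostname shape, OUI, and the possibility of a spoofed MAC) can be scripted against a lease list. This is an added example, not code from the thread or from pfSense; the lease tuples, inventory, IP addresses and MACs are constructed, and only the hostname string is the one quoted in the first post.

```python
import re

# Hostname shape seen in this thread: "android-" followed by 16 hex digits.
ANDROID_NAME = re.compile(r"^android-[0-9a-f]{16}$", re.IGNORECASE)

def mac_facts(mac):
    """Return (oui, locally_administered, multicast) for a 48-bit MAC string."""
    octets = [int(part, 16) for part in re.split(r"[:-]", mac.strip())]
    if len(octets) != 6 or any(o > 0xFF for o in octets):
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    oui = "%02X:%02X:%02X" % tuple(octets[:3])
    # Bit 0x02 of the first octet marks a locally administered address
    # (randomized or set in software); bit 0x01 marks multicast.
    return oui, bool(octets[0] & 0x02), bool(octets[0] & 0x01)

def normalize(mac):
    return mac.strip().lower().replace("-", ":")

def triage(leases, inventory):
    """leases: (ip, mac, hostname) tuples; inventory: MACs you know you own."""
    known = {normalize(m) for m in inventory}
    findings = []
    for ip, mac, hostname in leases:
        if normalize(mac) in known:
            continue
        oui, local, _multicast = mac_facts(mac)
        notes = []
        if ANDROID_NAME.match(hostname or ""):
            notes.append("android-style hostname (client-supplied, can be spoofed)")
        if local:
            notes.append("locally administered MAC, OUI lookup tells you nothing")
        else:
            notes.append(f"look up OUI {oui} in the IEEE registry")
        findings.append({"ip": ip, "mac": normalize(mac), "hostname": hostname, "notes": notes})
    return findings

# Constructed sample data: addresses and MACs are made up for illustration;
# only the hostname string is the one quoted in the first post.
INVENTORY = {"00-00-5E-00-53-01"}
LEASES = [
    ("192.168.1.20", "00:00:5e:00:53:01", "echo-dot-kitchen"),
    ("192.168.1.57", "00:00:5e:00:53:7a", "android-3854ef10afd0d6ff"),
    ("192.168.1.58", "da:a1:19:00:00:01", ""),
]

if __name__ == "__main__":
    for f in triage(LEASES, INVENTORY):
        print(f["ip"], f["mac"], f["hostname"] or "-", "|", "; ".join(f["notes"]))
```
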
        • N
          NollipfSense
          last edited by NollipfSense Mar 10, 2020, 1:49 AM Mar 9, 2020, 9:28 PM

          He could renew the lease to see whether the device appears and gets a new IP...

          • J
            JKnott @NollipfSense
            last edited by Mar 10, 2020, 1:14 AM

            @NollipfSense

            It should normally get the same address.

            PfSense running on Qotom mini PC
            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
            UniFi AC-Lite access point

            I haven't lost my mind. It's around here...somewhere...

            • N
              NollipfSense @JKnott
              last edited by NollipfSense Mar 10, 2020, 1:58 AM Mar 10, 2020, 1:55 AM

              @JKnott I realized that...maybe I should have said the device accepts IP; however, at least he would be able to know whether the device is active and powered.

              • S
                slimypizza
                last edited by Mar 10, 2020, 12:09 PM

                Thanks all. I did check the MAC, renewed the lease (before I gave it a static IP) and began taking devices offline to narrow down what this could be. Then….. I discovered a wifi picture frame my daughter had gotten and set up on the network. That was it. I’m not happy that it communicates to China with such frequency but will leave it be for now. Thanks for the feedback.

                • S
                  stephenw10 Netgate Administrator
                  last edited by Mar 10, 2020, 1:16 PM

                  Mmm, worrying. 😬

                  • G
                    Gertjan
                    last edited by Mar 10, 2020, 1:19 PM

                    This DHCP server option :

                    🔒 Log in to view

                    might help you.
                    When you give away your Wifi password, "people" can connect any device they want.

                    True, if the device permits a static IP / DNS / network / gateway setup, it could still communicate. Only firewall rules per device would really help = protect you.

                    Btw: connected devices nearly always 'call home'. Often, it's just the time and possible updates. Sometimes it's more. Before even buying stuff like this, you should 'Google them up' first.

                    No "help me" PM's please. Use the forum, the community will thank you.
                    Edit : and where are the logs ??

                    • J
                      JKnott @slimypizza
                      last edited by Mar 10, 2020, 2:42 PM

                      @slimypizza said in Unknown Android Device:

                      I’m not happy that it communicates to China

                      Maybe it's spying on you! 😉

                      • N
                        NollipfSense @slimypizza
                        last edited by Mar 10, 2020, 4:38 PM

                        @slimypizza said in Unknown Android Device:

                        I’m not happy that it communicates to China with such frequency

                        This below...almost always it's just checking for firmware upgrade!

                        @Gertjan said in Unknown Android Device:

                        Btw : connected devices nearly always 'call home'. Often

                        • S
                          slimypizza
                          last edited by Mar 10, 2020, 6:08 PM

                          Yes, probably spying on the whole family. HA! The frequency of interaction is about every 20 seconds. Seems excessive but the picture frame also allows for emailed photos and is probably checking for deliveries. Outbound communication only, it seems. No worries. Thank you all.

                          1 Reply Last reply Reply Quote 0
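A fixed cadence like the roughly 20-second outbound traffic described above can be picked out of connection logs by looking at how regular the gaps between connections are. This is an added example, not code from the thread or from pfSense; the events are constructed in a simplified (timestamp, source, destination) form rather than pfSense's own filter-log format, the source addresses are made up, and the first destination is one of the addresses quoted in the first post.

```python
from collections import defaultdict
from statistics import median

def beacon_candidates(events, min_events=5, max_jitter=0.2):
    """Flag (src, dst) pairs whose connection gaps are nearly constant.

    events: iterable of (epoch_seconds, src_ip, dst_ip).
    max_jitter: allowed median absolute deviation of the gaps, as a
    fraction of the median gap.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)

    flagged = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_events:
            continue  # too few samples to call anything periodic
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mid = median(gaps)
        if mid <= 0:
            continue
        jitter = median(abs(g - mid) for g in gaps) / mid
        if jitter <= max_jitter:
            flagged.append({"src": src, "dst": dst, "count": len(times),
                            "interval_s": mid, "jitter": round(jitter, 3)})
    return sorted(flagged, key=lambda r: r["interval_s"])

# Constructed sample events (seconds since an arbitrary start).
FRAME = [(t, "192.168.1.57", "203.119.211.219")
         for t in (0, 20, 41, 60, 80, 101, 120)]    # steady ~20 s cadence
LAPTOP = [(t, "192.168.1.30", "198.51.100.7")
          for t in (0, 3, 95, 400, 410, 1300)]      # bursty, human-driven
EVENTS = FRAME + LAPTOP

if __name__ == "__main__":
    for row in beacon_candidates(EVENTS):
        print(row)
```

A regular interval only shows that software is polling on a timer; it does not say what is being sent, which is why the per-device firewall rules mentioned earlier in the thread remain the actual control.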
                          • P
                            Pandame43
                            last edited by May 8, 2020, 5:38 AM

                            The device must have come from those who have access to your LAN...either household or guest. I even believe your Alexa uses Android. For sure, pfSense has NOTHING to do with this issue.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.