An unknown device in my home network was doing something odd

I recently installed a new internet router at home to improve the wireless coverage and give me the option to set custom family-friendly name servers for all connected devices [1].

While making sure the wireless network was set up the same way as on the previous router, I noticed a few unknown devices in the DHCP client list [3].

All the unknown devices I could quickly identify using MAC address lookup sites [2], which show which vendor the network cards came from. All except one.

Before you read on, just a quick remark: I am not a trained information security guy, I just know a couple of things from being a long-time Linux user and having worked with computers and networks.

The network card in this device could not be identified, which I thought was a bit odd. I scanned the IP address for open ports using network tools such as Nmap for Linux/Unix and Port Authority for Android, and found a couple of open ports, 9080 and 50002, which didn’t help much.

I fired up Wireshark, software that lets me see what is going on in the network traffic, and filtered on everything coming from that IP address, to see if there was anything fishy going on (pun intended). Then I noticed something. Every 20 seconds, the device sent tiny multicast DNS (mDNS) UDP request packets, multicast to every device on the network, looking for Chromecast devices!

Wireshark in action

My first thought was: is this a Chromecast device doing this? I know I have three of them in my network, but all of those were already accounted for in the DHCP client list on the router, so it cannot be them.

To limit my search further, I turned off the wireless radio in the router, to see if this device was connected via cable or wireless. Immediately, the tiny mDNS packets stopped. So this had to be a wireless device.

I then tried to disconnect the TVs, gaming consoles and printers that I have in my network, but still the packets kept flowing in the sea of network traffic. What could this be? Surely I’m not being hacked, I thought.

Then, after chatting briefly with a couple of friends about this, I learned that similar mDNS traffic occurs when phones and tablets connect to a wireless network [4]. Odd, why is that?

At last it dawned on me: I had not checked the mobile devices connected to my wireless network, such as phones and tablets. So I checked each of them, one by one, to see which IP address they had. Finally I found it. It was an Android phone belonging to the elder of my two sons!

I let out a deep sigh. It was like finding shore after a long time out at sea. I felt calm, but something was still annoying me. Why was his phone doing this, and what was the purpose of these tiny packets?

I checked my own phone’s IP address and used Wireshark again to listen to the traffic coming from it. The same thing happened there. It sent out the same type of packets all the time. Does that mean all phones do this?

I let my phone go to sleep and the traffic stopped. Then I woke the phone by pressing a button on the side, and the packets flooded in again.

According to the information in the UDP packets found using Wireshark and the behavior of the phones, it seems that these Android devices look for Chromecast devices in the network, both when connecting and while active on the network, to see if there is somewhere to cast to. Just in case the user of the device wants to cast anything to them.

According to an article, the same might happen with PCs that have the Chrome browser installed [4]. These packets will continue to flood your network even if you don’t have any Chromecast devices in your network. Just a bunch of devices flooding the network with these questions all the time, looking for someone that just isn’t there.
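To see what such a packet actually contains, here is an added example (my own code, not from the original post or from Google) that builds the same kind of mDNS question an Android device sends for the Cast service type `_googlecast._tcp.local`, then parses it back from raw bytes and classifies it, the way you might over a payload copied out of a Wireshark capture. The sample packets are constructed in the script; the destination group 224.0.0.251:5353 is the standard mDNS address.

```python
import struct

MDNS_GROUP = ("224.0.0.251", 5353)       # standard mDNS multicast group and port
CAST_SERVICE = "_googlecast._tcp.local"  # service type Google Cast devices advertise
QTYPE_PTR = 12                           # PTR query = "who offers this service?"


def encode_name(name):
    """Encode a dotted DNS name as length-prefixed labels."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_mdns_query(name, qtype=QTYPE_PTR):
    """Constructed sample: one-question mDNS query (id 0, flags 0, class IN)."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(data, offset):
    """Decode a DNS name, following compression pointers (0xC0xx)."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            tail, _ = decode_name(data, ptr)
            labels.append(tail)
            return ".".join(labels), offset + 2
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_questions(payload):
    """Return (name, qtype, qclass) for each question in an mDNS UDP payload."""
    _id, _flags, qdcount, *_ = struct.unpack("!HHHHHH", payload[:12])
    offset, questions = 12, []
    for _ in range(qdcount):
        name, offset = decode_name(payload, offset)
        qtype, qclass = struct.unpack("!HH", payload[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass & 0x7FFF))  # top bit = QU flag
    return questions


def classify(payload):
    """Label a payload as Cast discovery or some other mDNS chatter."""
    for name, qtype, _ in parse_questions(payload):
        if qtype == QTYPE_PTR and name == CAST_SERVICE:
            return "cast-discovery"
    return "other-mdns"
```

In Wireshark the same questions appear under the display filter `mdns`, and the Cast queries are the ones asking for a PTR record of `_googlecast._tcp.local`.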

I looked for an option to prevent the phone from doing this, but could not find one. Perhaps a “feature” of the Google Play/Android/Chrome software?

UPDATE: I posted a question on https://networkengineering.stackexchange.com/questions/78197/can-i-prevent-android-from-looking-for-chromecast-devices-in-the-network to see if anyone could answer this. An answer came quickly that it wasn’t the proper forum to ask this on, and I was pointed to android.stackexchange.com, where I found this similar question [6] when I was about to submit the question there: https://android.stackexchange.com/questions/68169/ever-since-connecting-to-a-chromecast-my-device-floods-the-network-with-ssdp-pa

So it seems that the amount of traffic I experienced isn’t much at all, just clients chatting away on the network as expected. Also, other operating systems will do similar discovery chatter and fill the sea with voices.

Case closed!


[1] https://blog.cloudflare.com/introducing-1-1-1-1-for-families

[2] https://macaddress.io

[3] https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol

[4] https://networkengineering.stackexchange.com/questions/53160/what-does-the-output-of-this-tcpdump-mean

[5] https://serverfault.com/questions/1005372/googlecast-ssdp-and-mdns-queries-on-network-despite-not-having-any-chromecast-ap

[6] https://android.stackexchange.com/questions/68169/ever-since-connecting-to-a-chromecast-my-device-floods-the-network-with-ssdp-pa