I noticed repeated activity on the firewalls of two of my computers.
The activity originates from 10.0.0.94, which was not assigned by my DHCP server. After much sleuthing, I determined the MAC address that is trying to connect was from a Philips device, which in my case would have to be a Philips Hue hub.
I could understand it trying to discover other Philips devices, but all communication with my Hue bulbs happens over Zigbee.
I’ve tried googling, but no explanations so far.
I don’t think I am being, or have been, hacked; I’m just trying to understand what’s happening in my home.
My questions are:
- Why doesn’t the hub use DHCP (even though I have DHCP enabled in the Hue app)?
- Why is it trying to connect to other computers on the network?
- What is it trying to discover?
In the log entries below, the first six hex numbers (three bytes) are the destination MAC address, the second six are the source MAC address. After learning this, I was able to look them up and determine the manufacturer using this website. E.g. 00:17:88 is Philips Lighting Bv, 10:dd:b1 is Apple, Inc., and 48:4d:7e is Dell Inc.
Log entry from computer A:
Nov 23 23:19:26 mac-mini kernel: [UFW BLOCK] IN=enp1s0f0 OUT= MAC=10:dd:b1:99:xx:xx:00:17:88:6a:e6:1c:08:00 SRC=10.0.0.94 DST=10.0.0.8 LEN=316 TOS=0x00 PREC=0x00 TTL=64 ID=26510 DF PROTO=UDP SPT=1900 DPT=44248 LEN=296
Log entry from computer B:
Nov 23 23:17:43 pop-os kernel: [UFW BLOCK] IN=enp0s31f6 OUT= MAC=48:4d:7e:fa:42:f9:yy:yy:88:6a:e6:1c:08:00 SRC=10.0.0.94 DST=10.0.0.13 LEN=319 TOS=0x00 PREC=0x00 TTL=64 ID=43299 DF PROTO=UDP SPT=1900 DPT=58869 LEN=299
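
The MAC field layout described in the post (destination, source, then EtherType), as an added Python example that is not part of the original post: it parses `[UFW BLOCK]` lines, resolves vendors from the three OUI prefixes the post lists, and tolerates redacted octets. The two sample lines are copied from the post; the function names and the port label table are assumptions of this example.

```python
import re
from collections import Counter

# OUI prefixes named in the post (first three bytes of a MAC address).
OUI = {"00:17:88": "Philips Lighting Bv", "10:dd:b1": "Apple, Inc.",
       "48:4d:7e": "Dell Inc."}
# Assumption of this example: label 1900/udp, the IANA-registered SSDP port.
PORTS = {1900: "ssdp"}

# The two log lines from the post, verbatim (redacted octets stay redacted).
SAMPLE_LOG = [
    "Nov 23 23:19:26 mac-mini kernel: [UFW BLOCK] IN=enp1s0f0 OUT= MAC=10:dd:b1:99:xx:xx:00:17:88:6a:e6:1c:08:00 SRC=10.0.0.94 DST=10.0.0.8 LEN=316 TOS=0x00 PREC=0x00 TTL=64 ID=26510 DF PROTO=UDP SPT=1900 DPT=44248 LEN=296",
    "Nov 23 23:17:43 pop-os kernel: [UFW BLOCK] IN=enp0s31f6 OUT= MAC=48:4d:7e:fa:42:f9:yy:yy:88:6a:e6:1c:08:00 SRC=10.0.0.94 DST=10.0.0.13 LEN=319 TOS=0x00 PREC=0x00 TTL=64 ID=43299 DF PROTO=UDP SPT=1900 DPT=58869 LEN=299",
]
FIELD = re.compile(r"(\w+)=(\S*)")

def vendor(mac):
    """Vendor for a MAC via its OUI; redacted or unlisted prefixes give None."""
    return OUI.get(mac[:8].lower())

def parse_ufw_block(line):
    """Parse one [UFW BLOCK] line into a dict; None if it is not one."""
    if "[UFW BLOCK]" not in line:
        return None
    kv = dict(FIELD.findall(line.split("[UFW BLOCK]", 1)[1]))
    octets = kv.get("MAC", "").split(":")
    if len(octets) != 14:  # Ethernet: 6 dst + 6 src + 2 EtherType bytes
        return None
    dst, src = ":".join(octets[:6]), ":".join(octets[6:12])
    sport = int(kv["SPT"]) if "SPT" in kv else None  # ICMP has no ports
    return {"dst_mac": dst, "dst_vendor": vendor(dst),
            "src_mac": src, "src_vendor": vendor(src),
            "ethertype": "".join(octets[12:]),  # 0800 = IPv4
            "src_ip": kv.get("SRC"), "dst_ip": kv.get("DST"),
            "proto": kv.get("PROTO"), "sport": sport,
            "sport_name": PORTS.get(sport),
            "dport": int(kv["DPT"]) if "DPT" in kv else None}

def summarize(lines):
    """Count blocked packets per (source IP, protocol, source port)."""
    hits = (parse_ufw_block(l) for l in lines)
    return Counter((h["src_ip"], h["proto"], h["sport"]) for h in hits if h)

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_ufw_block(line))
    print(summarize(SAMPLE_LOG))
```

In the second line the source OUI is partly redacted (`yy:yy:88`), so the vendor lookup returns `None` rather than guessing.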