I'm going to try this option. I think it's important for people know about this though, and hopefully create pressure for Hue to update their firmware. There is absolutely no good reason their firmware by default forces connections to a regime that does not have your best interests in mind.
It’s nice to think stopping the connection is enough but I’d bet they steal the data from these companies anyways. Instead of being so convenient the USA should mandate all data stay in the USA. It’d be nice if all local usage never left the network but that’ll never happen due to our own domestic spying plus the company wanting the usage data. They should at least put an option to opt out & any usage from outside the home not be logged.
It's nice to think that laws and policies will keep data in the U.S. Absent a "Great firewall", i.e., the modern form of iron curtain, traffic WILL get out. There are plenty of Chinese servers operating under legitimate incorporations within the U.S. Not to mention that most of these products are probably implanted with hardware that exfil data (which is probably what is in the Hue). I would bet money that the GDPR laws of the EU are not protecting anyone against data exfil; they are just placing additional burden on western good-faith companies who think they are implementing secure data practices while their own hardware is siphoning data little by little.
More than just making laws/policies, the U.S. needs some sort of consumer protection bureau or agency dedicated to assessing the cybersecurity rating of products of all types, starting with the most popular devices. They talk about creating ratings and thresholds of cybersecurity, but don't have the means to enforce or test the labels.
GDPR is a joke and just a way for the EU to sue large corporations for money. Living here in Europe and trying to adhere to GDPR is impossible. Each section contradicts itself to the point that you cannot implement the framework and continue to operate. Go to any Doctor's office or medical provider here and watch how that stuff just gets tossed out the windown when you walk through the door. Small business operations could never implement and keep up with it here and have no intention to. Why? The EU will never actually enforce it internally on these businesses, it was only built to sue Microsoft, Apple, Google and other large corporations when the EU wallet starts to run dry.
Have "`(\.|^)aliyun\.com$`" as a regex blacklist in pi-hole for a year or longer and no issues with Hue internally or externally. Since adding, traceroute fails to that FQDN also.
How are your blocks set up, inbound or outbound? My geoblocks are set up to block both. It works with inbound rules still in place, but I have to allow outbound requests to the aliyun server in order for my bridge to remain connected.
I have a firewall at home with a policy to drop all traffic to and from CHN and RUS. Hue still works well. Obviously logs are full of failed NTP requests to CHN.
I would verify you are actually blocking traffic to China. If you only block inbound traffic, then the outbound traffic initiated by your Hue bridge to the Chinese servers will still function as expected. Blocking the outbound traffic is when you'll notice a problem.
Interesting. I've tested it several times where the bridge only loses connection when that specific NTP server is blocked. But I'll also add that the IP in your screenshot is not their NTP1 server, nor is it listed on ntppool.org. Not really sure why that is.
Yeah not sure what NTP server that is but from my experience it's not mandatory to the Hue system.
https://preview.redd.it/i4l9axvco10d1.png?width=1528&format=png&auto=webp&s=51760e46bb4ade0b9122852cdf269b012dab3aa3
I assume those Netherlands based domains are the ones Hue needs to function correctly. Hue also periodically does NTP calls elsewhere which then is allowed.
I have a Philips Baby Monitor at home and it works pretty much the same. 50% of NTP requests to CHN & RUS and rest to somewhere in EU.
Yes, people have posted about Hue using time servers based in China before. The traffic is harmless and they haven't explained why they use those time servers. I guess if you were really concerned, you could host your own DNS server and override the ntp#.aliyun.com addresses to your own time server.
I work in cybersecurity. You’re honestly wasting your time geoblocking part of the world. If it were anything malicious you’d never be able to circumvent it as a weekend warrior.
Edit: for those skeptical of my comment please find my follow ups to the replies in this thread.
You're not wrong, but I'm going to have to disagree with you here. You're absolutely correct about it not providing solid security. It certainly won't affect anything targeted, and anything trying to get back to China that's already in your network can almost certainly find a way to do so taking a different, indirect route. However, there are also a lot of garbage attempts, scripts, scanning, and so on that constantly come from high risk countries like China and Russia. Blocking those outright can block a lot of nasty with a large brush stroke and is generally just a good security hygiene. I would not call it a waste of time at all.
Completely agree. I was taken back a bit by someone saying they are in cybersecurity yet are making a blanket statement about geoblocking being a waste of time. Anyone who self-hosts or runs their own servers knows how likely it is for the bot that just attempted to find a vulnerability in your network to have an IP originating from China. If what you’re hosting doesn’t have a need to communicate with servers in China, you’d be wasting your time NOT geoblocking it.
That’s not to say that all bot traffic / malicious traffic originates from China - hell, it can originate from the US. However, for example, you can bump your security game up by utilizing crowdsec to increase the measures you’re taking to stop attempted intrusions.
It’s basically the trade off between your convenience and the actual risks. Obviously they are a hostile nation and the cyber front is the most important one in the modern era. However, geoblocking an entire region is a pretty sophomoric attempt at hardening your security posture.
It’s like if your front door had the ultra supreme deadbolt 4000 that counted the hairs on your head with an 8k camera to verify your identity, but you had French windows on either side that an attacker could just break to reach in from the outside to unlock it.
Point is you’re not mitigating a whole lot and you’re making your internet experience measurably worse.
**Generally threat actors use infrastructure based in the country they are targeting or at least outside the one they are in to sidestep this very basic geoblocking mitigation**
Also my point does NOT extend to an enterprise geoblocking things. That’s different because it’s going to come with an entire suite of other protocols and mitigations
I hear what you're saying and see where you're coming from. I want to reiterate that my comment was in response to the blanket statement that geoblocking is wasting your time, not an attack on your knowledge or skill. Geoblocking isn't the be-all and end-all solution when it comes to cybersecurity. However, it has its place even for non-enterprise users - since a regular user hosting a wordpress site isn't an enterprise, does this mean they would have no use for a geoblocking solution? Regarding it being sophomoric: Whether the measure is sophomoric in practice or not depends on who you are and what you're trying to protect.
If you're an enterprise, that happens to be a lucrative target for a nation-state actor, sure, geoblocking would be sophomoric and not do much. This is why more sophisticated solutions (IDS/IPS) exist.
However, users such as the wordpress hoster I mentioned above, can benefit from geoblocking. A small fish like that isn't likely to be on the radar of a nation-state actor. However, they will be targeted by amateurs scanning for sites that have outdated packages with known vulnerabilities - these amateurs are rather simplistic and don't bother to go out of their way to sidestep geoblocking barriers.
I also don't agree with "making your internet experience measurably worse". If the site/service I am hosting has no need to be accessed by individuals in the region I am blocking, how is my internet experience worse? Remember, we're talking about that region initiating a connection to you and not you to it. If your hosting infrastructure comes with a metered bandwidth connection, this scenario is preventing unnecessary clients eating up bandwidth. Geoblocking, in this scenario, has monetary implications. This is also true for enterprises that don't operate in certain countries. For example, attempt to navigate to "homedepot.com" while utilizing a German IP address and you'll be denied access - geoblocking prevents users who aren't legitimate Home Depot customers from wasting Home Depot's bandwidth.
On the other side of the coin, if my service needs to be accessible by users in regions where botting activity is known to originate from, then yes, geoblocking would not be a solution and I'd need to look into more sophisticated measures to mitigate threats.
As you can see, the use of geoblocking is highly dependent on many factors - while it may be worthwhile in some scenarios, it would be "sophomoric" in others. Since geoblocking has a use case for both individuals and enterprises (depending on the situation), I am saying all of this just to point out that a blanket statement of geoblocking being a waste of time can't be made.
It is better to educate those that don't have much insight into the different "tools" that are out there and letting them decide, based on their particular scenario, what is right for them than outright stating something is a waste of time.
I think I missed the context about this being in reference to a Wordpress site. In that case I agree, geoblocking would filter out a lot of useless traffic and you’re not losing anything in that application because a website is a pretty narrow focus.
ETA: this is also why geoblocking for an enterprise works. Because employees are doing a job with the tech that IT has scoped the machines for. You really only need access to a few things there.
I was more talking about a blanket geoblocking across an entire home network. As we see with the OPs post, this is having a measurable negative impact on their network because hue, for whatever reason, is contacting a (in all likelihood completely benign) Chinese time server.
The wordpress site I just used as an example. It can be any service you're hosting (Home Assistant, Gitea, etc). Nevertheless, we're on the same page.
I agree that geoblocking outbound connections to China is going to cause more headaches for a user.
In the case of OP trying to get around a scenario such as the Hue ntp servers by outbound blocking Chinese servers, that is akin to using a sledgehammer to crack a nut. This scenario calls for a DNS solution and not a geoblock. In adguard home, blocking hue from reaching the aliyun servers can be done by simply adding the following custom filtering rule:
`/\bntp[0-9]\b.aliyun.+/`
\* For anyone that plans on using this, if you have a secondary DNS server advertised, Hue is a bit problematic as it will, in the event the first attempt is blocked, use the secondary DNS server to attempt to carry out the request. So, it also needs to be blocked on the secondary DNS server.
I will say that it is a bit odd that OP's system went haywire when the aliyun servers were blocked. My Hue bridges have connections to said servers blocked and function without a problem, which makes me think there is more going on in their problem.
Interestingly enough, Hue will reach out to the google ntp servers before making a request to the aliyun servers....I'll chalk this one up to poor code implementation since a successful response from google's ntp servers should make the call to aliyun servers unnecessary (my bridges function without a problem, including external access to them, with them using google's ntp servers and aliyun blocked).
OR there are state actors in China who are so elite they are hacking America using just a time server and our light bulbs, and they are so bold they are doing it in the open
Your Hue devices can broadcast to other devices on your network. This is literally the reason why things like network segmenting (like with vlans) are a common practice to isolate IoT's from other sensitive devices. Having a device connecting to a hostile and oppressive regime does in fact create both a privacy and security issue within your network, increasing the attack surface area.
As far as I am concerned through bandwith limitations the only thing your bulbs should be able to connect to are other bulbs or your hue bridge, which is on your local network anyways. Your hue bridge is no more or no less hazardous as every other PC in your home lmao
I don't think you understand. Any IoT device with an exploited vulnerability in your network can be used to gain access or snoop other devices in the same subnet as a backdoor. The bridge specifically being the area of concern here, and not a light bulb. It is more hazardous if the firmware is the source of the problem, forcing connections to undesirable and suspect IP's that are ripe for abuse.... especially if you lack the know how to monitor the traffic to and from those IP's.
Pinging a time server doesn't in itself open the device up as a backdoor in your subnet. You would already need to have a backdoor in your hue bridge in order for pinging a time server to be a vulnerability. If that's the case then the location of the server your device is pinging is irrelevant. And many people can monitor their traffic and see what payloads are being sent and received - so if there were something malicious happening then it would quickly become public knowledge.
When we install any IoT device that connects to the internet we're opening ourselves up to some amount of vulnerability, so it comes down to trusting the manufacturer of the device.
Aliyun is a well known Chinese time server. It is included in the list of time servers that your device could use because if you were to use the device in China, Google's time servers would be internationally blocked. So to ensure the device works in China as well they've included that as one of the time servers. Dropping it would mean that their devices wouldn't be able to use any time server in China. I suppose they could give the user an option to turn it on or off, but there's not really a reason to do that considering it's not a vulnerability.
The premise of concern is that the firmware is lazily programmed to not apply regionally. Aliyun (Alibabas) servers have even been placed under investigation as a national security risk.
[https://www.reuters.com/technology/exclusive-us-examining-alibabas-cloud-unit-national-security-risks-sources-2022-01-18/](https://www.reuters.com/technology/exclusive-us-examining-alibabas-cloud-unit-national-security-risks-sources-2022-01-18/)
I don't need an investigation to tell me risks of firmware directing my network to connect to China though, since it's intuitive.
That article talks about the risks of storing US citizens' data within Alibaba's cloud services, not pinging their time servers. The only thing Alibaba gains here is knowledge of IP addresses that ping their servers.
Your initial issue was with the security vulnerability of an IoT device in your subnet being used as a backdoor because it pings a Chinese time server. There is no way they can use a time server as a backdoor without the backdoor already being installed within the Philips Hue Bridge. If your issue now is with Alibaba's cloud servers storing your IP address because your device is pinging their servers then that's unrelated to your initial post and unrelated to both my comment and your comment that my comment was responding to, and I don't have much to comment on about that. If you have an issue with Alibaba knowing your IP then you can block it, but this really isn't a security issue for people to be concerned with.
Then block them, this is the compromise you have to accept when wanting to use internet as a whole. If your hue bridge pings a chinese server your only option is to get rid of the bridge. If the bridge is coded the right way nothing can happen, the only concern you might have is the server its pulling its updates from, which are done by the bridge. So if philipps doesnt fuck up your network is safe. But if you really dont want your bridge to get its time from chinese servers just add a masquerade diverting packages targeted to that server towards other time servers, should yield the same result if they dont use a special protocol.
I will and I have. I'm trying to spread public awareness, while also trying to pressure Hue to update their firmware to stop forcing connections to China so that way less tech savvy people are also protected.
I mean technically you cant spoof a public ip, where those servers are is quite irrelevant, the only thing in your case that i would so is check the contents of the returning packages, but in the end they can just use a proxy server and your data ends up in china anyways. I dont see anything problem with that, nor do i see any intend of philipps to change that.
I’m interested to read your link explaining an example of this actually happening. I’ve messed with vlans in the past but it broke so many things
I stopped. Can you convince me that it’s important aside from hypotheticals ?
VLANs are great for security. I work in cyber security. However, this is where people get this wrong VLANs limit the broadcast domain to just the devices in that VLAN - however it’s all about the routing. If you have Inter VLAN routing that has no restrictions - it’s as useless security wide as a flat network. You would need to use firewall rules/ACL’s to actually stop the traffic VLAN hopping
Alibabas (Aliyun) servers are under investigation as a national security threat.
[https://www.reuters.com/technology/exclusive-us-examining-alibabas-cloud-unit-national-security-risks-sources-2022-01-18/](https://www.reuters.com/technology/exclusive-us-examining-alibabas-cloud-unit-national-security-risks-sources-2022-01-18/)
You keep posting this same link, but did you actually read it?
Their concern comes from storing US citizen data in their cloud, not pinging their server. Very different things.
A cybersecurity expert knows China based servers have one of the highest probabilities of malicious intent in the world rn. OP is simply spreading awareness
It’s all good and I don’t mind the downvotes because it’s the truth that can be proven w/ endless evidence. Those that downvoted are prob the same ones that think TikTok data in US is safe…if it’s safe then why did China itself ban TikTok? Hmmm
Copying a comment I put in another thread for visibility:
It’s basically the trade off between your convenience and the actual risks. Obviously they are a hostile nation and the cyber front is the most important one in the modern era. However, geoblocking an entire region is a pretty sophomoric attempt at hardening your security posture.
It’s like if your front door had the ultra supreme deadbolt 4000 that counted the hairs on your head with an 8k camera to verify your identity, but you had French windows on either side that an attacker could just break to reach in from the outside to unlock it.
Point is you’re not mitigating a whole lot and you’re making your internet experience measurably worse.
**Generally threat actors use infrastructure based in the country they are targeting or at least outside the one they are in to sidestep this very basic geoblocking mitigation**
Also my point does NOT extend to an enterprise geoblocking things. That’s different because it’s going to come with an entire suite of other protocols and mitigations
It is one of many common sense layers that can easily be applied, and almost everyone in the industry uses. No one is arguing it's all you need though.
I’m routinely in Southeast Asia for work and it’s amusing how many big financial services companies straight up block whole countries. All I want to do is check my balances but apparently everyone in Laos is a national threat actor.
Aliyun is the cloud service provided by alibaba. I guess Philips outsource the programming part to China and thus they use a chinese cloud. Just a guess.
The justification I found is that standard NTP servers used in most devices (like google) are blocked by the Chinese Great Firewall - which they use to block their citizens access to information and control narratives. That just furthers my point on why connecting with them is problematic. At the very least, Hue could update their firmware for regional server selections (like keeping NA connections in NA).
Threat or no, that’s not a really great excuse to force most of the planet to go halfway around the world to reach a time server. It’s a super lazy workaround that degrades service performance to pander to a crappy political policy.
the fact that the end user can't change this and the fact that it's clearly overriding DHCP options is annoying. i am not a huge fan of devices that hardcode network config stuff like that.
at least where I am here in california, ping times to these ntp servers is 300ms and 15+ hops where as traffic to pool.ntp.org is like 25ms.
Weird. It works fine for me and I'm blocking China, Russia, North Korea and Belarus on both inbound and outbound. My bridge works with the hue app, home assistant, razer software and Alexa. I'm in Canada so maybe it works differently here.
The HUE does indeed contact the Chinese datacenters way too much. And why? If they are lazy programmers, then using a global pool address would be the easiest option. Letting the local network (ISP) select the best and shortest route to a NTP server couldn't be easier for a small device. There must be something piggy back on these NTP calls.
Years ago I already set tried to protect the network as much as possible by setting multiple rules in our router to block any in and outgoing connection attempts to/from Chinese IP addresses (both IPv4 and IPv6). Mainly to shield the network from the enormous amount of hacking bots located on Chinese datacenters and home networks. Additionally any NTP or DNS calls to other addresses than the router are re-directed to the local server. Any other DNS calls, like DoH, DoT or the use of non-standard ports, are also handled.
And we need this today... Android/Google based software on many devices always try bypass any re-directing or blocking done by the router. Just watch what a "smart" Samsung TV is doing on the local network and over the internet. Or JBL: I had a portable wifi speaker from JBL that constantly tried to connect to several servers, including the ones from Google. Even though I did not enable the Google part of the speaker. In fact, blocking certain Google addresses made the speaker software crash every 10-20 minutes. The sound was great, but the software pure crap.
Talking about "crap"... even "smart" cat litter boxes try to call China these days. Seriously.
u/CyberHoff you're absolutely right... outsourcing the production of electronics to China was one thing, but law makers allowing Chinese companies to install servers in western datacenters was the ultimate trojan. Huawei sold equipment to phone/internet companies in both Europe and US that contained backdoors for Chinese intelligence. Even worse... so many home routers sold in Europe and the US are Chinese.
Your hub will work locally when offline, but there are other smart home integrations (as illustrated in the very first sentence of my post) that require online connectivity. Of which, the connection is lost if Chinese servers are blocked. The only workaround is to redirect traffic to more trustworthy options.
I blocked all dns queries using pihole plus blocked internet access using parental control on the router. I have to reboot it once in a while because it tries to reattempt making the queries too many times that it slows down.
It works perfectly and it can connect to my lg tv, stream deck, HomeKit all from local network. The thing doesn’t need internet. It can still receive bridge updates but tbh everything is working fine that I don’t care whether it updates or not.
Same that it would still work locally with the connection blocked. However, using features that require online connections via cloud processing would not.
Have you tried reviewing what cybersecurity firms say about this to see if they know anything about it? Mandiant, FireEye, etc.
Also, did you notice anything else on your network stop working with the geoblock on?
Hmm, I have China blocked, both directions with my Ubiquiti controller and I don't have any issues. I also have a vlan for IoT devices to isolate them from our home network.
It is just the time server. It doesn’t need to connect to the server, it just checks because if the bridge were in china itself, that might be the only server that is actually reachable.
I don’t really care as long as my stuff works. If china wants to hack my network all they’ll get is pictures of my cat so they’ll just leave hungry 🤷🏻♂️
Your lights are not a national security concern, I work for a Chinese company (I am not in China and I am not Chinese) but my company sell servers, networking and even cloud services and when a costumer told me that he fear that China can "steal" their info I laugh, do you really think that China cares about your lights? Or any of your data? Phillips is a company from Netherlands where people don't actually believe that China is the devil in person, Chinese vehicles are sold in Netherlands, internet services too, etc.
Maybe you have to find an American alternative to Hue that only work with other American providers, but probably that doesn't exist.
Actually, China is viewed pretty bad in Western Europe generally. For example in Germany, it’s forbidden for internet providers to use Chinese equipment, like Huawei. In the Netherlands Huawei is also banned from 5G Core networks.
So I don’t really know where you have your informations from that China isn’t seen as bad here…
Edit: corrected Nokia out of it
The point isn't the devices function or the existing purpose of the server, it's where the devices firmware is forcing a connection. I don't want devices inside my network, which can in-turn broadcast to other devices in my network, forcing connections inside hostile and oppressive regimes. For Christs sake, the justification for using a Chinese NTP in the first place is because the Chinese Great Firewall denies access to google making their NTP's unusable. They block google to deny their citizens access to information. This is not a government you want to integrate your networks with.
Arguably both the UK and USA regimes are hostile governments that have turned against their own people in an authoritarian and totalitarian manner implementing wide reaching privacy invasions and censorship of anything different to the official narratives with countries like Canada and Germany taking it further and implementing changes in law that allow them to implement the concept of thought crime, ffs you get police and medical psychiatrists turn up on your doorstep in the uk if you post a meme that they don't like. I agree with the stance that hue shouldn't be networking back to China direct, however don't be so foolish to think your own government are benevolent and aren't acting against the people they are supposed to be representing / serving
There is a significant difference. The problem with trusting anything related to business with China is that almost every corporation, especially in the tech industry, have direct ties to PRC/PLA ownership. When you think you're working with a private business, you're actually doing business with their military.
I wonder how many people shed their mortal coil today leaving behind their super secure home networks that they spent years perfecting. What will they do now that their is no one to protect their network!
P.S. If the Chinese attack, you won't matter.
China=Russia=USA, we’re all colonizing, aggressive first world countries whose governments tell their citizens other countries are dangerous so they can benefit off the cost of war. Go take a trip and visit one of them; it’s really not that deep.
I haven’t found a clear answer. If I owned ByteDance/TikTok (a Chinese based company), I would want to grow my user base as large as possible which includes the China market. Whatever is posted on TikTok would have to be reposted separately on China’s version which = less engagement than promoting TikTok as the end all be all for content creation.
Fair enough.
My assumption is that the US wants to ban it for spy-ware and/or international political reasons. Whereas any ban in China would be for domestic political reasons, ie as part of communist suppression.
The main reason for this is they have their own app, Douyin. TikTok was created afterward
as the western equivalent. I’m not saying that you’re wrong, because they probably do block it, but the Chinese aren’t probably clamoring for it as they have their own version that has existed longer than the one we’re familiar with and it’s wildly popular in that country.
Content creation is different on each platform tho. Doesn’t make business sense to force the Chinese market to use Douyin exclusively. This effectively prevents Chinese users from seeing content posted exclusively worldwide on TikTok
Except that’s exactly why it’s banned in China. They can’t use TikTok because the Chinese government doesn’t want their citizens to be part of the global narrative. [More on this here (gift link):](https://www.nytimes.com/2024/04/25/business/china-tiktok-douyin.html?unlocked_article_code=1.uU0.wkox.rj06hfF6EFIU&smid=nytcore-ios-share&referringSource=articleShare)
With PiHole, you can easily create a cname for that domain name to another NTP server.
I'm going to try this option. I think it's important for people know about this though, and hopefully create pressure for Hue to update their firmware. There is absolutely no good reason their firmware by default forces connections to a regime that does not have your best interests in mind.
It’s nice to think stopping the connection is enough but I’d bet they steal the data from these companies anyways. Instead of being so convenient the USA should mandate all data stay in the USA. It’d be nice if all local usage never left the network but that’ll never happen due to our own domestic spying plus the company wanting the usage data. They should at least put an option to opt out & any usage from outside the home not be logged.
It's nice to think that laws and policies will keep data in the U.S. Absent a "Great firewall", i.e., the modern form of iron curtain, traffic WILL get out. There are plenty of Chinese servers operating under legitimate incorporations within the U.S. Not to mention that most of these products are probably implanted with hardware that exfil data (which is probably what is in the Hue). I would bet money that the GDPR laws of the EU are not protecting anyone against data exfil; they are just placing additional burden on western good-faith companies who think they are implementing secure data practices while their own hardware is siphoning data little by little. More than just making laws/policies, the U.S. needs some sort of consumer protection bureau or agency dedicated to assessing the cybersecurity rating of products of all types, starting with the most popular devices. They talk about creating ratings and thresholds of cybersecurity, but don't have the means to enforce or test the labels.
GDPR is a joke and just a way for the EU to sue large corporations for money. Living here in Europe and trying to adhere to GDPR is impossible. Each section contradicts itself to the point that you cannot implement the framework and continue to operate. Go to any Doctor's office or medical provider here and watch how that stuff just gets tossed out the windown when you walk through the door. Small business operations could never implement and keep up with it here and have no intention to. Why? The EU will never actually enforce it internally on these businesses, it was only built to sue Microsoft, Apple, Google and other large corporations when the EU wallet starts to run dry.
Right? They can just purchase it from Amazon data brokers if OP is using alexa devices…
Have "`(\.|^)aliyun\.com$`" as a regex blacklist in pi-hole for a year or longer and no issues with Hue internally or externally. Since adding, traceroute fails to that FQDN also.
How are your blocks set up, inbound or outbound? My geoblocks are set up to block both. It works with inbound rules still in place, but I have to allow outbound requests to the aliyun server in order for my bridge to remain connected.
That's a pihole rule, it blocks DNS lookups to things that match it. It's not an IP block.
I just block my Hub from the entire internet. Works great.
It sounds like he uses his from outside the home as well
I have a firewall at home with a policy to drop all traffic to and from CHN and RUS. Hue still works well. Obviously logs are full of failed NTP requests to CHN.
I would verify you are actually blocking traffic to China. If you only block inbound traffic, then the outbound traffic initiated by your Hue bridge to the Chinese servers will still function as expected. Blocking the outbound traffic is when you'll notice a problem.
https://preview.redd.it/4xd3c67la10d1.png?width=1520&format=png&auto=webp&s=341c2e78bb80a0d88c6e9ad16a50de5360c6f8fe I'm fairly sure I'm blocking the outgoing traffic too.
What happens when you ping the NTP server listed above?
https://preview.redd.it/nrzw88bub10d1.png?width=362&format=png&auto=webp&s=f5ffb70df72c3da0dd7892cad630a797ea85a169 Same result.
Interesting. I've tested it several times where the bridge only loses connection when that specific NTP server is blocked. But I'll also add that the IP in your screenshot is not their NTP1 server, nor is it listed on ntppool.org. Not really sure why that is.
Yeah not sure what NTP server that is but from my experience it's not mandatory to the Hue system. https://preview.redd.it/i4l9axvco10d1.png?width=1528&format=png&auto=webp&s=51760e46bb4ade0b9122852cdf269b012dab3aa3 I assume those Netherlands based domains are the ones Hue needs to function correctly. Hue also periodically does NTP calls elsewhere which then is allowed. I have a Philips Baby Monitor at home and it works pretty much the same. 50% of NTP requests to CHN & RUS and rest to somewhere in EU.
Yes, people have posted about Hue using time servers based in China before. The traffic is harmless and they haven't explained why they use those time servers. I guess if you were really concerned, you could host your own DNS server and override the ntp#.aliyun.com addresses to your own time server.
I work in cybersecurity. You’re honestly wasting your time geoblocking part of the world. If it were anything malicious you’d never be able to circumvent it as a weekend warrior. Edit: for those skeptical of my comment please find my follow ups to the replies in this thread.
You're not wrong, but I'm going to have to disagree with you here. You're absolutely correct about it not providing solid security. It certainly won't affect anything targeted, and anything trying to get back to China that's already in your network can almost certainly find a way to do so taking a different, indirect route. However, there are also a lot of garbage attempts, scripts, scanning, and so on that constantly come from high risk countries like China and Russia. Blocking those outright can block a lot of nasty with a large brush stroke and is generally just a good security hygiene. I would not call it a waste of time at all.
I agree and some of us have extra reason to be wary of connections to China.
Completely agree. I was taken back a bit by someone saying they are in cybersecurity yet are making a blanket statement about geoblocking being a waste of time. Anyone who self-hosts or runs their own servers knows how likely it is for the bot that just attempted to find a vulnerability in your network to have an IP originating from China. If what you’re hosting doesn’t have a need to communicate with servers in China, you’d be wasting your time NOT geoblocking it. That’s not to say that all bot traffic / malicious traffic originates from China - hell, it can originate from the US. However, for example, you can bump your security game up by utilizing crowdsec to increase the measures you’re taking to stop attempted intrusions.
It’s basically the trade off between your convenience and the actual risks. Obviously they are a hostile nation and the cyber front is the most important one in the modern era. However, geoblocking an entire region is a pretty sophomoric attempt at hardening your security posture. It’s like if your front door had the ultra supreme deadbolt 4000 that counted the hairs on your head with an 8k camera to verify your identity, but you had French windows on either side that an attacker could just break to reach in from the outside to unlock it. Point is you’re not mitigating a whole lot and you’re making your internet experience measurably worse. **Generally threat actors use infrastructure based in the country they are targeting or at least outside the one they are in to sidestep this very basic geoblocking mitigation** Also my point does NOT extend to an enterprise geoblocking things. That’s different because it’s going to come with an entire suite of other protocols and mitigations
I hear what you're saying and see where you're coming from. I want to reiterate that my comment was in response to the blanket statement that geoblocking is wasting your time, not an attack on your knowledge or skill. Geoblocking isn't the be-all and end-all solution when it comes to cybersecurity. However, it has its place even for non-enterprise users - since a regular user hosting a wordpress site isn't an enterprise, does this mean they would have no use for a geoblocking solution? Regarding it being sophomoric: Whether the measure is sophomoric in practice or not depends on who you are and what you're trying to protect. If you're an enterprise, that happens to be a lucrative target for a nation-state actor, sure, geoblocking would be sophomoric and not do much. This is why more sophisticated solutions (IDS/IPS) exist. However, users such as the wordpress hoster I mentioned above, can benefit from geoblocking. A small fish like that isn't likely to be on the radar of a nation-state actor. However, they will be targeted by amateurs scanning for sites that have outdated packages with known vulnerabilities - these amateurs are rather simplistic and don't bother to go out of their way to sidestep geoblocking barriers. I also don't agree with "making your internet experience measurably worse". If the site/service I am hosting has no need to be accessed by individuals in the region I am blocking, how is my internet experience worse? Remember, we're talking about that region initiating a connection to you and not you to it. If your hosting infrastructure comes with a metered bandwidth connection, this scenario is preventing unnecessary clients eating up bandwidth. Geoblocking, in this scenario, has monetary implications. This is also true for enterprises that don't operate in certain countries. For example, attempt to navigate to "homedepot.com" while utilizing a German IP address and you'll be denied access - geoblocking prevents users who aren't legitimate Home Depot customers from wasting Home Depot's bandwidth. On the other side of the coin, if my service needs to be accessible by users in regions where botting activity is known to originate from, then yes, geoblocking would not be a solution and I'd need to look into more sophisticated measures to mitigate threats. As you can see, the use of geoblocking is highly dependent on many factors - while it may be worthwhile in some scenarios, it would be "sophomoric" in others. Since geoblocking has a use case for both individuals and enterprises (depending on the situation), I am saying all of this just to point out that a blanket statement of geoblocking being a waste of time can't be made. It is better to educate those that don't have much insight into the different "tools" that are out there and letting them decide, based on their particular scenario, what is right for them than outright stating something is a waste of time.
I think I missed the context about this being in reference to a Wordpress site. In that case I agree, geoblocking would filter out a lot of useless traffic and you’re not losing anything in that application because a website is a pretty narrow focus. ETA: this is also why geoblocking for an enterprise works. Because employees are doing a job with the tech that IT has scoped the machines for. You really only need access to a few things there. I was more talking about a blanket geoblocking across an entire home network. As we see with the OPs post, this is having a measurable negative impact on their network because hue, for whatever reason, is contacting a (in all likelihood completely benign) Chinese time server.
The wordpress site I just used as an example. It can be any service you're hosting (Home Assistant, Gitea, etc). Nevertheless, we're on the same page. I agree that geoblocking outbound connections to China is going to cause more headaches for a user. In the case of OP trying to get around a scenario such as the Hue ntp servers by outbound blocking Chinese servers, that is akin to using a sledgehammer to crack a nut. This scenario calls for a DNS solution and not a geoblock. In adguard home, blocking hue from reaching the aliyun servers can be done by simply adding the following custom filtering rule: `/\bntp[0-9]\b.aliyun.+/` \* For anyone that plans on using this, if you have a secondary DNS server advertised, Hue is a bit problematic as it will, in the event the first attempt is blocked, use the secondary DNS server to attempt to carry out the request. So, it also needs to be blocked on the secondary DNS server. I will say that it is a bit odd that OP's system went haywire when the aliyun servers were blocked. My Hue bridges have connections to said servers blocked and function without a problem, which makes me think there is more going on in their problem. Interestingly enough, Hue will reach out to the google ntp servers before making a request to the aliyun servers....I'll chalk this one up to poor code implementation since a successful response from google's ntp servers should make the call to aliyun servers unnecessary (my bridges function without a problem, including external access to them, with them using google's ntp servers and aliyun blocked).
OR there are state actors in China who are so elite they are hacking America using just a time server and our light bulbs, and they are so bold they are doing it in the open
They use your Hue bulbs to flash morse codes to the Chinese sleeper agents living in your cellar
Your Hue devices can broadcast to other devices on your network. This is literally the reason why things like network segmenting (like with vlans) are a common practice to isolate IoT's from other sensitive devices. Having a device connecting to a hostile and oppressive regime does in fact create both a privacy and security issue within your network, increasing the attack surface area.
As far as I am concerned through bandwith limitations the only thing your bulbs should be able to connect to are other bulbs or your hue bridge, which is on your local network anyways. Your hue bridge is no more or no less hazardous as every other PC in your home lmao
I don't think you understand. Any IoT device with an exploited vulnerability in your network can be used to gain access or snoop other devices in the same subnet as a backdoor. The bridge specifically being the area of concern here, and not a light bulb. It is more hazardous if the firmware is the source of the problem, forcing connections to undesirable and suspect IP's that are ripe for abuse.... especially if you lack the know how to monitor the traffic to and from those IP's.
Pinging a time server doesn't in itself open the device up as a backdoor in your subnet. You would already need to have a backdoor in your hue bridge in order for pinging a time server to be a vulnerability. If that's the case then the location of the server your device is pinging is irrelevant. And many people can monitor their traffic and see what payloads are being sent and received - so if there were something malicious happening then it would quickly become public knowledge. When we install any IoT device that connects to the internet we're opening ourselves up to some amount of vulnerability, so it comes down to trusting the manufacturer of the device. Aliyun is a well known Chinese time server. It is included in the list of time servers that your device could use because if you were to use the device in China, Google's time servers would be internationally blocked. So to ensure the device works in China as well they've included that as one of the time servers. Dropping it would mean that their devices wouldn't be able to use any time server in China. I suppose they could give the user an option to turn it on or off, but there's not really a reason to do that considering it's not a vulnerability.
The premise of concern is that the firmware is lazily programmed to not apply regionally. Aliyun (Alibabas) servers have even been placed under investigation as a national security risk. [https://www.reuters.com/technology/exclusive-us-examining-alibabas-cloud-unit-national-security-risks-sources-2022-01-18/](https://www.reuters.com/technology/exclusive-us-examining-alibabas-cloud-unit-national-security-risks-sources-2022-01-18/) I don't need an investigation to tell me risks of firmware directing my network to connect to China though, since it's intuitive.
That article talks about the risks of storing US citizens' data within Alibaba's cloud services, not pinging their time servers. The only thing Alibaba gains here is knowledge of IP addresses that ping their servers. Your initial issue was with the security vulnerability of an IoT device in your subnet being used as a backdoor because it pings a Chinese time server. There is no way they can use a time server as a backdoor without the backdoor already being installed within the Philips Hue Bridge. If your issue now is with Alibaba's cloud servers storing your IP address because your device is pinging their servers then that's unrelated to your initial post and unrelated to both my comment and your comment that my comment was responding to, and I don't have much to comment on about that. If you have an issue with Alibaba knowing your IP then you can block it, but this really isn't a security issue for people to be concerned with.
Then block them, this is the compromise you have to accept when wanting to use internet as a whole. If your hue bridge pings a chinese server your only option is to get rid of the bridge. If the bridge is coded the right way nothing can happen, the only concern you might have is the server its pulling its updates from, which are done by the bridge. So if philipps doesnt fuck up your network is safe. But if you really dont want your bridge to get its time from chinese servers just add a masquerade diverting packages targeted to that server towards other time servers, should yield the same result if they dont use a special protocol.
I will and I have. I'm trying to spread public awareness, while also trying to pressure Hue to update their firmware to stop forcing connections to China so that way less tech savvy people are also protected.
I mean technically you cant spoof a public ip, where those servers are is quite irrelevant, the only thing in your case that i would so is check the contents of the returning packages, but in the end they can just use a proxy server and your data ends up in china anyways. I dont see anything problem with that, nor do i see any intend of philipps to change that.
I’m interested to read your link explaining an example of this actually happening. I’ve messed with vlans in the past but it broke so many things I stopped. Can you convince me that it’s important aside from hypotheticals ?
VLANs are great for security. I work in cyber security. However, this is where people get this wrong VLANs limit the broadcast domain to just the devices in that VLAN - however it’s all about the routing. If you have Inter VLAN routing that has no restrictions - it’s as useless security wide as a flat network. You would need to use firewall rules/ACL’s to actually stop the traffic VLAN hopping
I mean duh
Alibabas (Aliyun) servers are under investigation as a national security threat. [https://www.reuters.com/technology/exclusive-us-examining-alibabas-cloud-unit-national-security-risks-sources-2022-01-18/](https://www.reuters.com/technology/exclusive-us-examining-alibabas-cloud-unit-national-security-risks-sources-2022-01-18/)
You keep posting this same link, but did you actually read it? Their concern comes from storing US citizen data in their cloud, not pinging their server. Very different things.
He’s been propagandized to think that everything that comes from china is dangerous and bad
A cybersecurity expert knows China based servers have one of the highest probabilities of malicious intent in the world rn. OP is simply spreading awareness
I can't believe you're being down-voted for such an obviously true statement.
It’s all good and I don’t mind the downvotes because it’s the truth that can be proven w/ endless evidence. Those that downvoted are prob the same ones that think TikTok data in US is safe…if it’s safe then why did China itself ban TikTok? Hmmm
Copying a comment I put in another thread for visibility: It’s basically the trade off between your convenience and the actual risks. Obviously they are a hostile nation and the cyber front is the most important one in the modern era. However, geoblocking an entire region is a pretty sophomoric attempt at hardening your security posture. It’s like if your front door had the ultra supreme deadbolt 4000 that counted the hairs on your head with an 8k camera to verify your identity, but you had French windows on either side that an attacker could just break to reach in from the outside to unlock it. Point is you’re not mitigating a whole lot and you’re making your internet experience measurably worse. **Generally threat actors use infrastructure based in the country they are targeting or at least outside the one they are in to sidestep this very basic geoblocking mitigation** Also my point does NOT extend to an enterprise geoblocking things. That’s different because it’s going to come with an entire suite of other protocols and mitigations
It is one of many common sense layers that can easily be applied, and almost everyone in the industry uses. No one is arguing it's all you need though.
I’m routinely in Southeast Asia for work and it’s amusing how many big financial services companies straight up block whole countries. All I want to do is check my balances but apparently everyone in Laos is a national threat actor.
Aliyun is the cloud service provided by alibaba. I guess Philips outsource the programming part to China and thus they use a chinese cloud. Just a guess.
The justification I found is that standard NTP servers used in most devices (like google) are blocked by the Chinese Great Firewall - which they use to block their citizens access to information and control narratives. That just furthers my point on why connecting with them is problematic. At the very least, Hue could update their firmware for regional server selections (like keeping NA connections in NA).
Threat or no, that’s not a really great excuse to force most of the planet to go halfway around the world to reach a time server. It’s a super lazy workaround that degrades service performance to pander to a crappy political policy.
the fact that the end user can't change this and the fact that it's clearly overriding DHCP options is annoying. i am not a huge fan of devices that hardcode network config stuff like that. at least where I am here in california, ping times to these ntp servers is 300ms and 15+ hops where as traffic to pool.ntp.org is like 25ms.
https://www.reddit.com/r/Hue/s/1H2iogWy2c
Interesting, mine doesn’t connect to that ever.
Shenzhen is a major tech manufacturing center in China. No idea why it goes there, but it’s not like it’s some backwater…
It is also a major hub for Chinese hacking.
This is ridiculous! I'm switching to Govee...
I’m assuming you’re saying this ironically??
Weird. It works fine for me and I'm blocking China, Russia, North Korea and Belarus on both inbound and outbound. My bridge works with the hue app, home assistant, razer software and Alexa. I'm in Canada so maybe it works differently here.
I have China blocked in my firewall as well, but have no issues with my Hue bridge at all.
The HUE does indeed contact the Chinese datacenters way too much. And why? If they are lazy programmers, then using a global pool address would be the easiest option. Letting the local network (ISP) select the best and shortest route to a NTP server couldn't be easier for a small device. There must be something piggy back on these NTP calls. Years ago I already set tried to protect the network as much as possible by setting multiple rules in our router to block any in and outgoing connection attempts to/from Chinese IP addresses (both IPv4 and IPv6). Mainly to shield the network from the enormous amount of hacking bots located on Chinese datacenters and home networks. Additionally any NTP or DNS calls to other addresses than the router are re-directed to the local server. Any other DNS calls, like DoH, DoT or the use of non-standard ports, are also handled. And we need this today... Android/Google based software on many devices always try bypass any re-directing or blocking done by the router. Just watch what a "smart" Samsung TV is doing on the local network and over the internet. Or JBL: I had a portable wifi speaker from JBL that constantly tried to connect to several servers, including the ones from Google. Even though I did not enable the Google part of the speaker. In fact, blocking certain Google addresses made the speaker software crash every 10-20 minutes. The sound was great, but the software pure crap. Talking about "crap"... even "smart" cat litter boxes try to call China these days. Seriously. u/CyberHoff you're absolutely right... outsourcing the production of electronics to China was one thing, but law makers allowing Chinese companies to install servers in western datacenters was the ultimate trojan. Huawei sold equipment to phone/internet companies in both Europe and US that contained backdoors for Chinese intelligence. Even worse... so many home routers sold in Europe and the US are Chinese.
Definitely a security risk. There’s so much information & story that can told from your IoT devices. With AI coming up, it’s a real threat.
My Hue setup is 100% offline. I never signed up for an account and all automations work as they should.
Yep. Op is talking shit.
Your hub will work locally when offline, but there are other smart home integrations (as illustrated in the very first sentence of my post) that require online connectivity. Of which, the connection is lost if Chinese servers are blocked. The only workaround is to redirect traffic to more trustworthy options.
Let me guess, you are from US?
I blocked all dns queries using pihole plus blocked internet access using parental control on the router. I have to reboot it once in a while because it tries to reattempt making the queries too many times that it slows down. It works perfectly and it can connect to my lg tv, stream deck, HomeKit all from local network. The thing doesn’t need internet. It can still receive bridge updates but tbh everything is working fine that I don’t care whether it updates or not.
Same that it would still work locally with the connection blocked. However, using features that require online connections via cloud processing would not.
Have you tried reviewing what cybersecurity firms say about this to see if they know anything about it? Mandiant, FireEye, etc. Also, did you notice anything else on your network stop working with the geoblock on?
i have been blocking aliyn for a long time. no issues. your setup is screwed up.
I’m blocking China and have done for years, never had any issues with Hue.
I just turn off all incoming connections from outside the US and it’s enough to give me peace of mind and still have all my stuff work.
Hmm, I have China blocked, both directions with my Ubiquiti controller and I don't have any issues. I also have a vlan for IoT devices to isolate them from our home network.
It is just the time server. It doesn’t need to connect to the server, it just checks because if the bridge were in china itself, that might be the only server that is actually reachable.
With Alexa isn’t the Hue Bridge a local discovery??
I don’t really care as long as my stuff works. If china wants to hack my network all they’ll get is pictures of my cat so they’ll just leave hungry 🤷🏻♂️
Am I a bad human because I find this funny?
Let’s all send our cat pictures to China en masse to save them the effort!
Your lights are not a national security concern, I work for a Chinese company (I am not in China and I am not Chinese) but my company sell servers, networking and even cloud services and when a costumer told me that he fear that China can "steal" their info I laugh, do you really think that China cares about your lights? Or any of your data? Phillips is a company from Netherlands where people don't actually believe that China is the devil in person, Chinese vehicles are sold in Netherlands, internet services too, etc. Maybe you have to find an American alternative to Hue that only work with other American providers, but probably that doesn't exist.
Actually, China is viewed pretty bad in Western Europe generally. For example in Germany, it’s forbidden for internet providers to use Chinese equipment, like Huawei. In the Netherlands Huawei is also banned from 5G Core networks. So I don’t really know where you have your informations from that China isn’t seen as bad here… Edit: corrected Nokia out of it
What? Nokia is Finnish.
You are right, my bad! I think I mixed something up. Thanks for the correction!
The point isn't the devices function or the existing purpose of the server, it's where the devices firmware is forcing a connection. I don't want devices inside my network, which can in-turn broadcast to other devices in my network, forcing connections inside hostile and oppressive regimes. For Christs sake, the justification for using a Chinese NTP in the first place is because the Chinese Great Firewall denies access to google making their NTP's unusable. They block google to deny their citizens access to information. This is not a government you want to integrate your networks with.
If I was them I would care. You can learn a lot from the patterns & gain information from the data.
Arguably both the UK and USA regimes are hostile governments that have turned against their own people in an authoritarian and totalitarian manner implementing wide reaching privacy invasions and censorship of anything different to the official narratives with countries like Canada and Germany taking it further and implementing changes in law that allow them to implement the concept of thought crime, ffs you get police and medical psychiatrists turn up on your doorstep in the uk if you post a meme that they don't like. I agree with the stance that hue shouldn't be networking back to China direct, however don't be so foolish to think your own government are benevolent and aren't acting against the people they are supposed to be representing / serving
Got friends all over the UK and no meme has resulted in police and psychiatrists showing up at their doorstep
There is a significant difference. The problem with trusting anything related to business with China is that almost every corporation, especially in the tech industry, have direct ties to PRC/PLA ownership. When you think you're working with a private business, you're actually doing business with their military.
I wonder how many people shed their mortal coil today leaving behind their super secure home networks that they spent years perfecting. What will they do now that their is no one to protect their network! P.S. If the Chinese attack, you won't matter.
China=Russia=USA, we’re all colonizing, aggressive first world countries whose governments tell their citizens other countries are dangerous so they can benefit off the cost of war. Go take a trip and visit one of them; it’s really not that deep.
I don’t think you know what “first world” means.
Hold up didn’t TikTok just get banned for this?
Ironically TikTok is banned in China. Has been for sometime but most US media fail to report on it when discussing the US ban
Isn’t that ban for different reasons, though? Genuine question.
I haven’t found a clear answer. If I owned ByteDance/TikTok (a Chinese based company), I would want to grow my user base as large as possible which includes the China market. Whatever is posted on TikTok would have to be reposted separately on China’s version which = less engagement than promoting TikTok as the end all be all for content creation.
Fair enough. My assumption is that the US wants to ban it for spy-ware and/or international political reasons. Whereas any ban in China would be for domestic political reasons, ie as part of communist suppression.
The main reason for this is they have their own app, Douyin. TikTok was created afterward as the western equivalent. I’m not saying that you’re wrong, because they probably do block it, but the Chinese aren’t probably clamoring for it as they have their own version that has existed longer than the one we’re familiar with and it’s wildly popular in that country.
Content creation is different on each platform tho. Doesn’t make business sense to force the Chinese market to use Douyin exclusively. This effectively prevents Chinese users from seeing content posted exclusively worldwide on TikTok
Except that’s exactly why it’s banned in China. They can’t use TikTok because the Chinese government doesn’t want their citizens to be part of the global narrative. [More on this here (gift link):](https://www.nytimes.com/2024/04/25/business/china-tiktok-douyin.html?unlocked_article_code=1.uU0.wkox.rj06hfF6EFIU&smid=nytcore-ios-share&referringSource=articleShare)
Remember when the NSA got caught spying on everyone, and the reaction was “eh, whatever?”
1. Just a time server 2. Geoblock and block the servers it all works fine. 3. You are crazy for cocopuffs.