Chinese Temperature/Humidity Sensor Is Easily Hacked

There’s a new piece of electronics from China on the market now: the USR-HTW Wireless Temperature and Humidity Sensor. The device connects over Wi-Fi and serves up a webpage where the user can view various climate statistics. [Tristan] obtained one of these devices and cracked open the data stream, revealing that this sensor is easily manipulated to do his bidding.

Once the device is connected, it sends an 11-byte data stream a few times a minute on port 8899 which can be easily intercepted. [Tristan] likes the device due to the relative ease at which he could decode information, and his project log is very detailed about how he went about doing this. He notes that the antenna could easily be replaced as well, just in case the device needs increased range.

There are many great reasons a device like this would be useful, such as using it as a remote sensor (or in an array of sensors) for a homemade thermostat, or a greenhouse, or in any number of other applications. The sky’s the limit!

25 thoughts on “Chinese Temperature/Humidity Sensor Is Easily Hacked

    1. You know the communication protocol because the friendly hacker documented it in TFA. If you’re concerned about the wireless humidity and temperature sensor being a source or point of ingress for an attack, feel free to Isolate it on your untrusted wifi network and just allow conforming traffic through your firewall. Where was your wifi kit manufactured btw?

      1. Came across this while looking for documentation for this device.

        Actually you know the protocol because it is clearly described in the product documentation. It is one of the oldest if not the oldest protocols used by PLCs and RTUs called Modbus (circa 1979). Took me all of about 30 seconds to connect to a SCADA system like any other industrial controller but a damn lot cheaper.

        As for concerns about it being a weak point. As long as the AP feature is disabled or at least secured with a password there should be no concern.

      1. Yeah I always put unknown/untrusted devices on a ‘DMZ’ network that’s walled off from everything else until I’m extra sure it’s not gonna fuck something up. It’s just routed for internet access and nothing else. This includes devices brought by friends and family. Especially family.

          1. Easiest to buy a wireless router that has that functionality (guest network) built in – Airport Extremes have had it for a while. Pretty sure there are non-Apple wireless routers that do as well.

  1. Interesting, but I’d say it’s too expensive. It uses a costly serial Wifi module, which costs ~$20 in single pieces.
    Wait till the Chinese develpers switch to ESP8266, that should drop the price significantly.

  2. This is awesome. I’ve been wishing for a low cost WiFi thermometer. Now it’s time to get cracking on an Android app. I’d love to have the temperature outside my house in the notification area on my phone and TVs.

    1. I know, right? And that stuff is *everywhere* now. Used to be you had to get a sunburn and wait a few days to have that much fun peeling.

      Even more fun when calls you to diagnose their webcam, which is producing blurry images… and you just peel off the film. (Must. Stifle. Laughter.)

  3. Well.. this device, when connected in STA mode (client), without anyone accessing it, tries to perform a dns lookup about once every two seconds (208.67.222.222:53) and once every minute a UDP packet is sent to 61.164.36.105:123

    1. So the device appears to be updating time via NTP. What is the DNS lookup it is doing? What is in the UDP stream? Anything to suggest that this is malicious and not just an NTP update?

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.