So honestly I think I’m semi-SOL unless I see it pop up again, but I want to get people’s thoughts nonetheless.

This morning, in the course of some other work I was doing, I accidented upon the web UI below. No surprise, I was not happy to see this. I started the process of tracking it down, but it’s been a while since I needed to, so I took a bit reminding myself and figuring out the best way to do it with some new switches we have.

So I figured out its MAC was 64:5d:d7:0b:3f:93; the prefix is registered to Shenzhen Lifesense Medical, which I doubt is accurate. And I tried to pull the port by searching the MAC address tables for our switches. Unfortunately, while I was getting myself back up to speed, it seems the responsible party may have unplugged their device, as the UI stopped responding and I can’t get the MAC address to show in any of the tables.

Should the MAC table entry clear out pretty immediately if the device is unplugged?

Anything I can do to track down where this came from even though it’s been unplugged, or do I just need to try and catch it faster if there is a next time?

Any other generic advice?

Thanks for your time.

8 Spice ups

Sounds like it may be a Fitbit-type device. Some type of personal fitness tracker which downloads its data to an app. Do any of your users turn up sweaty in the mornings and immediately head for the shower? They may be worth asking; although they may deny attaching an unsanctioned device to your network, it might be a good time to remind them of the policy. Keep watching for it at the same time on other days; if they’re in the habit of plugging it in as they arrive, you may see it again. Good luck.

1 Spice up

I’m not 100% sure, but if you download Fing and connect it to your network, you should be able to block the MAC from there.

1 Spice up

Sorry guys, forgot to include the promised picture. I’ve added it now; mind you, it first loaded in Chinese, which made the eyebrows go extra high. Definitely doesn’t look like a Fitbit to me, and a Fitbit shouldn’t be on this network either for that matter.

I can block the MAC from getting a new IP in my DHCP server but based on the “Bridge” heading I think this is someone attaching networking equipment and I want to track them down if possible.

The MAC address shouldn’t fall off of the switch immediately. Did you not note the port when querying the switch? Is that device actually using your DHCP server to acquire an IP address?

Googling, it looks like there are also apps on smartphones from this company. Kind of weird it would set up a bridged connection.

That’s what I was trying to say; I wasn’t immediately on top of checking the switches because it had been a while and these are new units with a different process, but when I did check them, 30ish minutes after I first found the IP, none of them returned a result for the MAC address and I realized that I couldn’t access the unknown device’s web UI anymore, so I assume it was removed. I was asking about the fall-off to try and get an idea of if that was normal or if that was another wrinkle in the story. I’ll note that more or less from the get-go, I could not ping the IP. It was only showing via the web UI.

I would hazard a guess it is coming over wifi. It may also be generating a new MAC address every time the software fires up so blocking by MAC address might not be viable. This is just one of the reasons I have BYOD and the willy nilly installation of apps on smartphones.

That company appears to have 3 health related devices and each one requires a smart phone app.
Fitbit type watch
Blood pressure cuff
weight scale
It also appears each is Bluetooth capable. The company looks to be fairly new or is just really slow updating their web page.
I agree with the previous post: look for someone who exercises prior to coming to work and might be checking their vitals to gauge personal progress.

1 Spice up

It may well be coming over the wifi, though even then, I’m still annoyed with someone because this is the normal network and personal devices are supposed to go on our guest network. That said, unless I was just too slow and it got flushed, I would normally still see the MAC address tagged against the switch port used by the AP they are connecting to, correct?

Probably the boss that has their phone set up to connect to the corporate WLAN. Because special snowflakes.

2 Spice ups

The webpage you found could very well be the health tracker app on someone’s smartphone, acting as an internet bridge for the Bluetooth device, which is how you got the Bluetooth MAC address.

https://apps.apple.com/us/app/transtek-health/id1234955774

I would love to packet sniff what these apps are really doing.

After 30 minutes you probably wouldn’t see it anymore unless you have your mac-address-table timeout set really high. Defaults are usually around 5 minutes, if I remember correctly.

1 Spice up
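
An added example, not written by any poster in this thread: since dynamic MAC table entries age out within minutes, one way to keep the evidence is to save each switch's MAC table on a schedule and search the saved copies afterwards. The sketch assumes Cisco IOS-style `show mac address-table` text (the thread does not name the switch vendor) and leaves collection out; switch names, ports, timestamps and the second MAC are constructed sample data.

```python
import re

TARGET = "64:5d:d7:0b:3f:93"  # MAC from the original post
# Constructed: ports that connect switch to switch, where every MAC behind them appears.
INTER_SWITCH = {"sw-access-2": {"Te1/1/1"}, "sw-core-1": {"Te1/1/1"}}

# Constructed snapshots: (timestamp, switch name, saved MAC table text).
SNAPSHOTS = [
    ("2024-01-08T08:00", "sw-access-2", """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    645d.d70b.3f93    DYNAMIC     Gi1/0/14
  20    0011.2233.4455    DYNAMIC     Gi1/0/3
Total Mac Addresses for this criterion: 2"""),
    ("2024-01-08T08:00", "sw-core-1", "  20    645d.d70b.3f93    DYNAMIC     Te1/1/1\n"),
    ("2024-01-08T08:30", "sw-access-2", "  20    0011.2233.4455    DYNAMIC     Gi1/0/3\n"),
]

# Entry rows only: VLAN, MAC (dotted or colon/dash form), type, port.
ROW = re.compile(r"^\s*(\d+)\s+((?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}"
                 r"|(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2})\s+(\w+)\s+(\S+)\s*$")

def norm_mac(mac):
    """Reduce colon, dash or dotted MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def sightings(snapshots, target, inter_switch):
    """Return every appearance of target in the snapshots, oldest first."""
    want = norm_mac(target)
    hits = []
    for ts, switch, text in sorted(snapshots):
        for line in text.splitlines():
            m = ROW.match(line)
            if m and norm_mac(m.group(2)) == want:
                port = m.group(4)
                hits.append({"time": ts, "switch": switch, "vlan": int(m.group(1)),
                             "port": port, "edge": port not in inter_switch.get(switch, ())})
    return hits

def last_edge_port(hits):
    """Most recent sighting on a port that is not a switch-to-switch link."""
    edge = [h for h in hits if h["edge"]]
    return (edge[-1]["switch"], edge[-1]["port"], edge[-1]["time"]) if edge else None

if __name__ == "__main__":
    print(last_edge_port(sightings(SNAPSHOTS, TARGET, INTER_SWITCH)))
```

For a device on Wi-Fi, the edge port reported this way is the one the access point is plugged into, so the wireless controller or AP client log is the next place to look.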