Kasa HS200 ARP poisoning
This pas week I spent 3 days troubling shooting why certain systems in my home network would either randomly drop off the internet or consistently fail to connect to the internet.
I went as far as to restore my firewall from backup and some of the VMs having consistent issues.
Finally after doing some digging, while looking at the ARP tables on one of the VMs having persitent connectivity issues... I noticed the MAC for my gateway on said VM was showing an odd MAC address in it's ARP table.
I did some more research to see just what MAC it was and what was causing the issue. After some network huning and reviewing of my documentation and DHCP reservation settings I was able to discover it was my second Hallway light switch, a TP-LINK KASA HS200. It's DHCP reservation ended in .212 and I am able to ping the device and control it via that IP address. But it was also broadcasting that it "Owns" .1 my Gateway IP and poisoning my ARP tables on random devices.
I've set static ARP entries on a few Windows VMs and the issue is fixed for those, but things like my 3D printer and other devices don't have such capabilities. But that isn't the biggest concern of mine.
I've seen where cheap IoT devices can do this while attempting to advertise themselves as a cloud gateway for other IoT devices on the network. Thus I'm not sure if this is the case here or if my device has been compromised.
I'm going to look into factory reseting the device / wiping it and reflashing the firmware (if possible). But I am also going to start down the correct path of isolating these troublesome devices into their own VLAN.
Has anyone else had this issue? Is this a firmware flaw or a compromised device? And if it's a firmware flaw, has anyone seen a fix?
Thank you
That is interesting, my ARP tables at the time showed otherwise.
Of course I cropped the MAC for security reasons, but that HS200 switch would at random calim 10.0.0.1
This issue persisted until I created an IoT SSID on my wifi network, moved all Kasa devices to it and then enabled client device isolation.
Maybe I will run wireshark and monitor the device to see what it is infact broadcasting to the network. But having experienced it first hand and spending days trouble shooting the issue, I can say it was infact happening.
As a side note, it would impact various machines on my network, including my 3D printer, home automation system and also various Windows based machines.
If I set a static ARP entry on the Windows machines they would have no issue.