Investigation in Isolation: Sense

While it's been quite some time since I did any detailed investigation into my home's IoT devices, I've spent that time incorporating a whole spate of new gadgets into my home network. So there's plenty to write about. Let's get to it!

Back in April, my family moved into a new home. After we were all settled in, I heard about the Sense energy monitor, which is a very clever concept: it attaches to your fuse panel, monitors the fluctuations in your power usage, and sends that data to a cloud-based service. There, the data is ingested by machine learning models, which decipher the ebb and flow to identify the devices consuming power in your home. It can tell based on the usage patterns when your coffee pot starts percolating in the morning, when you make your morning toast, or that Sunday is laundry day. Over time, the Sense cloud can identify the various appliances in your house.

While it's certainly interesting to know the power consumption of the various things in your house, it can be actionable too. Is your refrigerator running non-stop? Time to call the repairman. Did you forget to turn your oven off? Better turn the car around and switch it off before going on vacation.

Because the Sense device adapts its models over time, it takes patience to have it learn about your appliances. I've had it installed for many months now, and it's still got a large "Other" blob in its display chewing through over 400W of power that it hasn't been able to deconstruct yet. But I am patient... sort of.

One of the nice things about Sense is that it also integrates with other devices that can monitor power. For example, if you have an old WeMo Insight plug, Sense will be able to retrieve the power consumption of whatever's plugged into it, and label that appliance in its display with the WeMo's name. Likewise the Kasa power strips from TP Link. Since I have several of each of those kicking around the house, I've been able to "jumpstart" Sense's understanding of my home's electricity use that it would've had to learn on its own otherwise.

The Setup

The Sense device is a small, orange-ish device that clamps around the power leads coming into your electrical panel and draws power from an unused breaker. The setup was quick and painless using their bundled app, although I did have an issue with the unit I received via Amazon, in that it had clearly been used before and returned – I was seeing someone else's cloud data! A quick chat with the Sense support team cleared that up.

I attached it to my "IOT" wifi network, which is its own VLAN that has limited access to local network resources: internet access, and L2 access on that same VLAN.

External Communication

As I've done with other devices in this series, I set up a packet capture for the device and let it run for approximately 48 hours.

DHCP, NTP

Fingerbank identifies the DHCP request from Sense as "Linux OS" – not particularly enlightening. My DHCP server on my IOT network doesn't give out an NTP server – I do this to see what sorts of NTP servers device manufacturers use by default. Interestingly, Sense appears to use time.apple.com as its default. It is communicating with several different hosts at Apple.

Sense Cloud

The capture shows two streams of communication from the device to the cloud: monitorapi.sense.com (hosted in Amazon EC2) and s3.amazonaws.com. The connections to monitorapi.sense.com are both frequent and persistent – there seems to be an active connection to the server at all times. I imagine this is for the "real time" feed that you see when using the Sense app; the app shows power usage, updated every second.

The connections to s3.amazonaws.com happen every 10-12 minutes and involve a fairly substantial upload of information: 800K-1MB seems to be the range during my testing. It's not clear what this connection is for, but I do recall reading that the Sense will retain data for up to 24 hours if the network connection is unavailable. Perhaps this is a periodic synchronization of more detailed power consumption metric data, beyond the simple utilization metrics that are sent every second.

Filed under miscellany:

  • the Sense device uses TLS 1.3 for its connections to both (nice!)
  • I couldn't find any matches to its JA3 signature in various online databases

SSDP

Sense sends out SSDP discover messages every five minutes to the well-known multicast address 239.255.255.250:1900/udp. This is how it communicates with the Belkin WeMo products. On my network, it sends out two discovers back-to-back: one to ST: ssdp:app, and another to ST: ssdp:Belkin:service:basicevent:1.

The Sense can collect information (name and power utilization) from TP-Link Smart Plugs – I have several HS300 in the house – and render them on its display. The discovery process is quite seamless; the Sense participates in the TP-Link Smart Home Protocol, which consists of broadcast packets (destination: 255.255.255.255:9999/udp). Each HS300 I've added since installing Sense has been found and integrated painlessly.

Sense sends these broadcast packets every two seconds. Because I'm not actually sniffing packets on the switch, I don't see any of the traffic between the TP-Link devices and the Sense, just the broadcast traffic.

128T Configuration

Because all of the things that Sense talks to locally are on the same VLAN, I didn't need to add any configuration in support of it. I did however create an SSDP "bridge" between my IOT VLAN and my trusted WiFi network – mostly as an experiment.

admin@labsystem1.fiedler# show config running authority service SSDP

config

    authority

        service  SSDP
            name                     SSDP
            description              "Simple Service Discovery Protocol"
            scope                    private
            security                 internal

            transport                udp
                protocol    udp

                port-range  1900
                    start-port  1900
                exit
            exit
            address                  239.255.255.250

            access-policy            trusted
                source  trusted
            exit

            access-policy            iot
                source  iot
            exit

            multicast-sender-policy  trusted
                source  trusted
            exit

            multicast-sender-policy  iot
                source  iot
            exit
            share-service-routes     false
            source-nat               disabled
        exit
    exit
exit

Conclusion

I really enjoy watching Sense's meters, following along with my power utilization. It is a very well-built product, easy to set up and use, and it is constantly learning more about my home every week. (Over this past weekend it identified our oven after my sister-in-law and mother-in-law got finished baking some delicious pies.) Very much recommended!