Very high bandwidth use to a URL

I have a C5 hub that I got a while ago to play with. Now that SmartThings is going to disable Echo Speaks it is time for me to move off the ST platform. I'm planning on migrating to Hubitat but I've hit a major snag.

My hub is having a constant conversation with a URL. Even after disabling all installed apps, rebooting the hub and verifying that all apps are still disabled, Wireshark can see this conversation ticking along.

Over a 45 minute period the hub has transferred 26.84 MB (20.98 down, 5.86 up) to/from According to my router it is the top traffic generator on my home network. Again, this is after rebooting the hub with every single app disabled. So it seems the traffic is being generated by the hub itself.

Anybody have any idea what's going on? Could my hub have been compromised in some way?

26MB is high bandwidth? What is a Netflix stream considered!

The hub does register against the Hubitat’ cloud, which I believe runs in AWS. Things like the dashboard app, there are cloud endpoints that can be used to interact with the hub, and it interact with the internet to update various components. I suspect that’s what you’re seeing, communication with Hubitat’s backend.

Honestly 26MB is not a lot of web traffic.

1 Like

Any bandwidth is a lot of bandwidth when it is not expected to be there...

1 Like

26MB in 45 minutes is a lot of network traffic for a smart home hub that isn't doing anything. I haven't migrated to Hubitat yet. All of my devices are still running against the SmartThings hub. It is #13 in bandwidth use on my home network vs the HE which is #1. And remember, this is with every app disabled, including the dashboard app.

My EdgeRouter's traffic analysis board shows that this hub has received 508 MB over its analysis period (unfortunately I don't know how long that is), but that compares to 89.8 MB from the #2 device, my wife's laptop that she's been doing Zoom meetings on all day.

Hi, @christian2, welcome to the community!

I'm with you and feel that ANY amount of traffic is high when it's unaccounted for. This is just one reason I block HE from reaching the Internet with my firewall.

Temp throw in a blackhole router for that destination, and see if another pops up (It probably will). That is where next-gen features come in to stop the whack-a-mole of blackhole routes to try to stop things.

Or like previous post said, don't let HE go to the Internet. Leave out the gateway or something like that.

@LosinIt, I'd doing that, but unfortunately blocking the hub from the Internet would break one of my major use cases: Echo Speaks. It's why I'm finally making the switch. I have a couple of automations that rely on being able to make dynamic voice announcements.

Then you could employ another tool that I use, Pi-hole. You could blacklist all of HE's domains except for what your echo uses :grin:

1 Like

I'd still temp break it to maybe see if anything logs about it being broken. Can't hurt during troubleshooting.

That's a good idea. I was sitting here thinking I didn't just want to block it, I want to know what is making the requests. I'll try that.

1 Like

Nice call, are you doing this now for Echo Speaks? I've got a pi-hole, love it!

No, I don't use echo...or ANYTHING that's cloud based.

I know, I know... I've turned to the dark side on this one. WAF factor for me for Echo to make our lives easier and give up all privacy...

I do like the Echo saying it's favorite 'Good Morning' when motion knows I'm getting the coffee going!

1 Like


Privacy is an illusion anyway.


Fair enough, to me personally that’s not a lot of data, especially considering the hub does check in to Hubitat’s back end. But I get that is a lot to you, especially if it’s unexpected. I believe that would be the data you’re seeing though, traffic back and forth to Hubitat’s cloud.

If you don’t want it to do that, you’ll have to sinkhole that DNS entry, an IP block to cloudfront will likely be difficult as the IPs likely change with some level of frequency.

I love my Pi-hole. The V5 added groups so you can make any kind of blocking you want. For example, I'm not a FaceBook type either so I block it on my mobile devices where I can't remove the bloatware that loves to feed info to FB and any number of others. My desktop, OTOH, has nothing that does that BS and every once in a while a friend sends me a link to something I just HAVE to see there and it's not blocked.

For HE I have several domains blocked so it doesn't even try to get out, which it can't anyway because of the f/w rule. HE has it's own group of blocked domains on Pi-hole so when I want to get updates I just have to disable that group and drop the f/w rule that keeps it "in house". As soon as HE is done I restore both to their normal settings.

Perhaps, but there is no point in making it easy for them. And then there's the increased number of attack vectors to my gear as well as the bandwidth that I don't wish to let others use. But to each his own.

1 Like

For anyone who cares, the last 24 hours

Is this on an Android device? For those with privacy concerns, I would think iOS would be a much better choice. :thinking: