Thursday, 11 February 2016

Cheap Chinese IP cameras (Wanscam) and their network activity

Here's a curious item. I've had quite a few of these over the years, not just IP cameras but home automation relays, thermostats, etc. They all generally have IP connectivity, and I duly just connect them to my LAN and start to use them.
However, I've been looking at why my internet connection keeps spiking and trying to cut down on anything that doesn't need to chatter to the internet, as my home connection is a very poor ADSL line that cannot sustain much traffic, so cutting out any junk will help a lot.

So I ran packet traces on my public connection (all devices on the LAN use my home server, a Linux box, as their default gateway, and it NATs them out to the public IPs I have) and started to notice a pattern of requests constantly going out over the public interface.

The first one is shown below:

12:33:47.668240 IP OBSCURED.2614 > OBSCURED.domain: 6038+ A? www.db-power.com. (34)
12:33:47.686932 IP OBSCURED.domain > OBSCURED.2614: 6038 NXDomain* 0/0/0 (34)
12:33:47.690643 IP OBSCURED.2614 > OBSCURED.domain: 6039+ A? www.db-power.com. (34)
12:33:47.709829 IP OBSCURED.domain > OBSCURED.2614: 6039 NXDomain* 0/0/0 (34)
12:33:47.723202 IP OBSCURED.2614 > OBSCURED.domain: 6042+ A? www.db-power.com. (34)
12:33:47.742344 IP OBSCURED.domain > OBSCURED.2614: 6042 NXDomain* 0/0/0 (34)
12:33:47.746075 IP OBSCURED.2614 > OBSCURED.domain: 6043+ A? www.db-power.com. (34)
12:33:47.764766 IP OBSCURED.domain > OBSCURED.2614: 6043 NXDomain* 0/0/0 (34)
12:33:47.777307 IP OBSCURED.2614 > OBSCURED.domain: 6046+ A? www.db-power.com. (34)
12:33:47.796293 IP OBSCURED.domain > OBSCURED.2614: 6046 NXDomain* 0/0/0 (34)
12:33:47.801283 IP OBSCURED.2614 > OBSCURED.domain: 6047+ A? www.db-power.com. (34)
12:33:47.819959 IP OBSCURED.domain > OBSCURED.2614: 6047 NXDomain* 0/0/0 (34)
12:33:47.832231 IP OBSCURED.2614 > OBSCURED.domain: 6050+ A? www.db-power.com. (34)
12:33:47.850810 IP OBSCURED.domain > OBSCURED.2614: 6050 NXDomain* 0/0/0 (34)

(I've OBSCURED my IP/hostname and my upstream DNS provider's resolver here.)
So something was asking for the DNS entry for www.db-power.com and constantly being told it doesn't exist (NXDomain). This capture was taken on my external interface; switching to the internal interface (the LAN side of the NAT server) I tracked the source down to one of the IP cameras. The seven queries above arrive within about 200 ms of each other, so they look like one lookup's retry burst rather than seven independent requests, and the burst repeats every 60 seconds. Logging into the web interface of the camera I couldn't find anything referring to this hostname, but clearly it has some process that tries to 'phone home'. That was the first one tracked down. I simply put a block in my local caching DNS so the name is answered locally, which stopped the external requests and the wasted bandwidth (the camera still asks every minute, but the question never leaves the LAN).
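Repeated NXDOMAIN answers for one name from one client are a cheap signal worth alerting on, whatever the device. As an added example, not from the original post, here is a small Python detector that pairs tcpdump DNS query lines with their responses by client and transaction ID and reports any client/name pair that collects several NXDOMAIN answers. Its input is the fourteen lines quoted above (hostnames still OBSCURED) plus two constructed lines for a hypothetical name that does resolve, so the detector has something to ignore; the line format is tcpdump's default DNS decoding, with or without -n.

```python
import re
from collections import defaultdict

# Constructed sample: the seven query/response pairs from the post, plus two
# hypothetical lines (example.com, TEST-NET address) for a name that resolves.
SAMPLE_TRACE = """
12:33:47.668240 IP OBSCURED.2614 > OBSCURED.domain: 6038+ A? www.db-power.com. (34)
12:33:47.686932 IP OBSCURED.domain > OBSCURED.2614: 6038 NXDomain* 0/0/0 (34)
12:33:47.690643 IP OBSCURED.2614 > OBSCURED.domain: 6039+ A? www.db-power.com. (34)
12:33:47.709829 IP OBSCURED.domain > OBSCURED.2614: 6039 NXDomain* 0/0/0 (34)
12:33:47.723202 IP OBSCURED.2614 > OBSCURED.domain: 6042+ A? www.db-power.com. (34)
12:33:47.742344 IP OBSCURED.domain > OBSCURED.2614: 6042 NXDomain* 0/0/0 (34)
12:33:47.746075 IP OBSCURED.2614 > OBSCURED.domain: 6043+ A? www.db-power.com. (34)
12:33:47.764766 IP OBSCURED.domain > OBSCURED.2614: 6043 NXDomain* 0/0/0 (34)
12:33:47.777307 IP OBSCURED.2614 > OBSCURED.domain: 6046+ A? www.db-power.com. (34)
12:33:47.796293 IP OBSCURED.domain > OBSCURED.2614: 6046 NXDomain* 0/0/0 (34)
12:33:47.801283 IP OBSCURED.2614 > OBSCURED.domain: 6047+ A? www.db-power.com. (34)
12:33:47.819959 IP OBSCURED.domain > OBSCURED.2614: 6047 NXDomain* 0/0/0 (34)
12:33:47.832231 IP OBSCURED.2614 > OBSCURED.domain: 6050+ A? www.db-power.com. (34)
12:33:47.850810 IP OBSCURED.domain > OBSCURED.2614: 6050 NXDomain* 0/0/0 (34)
12:33:50.000000 IP OBSCURED.40000 > OBSCURED.domain: 100+ A? example.com. (29)
12:33:50.020000 IP OBSCURED.domain > OBSCURED.40000: 100 1/0/0 A 192.0.2.1 (45)
"""

# "<ts> IP <src>.<port> > <dst>.<port>: <txid><flags> <rest>" as tcpdump prints DNS.
DNS_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<txid>\d+)(?P<flags>[+*$|-]*) (?P<rest>.*)$"
)
# A question looks like "A? www.db-power.com. (34)"; answers never start with "TYPE? ".
QUERY_RE = re.compile(r"^(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+)")


def _host(endpoint):
    """'OBSCURED.2614' or 'OBSCURED.domain' -> 'OBSCURED' (port or service name dropped)."""
    return endpoint.rpartition(".")[0]


def _seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_dns_lines(text):
    """Yield (ts, src_host, dst_host, txid, rest) for every tcpdump DNS line."""
    for line in text.splitlines():
        m = DNS_LINE.match(line.strip())
        if m:
            yield m["ts"], _host(m["src"]), _host(m["dst"]), int(m["txid"]), m["rest"]


def find_nxdomain_beacons(text, min_count=5):
    """Pair each query with its response by (client, txid), count NXDOMAIN answers
    per (client, qname), and return the pairs that reach min_count."""
    pending = {}                                   # (client, txid) -> qname
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for ts, src, dst, txid, rest in parse_dns_lines(text):
        q = QUERY_RE.match(rest)
        if q:                                      # question: the client is the sender
            pending[(src, txid)] = q["qname"]
            continue
        qname = pending.pop((dst, txid), None)     # answer: the client is the receiver
        if qname is None or "NXDomain" not in rest:
            continue
        h = hits[(dst, qname)]
        h["count"] += 1
        h["first"] = h["first"] or ts
        h["last"] = ts
    result = {}
    for key, h in hits.items():
        if h["count"] >= min_count:
            h["span"] = round(_seconds(h["last"]) - _seconds(h["first"]), 6)
            result[key] = h
    return result


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TRACE
    for (client, qname), h in find_nxdomain_beacons(text).items():
        print(f"{client} asked for {qname} {h['count']}x, all NXDomain, "
              f"between {h['first']} and {h['last']} ({h['span']:.3f}s)")
```

Fed the post's capture it reports a single offender: OBSCURED asking for www.db-power.com. seven times in about 0.16 s, every answer NXDomain, while the constructed example.com lookup is ignored. A saved capture can be piped in (tcpdump -l -n -r file.pcap port 53 | python3 nxdomain_beacons.py); raise min_count if your network produces a lot of legitimate negative lookups.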

The next one I then spotted was this:


12:38:47.545925 IP OBSCURED.3203 > ec2-54-243-97-206.compute-1.amazonaws.com.32100: UDP, length 24
12:38:47.546216 IP OBSCURED.3203 > ec2-54-251-113-251.ap-southeast-1.compute.amazonaws.com.32100: UDP, length 24
12:38:47.546402 IP OBSCURED.3203 > ec2-54-246-107-165.eu-west-1.compute.amazonaws.com.32100: UDP, length 24
12:38:49.354353 IP OBSCURED.3208 > ec2-54-243-97-206.compute-1.amazonaws.com.32100: UDP, length 44
12:38:49.354574 IP OBSCURED.3208 > ec2-54-251-113-251.ap-southeast-1.compute.amazonaws.com.32100: UDP, length 44
12:38:49.354774 IP OBSCURED.3208 > ec2-54-246-107-165.eu-west-1.compute.amazonaws.com.32100: UDP, length 44
Again OBSCURED is my camera's IP address. This one was more interesting. The camera was constantly (every minute again) trying to contact three hosts in Amazon AWS, one each in us-east-1, ap-southeast-1 and eu-west-1 judging by the reverse DNS names, all on UDP port 32100. So somebody has servers in Amazon's cloud that these units contact. I have two IP cameras from different manufacturers with different interfaces, and both were doing this, so there must be a common firmware component that makes this communication.
Interestingly nothing at the far end answered (UDP has no connection to refuse, so a closed port shows up either as an ICMP port-unreachable or as plain silence), but still, why was it there?
First thing, I blocked this at my firewall so it can't get out, then set about looking at what it's doing. It's UDP, so there's no session to follow; most likely it's just squirting a bit of info about itself (perhaps firmware version, date/time) back to its manufacturer. Possibly it's also the 'cloud' service for viewing or managing the camera remotely, as I have seen this principle elsewhere, but that was all disabled on my unit, which suggests that even when disabled it still makes the initial phone-home even if nothing else is passed. As you can also see it's trying three Amazon IP addresses. I was unsure if these are hard-coded or resolved via DNS, so the next step was to sniff its traffic for DNS requests. It didn't appear to make any, which suggests the hosts are hard-coded into the firmware (the other possibility is a lookup done once at boot, before the capture started; rebooting the camera with the sniffer already running would settle it).
Viewing the actual payload didn't help much either:


13:17:00.226305 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 52)
    OBSCURED.3203 > 54.246.107.165.32100: [udp sum ok] UDP, length 24
 0x0000:  4500 0034 0000 4000 4011 a06c c0a8 3709  E..4..@.@..l..7.
 0x0010:  36f6 6ba5 0c83 7d64 0020 f89b f191 0014  6.k...}d........
 0x0020:  4a57 4556 0000 0000 0003 95fe 4545 4343  JWEV........EECC
 0x0030:  4300 0000                                C...
13:17:01.942156 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 72)
    OBSCURED.3208 > 54.243.97.206.32100: [udp sum ok] UDP, length 44
 0x0000:  4500 0048 0000 4000 4011 aa32 c0a8 3709  E..H..@.@..2..7.
 0x0010:  36f3 61ce 0c88 7d64 0034 bf8e f110 0028  6.a...}d.4.....(
 0x0020:  4a57 4556 0000 0000 0003 95fe 4545 4343  JWEV........EECC
 0x0030:  4300 0000 0200 0721 0002 880c 0937 a8c0  C......!.....7..
 0x0040:  0000 0000 0000 0000                      ........
13:17:01.942371 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 72)
    OBSCURED.3208 > 54.251.113.251.32100: [udp sum ok] UDP, length 44
 0x0000:  4500 0048 0000 4000 4011 99fd c0a8 3709  E..H..@.@.....7.
 0x0010:  36fb 71fb 0c88 7d64 0034 af59 f110 0028  6.q...}d.4.Y...(
 0x0020:  4a57 4556 0000 0000 0003 95fe 4545 4343  JWEV........EECC
 0x0030:  4300 0000 0200 0721 0002 880c 0937 a8c0  C......!.....7..
 0x0040:  0000 0000 0000 0000
I couldn't work out what it contained. Each message was always the same length and the content barely changed, only one or two bytes differed between captures, and I couldn't see any correlation between what the camera was doing and those values, so I didn't expect to spot what it is.
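The dump above is actually quite readable once split into fields, and as an added example (not from the original post) here is a Python decoder for the two distinct datagrams in it, copied byte for byte including the IP and UDP headers. The framing (0xF1 marker, one type byte, 16-bit big-endian body length, then a 20-byte device ID made of an ASCII prefix, a serial number and an ASCII check code) matches what later public research documented for the CS2 Network 'PPPP' family of P2P camera protocols, whose rendezvous servers listen on UDP/32100, and the comments below mention a 'P2P ID' and a setsmartp2p setting on these cameras; the post itself never established that, so treat the protocol name as an inference. Two further assumptions are labelled in the code: that the 16-byte tail of the type 0x10 message is a sockaddr_in with each field byte-reversed, and that the four bytes before it are unexplained. The sockaddr reading is supported by the decode itself, since the address and port it yields equal the packet's own source address and port.

```python
import struct
from ipaddress import IPv4Address

# Input: two frames from the tcpdump -X output in the post, verbatim
# (20-byte IPv4 header, 8-byte UDP header, payload). The third frame in the
# dump carries the same payload as "login" to a different server.
FRAMES_HEX = {
    "hello": """
        4500 0034 0000 4000 4011 a06c c0a8 3709
        36f6 6ba5 0c83 7d64 0020 f89b f191 0014
        4a57 4556 0000 0000 0003 95fe 4545 4343
        4300 0000
    """,
    "login": """
        4500 0048 0000 4000 4011 aa32 c0a8 3709
        36f3 61ce 0c88 7d64 0034 bf8e f110 0028
        4a57 4556 0000 0000 0003 95fe 4545 4343
        4300 0000 0200 0721 0002 880c 0937 a8c0
        0000 0000 0000 0000
    """,
}


def split_ipv4_udp(frame):
    """Peel the IPv4 and UDP headers off a raw frame; return addressing and payload."""
    ihl = (frame[0] & 0x0F) * 4                          # IPv4 header length in bytes
    if frame[9] != 17:
        raise ValueError("not UDP")
    src_ip = str(IPv4Address(frame[12:16]))
    dst_ip = str(IPv4Address(frame[16:20]))
    src_port, dst_port, udp_len = struct.unpack("!HHH", frame[ihl:ihl + 6])
    payload = frame[ihl + 8:ihl + udp_len]               # UDP length covers its 8-byte header
    return src_ip, src_port, dst_ip, dst_port, payload


def parse_uid(blob):
    """20-byte device ID: 8-byte ASCII prefix, big-endian 32-bit serial,
    8-byte ASCII check code, all NUL padded. Rendered prefix-serial-check."""
    prefix = blob[0:8].rstrip(b"\0").decode("ascii")
    (serial,) = struct.unpack("!I", blob[8:12])
    check = blob[12:20].rstrip(b"\0").decode("ascii")
    return f"{prefix}-{serial}-{check}"


def parse_reversed_sockaddr(blob):
    """Assumption: a sockaddr_in with every field byte-reversed on the wire
    (family, port, IPv4 address, 8 bytes padding). Returns (ip, port) or None."""
    family = struct.unpack("!H", blob[0:2])[0]           # AF_INET 02 00 in memory -> 00 02
    if family != 2 or any(blob[8:16]):
        return None
    port = struct.unpack("<H", blob[2:4])[0]             # network-order port, reversed
    ip = str(IPv4Address(blob[4:8][::-1]))               # network-order address, reversed
    return ip, port


def parse_p2p_message(payload):
    """Decode one 0xF1-framed datagram: marker, type, big-endian body length, body."""
    if len(payload) < 4 or payload[0] != 0xF1:
        raise ValueError("unexpected framing")
    msg_type = payload[1]
    (body_len,) = struct.unpack("!H", payload[2:4])
    body = payload[4:]
    if len(body) != body_len:
        raise ValueError(f"length field {body_len} != body {len(body)}")
    msg = {"type": msg_type, "body_len": body_len}
    if body_len >= 20:
        msg["uid"] = parse_uid(body[0:20])
    if body_len >= 40:
        msg["unknown"] = body[20:24].hex()               # four bytes this decoder does not explain
        msg["lan_addr"] = parse_reversed_sockaddr(body[24:40])
    return msg


def decode_frame(hex_dump):
    frame = bytes.fromhex("".join(hex_dump.split()))
    src_ip, src_port, dst_ip, dst_port, payload = split_ipv4_udp(frame)
    return {"src": (src_ip, src_port), "dst": (dst_ip, dst_port),
            "msg": parse_p2p_message(payload)}


def decode_all(frames=FRAMES_HEX):
    return {name: decode_frame(hex_dump) for name, hex_dump in frames.items()}


if __name__ == "__main__":
    for name, info in decode_all().items():
        print(name, info)
```

Both datagrams carry the same device ID, JWEV-235006-EECCC, which is the "one or two characters" that would differ between two cameras. The type 0x10 body additionally reports the camera's own LAN address and source port, which is what a hole-punching rendezvous server needs to pair a phone app with the camera, and exactly the kind of thing that still leaks when the 'cloud' feature is supposedly off. One redaction caveat: the hex dump was never obscured, so the camera's private address (192.168.55.9) is visible in the IP header bytes c0a8 3709 even though the text says OBSCURED.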

One final thing: I port-scanned the camera, which showed 23 (telnet), 99 (metagram) and 8600 (asterisk) open; the names are just the scanner's /etc/services labels, not what is actually listening. Telnet was correct, as I could telnet in and get a login prompt. Port 99 was the web interface (I'd changed it to that), and 8600 accepted a connection and immediately closed it again. So I thought I'd try telnet:


Escape character is '^]'.

(none) login: root
Password: 


BusyBox v1.12.1 (2012-11-20 15:16:24 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

# ps
  PID USER       VSZ STAT COMMAND
    1 root      1528 S    init       
    2 root         0 SWN  [ksoftirqd/0]
    3 root         0 SW<  [events/0]
    4 root         0 SW<  [khelper]
    5 root         0 SW<  [kthread]
    6 root         0 SW<  [kblockd/0]
    7 root         0 SW<  [khubd]
    8 root         0 SW<  [kswapd0]
    9 root         0 SW   [pdflush]
   10 root         0 SW   [pdflush]
   11 root         0 SW<  [aio/0]
   12 root         0 SW<  [scsi_tgtd/0]
   13 root         0 SW   [mtdblockd]
   14 root         0 SW<  [kmmcd]
   20 root      1092 S    nvram_daemon 
   23 root         0 SWN  [jffs2_gcd_mtd6]
   25 root         0 SWN  [jffs2_gcd_mtd7]
   28 root      1528 R    telnetd 
   29 root      1696 S    /system/system/bin/daemon.v5.12 
   30 root      1480 S    /system/system/bin/cmd_thread 
   31 root      1480 S    /system/system/bin/gmail_thread 
   32 root      1532 S    /bin/sh 
   33 root      1696 S    /system/system/bin/daemon.v5.12 
   36 root      1480 S    /system/system/bin/cmd_thread 
   39 root      1480 S    /system/system/bin/gmail_thread 
   40 root      1696 S    /system/system/bin/daemon.v5.12 
   41 root      1696 S    /system/system/bin/daemon.v5.12 
   43 root      1480 S    /system/system/bin/cmd_thread 
   44 root      1480 S    /system/system/bin/gmail_thread 
   50 root         0 SW   [RtmpCmdQTask]
   51 root         0 SW   [RtmpWscTask]
   89 root      1696 S    /system/system/bin/daemon.v5.12 
  135 root      1524 S    /sbin/udhcpc -i eth2 -n 
  140 root      1696 S    /system/system/bin/daemon.v5.12 
  141 root      1696 S    /system/system/bin/daemon.v5.12 
  142 root      1696 S    /system/system/bin/daemon.v5.12 
  145 root      1696 S    /system/system/bin/daemon.v5.12 
  146 root      1696 S    /system/system/bin/daemon.v5.12 
  147 root      1696 S    /system/system/bin/daemon.v5.12 
  151 root     11528 S    /system/system/bin/encoder 
  158 root     11528 S    /system/system/bin/encoder 
  159 root     11528 S    /system/system/bin/encoder 
  160 root     11528 S    /system/system/bin/encoder 
  161 root     11528 S    /system/system/bin/encoder 
  164 root     11528 S    /system/system/bin/encoder 
  165 root     11528 S    /system/system/bin/encoder 
  167 root     11528 S    /system/system/bin/encoder 
  168 root     11528 S    /system/system/bin/encoder 
  169 root     11528 S    /system/system/bin/encoder 
  170 root     11528 S    /system/system/bin/encoder 
  171 root     11528 S    /system/system/bin/encoder 
  172 root     11528 S    /system/system/bin/encoder 
  173 root     11528 S    /system/system/bin/encoder 
  178 root     11528 S    /system/system/bin/encoder 
  179 root     11528 S    /system/system/bin/encoder 
  180 root     11528 S    /system/system/bin/encoder 
  181 root     11528 S    /system/system/bin/encoder 
  182 root     11528 S    /system/system/bin/encoder 
  183 root     11528 S    /system/system/bin/encoder 
  184 root     11528 S    /system/system/bin/encoder 
  185 root     11528 S    /system/system/bin/encoder 
  186 root     11528 S    /system/system/bin/encoder 
  187 root     11528 S    /system/system/bin/encoder 
  188 root     11528 S    /system/system/bin/encoder 
  189 root     11528 S    /system/system/bin/encoder 
  190 root     11528 S    /system/system/bin/encoder 
  191 root     11528 S    /system/system/bin/encoder 
  192 root     11528 S    /system/system/bin/encoder 
  193 root     11528 S    /system/system/bin/encoder 
  194 root     11528 S    /system/system/bin/encoder 
  195 root     11528 S    /system/system/bin/encoder 
  196 root     11528 S    /system/system/bin/encoder 
  197 root     11528 S    /system/system/bin/encoder 
  198 root     11528 S    /system/system/bin/encoder 
  199 root     11528 S    /system/system/bin/encoder 
  200 root     11528 S    /system/system/bin/encoder 
  201 root     11528 S    /system/system/bin/encoder 
  202 root     11528 S    /system/system/bin/encoder 
  203 root     11528 S    /system/system/bin/encoder 
  204 root     11528 S    /system/system/bin/encoder 
  205 root     11528 S    /system/system/bin/encoder 
  206 root     11528 S    /system/system/bin/encoder 
  207 root     11528 S    /system/system/bin/encoder 
  208 root     11528 S    /system/system/bin/encoder 
  209 root     11528 S    /system/system/bin/encoder 
  210 root     11528 S    /system/system/bin/encoder 
  211 root     11528 S    /system/system/bin/encoder 
  213 root     11528 S    /system/system/bin/encoder 
  214 root     11528 S    /system/system/bin/encoder 
  215 root     11528 S    /system/system/bin/encoder 
  216 root     11528 S    /system/system/bin/encoder 
  217 root     11528 S    /system/system/bin/encoder 
  218 root     11528 S    /system/system/bin/encoder 
  221 root     11528 S    /system/system/bin/encoder 
  222 root     11528 S    /system/system/bin/encoder 
  223 root     11528 S    /system/system/bin/encoder 
  224 root     11528 S    /system/system/bin/encoder 
  225 root     11528 S    /system/system/bin/encoder 
  226 root     11528 S    /system/system/bin/encoder 
  227 root     11528 S    /system/system/bin/encoder 
  228 root     11528 S    /system/system/bin/encoder 
  229 root     11528 S    /system/system/bin/encoder 
  230 root     11528 S    /system/system/bin/encoder 
  231 root     11528 S    /system/system/bin/encoder 
  236 root     11528 S    /system/system/bin/encoder 
  237 root     11528 S    /system/system/bin/encoder 
  238 root     11528 S    /system/system/bin/encoder 
  239 root     11528 S    /system/system/bin/encoder 
  240 root     11528 S    /system/system/bin/encoder 
  252 root     11528 S    /system/system/bin/encoder 
  253 root     11528 S    /system/system/bin/encoder 
 1891 root     11528 S    /system/system/bin/encoder 
 1892 root     11528 S    /system/system/bin/encoder 
 3553 root     11528 S    /system/system/bin/encoder 
 3554 root     11528 S    /system/system/bin/encoder 
 3821 root      1532 S    -sh 
 3824 root      1528 R    ps 

As you can see, I logged in! The username and password I'd set through the web interface were refused; the default it shipped with, user 'root' with password '123456', was accepted. So these all seem to share that default, and changing the web credentials does not change the telnet root password. Once in, it's a basic BusyBox Linux system (BusyBox 1.12.1 in a 2012 build, per the banner); the dozens of encoder and daemon.v5.12 entries in the ps output are almost certainly threads, which this old BusyBox ps lists as separate processes. I've not had much time to look any further, but if you're interested here is the filesystem and what looks like the init script that is run at boot to start the daemons:
# df
Filesystem           1k-blocks      Used Available Use% Mounted on
rootfs                    3008      3008         0 100% /
/dev/root                 3008      3008         0 100% /
/dev/mtdblock6            3072      1892      1180  62% /system
/dev/mtdblock7             512       208       304  41% /param
# ls /system
system    daemon    Wireless  init      www
# cat /system/init/ipcam.sh 
export LD_LIBRARY_PATH=/system/system/lib:$LD_LIBRARY_PATH
export PATH=/system/system/bin:$PATH
telnetd
/system/system/bin/daemon.v5.12 &
/system/system/bin/cmd_thread &
/system/system/bin/gmail_thread &
# 
So there look to be three daemons I'd like to have a look inside (daemon.v5.12, cmd_thread and gmail_thread), so I may do that at some point in the future. Note also that the init script starts telnetd unconditionally, ahead of the camera daemons, so on this firmware the telnet login with its default root password is up from boot unless something later stops it. /system appears to be a JFFS2 filesystem (jffs2_gcd_mtd6 in ps, /dev/mtdblock6 on /system in df), so if it is mounted read-write the script can be edited from that root shell to remove the telnetd line.

46 comments:

  1. Makes you think dunnit? Give a few years and these IoT appliances that are starting to become popular could be sending lots of info to whoever. I guess all data is of interest to someone and, I presume, has value to anyone other than the end user. You just don't think of your web-enabled fridge to have Bloatware..

  2. Sorry to hijack your blog, but I've found something worth mentioning and I don't have anywhere else I can post this info. Since your page came near the top of google search, it seems to be a good spot to post for others to see.
    First off, my camera is the Wanscam HW0041, so YMMV depending.
    My FW came with telnet disabled (I've checked the ports, only ones open are all relating to normal camera functions).
    Digging in the web GUI, there's a hidden page, tplatform_men.html, which toggles the P2P function on/off. Although on mine it looks broken, the settings do get saved when I click Apply (verified by my router's syslog that all those cloud connections stopped after doing this; also verified after a reboot that the P2P ID is blank on the device information page). There's also the upnp_men.html page (also hidden) that controls the UPnP function. With the NTP function turned off and DDNS off, my camera's quiet as a rock after a restart. With the cloud off and the default password changed, this camera should be fairly secure.
    Cheers.

  30. To stop the WANSVIEW camera from connecting to remote port 32100 you can use the following URL: http://IPADDRESS:80/hy-cgi/factory_param.cgi?cmd=setsmartp2p&enable=0. However, you will then not be able to use the camera application; to get around it you can connect directly to the camera via its IP.
