IP Cameras trying to connect to Amazon AWS?

/usr/sbin

I picked up a few additional security cameras to add to my Zoneminder camera system. As a rule I always block Internet access to client devices unless they need it. Right after installing the new cameras I noticed a spike in dropped packets on my camera IP reservation range. Since none of the existing cameras ever try to connect out except for NTP, it sparked my interest, so I did a bit of logging. Apparently about every 30-45 seconds they try to reach out to 3 IPs on Amazon AWS. The data being sent out is the same in each frame. People wonder why I don't trust IoT devices (or any device really). It makes me think of this recent issue: Backdoor in MVPower DVR Firmware Sends CCTV Stills to an Email Address in China

Anyone have an idea WTF this camera is trying to do?


sodium@EdgeRouter:~$ sudo tcpdump -i eth0 host 192.168.1.247
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
22:49:22.673693 IP 192.168.1.247.14182 > ec2-54-86-23-37.compute-1.amazonaws.com.32100: UDP, length 48
22:49:22.673873 IP 192.168.1.247.14182 > ec2-54-72-248-104.eu-west-1.compute.amazonaws.com.32100: UDP, length 48
22:49:22.673947 IP 192.168.1.247.14182 > ec2-54-179-151-251.ap-southeast-1.compute.amazonaws.com.32100: UDP, length 48
22:49:27.676726 ARP, Request who-has 192.168.1.1 tell 192.168.1.247, length 46
22:49:27.676856 ARP, Reply 192.168.1.1 is-at 24:a4:3c:05:e5:d4 (oui Unknown), length 28
22:50:02.745542 IP 192.168.1.247.14182 > ec2-54-86-23-37.compute-1.amazonaws.com.32100: UDP, length 48
22:50:02.745690 IP 192.168.1.247.14182 > ec2-54-72-248-104.eu-west-1.compute.amazonaws.com.32100: UDP, length 48
22:50:02.745771 IP 192.168.1.247.14182 > ec2-54-179-151-251.ap-southeast-1.compute.amazonaws.com.32100: UDP, length 48
22:50:07.747131 ARP, Request who-has 192.168.1.1 tell 192.168.1.247, length 46
22:50:07.747270 ARP, Reply 192.168.1.1 is-at 24:a4:3c:05:e5:d4 (oui Unknown), length 28

Frame 1: 90 bytes on wire (720 bits), 90 bytes captured (720 bits)
Ethernet II, Src: Shenzhen_24:49:48 (ec:71:db:24:49:48), Dst: Ubiquiti_05:e5:d4 (24:a4:3c:05:e5:d4)
Internet Protocol Version 4, Src: 192.168.1.247, Dst: 54.86.23.37
User Datagram Protocol, Src Port: 14182 (14182), Dst Port: 32100 (32100)
Data (48 bytes)

24a43c05e5d4ec71db24494808004500004c0000400040112a87c0a801f73656172537667d6400383561f112002c267934c478aeb28842ef3b9223f082b6f82f2d72decd664fc8a070f75c9e90c4de59b27c0fce60f6498d8b79

24a43c05e5d4ec71db24494808004500004c0000400040114951c0a801f73648f86837667d640038542bf112002c267934c478aeb28842ef3b9223f082b6f82f2d72decd664fc8a070f75c9e90c4de59b27c0fce60f6498d8b79
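As an added check that is not part of the thread, the Python below decodes the two frames posted above, verifies their IPv4 header checksums, confirms that the 48-byte UDP payloads are byte-identical as the OP says, and measures the gap between beacons in the tcpdump lines. The frame hex and log lines are copied from the post; the function names and everything else are mine.

```python
import re
import struct
from collections import defaultdict
# Raw frames exactly as posted in the thread (Ethernet + IPv4 + UDP header + 48-byte payload).
FRAMES = [
    "24a43c05e5d4ec71db24494808004500004c0000400040112a87c0a801f73656172537667d6400383561f112002c267934c478aeb28842ef3b9223f082b6f82f2d72decd664fc8a070f75c9e90c4de59b27c0fce60f6498d8b79",
    "24a43c05e5d4ec71db24494808004500004c0000400040114951c0a801f73648f86837667d640038542bf112002c267934c478aeb28842ef3b9223f082b6f82f2d72decd664fc8a070f75c9e90c4de59b27c0fce60f6498d8b79",
]
# tcpdump lines copied from the post; the ARP line shows that non-UDP traffic is skipped.
TCPDUMP = """\
22:49:22.673693 IP 192.168.1.247.14182 > ec2-54-86-23-37.compute-1.amazonaws.com.32100: UDP, length 48
22:49:22.673873 IP 192.168.1.247.14182 > ec2-54-72-248-104.eu-west-1.compute.amazonaws.com.32100: UDP, length 48
22:49:27.676726 ARP, Request who-has 192.168.1.1 tell 192.168.1.247, length 46
22:50:02.745542 IP 192.168.1.247.14182 > ec2-54-86-23-37.compute-1.amazonaws.com.32100: UDP, length 48
22:50:02.745690 IP 192.168.1.247.14182 > ec2-54-72-248-104.eu-west-1.compute.amazonaws.com.32100: UDP, length 48
"""
LINE_RE = re.compile(r"^(\S+) IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP, length (\d+)$")

def ip_checksum(hdr):
    """RFC 791 header checksum: one's-complement sum of 16-bit words, checksum field zeroed."""
    words = list(struct.unpack("!10H", hdr[:20]))
    words[5] = 0
    total = sum(words)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def decode_frame(hex_frame):
    """Walk Ethernet -> IPv4 -> UDP and return the addressing plus the UDP payload."""
    raw = bytes.fromhex(hex_frame)
    ip = raw[14:34]                                # 20-byte IPv4 header (IHL checked below)
    ihl = (ip[0] & 0x0F) * 4
    sport, dport, ulen, _ = struct.unpack("!HHHH", raw[14 + ihl:22 + ihl])
    return {
        "ipv4_udp": raw[12:14] == b"\x08\x00" and ihl == 20 and ip[9] == 17,  # EtherType, no options, UDP
        "ip_cksum_ok": struct.unpack("!H", ip[10:12])[0] == ip_checksum(ip),
        "src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
        "sport": sport, "dport": dport,
        "payload": raw[22 + ihl:14 + ihl + ulen],  # UDP length includes its own 8-byte header
    }

def beacon_gaps(log, port=32100):
    """Per (camera, destination host): seconds between successive UDP packets sent to `port`."""
    times = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m and int(m.group(5)) == port:
            h, mi, s = m.group(1).split(":")
            times[(m.group(2), m.group(4))].append(int(h) * 3600 + int(mi) * 60 + float(s))
    return {k: [round(b - a, 1) for a, b in zip(t, t[1:])] for k, t in times.items()}
```

Bytes 2-3 of the payload (0x002c = 44) equal the number of bytes that follow the first four, which looks like a 4-byte header with a length field; that is an inference from the data, not something the thread states.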
Just a guess but they might be trying to register themselves as active (warranty/cloud service) and/or checking for firmware updates.
 
> Just a guess but they might be trying to register themselves as active (warranty/cloud service) and/or checking for firmware updates.

Close, this seems to be how all these cheap IP cameras register themselves so you can use the crappy mobile apps they come with to check your cameras remotely without having to port forward. If you google something like webcam udp port 32100 you'll get a bunch of interesting pages.

Interesting, because most of these cameras are so hilariously insecure they're terrifying. Telnet daemons that you can log into with root and no password, active webservers that will happily spit out the entire system config, including plaintext passwords without authentication, dozens of open ports for various services, it goes on and on. And since the devices almost always use UPnP, most routers will happily open up all the ports to the outside world.

I'd never realised how terrible these cameras are, glad I stumbled across this stuff before I bought some for myself.
 
> If you google something like webcam udp port 32100 you'll get a bunch of interesting pages.
>
> Interesting, because most of these cameras are so hilariously insecure they're terrifying. Telnet daemons that you can log into with root and no password, active webservers that will happily spit out the entire system config, including plaintext passwords without authentication, dozens of open ports for various services, it goes on and on. And since the devices almost always use UPnP, most routers will happily open up all the ports to the outside world.
>
> I'd never realised how terrible these cameras are, glad I stumbled across this stuff before I bought some for myself.

Interesting on the port number google search. Thanks for that.

For those wondering, here was a good read: http://forums.whirlpool.net.au/archive/2270750
 
Which is why all my cameras live on an isolated POE switch with nothing on it but the cameras and a dedicated NIC on the NVR. They are all set on static IPs and there is just no path from the camera to anything but the NVR (and the other cameras, I guess...). No path to the Internet except by going through the NVR. And the NVR has carefully controlled firewall rules that prevent anything unexpected from getting to it or out of it.

Paranoid. But given the amount of Malware, backdoors and other crap in the cheap camera firmware it is warranted. I don't want anyone I don't know about or permit using my own cameras to take a look-see at my property.
 
I don't remember seeing any outbound traffic on my Dahua cams, but I do a similar vlan setup, they do not get outbound routing.
 
Very interesting. Shows how it does not hurt to be "paranoid" and secure stuff like this.
 