Security and Technology Ramblings…

There are a lot of IP security cameras out there today at really good deals.
Putting one in your house to keep an eye on things is a great idea and they are easy to set up.

But do you trust them? What about the cheaper ones you can get from China? After all, you hear in the news all the time about imported products arriving with Trojans or other malicious software preinstalled.

I have several cameras by a popular Chinese-based manufacturer. I decided to check up and see what happens when it boots up and whom it tries to talk to while it’s running.
Disclaimer: I run these in a dedicated / isolated VLAN and they normally have no ability to talk to the Internet or see the rest of my network. Essentially for my purposes, I really don’t care whom they try to talk to.
For my test, I tried to boot the camera two ways. First boot was with the firewall blocking the connection. Second test was with the firewall wide open allowing the camera to do whatever it felt like doing.

Firewall: Cisco ASA5505
Switch: Cisco 2960 (Camera port #13, traffic mirrored to #33)
Sniffer: Wireshark on my laptop, plugged into #33

My first test, with the firewall blocking all connections, resulted in the camera trying to establish a remote TCP connection to one of six different IP addresses, all of which are located in China. Destination ports 80, 443 and 8000 were attempted. All were blocked by the firewall.

My second test resulted in the camera actually connecting to three separate IP addresses: 61.188.37.216 (China), 50.19.254.134 (Amazon EC2) and 114.215.137.159 (China). This can’t be good, right?

After those connections were established, every three minutes or so, the camera then tried to talk to three more IP addresses: 50.7.235.90 (Czech Republic), 107.20.132.192 (Amazon EC2) and 114.215.179.104 (China).

I would call it highly suspicious that these cameras call home like they are doing and would suspect either malware or some other nefarious purpose.
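
One way to turn a capture like the one described above into a per-destination summary (which remote hosts the camera called, whether they answered, and how often it called back), as an added example that is not part of the original post. It assumes the mirrored traffic was exported as tab-separated fields with `tshark -T fields` (`frame.time_epoch`, `ip.src`, `ip.dst`, `tcp.srcport`, `tcp.dstport`, `tcp.flags.syn`, `tcp.flags.ack`); the camera address and the sample rows are constructed.

```python
from collections import defaultdict
from statistics import median

CAMERA = "192.168.50.13"  # assumed camera address on the isolated VLAN

# Constructed rows: epoch, src, dst, tcp.srcport, tcp.dstport, SYN, ACK
SAMPLE = "\n".join("\t".join(r) for r in [
    ("0.0", CAMERA, "203.0.113.10", "40001", "80", "1", "0"),
    ("3.0", CAMERA, "203.0.113.10", "40001", "80", "1", "0"),   # SYN retransmit
    ("5.0", CAMERA, "198.51.100.7", "40002", "8000", "1", "0"),
    ("5.1", "198.51.100.7", CAMERA, "8000", "40002", "1", "1"),  # SYN-ACK
    ("185.0", CAMERA, "198.51.100.7", "40003", "8000", "1", "0"),
    ("185.1", "198.51.100.7", CAMERA, "8000", "40003", "1", "1"),
    ("365.2", CAMERA, "198.51.100.7", "40004", "8000", "1", "0"),
    ("365.3", "198.51.100.7", CAMERA, "8000", "40004", "1", "1"),
])

def summarize(rows_text, camera=CAMERA):
    """Per (remote IP, port): connection count, whether it answered, call interval."""
    dests = defaultdict(lambda: {"starts": {}, "answered": False})
    for line in rows_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, sport, dport, syn, ack = line.split("\t")
        # Accept both 1/0 and True/False spellings of the flag fields
        syn, ack = syn in ("1", "True"), ack in ("1", "True")
        if not syn:
            continue
        if src == camera and not ack:
            # Key by source port so SYN retransmits count as one attempt
            dests[(dst, int(dport))]["starts"].setdefault(int(sport), float(ts))
        elif dst == camera and ack:
            dests[(src, int(sport))]["answered"] = True  # remote side replied
    report = {}
    for key, d in dests.items():
        starts = sorted(d["starts"].values())
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        report[key] = {
            "connections": len(starts),
            "status": "established" if d["answered"] else "unanswered",
            "median_gap_s": round(median(gaps), 1) if gaps else None,
        }
    return report

if __name__ == "__main__":
    for (ip, port), info in sorted(summarize(SAMPLE).items()):
        print(f"{ip}:{port}", info)
```

An "unanswered" destination corresponds to the firewall-blocked boot, and a steady `median_gap_s` on an established destination is the periodic call-home pattern.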
