This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Trying to confirm a network intrusion

Hi:

So I just did a casual audit of my network and found something curious.
My home alarm system is from Vivint.
It has a central panel, two ip cameras, some hardwired cameras, motion detectors, and door/window opening sensors.
There's nothing on this network that's not Vivint.

The trouble is I noticed two IP addresses connecting today.
I checked back a month and only today do I have these additions.

Looking at my app, the mac addresses of the ip caneras do correspond to Vivint.
The two foreign mac addresses are as follows:

1 - 06:11:22:33:44:55  Locally administered addresses (LAA): the address is assigned to a device by a network administrator, overriding the burned-in address.
2 - 0c:83:cc:ef:7e:7eVendor name: Alpha Networks Inc.

Alpha Networks Inc.


           No.8 Li-shing 7th Rd.

Science-based Industrial Park
Hsinchu
Taiwan
R.O.C
Hsinchu Taiwan 300
TW.

Assignment Type MA-L

Mac Address Block Large (previously named OUI). Number of address 2^24 (~16 Million)


This is an ethernet connection per the logs:
"DHCPREQUEST for 172.16.222.39 (172.16.0.1) from 06:11:22:33:44:55 via eth7""DHCPREQUEST for 172.16.222.40 (172.16.0.1) from 0c:83:cc:ef:7e:7e (MeshNode-ef7e7d) via eth7"

Eth7 is the Ethernet network for my Vivint equipment.

This is well beyond the capabilities of the support team at Vivint.
They just grasp for the nearest script and read it back to me.  Sort of annoying, but I sympathize.

Can anyone assist in helping me figure out what's going on?



This thread was automatically locked due to age.
Parents
  • Current working theory:
    There may be some ip instability with the two cameras.
    Probably a function of buggy programming.

    I guess one could programmatically have the cameras continually change ip addresses as a function of security.
    That would be quite clever if the panel choreographed this little dance.

Reply
  • Current working theory:
    There may be some ip instability with the two cameras.
    Probably a function of buggy programming.

    I guess one could programmatically have the cameras continually change ip addresses as a function of security.
    That would be quite clever if the panel choreographed this little dance.

Children
  • The problem with a lot of camera system is they "call back home" to China or other countries and quite prone to hacking.  I use Reolink, and they are great cameras, but they don't ever touch the internet.  If I access them off-site, it's through a VPN.  Firmware updates are manually installed by me.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • Yeah, most have hard coded DNS entries in these cameras which bypass any internal DNS filtering like PiHole. Only way around this I found is to create a firewall rule to block the camera from connecting outbound to the internet other than to contact an NTP server so it can keep it's time synched. The idea is to never allow it to connect to their cloud service, and disable P2P, which can bypass the firewall and allow remote access even if DNAT rules are not used. Anyone with the QR code can access the camera remotely if P2P is enabled. Scary.

  • These are manufactured by the security company in Utah.  They appear to get all of their DHCP et al from the primary security panel in my house.  No data hit my UTM's DHCP server.  They appear to be hardened to some degree.  These other IP addresses are a curiosity.  They may be VM's the panel created for engineers (or scripts) to investigate the network environment I created for their gear.

  • This is part of a suite of devices from a security company.  I'm fine with them calling back home in Utah.

  • VPN's touch the internet.

  • I'm just having trouble understanding your network topology. It appears that your "Vivint security panel" hub is attempting to act as a DHCP server and assign an IP address to your cameras? But they also are on a different subnet than your DHCP server.

    Your IP logs

    "DHCPREQUEST for 172.16.222.39 (172.16.0.1) from 06:11:22:33:44:55 via eth7""DHCPREQUEST for 172.16.222.40 (172.16.0.1) from 0c:83:cc:ef:7e:7e (MeshNode-ef7e7d) via eth7"

    That 172.16.X.X IP range tells me you are using The XG firewall? Are you in the right forum?

    Explain your topology better:

    1. Are you using XG or UTM?

    2. How exactly does your Vivint system fit in with your network? 

    3. Is The IP address of your Sophos (the gateway, internal LAN address) is 172.16.0.1?

     

  • So I have a UTM.

    I have created the 172.16 network for the Vivint security system.
    A DHCP server has been created for every network on the UTM.
    The 172.16.0.1 range does not tell you that I am using an XG firewall.
    This is one of the unroutable public address spaces that anyone can use.
    The Vivint system is simply on this network.  It does not use the UTM's DHCP services, though I think the central panel might. The IP cameras seem to use the panel as a router, a DHCP server etc... 
    The UTM has an address on every network created.  I suspect that is the address for the Vivint network.

  • My mistake. I thought so because the XG uses 172.16.16.16 as the default gateway.