
Trying to confirm a network intrusion

Hi:

So I just did a casual audit of my network and found something curious.
My home alarm system is from Vivint.
It has a central panel, two ip cameras, some hardwired cameras, motion detectors, and door/window opening sensors.
There's nothing on this network that's not Vivint.

The trouble is I noticed two IP addresses connecting today.
I checked back a month and only today do I have these additions.

Looking at my app, the MAC addresses of the IP cameras do correspond to Vivint.
The two foreign mac addresses are as follows:

1 - 06:11:22:33:44:55  Locally administered address (LAA): the address is assigned to a device by a network administrator, overriding the burned-in address.
2 - 0c:83:cc:ef:7e:7e  Vendor name: Alpha Networks Inc.

Alpha Networks Inc.
No.8 Li-shing 7th Rd.
Science-based Industrial Park
Hsinchu, Taiwan 300
TW

Assignment Type: MA-L (MAC Address Block Large, previously named OUI). Number of addresses: 2^24 (~16 million)


This is an ethernet connection per the logs:
"DHCPREQUEST for 172.16.222.39 (172.16.0.1) from 06:11:22:33:44:55 via eth7"
"DHCPREQUEST for 172.16.222.40 (172.16.0.1) from 0c:83:cc:ef:7e:7e (MeshNode-ef7e7d) via eth7"

Eth7 is the Ethernet network for my Vivint equipment.

This is well beyond the capabilities of the support team at Vivint.
They just grasp for the nearest script and read it back to me.  Sort of annoying, but I sympathize.

Can anyone assist in helping me figure out what's going on?
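A worked triage of DHCP log lines like the two quoted above, added here as an example and not part of the original post or of any Vivint or Sophos UTM code. It parses DHCPREQUEST entries, pulls the client MAC, tests the U/L bit that marks a locally administered address (the 0x02 bit of the first octet, which is what the "LAA" lookup result means, and which randomised MACs on recent phones and most VM/container virtual NICs also set), looks up the OUI only when that bit is clear (a vendor lookup on an LAA is meaningless), and reports anything not in a known-device inventory. The inventory, the third "known camera" log line and the tiny OUI table are constructed for the example; a real check would use the IEEE MA-L registry file.

```python
import re

# Constructed sample lines modelled on the DHCPREQUEST entries quoted above;
# the third line (a "known" camera) is invented for the example.
SAMPLE_DHCP_LOG = """\
DHCPREQUEST for 172.16.222.39 (172.16.0.1) from 06:11:22:33:44:55 via eth7
DHCPREQUEST for 172.16.222.40 (172.16.0.1) from 0c:83:cc:ef:7e:7e (MeshNode-ef7e7d) via eth7
DHCPREQUEST for 172.16.222.10 (172.16.0.1) from 00:11:22:aa:bb:cc (vivint-cam1) via eth7
"""

# Hypothetical inventory of MACs the owner already trusts (an assumption, not from the post).
KNOWN_MACS = {"00:11:22:aa:bb:cc"}

# Minimal OUI table for the example; a real check uses the IEEE MA-L registry file.
OUI_TABLE = {"0c:83:cc": "Alpha Networks Inc."}

DHCP_RE = re.compile(
    r"DHCPREQUEST for (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \((?P<server>[\d.]+)\) "
    r"from (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)",
    re.IGNORECASE,
)


def parse_dhcp_log(text):
    """Return one dict per DHCPREQUEST line; unrelated lines are skipped."""
    leases = []
    for line in text.splitlines():
        m = DHCP_RE.search(line)
        if m:
            d = m.groupdict()
            d["mac"] = d["mac"].lower()
            leases.append(d)
    return leases


def first_octet(mac):
    return int(mac.split(":")[0], 16)


def is_locally_administered(mac):
    """Bit 1 (0x02) of the first octet is the U/L bit; set means locally administered.
    Randomised MACs on recent phones and most VM/container NICs set it."""
    return bool(first_octet(mac) & 0x02)


def is_multicast(mac):
    """Bit 0 (0x01) of the first octet is the I/G bit; a unicast source MAC never has it set."""
    return bool(first_octet(mac) & 0x01)


def lookup_oui(mac):
    """Vendor for the first three octets, or None for an LAA (no vendor applies) or unknown prefix."""
    if is_locally_administered(mac):
        return None
    return OUI_TABLE.get(mac[:8])


def triage(text, known_macs):
    """Flag DHCP clients not in the inventory, with a note on why each one deserves a look."""
    findings = []
    for lease in parse_dhcp_log(text):
        if lease["mac"] in known_macs:
            continue
        notes = []
        if is_locally_administered(lease["mac"]):
            notes.append("locally administered (random/VM/overridden MAC, vendor lookup meaningless)")
        else:
            vendor = lookup_oui(lease["mac"])
            notes.append(f"vendor: {vendor}" if vendor else "vendor: unknown OUI")
        if lease["host"]:
            notes.append(f"hostname: {lease['host']}")
        findings.append({"ip": lease["ip"], "mac": lease["mac"], "iface": lease["iface"], "notes": notes})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DHCP_LOG, KNOWN_MACS):
        print(f["iface"], f["ip"], f["mac"], "; ".join(f["notes"]))
```

Run against a real dhcpd log the output is a short list of unknown clients per interface. The script keeps the DHCP-advertised hostname next to the MAC so that oddities such as a name suffix that does not match the MAC's last bytes stay visible; a hostname is client-supplied and cannot be trusted on its own.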



  • The burned-in was just text I copied from a MAC address lookup.  It just means this is a custom MAC, not the one assigned to the hardware by the manufacturer.  I can create a network definition, but no data was ever sent or received from the UTM's DHCP server.  It's irrelevant.

  • I see. This reminds me of newer Android phones that have "randomized MAC addresses" when connecting to wifi. From your previous posts it seems you think that the Vivint system is communicating back home through some VM. I'm just trying to figure out how these cameras get their IP addresses as it seems the Vivint control panel is acting as the DHCP server for the cameras and not the UTM. 

    The main gist of this thread was that you were trying to "confirm a network intrusion". By that you mean does the system contact a C&C server, or have some type of exploit? 

    In the UTM there is an option block "encrypted and unscannable" content. That would be a start, if the Vivint system was using some encrypted communication. Also the web filter can block uncategorized/malicious websites, spyware communication and remote access websites.

  • Interesting.

    Where is this "In the UTM there is an option block "encrypted and unscannable content""?
    I was considering an intrusion.  It's not clear to me what the two spurious IP addresses are.  I was thinking perhaps an engineer at the security company spun up some VMs to investigate why my network is so locked down.
    I suspect the cameras use the Control Panel as a DHCP server as well as a proxy via VPN for video traffic to go to the main servers.  As there are hardwired in addition to IP cameras, this would make sense to me.

  • It's in WebAdmin-->Web Protection-->Filtering Options-->Misc--->Block unscannable and encrypted files.

    You have more access to the user manuals of the Vivint system than we do. Also I'm not sure if "Decrypt and scan" has to be enabled for the UTM to "block encrypted and unscannable" traffic since normal HTTPS traffic would look encrypted to it with decrypt and scan disabled.

    Anyway, I'm going to go out on a limb and assume that the Vivint system probably doesn't allow you to install the web filter's HTTPS decryption CA certificate on it. If you could at least look into the options and make sure settings you don't use are disabled, like P2P, UPnP, port forwarding, etc.

    Unless you have in-depth knowledge of packet capture and TCP dumps, there's only so much you can really do.

    A lot of users are using Pi-Hole on their networks as their DNS server and keeping DNS-over-HTTPS disabled on their devices so they can see exactly what every device is connecting to and using the malware/spyware adlists.
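A worked example of the Pi-hole approach just described, added here and not code from the original thread, Pi-hole, or Vivint: with every device pointed at a local DNS resolver and DNS-over-HTTPS off, the resolver's query log shows which names each client asked for. The script below parses dnsmasq-style `query[...]` lines (the format Pi-hole's underlying resolver writes), groups names per client IP, and diffs a later capture against a baseline so that a device suddenly resolving a name it never resolved before stands out. The log lines, hostnames and addresses are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed dnsmasq/Pi-hole style query log lines (invented names and addresses for the example).
SAMPLE_PIHOLE_LOG = """\
Mar  3 10:00:01 dnsmasq[812]: query[A] api.vendor.example from 172.16.222.10
Mar  3 10:00:01 dnsmasq[812]: forwarded api.vendor.example to 1.1.1.1
Mar  3 10:00:05 dnsmasq[812]: query[A] telemetry.vendor.example from 172.16.222.39
Mar  3 10:00:09 dnsmasq[812]: query[AAAA] telemetry.vendor.example from 172.16.222.39
Mar  3 10:00:12 dnsmasq[812]: query[A] cdn.other.example from 172.16.222.40
Mar  3 10:00:20 dnsmasq[812]: query[A] api.vendor.example from 172.16.222.39
"""

# Only the "query[TYPE] name from client" lines identify the asking device;
# "forwarded"/"reply"/"cached" lines carry no client and are skipped.
QUERY_RE = re.compile(
    r"dnsmasq\[\d+\]: query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>[\d.]+)"
)


def domains_by_client(text):
    """Map each client IP to a Counter of the names it asked for."""
    out = defaultdict(Counter)
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            out[m["client"]][m["name"]] += 1
    return dict(out)


def new_domains(baseline_text, current_text):
    """Per client, the names it resolves now but never resolved in the baseline capture."""
    base = domains_by_client(baseline_text)
    cur = domains_by_client(current_text)
    result = {}
    for client, names in cur.items():
        unseen = sorted(set(names) - set(base.get(client, {})))
        if unseen:
            result[client] = unseen
    return result


if __name__ == "__main__":
    for client, names in sorted(domains_by_client(SAMPLE_PIHOLE_LOG).items()):
        print(client, dict(names))
```

Take the baseline from a period you consider normal (a week of logs, say) and diff each new day against it. A device that contacts a fixed set of vendor hosts will produce an empty diff; a new name, or a client IP that never appeared in the baseline at all, is what to look at next with a packet capture.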

  • Interesting. I have it set to block unscannable and encrypted files.
    I use a Wireguard VPN every day on multiple machines and it works just fine so I'm thinking this doesn't work.

  • Like I said, I think "block unscannable and encrypted files" only works when decrypt and scan is enabled since the UTM can't decrypt the HTTPS/TLS connection otherwise and it would be blocking all your web browsing thinking it was encrypted.

    The other option to consider is enabling Network Visibility in application filtering and using the flow monitor to see where the Vivint is connecting to and block that traffic or at least have more insight into what it  is connecting to and what type of traffic it's sending out.

    Try this:

    1. Go to Application Control --> Application Control Rules.

    2. Create a new application control rule.

    3. Select Action: ALLOW.

    4. Add ALL applications to it.

    5. Add your Vivint network.

    6. Select Log.

    Now you can see everything, but this overrides any web filtering rules you have, and if the data is encrypted it might show up and tell you what service it is. It might not be safe to do this, though.

    Or create a firewall rule at the top to allow all outgoing services from the Vivint and log it. Then search your log file for the rule that matches, but it will override any firewall rules you have blocking anything below it in the rule list.