This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Trying to confirm a network intrusion

Hi:

So I just did a casual audit of my network and found something curious.
My home alarm system is from Vivint.
It has a central panel, two ip cameras, some hardwired cameras, motion detectors, and door/window opening sensors.
There's nothing on this network that's not Vivint.

The trouble is I noticed two IP addresses connecting today.
I checked back a month and only today do I have these additions.

Looking at my app, the mac addresses of the ip caneras do correspond to Vivint.
The two foreign mac addresses are as follows:

1 - 06:11:22:33:44:55  Locally administered addresses (LAA): the address is assigned to a device by a network administrator, overriding the burned-in address.
2 - 0c:83:cc:ef:7e:7eVendor name: Alpha Networks Inc.

Alpha Networks Inc.


           No.8 Li-shing 7th Rd.

Science-based Industrial Park
Hsinchu
Taiwan
R.O.C
Hsinchu Taiwan 300
TW.

Assignment Type MA-L

Mac Address Block Large (previously named OUI). Number of address 2^24 (~16 Million)


This is an ethernet connection per the logs:
"DHCPREQUEST for 172.16.222.39 (172.16.0.1) from 06:11:22:33:44:55 via eth7""DHCPREQUEST for 172.16.222.40 (172.16.0.1) from 0c:83:cc:ef:7e:7e (MeshNode-ef7e7d) via eth7"

Eth7 is the Ethernet network for my Vivint equipment.

This is well beyond the capabilities of the support team at Vivint.
They just grasp for the nearest script and read it back to me.  Sort of annoying, but I sympathize.

Can anyone assist in helping me figure out what's going on?



This thread was automatically locked due to age.
Parents
  • Interestingly, the only device on this network that has ever connected to the internet is the primary security panel, so the cameras only communicate with the panel - good security architecture.

  • Yes, then the NVR communicates out if allowed/not locked down.  It's usually the UID settings on NVRs and cameras that should be disabled to stop this. Sometimes, the camera itself has setting to disable. I had that with my first set of cameras calling back to China even though they were disabled in the camera settings.  I called the developer out on that, and they promptly gave me firmware to access the cameras.

    Regardless of them receiving information from the NVR, the cameras can also transmit.  I watch mine periodically try to do it through an entirely different IP address (a 169.254.x.x address), and I have my set up as you do - connected to the NVR via PoE (which their traffic isn't allowed out).  That doesn't mean they won't call back out.  

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • 169.254.X.X is an APIPA IP addresses that is assigned to a device when it cannot reach a DHCP server. I didn't know that devices that were assigned this address can actually access the internet, but is assigned to devices so that they can be pinged and seen on the network.

    Most of these home IP cameras do things shadily.

    My IP camera attempts to connect to it's cloud service continuously non-stop. I can set the camera to point to my internal DNS server, but if the camera ever reboots it automatically resets itself back to Google's DNS 8.8.8.8.

    The camera is programmed to automatically reboot every few hours if it cannot access a DNS server. It was interesting to use Wireshark to see exactly what was going on, but since I use Pihole as my DNS server I can see every single DNS lookup and add suspicious ones to the blacklist. Even if I allow the camera to reach config.amcrestcloud.com, what data it is sending is unknown, but it will do it nonstop almost every 6 seconds.

    A NAT rule forces all DNS lookups to be directed to the Pihole even if devices try to bypass it.

Reply
  • 169.254.X.X is an APIPA IP addresses that is assigned to a device when it cannot reach a DHCP server. I didn't know that devices that were assigned this address can actually access the internet, but is assigned to devices so that they can be pinged and seen on the network.

    Most of these home IP cameras do things shadily.

    My IP camera attempts to connect to it's cloud service continuously non-stop. I can set the camera to point to my internal DNS server, but if the camera ever reboots it automatically resets itself back to Google's DNS 8.8.8.8.

    The camera is programmed to automatically reboot every few hours if it cannot access a DNS server. It was interesting to use Wireshark to see exactly what was going on, but since I use Pihole as my DNS server I can see every single DNS lookup and add suspicious ones to the blacklist. Even if I allow the camera to reach config.amcrestcloud.com, what data it is sending is unknown, but it will do it nonstop almost every 6 seconds.

    A NAT rule forces all DNS lookups to be directed to the Pihole even if devices try to bypass it.

Children
  • Yeah, that is the access via the NVR.  I have a Reolink NVR now, but I used to run Milestone on a server.  It's a great piece of software and I believe you can have up to 8 cameras on their free use license and uses a SQL database backend.  But you really need some CPU power to run it effectively.

    At any rate, the NVRs are just as shady as the cameras, so you have to be careful with them just as much. Why they make this such a high priority for their systems to get to the internet is frankly nuts.  They preach security, but the systems themselves are so hack ridden pieces of trash, the irony is astounding.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)