
Trying to confirm a network intrusion

Hi:

So I just did a casual audit of my network and found something curious.
My home alarm system is from Vivint.
It has a central panel, two ip cameras, some hardwired cameras, motion detectors, and door/window opening sensors.
There's nothing on this network that's not Vivint.

The trouble is I noticed two IP addresses connecting today.
I checked back a month and only today do I have these additions.

Looking at my app, the mac addresses of the ip cameras do correspond to Vivint.
The two foreign mac addresses are as follows:

1 - 06:11:22:33:44:55  Locally administered address (LAA): the address is assigned to a device by a network administrator, overriding the burned-in address.
2 - 0c:83:cc:ef:7e:7e  Vendor name: Alpha Networks Inc.

Alpha Networks Inc.
No.8 Li-shing 7th Rd.
Science-based Industrial Park
Hsinchu
Taiwan
R.O.C
Hsinchu Taiwan 300
TW.

Assignment Type MA-L

Mac Address Block Large (previously named OUI). Number of addresses 2^24 (~16 Million)


This is an ethernet connection per the logs:
"DHCPREQUEST for 172.16.222.39 (172.16.0.1) from 06:11:22:33:44:55 via eth7"
"DHCPREQUEST for 172.16.222.40 (172.16.0.1) from 0c:83:cc:ef:7e:7e (MeshNode-ef7e7d) via eth7"

Eth7 is the Ethernet network for my Vivint equipment.

This is well beyond the capabilities of the support team at Vivint.
They just grasp for the nearest script and read it back to me.  Sort of annoying, but I sympathize.

Can anyone assist in helping me figure out what's going on?
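A small triage script, added here as an example and not part of the original post, that does the two checks the post performs by hand: it parses the quoted DHCPREQUEST lines (dnsmasq-style syslog format), decodes the locally-administered (U/L) and multicast (I/G) bits of each MAC's first octet, and looks up the OUI for universally administered addresses. The OUI table holds only the one prefix the post's lookup returned, the two log lines are the ones quoted above, and the expected-vendor set passed to `triage` is a placeholder the reader fills in; all three are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the two DHCPREQUEST lines quoted in the post, one per line.
SAMPLE_DHCP_LOG = """\
DHCPREQUEST for 172.16.222.39 (172.16.0.1) from 06:11:22:33:44:55 via eth7
DHCPREQUEST for 172.16.222.40 (172.16.0.1) from 0c:83:cc:ef:7e:7e (MeshNode-ef7e7d) via eth7
"""

# Minimal OUI table. Assumption: only the one prefix the post's lookup returned;
# a real tool would load the IEEE MA-L registry instead.
OUI_TABLE = {"0c:83:cc": "Alpha Networks Inc."}

# dnsmasq-style DHCPREQUEST line: IP, server, MAC, optional "(hostname)", interface.
DHCP_RE = re.compile(
    r"DHCPREQUEST for (?P<ip>[\d.]+) \((?P<server>[\d.]+)\) "
    r"from (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
    r"(?: \((?P<host>[^)]+)\))? via (?P<iface>\S+)"
)


@dataclass
class Lease:
    ip: str
    server: str
    mac: str
    host: Optional[str]
    iface: str
    locally_administered: bool  # U/L bit (0x02 of first octet) set
    multicast: bool             # I/G bit (0x01 of first octet) set
    vendor: Optional[str]       # OUI owner, only meaningful for universal addresses


def classify_mac(mac: str):
    """Decode the two flag bits in the first octet and look up the OUI."""
    first_octet = int(mac.split(":")[0], 16)
    laa = bool(first_octet & 0x02)
    multicast = bool(first_octet & 0x01)
    # An LAA was chosen by software, so its first 3 bytes say nothing about the maker.
    vendor = None if laa else OUI_TABLE.get(mac[:8].lower())
    return laa, multicast, vendor


def parse_dhcp_log(text: str):
    leases = []
    for line in text.splitlines():
        m = DHCP_RE.search(line)
        if not m:
            continue
        mac = m["mac"].lower()
        laa, multicast, vendor = classify_mac(mac)
        leases.append(Lease(m["ip"], m["server"], mac, m["host"], m["iface"],
                            laa, multicast, vendor))
    return leases


def triage(leases, expected_vendors):
    """Flag leases that do not fit a single-vendor segment. `expected_vendors` is
    the set of OUI owners you expect there (assumption: supplied by the reader)."""
    findings = []
    for lease in leases:
        if lease.locally_administered:
            findings.append((lease.mac, "locally administered address: OUI lookup is not "
                                        "meaningful, identify it by IP/hostname instead"))
        elif lease.vendor is None:
            findings.append((lease.mac, "OUI not in local table"))
        elif lease.vendor not in expected_vendors:
            findings.append((lease.mac, f"unexpected vendor {lease.vendor!r}"))
    return findings


if __name__ == "__main__":
    # "Vivint" is a placeholder for whatever OUI owner your known devices resolve to.
    for mac, why in triage(parse_dhcp_log(SAMPLE_DHCP_LOG), {"Vivint"}):
        print(mac, "-", why)
```

Run against the two quoted lines, it reports the first address as locally administered (so the vendor lookup the post tried on it cannot tell you anything) and the second as an Alpha Networks OUI with the hostname the client sent in its request; both are worth a look on a segment that should only carry one vendor's equipment.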



  • Yes, then the NVR communicates out if allowed/not locked down.  It's usually the UID settings on NVRs and cameras that should be disabled to stop this. Sometimes, the camera itself has a setting to disable. I had that with my first set of cameras calling back to China even though they were disabled in the camera settings.  I called the developer out on that, and they promptly gave me firmware to access the cameras.

    Regardless of them receiving information from the NVR, the cameras can also transmit.  I watch mine periodically try to do it through an entirely different IP address (a 169.254.x.x address), and I have my set up as you do - connected to the NVR via PoE (which their traffic isn't allowed out).  That doesn't mean they won't call back out.  

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • So I have a UTM.

    I have created the 172.16 network for the Vivint security system.
    A DHCP server has been created for every network on the UTM.
    The 172.16.0.1 range does not tell you that I am using an XG firewall.
    This is one of the unroutable public address spaces that anyone can use.
    The Vivint system is simply on this network.  It does not use the UTM's DHCP services, though I think the central panel might. The IP cameras seem to use the panel as a router, a DHCP server etc... 
    The UTM has an address on every network created.  I suspect that is the address for the Vivint network.

  • 169.254.X.X is an APIPA IP address that is assigned to a device when it cannot reach a DHCP server. I didn't know that devices that were assigned this address can actually access the internet, but it is assigned to devices so that they can be pinged and seen on the network.

    Most of these home IP cameras do things shadily.

    My IP camera attempts to connect to its cloud service continuously non-stop. I can set the camera to point to my internal DNS server, but if the camera ever reboots it automatically resets itself back to Google's DNS 8.8.8.8.

    The camera is programmed to automatically reboot every few hours if it cannot access a DNS server. It was interesting to use Wireshark to see exactly what was going on, but since I use Pihole as my DNS server I can see every single DNS lookup and add suspicious ones to the blacklist. Even if I allow the camera to reach config.amcrestcloud.com, what data it is sending is unknown, but it will do it nonstop almost every 6 seconds.

    A NAT rule forces all DNS lookups to be directed to the Pihole even if devices try to bypass it.
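The post above relies on Pi-hole showing every lookup so that the suspicious ones can be blacklisted. The script below is an added example, not the poster's own tooling: it reads lines in the dnsmasq query-log format Pi-hole writes, groups lookups per client and name, and flags names that recur at a short, regular interval (the "every 6 seconds" pattern described above), then emits them as blocklist entries. The log lines, client addresses and the 2024 year are constructed, and the thresholds are assumptions to tune.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample lines in the dnsmasq query-log format Pi-hole writes
# (/var/log/pihole.log). One client repeats the same lookup every 6 seconds;
# another does ordinary, infrequent lookups. Hosts and addresses are made up.
SAMPLE_QUERY_LOG = """\
Mar  3 10:00:00 dnsmasq[812]: query[A] config.amcrestcloud.com from 192.168.1.50
Mar  3 10:00:01 dnsmasq[812]: query[A] example.org from 192.168.1.20
Mar  3 10:00:06 dnsmasq[812]: query[A] config.amcrestcloud.com from 192.168.1.50
Mar  3 10:00:12 dnsmasq[812]: query[A] config.amcrestcloud.com from 192.168.1.50
Mar  3 10:00:18 dnsmasq[812]: query[A] config.amcrestcloud.com from 192.168.1.50
Mar  3 10:00:24 dnsmasq[812]: query[A] config.amcrestcloud.com from 192.168.1.50
Mar  3 10:07:30 dnsmasq[812]: query[AAAA] example.org from 192.168.1.20
"""

QUERY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)$"
)


def parse_queries(text, year=2024):
    """Return (client, name, timestamp) tuples; syslog lines carry no year, so one is supplied."""
    events = []
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((m["client"], m["name"].lower().rstrip("."), ts))
    return events


def find_beacons(events, max_interval=10.0, min_count=4, allowlist=()):
    """Per (client, name), flag lookups that recur at a short, regular interval.
    Returns (client, name, count, median_interval_seconds) tuples. Thresholds are assumptions."""
    by_pair = defaultdict(list)
    for client, name, ts in events:
        by_pair[(client, name)].append(ts)
    findings = []
    for (client, name), stamps in sorted(by_pair.items()):
        if name in allowlist or len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if median(gaps) <= max_interval:
            findings.append((client, name, len(stamps), median(gaps)))
    return findings


def blocklist_entries(findings):
    """Domains from the findings, one per line, ready to paste into a Pi-hole blacklist."""
    return sorted({name for _, name, _, _ in findings})


if __name__ == "__main__":
    hits = find_beacons(parse_queries(SAMPLE_QUERY_LOG))
    for client, name, n, gap in hits:
        print(f"{client} -> {name}: {n} lookups, median gap {gap:.0f}s")
    print("\n".join(blocklist_entries(hits)))
```

This only sees lookups that reach the Pi-hole, which is why the NAT redirect the post mentions matters: a device that silently resets itself to 8.8.8.8 would otherwise vanish from this log entirely. Pass `allowlist` for names you have decided to permit so they stop showing up in the findings.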

  • Yeah, that is the access via the NVR.  I have a Reolink NVR now, but I used to run Milestone on a server.  It's a great piece of software and I believe you can have up to 8 cameras on their free use license and uses a SQL database backend.  But you really need some CPU power to run it effectively.

    At any rate, the NVRs are just as shady as the cameras, so you have to be careful with them just as much. Why they make this such a high priority for their systems to get to the internet is frankly nuts.  They preach security, but the systems themselves are such hack-ridden pieces of trash, the irony is astounding.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • My mistake. I thought so because the XG uses 172.16.16.16 as the default gateway.

  • I see. This reminds me of newer Android phones that have "randomized MAC addresses" when connecting to wifi. From your previous posts it seems you think that the Vivint system is communicating back home through some VM. I'm just trying to figure out how these cameras get their IP addresses as it seems the Vivint control panel is acting as the DHCP server for the cameras and not the UTM. 

    The main gist of this thread was that you were trying to "confirm a network intrusion". By that you mean does the system contact a C&C server, or have some type of exploit? 

    In the UTM there is an option to block "encrypted and unscannable" content. That would be a start, if the Vivint system was using some encrypted communication. Also the web filter can block uncategorized/malicious websites, spyware communication and remote access websites.

  • Interesting.

    Where is this "In the UTM there is an option to block 'encrypted and unscannable' content"?
    I was considering an intrusion.  It's not clear to me what the two spurious ip addresses are.  I was thinking perhaps an engineer at the security company spun up some VMs to investigate why my network is so locked down.
    I suspect the cameras use the Control Panel as a DHCP server as well as a proxy via VPN for video traffic to go to the main servers.  As there are hardwired in addition to IP cameras, this would make sense to me.

  • It's in WebAdmin-->Web Protection-->Filtering Options-->Misc--->Block unscannable and encrypted files.

    You have more access to the user manuals of the Vivint system than we do. Also I'm not sure if "Decrypt and scan" has to be enabled for the UTM to "block encrypted and unscannable" traffic since normal HTTPS traffic would look encrypted to it with decrypt and scan disabled.

    Anyways I'm going to go out on a limb and assume that the Vivint system probably doesn't allow you to install the web filter's HTTPS decryption certificate CA on it. If you could at least look into the options and make sure settings you don't use are disabled like P2P, UPnP, port forwarding, etc.

    Unless you have in-depth knowledge of packet capture and TCP dumps there's only so much you can really do.

    A lot of users are using Pi-Hole on their networks as their DNS server and keeping DNS-over-HTTPS disabled on their devices so they can see exactly what every device is connecting to and using the malware/spyware adlists.

  • Interesting. I have it set to block unscannable and encrypted files.
    I use a Wireguard VPN every day on multiple machines and it works just fine so I'm thinking this doesn't work.

  • Like I said, I think "block unscannable and encrypted files" only works when decrypt and scan is enabled since the UTM can't decrypt the HTTPS/TLS connection otherwise and it would be blocking all your web browsing thinking it was encrypted.

    The other option to consider is enabling Network Visibility in application filtering and using the flow monitor to see where the Vivint is connecting to and block that traffic or at least have more insight into what it is connecting to and what type of traffic it's sending out.

    Try this:

    1. Go to application control-->application control rules.

    2. Create a new application control rule.

    3. Select Action: ALLOW.

    4. Add ALL applications to it.

    5. Add your Vivint network.

    6. Select log.

    Now you can see anything but this overrides any webfiltering rules you have and if the data is encrypted it might show up and tell you what service. It might not be safe to do this though.

    Or create a firewall rule at the top to allow all outgoing services from the Vivint network and log it. Then search your log file for the rule that matches, but it will override any firewall rules you have blocking anything below it in the rule list.