GW Security camera phoning home

Apollo · Aug 5, 2016

In another thread I mentioned that I recently purchased a GW Security camera from Amazon. My experience with the camera has been mixed, the biggest problem being very jerky video when there's any significant motion captured. Adding to my buyer's remorse was the lack of any meaningful user information available for the camera, a really buggy web interface, and technical support that leaves something to be desired.

To my dismay, I just discovered that the camera has established connections with several IP addresses in China, one in Singapore, one in the Netherlands, and a few in the US, including alibaba.com. Here's a list of the addresses that I've identified:

45.125.192.226
47.88.84.166 (alibaba.com)
61.143.160.183
61.164.252.245
111.38.109.95
125.46.39.69
173.208.220.138 (wholesaleinternet.com)
174.139.192.218 (krypt.com)
195.162.69.19

I remember reading about similar occurrences with Foscam cameras. I find it disturbing that any information (or video) from my camera is being sent anywhere without my consent, and without any disclosure.

In any case, I've blocked outbound traffic at my router and I'm pretty sure I'm going to return the camera to Amazon for a refund. Hopefully I can find a replacement with a varifocal lens or a fixed lens providing the relatively narrow angle of view that I need.

tangent · Aug 6, 2016

return it. but be aware amazon isn't as generous about returns as they used to be. If you decreased the bit rate you might be able to keep it from choking on motion.

You can get a similar Dahua for about the same price: http://www.aliexpress.com/item/Dahua-IPC-HDW4421C-IR-IP-Camera-4MP-Full-HD-Network-IR-security-cctv-DH-IPC-HDW4421C/32407581743.html

If the camera has a "P2P" type NAT traversal feature, you might try disabling that and making sure you switch the time server to somewhere in the US. I wonder if the IP's are hard coded or it it's doing DNS lookups.

fenderman · Aug 6, 2016

Post a link to this thread in the amazon reviews...others should know about this....

tangent · Aug 6, 2016

If you're curious, you could fire up wireshark on a pc with 2 NICs to get a sense of what's actually being exchanged with these addresses. If you don't have a pc with 2 nic's, you might be able to turn on IGMP snooping.

Brad_C · Aug 6, 2016

tangent said:
If you're curious, you could fire up wireshark on a pc with 2 NICs to get a sense of what's actually being exchanged with these addresses. If you don't have a pc with 2 nic's, you might be able to turn on IGMP snooping.

You don't need to go to that extent. Fire up an alias ip address on your NIC using a different subnet. Have the camera on that subnet and using your alias IP address as the default gateway. It'll route all traffic straight through your OS network stack.
This is a 10 second command line exercise on Linux. I know Windows used to have some form of "Internet connection sharing" that might facilitate the same thing if that OS is more your pace.
I keep an old 10BaseT 8 port hub around for stuff like this when I can't easily do what I need to do in software, the switch does not support snooping, or I'm on someone elses network, but on your network at home it should be a piece of cake. Heck, run tcpdump on the router directly!

Frankly I'm half surprised and half not surprised.

alastairstevenson · Aug 6, 2016

I keep an old 10BaseT 8 port hub around for stuff like this when I can't easily do what I need to do in software

Snap.
But you do have to wade through masses of retransmissions when examining the traffic, even with just 2 devices connected.
Your alias suggestion is good.

Apollo · Aug 6, 2016

Thanks for the replies everyone. I will link back to here in my upcoming Amazon review. I found several more attempts to these addresses:

8.8.8.8 (google DNS)
46.137.188.54 (Amazon cloud. Also referenced in this Foscam forum post)
50.19.254.134
61.188.37.216
74.125.31.99 (google)
180.76.76.76
220.181.111.147 (Also referenced in this article about a Swann DVR )
220.181.111.148
223.6.6.6

I may try to look at the data being exchanged if I can find the time to set it up. I have Wireshark installed on my main PC but only one NIC. I might try Brad_C's suggestion, or I might just say the hell with it and move on with a better camera like the Dahua suggested by tangent.

Apollo · Aug 6, 2016

I wonder if the IP's are hard coded or it it's doing DNS lookups.

Possibly both. There were two China-based IP addresses in the DNS fields. The interface wouldn't let me delete them so I changed them to all zeros.

rnatalli · Aug 7, 2016

Most IP cameras will do this to some extent. Ironically, the only camera I recall not doing it was the Foscam FI9803P v2 after a recent firmware update following an outcry from users on their forums. The solution is simple, set the camera to static IP and then wipe out the gateway and DNS addresses. You can also block the cameras at the router, but I would only do this after the other step as doing this alone will put some load on the router.

Brad_C · Aug 7, 2016

rnatalli said:
Most IP cameras will do this to some extent.

I'd debate that. Perhaps most cheap Chinese IP cameras do it, but real cameras used in real security environments don't attempt to call home. They'd be laughed out of the industry if they did.

rnatalli · Aug 7, 2016

Brad_C said:
I'd debate that. Perhaps most cheap Chinese IP cameras do it, but real cameras used in real security environments don't attempt to call home. They'd be laughed out of the industry if they did.

Good point of clarification.

Sent from my iPhone using Tapatalk

Apollo · Aug 7, 2016

Removing the DNS addresses didn't stop the camera from continuing to try several IP addresses every few seconds, so I did have to block outbound traffic.

rnatalli · Aug 8, 2016

Apollo said:
Removing the DNS addresses didn't stop the camera from continuing to try several IP addresses every few seconds, so I did have to block outbound traffic.

Remove the gateway address too. Often times it is 192.168.1.1.

Sent from my iPhone using Tapatalk

tangent · Aug 8, 2016

rnatalli said:
Remove the gateway address too. Often times it is 192.168.1.1.

Sent from my iPhone using Tapatalk

If certain dynamic routing options are enabled on your router blocking it could be harder than you realize. If a cam was truly designed with malintent, it could be hard coded to try various common gateway addresses or request a dhcp address even if dhcp is disabled on the cam.

nayr · Aug 8, 2016

also note that configuring cameras w/no gateway is very liable to render remote access via VPN impossible.. remote vpn clients are often on another subnet and routed to your LAN through the gateway.

network security is always best when its enforced externally.. as @tangent just pointed out, dont trust the devices.

Apollo · Aug 9, 2016

Happily, the camera has not been able to connect to any of the IPs since I set up a rule to deny any attempts to access the internet. I was not able to remove the gateway (from the camera interface), but was able to change it to non-existent IP, but that had no discernible effect.

Search

GW Security camera phoning home

Apollo

Young grasshopper

tangent

fenderman

tangent

Brad_C

Banned

alastairstevenson

Apollo

Young grasshopper

Apollo

Young grasshopper

rnatalli

Getting the hang of it

Brad_C

Banned

rnatalli

Getting the hang of it

Apollo

Young grasshopper

rnatalli

Getting the hang of it

tangent

nayr

Apollo

Young grasshopper