New lost camera ordered on Amazon from EmpireTech-Andy, should I be worried?

[Nic3guy333]

Updates
Found out that it isn't EmpireTech-Andy that actually send these out but actually Amazon. @EmpireTech-Andy maybe you need to speak with Amazon about that. I have never got anything that was shipped like that ever.

Bought camera from EmpireTech-Andy on Amazon. It should have arrived on the 12th but got lost somewhere for 3 days. Amazon tracking has no status of it for those 3 days. It even has a message of something along the line of it looks like your package is lost. You can wait for it or request a refund. I was going to wait for the 5 days and request for a refund but it came on the 3rd day from the expected delivery date.

Now what I'm worry about is whoever has their hands on this for those missing days might have the mac address of it. Look at how the package is shipped to me anyone in those 3 days could have opened the package and get the mac address easily. So I need advise of what to do? I thought this guy is a legit seller on here. What kinda bs packaging is that?

Pic from Amazon evidence of delivery:

 

[mat200]

Bought camera from EmpireTech-Andy on Amazon. It should have arrived on the 12th but got lost somewhere for 3 days. Amazon tracking has no status of it for those 3 days. It even has a message of something along the line of it looks like your package is lost. You can wait for it or request a refund. I was going to wait for the 5 days and request for a refund but it came on the 3rd day from the expected delivery date.

Now what I'm worry about is whoever has their hands on this for those missing days might have the mac address of it. Look at how the package is shipped to me anyone in those 3 days could have opened the package and get the mac address easily. So I need advise of what to do? I thought this guy is a legit seller on here. What kinda bs packaging is that?

Pic from Amazon evidence of delivery:
View attachment 118929View attachment 118924View attachment 118925View attachment 118926View attachment 118927View attachment 118928View attachment 118931

Hi @Nic3guy333

If you got the right camera in the box, and it works, I would be ok with it.

Remember you will be blocking this camera from random access from those on the internet using a VPN or blocking it's access from the internet completely.

 

[samplenhold]

Now what I'm worry about is whoever has their hands on this for those missing days might have the mac address of it. Look at how the package is shipped to me anyone in those 3 days could have opened the package and get the mac address easily. So I need advise of what to do? I thought this guy is a legit seller on here. What kinda bs packaging is that?

First off, Andy did not ship you the cam. Amazon did. Andy did not pack it. Amazon shipped it in the original carton. I do not see anything wrong with the carton. Any issues about that is for Amazon, not Andy.

Andy IS a 'legit seller'. Not sure what you mean by that.

As far as someone having the MAC address, so what if they do. Best practices should be to not expose the cam to the internet anyways.

 

[33696933]

Yeah thats Amazons shipping and packing method for some items and it missing was probably sitting a shipping depot for a few days. You have to watch out when checking out on Amazon for the "Item arrives in packaging that shows what’s inside. To hide it, choose Ship in Amazon packaging." or it'll show up like this if not checked

 

[mat200]

FYI - also remember, customs may also spot check packages .. amazon may also check boxes .. iirc Andy's team also checks if the cameras work before shipping often , .. so several possible people in the loop who could have checked a box ..

 

[Nic3guy333]

Ahh, thanks for the corrections, let me look into hiding the camera from the internet. Thanks guys.

 

[wittaj]

LOL - there is probably more issue with you posting pics of the serial number and QR code on a public forum than some random dude opening it up and taking the MAC address (which is highly unlikely LOL).

But in either event, if you do not give the cameras access, then nothing can be done with either number.

But if you just toss it on your router and turn on P2P, then yeah anybody can access it.

 

[garycrist]

The edges are bent up due to shipping and sorting machines. Tape the edges of the boxes so they do not
get stuck on the sorters.....

 

[Flintstone61]

Looks like Amazon could have been delivered it to the wrong address, and maybe it got kicked around a bit. or opened? then perhaps the mistake was realized and it got back into the system? Happens at my Condo from time to time, get a new driver, and shit happens. Although it's pretty dialed in now with the smart phone App they use to validate deliveries.

 

[tigerwillow1]

But if you just toss it on your router and turn on P2P, then yeah anybody can access it.

How does anybody get access via P2P?

 

[wittaj]

Do a search here. Plenty of examples of vulnerabilities. Whenever you are trusting a third party cloud service anything is possible. Camera manufactures have been found to send that data unencrypted so anyone can pull user/pw and then access the cams and the network anything else they want to do.

Best to not even give the camera that ability to interact with the internet.

 

[TonyR]

Yeah thats Amazons shipping and packing method for some items and it missing was probably sitting a shipping depot for a few days. You have to watch out when checking out on Amazon for the "Item arrives in packaging that shows what’s inside. To hide it, choose Ship in Amazon packaging." or it'll show up like this if not checked

+1 to that.
Wife gave me a new WaterPik this past Christmas, amazon shipped it in its retail box, just slapped address stickers on it, all 8 corners beat up and crushed, looked like a ball of paper mache. She was MAD.
I got a cheap analog DVR I ordered to test for someone from amazon last week...it was shipped in a #$%& plastic bag!

Yes, by all means when the option is avaialble to "ship in amazon packaging", check the box....you can't leave it up to the discretion of the soon-to-be-unionized Bezos-bots to use their judgement. Probably get a better decision from one of my dogs....

 

[sdkid]

Ahh, thanks for the corrections, let me look into hiding the camera from the internet. Thanks guys.

quick version---
use your router to set aside a number of IP's for your cams outside the range it uses for DHCP.
The range you set aside for your cams-- block internet access to those ip's.
ONLY let the cams talk to your NVR or BI server on your network.

 

[fenderman]

Absolutely nothing can be done with a mac address. Literally nothing. Its like knowing the default IP that comes with every camera. Considering that the first six digits of the mac are vendor specific randomly selecting the last six would allow you to guess the mac address of the millions of dahua cameras. How would a camera be sold after a return or used?

 

[Nic3guy333]

quick version---
use your router to set aside a number of IP's for your cams outside the range it uses for DHCP.
The range you set aside for your cams-- block internet access to those ip's.
ONLY let the cams talk to your NVR or BI server on your network.

I have a lorex system. I'm currently using their ddns to setup for remote viewing. If I go with that route you mentioned, push notifications for motions will not work anymore correct?

 

[tigerwillow1]

Do a search here. Plenty of examples of vulnerabilities.

I've been reading the vulnerabilities posts here for years, It's pretty well understood how port forwarding can be exploited. I've never once seen an explanation for how P2P gets exploited. If anybody can do it, surely somebody here must know how.

 

[mat200]

I've been reading the vulnerabilities posts here for years, It's pretty well understood how port forwarding can be exploited. I've never once seen an explanation for how P2P gets exploited. If anybody can do it, surely somebody here must know how.

ask .. and you shall receive ..

 

[wittaj]

Wow a simple search showed that you asked the same question in another thread and plenty of people commented showing how P2P is insecure...I realize reviewing that thread that you use P2P and you wanna believe you are safe using it, but there are risks associated with it....just because you refuse to believe that doesn't mean that the risk doesn't exist...best practice is not to allow these systems access to the internet.

Do any of you actually use Dahua P2P for external access to your cams?

It frightens me to think about using Dahua P2P. I turn p2p off and access the cams remotely with my WireGuard VPN. But I saw another thread mentioning using P2P which made me wonder, do any of you use it? Do you have any insight into how secure it might be?

ipcamtalk.com

But for those new and reading, here are advisories from Dahua themselves explaining P2P vulnerabilties that they found and have since closed, but that just means another exploit is out there they haven't closed yet...

Security Advisory –Information leakage vulnerability found in Dahua Web P2P control

Security Advisory –Information leakage vulnerability found in Dahua Web P2P control

www.dahuasecurity.com

Bashis finds New May 2020 Dahua Vulnerability p2p cloud credentials

https://github.com/mcw0/PoC/blob/master/Dahua-3DES-IMOU-PoC.py @bashis finds New May 2020 Dahua Vulnerability p2p cloud credentials 1. Dahua DES/3DES (broken) authentication implementation and PSK 2. Vulnerability: Dahua NetSDK leaking credentials (first 8 chars) from all clients in REALM...

ipcamtalk.com

Security Advisory –Login authentication compatibility vulnerabilities found in some Dahua products

Security Advisory –Login authentication compatibility vulnerabilities found in some Dahua products

www.dahuasecurity.com

Security Advisory –Information leakage vulnerability found in Dahua Web P2P control

Security Advisory –Information leakage vulnerability found in Dahua Web P2P control

www.dahuasecurity.com

Security Advisory –Session ID predictable vulnerability found in some Dahua products

Security Advisory –Session ID predictable vulnerability found in some Dahua products

www.dahuasecurity.com

PoC/Dahua-3DES-IMOU-PoC.py at master · mcw0/PoC

Issues has been disabled for these PoC's, as they are simply PoC, Public Domain and unsupported. - mcw0/PoC

github.com

 

[wittaj]

I mention this in that thread, but worth repeating here...

So millions of people around the world want the simplicity of Internet of Things (IoTs) to be easy to connect to their system and work. They do not want to deal with security. They wrongfully assume that because they bought it and all they have to do is scan a QR code, that all is good. A manufacturer also doesn't want to deal with endless phone calls from consumers asking how to set something up, so they make it easy.

So these companies create these QR codes/P2P and magically the new device can be seen on the consumers app. Consumer is happy. But, this device has opened up the system to gain easy access to your entire network.

I have a friend that falls under this "I just want to plug it in and scan a code and it works" mindset. Many years ago she bought a Foscam wifi camera to monitor her front door. She plugged it in and pointed it out a 2nd story window and downloaded the Foscam app and scanned the QR code and magically she could see her camera through the magic of P2P.

A few years later she bought a wifi printer and again, simply dowloaded the app from the manufacturer and scanned the QR code and she could start printing.

One time in the middle of the night, she hears her printer printing a page. She thinks maybe she is dreaming or hearing things, so she thinks nothing of it and goes back to sleep. Next morning she gets up and indeed her printer did print something in the middle of the night and the printed page says I SEE YOU and a picture of her from her Foscam camera was below the text.

She changes her wifi password in case it was the peeping perv next door that she has caught looking at her from through her window and he guessed her password, which was password because she liked things simple.

Problem still persists. She goes into Foscam app and changes the password to the camera. Problem still persists. She gets a new router and sets up a stronger password for wifi and changed the passwords of all of her devices. Problem still persists. She gets rid of camera and printer.

At some point Foscam issues a security vulnerability and issued a firmware update. Based on chatter on forums, basically the vulnerability was something like when logging into the camera with a web browser over HTTPS, the initial login to the P2P site is done using SSL. But then it establishes a connection to the HTTPS port again (for the media service) and sends all of its commands unencrypted. This means the username and passwords are being sent unencrypted. While this was a security vulnerability found in Foscam, I suspect it is in others as well. I suspect this is how my friend was hacked and someone was sending pictures of her taken from her Foscam camera to her wifi printer that she set up using the QR code.

Many articles on this site and out on the internet show how vulnerable these devices can be. I remember seeing an article of a webpage showing like 75,000 video streams around the world that were hacked into because of these vulnerabilities. I know there is an article someone on this forum where someone posted that many of these cameras do send passwords totally unencrypted and wide open easy to see for anyone knowing what they are doing.

Do not assume that because it is a name brand that they actually have good security on these cameras or any device for that matter. Think about the typical end-user that just wants simplicity to connect. And then think how a company would go about that to provide that simplicity. End result is to provide that simplicity, it comes at a cost and that cost is security vulnerabilities, which is ironic for security cameras. But if it can happen to Amazon/Ring (which is a fairly large company), it can happen to anyone, especially all the no-name brands being sold on Amazon.

For that reason, most of us here prevent the cams from having access to the internet.

 

[EMPIRETECANDY]

@Nic3guy333 thanks for your feeding back and really sorry for the trouble!

The amazon orders all processed by amazon itself, we don't know what is going on. But normally they will undertake the lost if the parcel missing or something else.
Normally they make a wrong routin, so they need some days to recover.

Just check the box inside, if all sealed well, then the box not open, this camera they haven't use extra box to ship, make the box a little bad shape.

Security issue no worry at all.

Andy