P2P camera protocol technical info

Dodutils

Hello,

A few days ago I tried the P2P feature of the Escam QD900 using a generic P2P camera client software on my smartphone and also on my PC from a different Internet access point.

As expected it worked well, zero setup: I just had to enter the UID, which is unique for each camera (depending on the camera's vendor the structure of this UID may differ, but mine is something like ABCD-012345-ABCDE), a login and a password.

Then I wondered how it was possible to make this thing so easy with no usual NAT translation, DynDNS stuff...

So I started digging trying to understand how this P2P camera protocol works and did some network sniffing.

First the camera sends some info to a server "somewhere" and transmits its UID so the server can associate the UID with the source IP address (the public IP of the router), a bit like any DynDNS service.

After that I also wondered how the video stream could flow between client and camera, as both are behind a router with internal private IP addresses, no DMZ, no port redirection/NAT and no UPnP configured (checked on both sides' routers).

So I did some network sniffing, which showed some UDP communication with three kinds of packets:

At the beginning the P2P client sent some "request for info" packets to some server with the UID of the camera I entered during configuration.

upload_2017-2-18_16-52-52.png

Then I saw direct UDP communication between the camera and the P2P Client.

The first UDP packets contained the UID, so I suppose they first checked "are you camera UID XXXX?"

Then came some HTTP-like GET requests to check whether some user account login/password exists in the camera, and a few more to retrieve some technical info from the camera, and finally the video stream started. But as you can see the packets are clear text with full login/password!!! So the video stream may not be encrypted either :-( Maybe this P2P protocol allows encryption and it is the camera (or the P2P client) that does not support it; I have no info about this, but maybe some reader of this thread will have an answer.

upload_2017-2-18_17-2-23.png

The video stream itself is a mix of 1032-byte incoming UDP packets containing the video stream and 10-byte outgoing UDP packets (I guess some ACK), plus some GVSP UDP packets (GigE Vision - Wikipedia). As I did no NAT nor UPnP, I suppose the camera (I did not fully sniff that side yet) initiated some outgoing forged UDP packet to let the router allow the answering UDP packets back in with the source IP of the P2P client, which may have been communicated by the server to the camera. So from now on we have a direct video stream between camera and P2P client, and the server is not used anymore; it is not used as a "proxy", as it would have been if the protocol had been TCP, not UDP.

upload_2017-2-18_17-38-57.png

One user of this forum, @Fastb, said that one of his P2P cameras used more than 2 GB/month without any P2P client watching the stream, and this is very strange as my camera does not send anything out if no P2P client is connected (except a few packets from time to time to the Chinese server, but those represent only a few bytes per day).

But maybe there are multiple ways this P2P protocol is implemented? Or maybe someone hacked into his system, I don't know; some investigation/network sniffing would be interesting, @Fastb.

So this is how far my investigation into this P2P camera protocol has gone, and I am fully open to any explanation because I am really curious about it, especially the security aspect, which from what I saw is non-existent... it's open bar!

regards.
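
The behaviour supposed in the post above (each side sends an outgoing UDP packet so that its own router accepts the peer's packets) is commonly called UDP hole punching. The following toy model is an added example, not part of the original thread and not the camera's actual protocol; the `Nat` class, addresses and ports are constructed for illustration.

```python
class Nat:
    """Toy port-restricted NAT: inbound UDP is forwarded only if an inside
    host already sent a packet to that exact remote (ip, port)."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.next_port = 40000
        self.mapping = {}   # inside endpoint -> public port
        self.allowed = {}   # public port -> remote endpoints contacted

    def outbound(self, src, dst):
        """Inside host src sends to dst; return the public source endpoint."""
        if src not in self.mapping:
            self.mapping[src] = self.next_port
            self.next_port += 1
        port = self.mapping[src]
        self.allowed.setdefault(port, set()).add(dst)
        return (self.public_ip, port)

    def inbound(self, remote, public_port):
        """True if a packet from remote to public_port is let through."""
        return remote in self.allowed.get(public_port, set())


def simulate():
    # All addresses and ports are constructed (documentation ranges).
    server = ("203.0.113.10", 9000)                 # rendezvous server
    cam_nat, cli_nat = Nat("198.51.100.7"), Nat("192.0.2.55")
    cam, cli = ("192.168.1.20", 5000), ("10.0.0.8", 6000)
    result = {}
    # 1. Both sides contact the server, which learns their public endpoints.
    cam_pub = cam_nat.outbound(cam, server)
    cli_pub = cli_nat.outbound(cli, server)
    # 2. Before punching, a direct packet from the client is dropped.
    result["before"] = cam_nat.inbound(cli_pub, cam_pub[1])
    # 3. The server tells each side the other's endpoint and each sends one
    #    UDP packet to it; that outbound packet opens its own router.
    cam_nat.outbound(cam, cli_pub)
    cli_nat.outbound(cli, cam_pub)
    # 4. Traffic now flows directly both ways, without the server.
    result["client_to_cam"] = cam_nat.inbound(cli_pub, cam_pub[1])
    result["cam_to_client"] = cli_nat.inbound(cam_pub, cli_pub[1])
    # 5. A host the camera never contacted is still dropped.
    result["stranger"] = cam_nat.inbound(("192.0.2.99", 7000), cam_pub[1])
    return result


if __name__ == "__main__":
    print(simulate())
```

If the camera's network segment cannot send UDP to the Internet at all, step 1 never happens and no mapping exists for a peer to use.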
 

nayr

Nice work

Different vendors have different implementations; Dahua P2P will not work with generic 3rd-party apps and only works with their own. Also, depending on the network you might not see much traffic, but if your ISP has a hard-set connection timeout limit, closing any idle sockets open longer than 15 mins, then it's going to repeat that handshake over and over all day long and that'll start adding up. Mobile networks really don't like you keeping persistent connections open (screws with roaming between towers), so they tend to be aggressive at killing connections that are held open for a while.

Cameras don't encrypt anything generally; RTSP is not encrypted and will transmit credentials in the plain, even if you enabled HTTPS for the web you're still leaking login info in plain text all over. P2P is a security risk, that's for sure, and should only be used when you have absolutely no other choice.
 

Dodutils

> P2P is a security risk, that's for sure, and should only be used when you have absolutely no other choice.

This is what I think too. I do not use P2P myself, I just wanted to try it and was really curious because I found no intel about how it really works. The vendor provides P2P in the camera but says nothing about security: where the P2P servers are located, what info they get from your camera, whether they store any logs and, if yes, where they are stored, for how long, who accesses them... I mainly do healthcare medical data and services hosting at work, with huge legal/technical constraints about security/privacy/accessibility/traceability, so as soon as I get a new "connected" device the first thing that comes to my mind is "how secure is it" and "how does it ensure my privacy".
 

richtj99

I know this is a fairly old thread, but how do you packet sniff this stuff? The apps I am using are Android and I am a bit confused about how to grab the data on my network. I have a few Windows PCs and am happy to learn. I am just not quite sure how to do it.

I keep these 'things' on an internetless VLAN so I don't mind if it phones home, as it can't (or I think it can't).
 

Dodutils

Use Wireshark or SmartSniff or tcpdump (I use SmartSniff 99% of the time, small, simple, easy; Wireshark is only for deeper analysis; and tcpdump is for when I use a console and save the sniffed packets into a .pcap file that I can reopen in Wireshark or SmartSniff), but for how to use and understand those tools... Google is your friend.
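
Once a capture has been saved to a .pcap file, it can be checked offline for the kind of cleartext login parameters the first post found in the UDP traffic. The following is an added example, not part of the thread: it assumes a classic little-endian pcap with Ethernet frames (not pcapng), and the parameter names, the `/example.cgi` path and the addresses in the sample are constructed.

```python
import re
import struct

# Credential-looking query parameters. The names are an assumption for this
# example; adjust them to what your own capture shows.
CRED_RE = re.compile(rb"[?&](user(?:name)?|login|pass(?:word)?|pwd)=", re.I)

def udp_payloads(pcap):
    """Yield (src, dst, payload) per IPv4/UDP packet of a classic
    little-endian pcap with Ethernet link type."""
    magic, linktype = struct.unpack_from("<I16xI", pcap, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian pcap with Ethernet frames")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, off + 8)[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue  # too short, not IPv4, or not UDP
        udp = 14 + (frame[14] & 0x0F) * 4
        if len(frame) < udp + 8:
            continue
        sport, dport = struct.unpack_from("!HH", frame, udp)
        src = ".".join(map(str, frame[26:30])) + f":{sport}"
        dst = ".".join(map(str, frame[30:34])) + f":{dport}"
        yield src, dst, frame[udp + 8:]

def find_cleartext_credentials(pcap):
    """Return (src, dst, parameter name) per hit; values are not kept."""
    return [(src, dst, m.group(1).decode().lower())
            for src, dst, payload in udp_payloads(pcap)
            for m in CRED_RE.finditer(payload)]

def sample_pcap():
    """Constructed capture: one HTTP-like GET over UDP, one binary packet."""
    def record(payload):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0,
                         64, 17, 0, bytes([192, 0, 2, 55]), bytes([198, 51, 100, 7]))
        udp = struct.pack("!HHHH", 6000, 40000, 8 + len(payload), 0)
        frame = b"\x00" * 12 + b"\x08\x00" + ip + udp + payload
        return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return (header + record(b"GET /example.cgi?user=admin&pwd=EXAMPLE HTTP/1.1")
            + record(b"\x00\x01" * 20))

if __name__ == "__main__":
    print(find_cleartext_credentials(sample_pcap()))
```

To run it on a real capture, pass `open("capture.pcap", "rb").read()` to `find_cleartext_credentials`.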
 

Holbs

Out of curiosity... the OP used a generic camera for this testing over 5 years ago.
I always turn off P2P on all my Dahua cameras so do not know how other manufacturers do P2P.
Has anyone wiresharked P2P for the top 5 various cloud-based cameras such as Ring or even Dahua? I could wireshark the Dahua VTO video doorbell and see exactly what happens. Just curious about the more popular cloud-based camera systems.
 

richtj99

Sorry - I wouldn't use P2P, but the camera apps are using 'lookcam'. The Android packet sniffer I am using isn't finding the URL, but the app can see video, so somehow the stream is coming.

I would love to find the stream as it's a brandx cheapie cam that definitely wants to phone home. Regardless, there is a stream and an IP but I can't find the info - but would like to do so.
 