Poor Security Practice - Microseven Camera

PK232

n3wb
Joined
Jun 1, 2016
Messages
4
Reaction score
4
In trying to solve a network problem, I was examining packets with tcpdump on the local network when I noticed that there were packets routinely being exchanged between my Microseven M7B77-WPS security camera and an IP address on the Internet. Since the camera was powered on, but not being used, I was curious why the camera would be contacting an IP address on the Internet. I won’t bore you with the process but the end result of further examination was both surprising and disappointing.

What I found is that every 10 seconds the camera was sending a packet on port 7007 to IP address 173.254.193.108, mail.microseven.org. The information that was in those packets each time, in plain readable text, was what I would consider privileged information. The information that I was able to recognize included the Camera Type, the Camera ID (serial) Number, the User Name to access the camera, the Password to access the camera, and the camera’s PIN.

First of all, I can see no need for the camera to send this information to anyone, so why is it being sent to a Microseven server? The camera is used only locally and any video that is retained is retained locally. There is no need for the camera to have any dealings with any IP address beyond the LAN much less be passing this sort of information. Second, even if the information might be needed for some purpose on the Internet at some point, it should be requested and the user permitted to decide if it should be sent. It should not be routinely and secretly sent to the camera’s manufacturer for an unknown purpose 6 times a minute. Lastly, even if the user gives permission for the information to be revealed for a particular purpose, it should not pass over the Internet in plain text form. Even the most mundane web information is now routinely encrypted between the user and a web site. To not encrypt information such as passwords in transit is to my mind irresponsible regardless of how trivial their use might be considered.

Has anyone else seen this behavior from Microseven cameras, or figured out a way to prevent it short of blocking it at the boundary with router rules?

Below is a captured packet with the camera configured to use the default username/password and with identifying information obfuscated.



192.168.1.220.55641 > 173.254.193.108.7007: Flags [P.], cksum 0x052f (correct), seq 856610904:856610992, ack 2084556313, win 457, options [nop,nop,TS val 10916452 ecr 148998708], length 88

0x0000: 4500 008c 3a1c 4000 4006 c571 c0a8 0acb E...:.@.@..q....
0x0010: adfe c16c d8f6 1b5f 340e d858 7c3f ce19 ...l..._4..X|?..
0x0020: 8018 01c9 052f 0000 0101 080a 00a6 9264 ...../.........d
0x0030: 08e1 8a34 0100 0000 0100 0000 0000 0000 ...4............
0x0040: 4800 0000 3130 3833 4432 3030 3536 3841 H...1083D200568A
0x0050: 3631 3835 0d0a 3535 347c 3830 7c38 3139 6185..554|80|819
0x0060: 327c 3230 307c 3132 387c 6164 6d69 6e7c 2|200|128|admin|
0x0070: 7061 7373 776f 7264 7c4d 594d 3731 3038 password|MYM7108
0x0080: 3069 2d41 2d46 322e 302e 3137 0i-A-F2.0.17
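
For anyone auditing their own camera, the following is an added example, not part of the original post: it rebuilds the packet from the hex dump above, strips the IPv4 and TCP headers using their own length fields, and reports which known credentials appear verbatim in the payload. The function names and the list of secrets to check are assumptions made for illustration; DUMP is the poster's already-obfuscated capture.

```python
import re

# The poster's already-obfuscated capture, copied from the post above.
DUMP = """\
0x0000: 4500 008c 3a1c 4000 4006 c571 c0a8 0acb E...:.@.@..q....
0x0010: adfe c16c d8f6 1b5f 340e d858 7c3f ce19 ...l..._4..X|?..
0x0020: 8018 01c9 052f 0000 0101 080a 00a6 9264 ...../.........d
0x0030: 08e1 8a34 0100 0000 0100 0000 0000 0000 ...4............
0x0040: 4800 0000 3130 3833 4432 3030 3536 3841 H...1083D200568A
0x0050: 3631 3835 0d0a 3535 347c 3830 7c38 3139 6185..554|80|819
0x0060: 327c 3230 307c 3132 387c 6164 6d69 6e7c 2|200|128|admin|
0x0070: 7061 7373 776f 7264 7c4d 594d 3731 3038 password|MYM7108
0x0080: 3069 2d41 2d46 322e 302e 3137 0i-A-F2.0.17
"""

def dump_to_bytes(dump):
    """Rebuild raw packet bytes from 'tcpdump -X' style lines."""
    out = bytearray()
    for line in dump.splitlines():
        m = re.match(r"\s*0x[0-9a-f]{4}:\s+(.*)", line)
        if not m:
            continue
        for tok in m.group(1).split()[:8]:      # at most 8 hex groups per line
            if not re.fullmatch(r"(?:[0-9a-f]{2}){1,2}", tok):
                break                           # reached the ASCII column
            out += bytes.fromhex(tok)
    return bytes(out)

def tcp_payload(pkt):
    """Strip the IPv4 and TCP headers using their own length fields."""
    if pkt[0] >> 4 != 4 or pkt[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (pkt[0] & 0x0F) * 4                   # IPv4 header length
    total = int.from_bytes(pkt[2:4], "big")     # IPv4 total length
    doff = (pkt[ihl + 12] >> 4) * 4             # TCP header length
    return pkt[ihl + doff:total]

def cleartext_fields(payload):
    """Printable ASCII runs in the payload, split on CR/LF and '|'."""
    text = "".join(chr(b) if 32 <= b < 127 else "\n" for b in payload)
    return [f for f in re.split(r"[\n|]+", text) if f]

def leaked(payload, secrets):
    """Secrets (known to the camera's owner) that appear as a whole field."""
    return [s for s in secrets if s in cleartext_fields(payload)]

if __name__ == "__main__":
    payload = tcp_payload(dump_to_bytes(DUMP))
    print("sent in cleartext:", leaked(payload, ["admin", "password"]))
```

Run it against a capture from your own camera with the credentials you actually set; any non-empty result means they crossed the network unencrypted.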
 

gpower07

Getting comfortable
Joined
Dec 8, 2014
Messages
865
Reaction score
179
Location
Tracy, California
I hate this Microseven company too. A long time ago I bought a camera from them and decided to return it, and they told me they never received it.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,963
Reaction score
6,794
Location
Scotland
That's very bad, way worse than 'poor security'.

> Has anyone else seen this behavior from Microseven cameras,
Similar behaviour, though admittedly not quite as bad as you have described, is very common with IoT devices such as those used for CCTV.

> figured out a way to prevent it short of blocking it at the boundary with router rules?
That's a common action taken by the more security savvy forum members, along with the use of VLANs where the LAN capability allows it.
 