Constant Attempt to Connect to Dan Burkett
-
- Posts: 22
- Joined: Wed Jan 11, 2017 12:32 am
Re: Constant Attempt to Connect to Dan Burkett
vegas50000 wrote: http://blog.podsnap.com/amcrest.html
Good blog post!
This still doesn't explain, (unless I'm missing something?) WHY if you are NOT using cloud services of any kind, the IP2M-841 would be trying to send out?
"I fired off a nice email to [email protected], inquiring about "the methods you use to protect the privacy and security of users." Surprisingly, they wrote back. Unsurprisingly, they don't really see an issue here:
Your packet analysis is correct that FTP is used for media transfer during media upload, which is very common for almost all IP cameras. It's important to point out that our FTP server implementation does not permit user access or any file retrieval (upload only) and every camera's FTP credentials are unique to that camera, and are destroyed when the camera is removed from the cloud.
The upload-only ftp drop is very slightly reassuring, in that spies would need to capture and reassemble each file in real time, rather than perusing a library of mp4's at their leisure. On the other hand, it did occur to me that a careful burglar - less interested in spying on me than preventing me from spying on him - might think to overwrite incriminating uploads. Please don't tell Fido, but I verified that (1) I could indeed log into the ftp server manually, (2) I could not RETR the file that my camera had uploaded, but (3) I could indeed overwrite it with one containing only the string "Hello".
Also, for what meanings of "very common" and "almost all" is "very common for almost all" distinguishable from "very common" or "almost all" separately? I worry about these things."
I am not using CamCloud or any other service outside of my LAN for the Amcrest cameras. They are sending recordings to a LAN based FTP location on a NAS (or at least are supposed to be doing so), which is ONLY available from my private LAN. If I need access to the cameras while away from my LAN, I run a VPN connection back to my LAN...and this is verified to work for access to everything needed on my LAN...and also verified that NO LAN devices are accessible from outside without the VPN. That is kind of the whole point of running a VPN...
I'm still deducing this is pure BS spying or backdoors purposefully built into the Amcrest Camera software. Lots of folks should be bitching IMHO. Aside from bitching in a loud voice, EVERYBODY should be:
1.) Using Static IPs, and putting Amcrest Cameras in a contiguous Private LAN Subnet space.
2.) Disabling ANY Amcrest Cloud functions.
3.) Disabling Amcrest p2p settings.
4.) Locking down your Router outbound traffic on the Amcrest camera IPs, to drop EVERYTHING, unless you need it like for email or NTP.
We SHOULD NOT have to do this. But I suspect that as IoT grows, we will only have to be ever more vigilant...
Re: Constant Attempt to Connect to Dan Burkett
Hello -
To clarify some of the questions regarding the camera's connection to the cloud.
1 - By design, the camera does connect to the cloud servers so that it's available to be added to a user's account. No video data is transmitted during this step and if the camera is not added to a user's account within 2 hours the connection from the cloud servers is dropped.
2 - The information related to the cloud services provider being discussed here is simply standard information contained within the server's TLS certificate. It's part of the information exchanged when establishing a trusted TLS (SSL) connection, along with exchanging encryption keys. Here's a primer on TLS for those that are interested: https://en.wikipedia.org/wiki/Transport_Layer_Security
-
- Posts: 22
- Joined: Wed Jan 11, 2017 12:32 am
Re: Constant Attempt to Connect to Dan Burkett
Raheel wrote: 1 - By design, the camera does connect to the cloud servers so that it's available to be added to a user's account. No video data is transmitted during this step and if the camera is not added to a user's account within 2 hours the connection from the cloud servers is dropped.
Nope. The connection remains active indefinitely, even after factory reset.
After I updated to the latest firmware from the Amcrest website, my cameras started talking to three different servers. This connection is persistent and does not stop. This did not happen before I updated the firmware.
Please explain this.
192.168.1.6 is my Amcrest IP2M-841 camera
192.168.1.7 is my Amcrest IP3M-943 camera
192.168.1.8 is my Amcrest IP3M-943 camera
Re: Constant Attempt to Connect to Dan Burkett
vegas50000 wrote:
Raheel wrote: 1 - By design, the camera does connect to the cloud servers so that it's available to be added to a user's account. No video data is transmitted during this step and if the camera is not added to a user's account within 2 hours the connection from the cloud servers is dropped.
Nope. The connection remains active indefinitely, even after factory reset.
After I updated to the latest firmware from the Amcrest website, my cameras started talking to three different servers. This connection is persistent and does not stop. This did not happen before I updated the firmware.
Please explain this.
Hey there vegas50000,
The camera will reboot after a firmware update, meaning the connection would be active again for the 2-hour window where the camera will ping the external servers. Can you confirm if this is happening after the 2-hour window from the time the camera reboots?
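One way to answer that question from logs, as an added example that is not part of any post in this thread: the script flags camera-to-server connections still seen ESTABLISHED more than two hours after the camera rebooted. The record layout, addresses, reboot times and function names are constructed for illustration; when a camera's reboot time is unknown, the script falls back to its first observation, which can only understate the elapsed time.

```python
from datetime import datetime, timedelta

GRACE = timedelta(hours=2)  # registration window stated by Amcrest staff in this thread
# Constructed sample (not from the thread), one connection-table snapshot per line:
# date time camera_ip remote_ip remote_port state
SAMPLE = """\
2017-01-01 08:05:00 10.0.0.11 198.51.100.7 443 ESTABLISHED
2017-01-01 09:30:00 10.0.0.11 198.51.100.7 443 ESTABLISHED
2017-01-01 11:45:00 10.0.0.11 198.51.100.7 443 ESTABLISHED
2017-01-01 08:10:00 10.0.0.12 203.0.113.9 443 ESTABLISHED
2017-01-01 09:40:00 10.0.0.12 203.0.113.9 443 ESTABLISHED
2017-01-01 12:00:00 10.0.0.12 203.0.113.9 443 TIME_WAIT
2017-01-01 08:00:00 10.0.0.13 198.51.100.7 443 ESTABLISHED
2017-01-01 10:30:00 10.0.0.13 198.51.100.7 443 ESTABLISHED
2017-01-01 10:31 truncated line
"""
# Hypothetical known reboot times; 10.0.0.13 is deliberately missing.
REBOOTS = {"10.0.0.11": datetime(2017, 1, 1, 8, 0),
           "10.0.0.12": datetime(2017, 1, 1, 8, 0)}

def parse(text):
    """Yield (timestamp, camera, remote, port, state), skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        try:
            ts = datetime.strptime(" ".join(parts[:2]), "%Y-%m-%d %H:%M:%S")
            yield ts, parts[2], parts[3], int(parts[4]), parts[5]
        except ValueError:
            continue

def past_window(records, reboots, grace=GRACE):
    """Return {(camera, remote, port): last_seen} for flows seen ESTABLISHED
    after reboot + grace. Samples may span reconnects; the question is only
    whether the camera is still connected once the window has closed."""
    first_seen, last_est = {}, {}
    for ts, cam, remote, port, state in records:
        first_seen[cam] = min(ts, first_seen.get(cam, ts))
        if state == "ESTABLISHED":
            key = (cam, remote, port)
            last_est[key] = max(ts, last_est.get(key, ts))
    # Unknown reboot time: the first observation is a lower bound on uptime.
    return {key: last for key, last in last_est.items()
            if last > reboots.get(key[0], first_seen[key[0]]) + grace}

if __name__ == "__main__":
    for (cam, remote, port), last in sorted(past_window(parse(SAMPLE), REBOOTS).items()):
        print(f"{cam} -> {remote}:{port} still ESTABLISHED at {last}")
```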
Re: Constant Attempt to Connect to Dan Burkett
I didn't want to paste a ton of spam, but I'm well beyond the 2 hour window.
19:21:39.917645 IP 52.91.189.219.8802 > 192.168.128.51.43211: UDP, length 28
19:21:46.799666 IP 54.88.9.177.443 > 192.168.128.51.38103: Flags [P.], seq 1339879989:1339880046, ack 4086784577, win 259, options [nop,nop,TS val 570156962 ecr 83040], length 57
19:22:00.828865 IP 52.91.189.219.8802 > 192.168.128.51.43211: UDP, length 28
<truncated>
19:29:43.074343 IP 52.91.189.219.8802 > 192.168.128.51.43211: UDP, length 28
19:29:46.748735 IP 54.88.9.177.443 > 192.168.128.51.38103: Flags [P.], seq 1339880901:1339880958, ack 4086785537, win 259, options [nop,nop,TS val 570276965 ecr 131039], length 57
-
- Posts: 1
- Joined: Sun May 14, 2017 7:41 am
Re: Constant Attempt to Connect to Dan Burkett
Just a "me too" on this. I installed my first 5 cameras about 10 days ago. I am not using Amcrest Cloud. I noticed today that there have been nearly 6000 DNS requests to resolve config.amcrestcloud.com (logged by my DNS provider)
I then set up a firewall rule to block outgoing connections from the cameras. There are actually about 5 DNS requests PER SECOND, PER CAMERA from the 3 IP2M-841B cameras (indoor pan/tilt zoom cameras). Interestingly, the 2 IP2M-842B cameras (outdoor bullet cameras) do NOT seem to generate these outbound connection attempts.
I have attached a screen shot of a partial log from my firewall...just for 2 seconds of activity. The 3 cameras in question are on 192.168.7.190, 191 and 192.
This seems to me to be a fairly serious problem with the IP2M-841B cameras running the 2.420.AC00.17.R, Build Date: 2017-03-22 firmware. (I do not know if older builds of the firmware have the same behavior.)
Attachment: FWLog.PNG (97.89 KiB)
-
- Posts: 22
- Joined: Wed Jan 11, 2017 12:32 am
Re: Constant Attempt to Connect to Dan Burkett
When is this getting fixed?
Re: Constant Attempt to Connect to Dan Burkett
Hello all,
The issue has been reported to our developers and they are looking into it. Thank you for the information provided.
Re: Constant Attempt to Connect to Dan Burkett
I read the full thread and I would like to know if changing Default Gateway and/or DNS Servers in Network > TCP/IP in the camera to something like 192.168.0.254 (i.e. not the proper one -> 192.168.0.1) would be a workaround to impede outbound Internet traffic. Thank you.