New lost camera ordered on Amazon from EmpireTech-Andy, should I be worried?

[SpacemanSpiff]

There are quite a few manufacturers whose network-type products have the S/N and MAC information on the exterior sticker of the factory packaging

Ahh, thanks for the corrections, let me look into hiding the camera from the internet. Thanks guys.

Here's a great read, right here on this site. In fact, take some time and read thru all of the great info on the wiki page here.

 

[Nic3guy333]

Thank you all for you feedbacks. I'm learning a lot from just this post. Been using lorex and its ddns solutions for remote viewing and motion detection notifications for years. Now I need to look into this a bit further

 

[The Automation Guy]

MAC address are not unique either.......

Most people assume that they are, but it's a false assumption. While it would be extremely rare to end up with two devices in you home with the same MAC address, it is possible (and would require that you change one of the MAC addresses). As previously noted, the first 6 digits of the MAC address are specific to the manufacturer which only leaves the last 6 digits to identify the device. This means there are only about 16 million unique combinations per manufacture (not per model). That sounds like a lot, but consider there are an estimated 900 million iPhones alone (which doesn't include all the other Apple products that have MAC addresses too) and you can see that duplicate MAC addresses are very common.

 

[SpacemanSpiff]

On the other hand...

In newer versions of iOS, apple has added a feature that is enabled by default. It assigns a random MAC address to the WiFi adapter in the interest of privacy.

 

[The Automation Guy]

On the other hand...

In newer versions of iOS, apple has added a feature that is enabled by default. It assigns a random MAC address to the WiFi adapter in the interest of privacy.

They call it "privacy" but I suspect it is really due to the fact that there are so many Apple products out there. The odds of having a duplicate Apple MAC address in your house is still extremely low, but it isn't zero. This way they ensure their products will work correctly and not spoil their image of "products that always work".

 

[SpacemanSpiff]

The first 6-digits are also known as the OUI ID, and apple has in excess of 900 OUI's registered. This puts them at 15,099,493,500+ unique MAC's. Even at 3 MAC's per device (wifi, ethernet, bluetooth) that still leaves 5 billion possibilities. No doubt they have it figured out at what age a MAC address can be re-used based on the device being no longer in use.

The effect of minimizing duplicate MAC's seems more like happy accident. It is really due to privacy, and the ability to ID the hardware of a device or track it via the MAC. With private Wi-Fi addresses, the device provides a different MAC address for each Wi-Fi network they connect to. Your Wi-Fi sessions from different Wi-Fi networks can’t be so easily linked to each other anymore.

Edit: Just looked at an Android 12 device which also has the random MAC feature (enabled by default)

 

[tigerwillow1]

ask .. and you shall receive ..

Matt200 - Thank you for a direct answer. Seeing this video makes it obvious that I've had tunnel vision specifically about P2P as it applies to Dahua devices. Instead of asking how P2P is exploited, I should have been asking how it's exploited on Dahua devices because that's what I'm interested in. These are the key points I found in the video:

1:50 Tested SVC3 camera used as test subject pinged 3 servers at commonly used (for P2P) UDP port 32100
Most used P2P software that's embedded in devices is either CS2 Network P2P or Shenzhen Yunni iLink P2P.
5:10 Most P2P devices do not go through a firewall (I tend to disagree, but that's what he said).
5:23 Major risk is remote code execution, not spying. The RCE malware has the ability to punch through firewalls.
6:40 The device user ID (UID) is generated by P2P software provider and used by the device manufacturer. Anyone who knows the UID can connect with the device. (With Dahua the UID is the device serial #. Note that "connect" is not the same as gaining access.)
12:06 General discussion on how to guess or discover UIDs
- Can locate P2P servers by brute force IP probing
- Some UIDs are revealed in amazon reviews
- In general, brute force probing for UIDs is impractical
- Checksum algorithm for iLink devices has been discovered, making brute force UID probing feasible with them
16:42 Many devices use default passwords, making only UID required to get into device (Dahua doesn't allow default passwords)
17:23 Was able to get root shell access in a Shenzen Hichip Vision Technology camera that uses the iLink P2P software
- Once in with root access, the password can be discovered
- (I was waiting for discussion of RCE here but didn't catch it)
21:44 Encryption is not built into the CS2 or iLink packages. Left to the device application
22:17 Discussion of man-in-middle attacks. Works only when the legitimate user is actively logged in.
23:45 Discussion of superdevices that relay P2P traffic, often without user knowledge or consent. (I didn't fully absorb this and don't think it's applicable
to Dahua devices).

My conclusions from this, to exploit Dahua P2P:

1. Must somehow find out the device serial # and password.
-OR-
2. Find out the device serial # and be able to get backdoor root access.

And the first questions I don't know the answer to are:
1. Is there a known hack to gain access to a shell with root privileges?
2. It it possible to achieve remote code execution? (My guess is no via a firmware update, and maybe via writing code to RAM).

 

[Nolesfan]

Updates
Found out that it isn't EmpireTech-Andy that actually send these out but actually Amazon. @EmpireTech-Andy maybe you need to speak with Amazon about that. I have never got anything that was shipped like that ever.

Bought camera from EmpireTech-Andy on Amazon. It should have arrived on the 12th but got lost somewhere for 3 days. Amazon tracking has no status of it for those 3 days. It even has a message of something along the line of it looks like your package is lost. You can wait for it or request a refund. I was going to wait for the 5 days and request for a refund but it came on the 3rd day from the expected delivery date.

Now what I'm worry about is whoever has their hands on this for those missing days might have the mac address of it. Look at how the package is shipped to me anyone in those 3 days could have opened the package and get the mac address easily. So I need advise of what to do? I thought this guy is a legit seller on here. What kinda bs packaging is that?

Pic from Amazon evidence of delivery:
View attachment 118929View attachment 118924View attachment 118925View attachment 118928View attachment 118931

Over the past 3 years, I have bought approximately $40k worth of cameras and hardware from Andy and have yet to have an issue. Any time that I have ever ran into an issue, I have reached out to Andy and he is more than happy to help resolve any issue that I have, or that my customer has ran into.

By Andy using Amazon to ship his hardware, it has saved me tons of time on the shipping process as the items do not get tied up in customs.

 

[tigerwillow1]

I realize reviewing that thread that you use P2P and you wanna believe you are safe using it, but there are risks associated with it....just because you refuse to believe that doesn't mean that the risk doesn't exist...best practice is not to allow these systems access to the internet.

Did I say I thought I was safe using P2P? I've been asking for specifics on what is unsafe about Dahua's P2P:
For example, in thread Do any of you actually use Dahua P2P for external access to your cams? I made these comments
:
What is insecure about Dahua's P2P using current firmware and reasonable attention to security on the user's part?
If anybody has real information about Dahua's P2P implementation instead of these broad assumptions that have been put forth, I'd certainly like to see it.
I'm not addressing anything for Armcrest cameras.
I maintain that P2P is a red herring. It's the software behind the P2P that's the issue, and specifically how secure Dahua's current P2P software is.
I don't recall seeing a report anywhere of a breach due to P2P on a current model with current firmware.

Where did I ever say I believed I was safe using Dahua's P2P? Where did I say I refuse to believe the risk doesn't exist? I've been asking for examples of the risk with Dahua equipment, and just get examples from other equipment in response.

For the record, I'm paranoid about security and being hacked. As I've stated multiple times, I cannot use a VPN with my ISP. My choices are P2P, port forward, or no remote access. I allow P2P only on the NVR. Cameras don't have outside access. P2P is enabled only when I'm away from home. When P2P is enabled, the NVR is the only device on my network.

Whenever the general slander of P2P comes up, I often ask how it's done. The video a few posts up provides a lot of answers. Is current Dahua equipment open to any of the exploits in the video? If anybody answered this, I missed it.

 

[ccssid]

Just purchased a IPC-T5442TM-AS 3.6mm from Amazon (one of Andy's) last night. Already received it, wired it up and running in Blue Iris. Thanks Andy ( and Amazon). Not one issue.

 

[JNDATHP]

Received a camera from Andy (not his Amazon store). Ordered it directly from Andy on Saturday night PDT, it was shipped on Sunday and I received via FedEx this morning. Superb service!

Here is the packaging.

 

[samplenhold]

I cannot use a VPN with my ISP.

I have the same problem. So when I am away, I use TeamViewer.

 

[tigerwillow1]

I use TeamViewer.

I don't know anything about TeamViewer. Does it have fewer risks than are attributed to P2P? Or maybe it uses P2P? I've always just said no to any of the general remote access applications.

 

[samplenhold]

Read about it here
TeamViewer: The Remote Desktop Software

 

[ccssid]

Read about it here
TeamViewer: The Remote Desktop Software

Look into Zero Tier

 

[mchlrv]

Received a camera from Andy (not his Amazon store). Ordered it directly from Andy on Saturday night PDT, it was shipped on Sunday and I received via FedEx this morning. Superb service!

Just had very similar experience with Andy. Ordered directly from @EMPIRETECANDY and they arrived within 6 days in excellent state. Communication with him has been very fast and smooth.

@Nic3guy333 Don't worry about someone having your camera's MAC address. MAC addresses are L2 addresses and thus not routed over the internet. However some cloud services use these MAC addresses for security. You should be more worries about those services relying on MAC address security than you should on someone having your MAC address. MAC addresses can easily be spoofed and thus should only be locally unique to avoid conflicts.

As suggested by other members already, make sure your camera's are in a separate VLAN that has not connection to the internet. Preferably use a VPN with username/password, certificates and 2FA to connect from outside your network to your camera's / NVR and you will be fine.

 

[tigerwillow1]

Too bad the P2P security debate popped up in this thread. I apologize to anybody I'm annoying by responding to it.
I looked at teamviewer, and it does look interesting. It does use P2P, so anybody who subscribes to the broad-brush condemnation of P2P should stay away from it. For anybody who believes that P2P in and of itself is not bad, my meager learnings about teamviewer look favorable:

• They claim full end-to-end encryption.
• It's not a chinese company (absolutely no intention to associate Andy with this comment. We love you Andy!)
• The login credential protection sounds pretty good based on the company's security info.
• Only screen images are transferred. No raw data is transferred.

The big downside for me using it is that I'd have to leave a computer running while away from home. Nothing I want to do, but in the big picture it is an option.

Quickly looking at zero tier, pretty much everything I said about team viewer applies, except zero tier transfers data as opposed to screen images. Teamviewer, zero tier, and Dahua P2P are all P2P applications. What's missing for me is any reliable info on how secure Dahua's P2P implementation is or isn't.

 

[wittaj]

While Teamviewer uses P2P, it does have in its favor more frequent security updates than these cameras and NVRs. Frequency of security updates should always be a factor of consideration.

Unfortunately any reliable info on Dahua P2P implementation is questionable and the truth probably not out there unless someone plays the hacking game. Of course they will not announce a breach until they have a solution. And as we have seen with some of these in the past, that might be years after the fact.

Perhaps someone here wants to take on the task of trying to hack it. I think someone here did something similar with a Hikvision several years ago (or they purposely put a Hik on P2P to see how long before it was breached or something like that).

 

[user8963]

I don't know anything about TeamViewer.

Teamviewer is a piece of crap, is someone using this shit without a license?

Problem is that they mark your ID as business if you use it to frequent (even if you only use it for connecting to always the same ID) ..
at first you will be locked out after 1 hour, and at the end you can only connect for 5 secs and they will give you a popup that you violating their license terms.

You have to write their support that they unblock you, but it will occur again and again.

stop using teamviewer. its a piece of crap.
use anydesk instead, its free for private use and they dont block your account with bullshit.

Anydesk is from Germany and they have privacy protection, not like US where NSA/FBI/CIA/Homeland can dial in to your computer if they want because of "terrorism"
Teamviewer also from germany, but they want you to buy a overpriced license.

 

[tigerwillow1]

Wow, I didn't have a clue how many remote access packages there are. Here's a list of over 50 of them:

Comparison of remote desktop software - Wikipedia