This afternoon I took the opportunity of being in work at a weekend to install a monitoring bridge between one of my customer LANs and their Managed Broadband service. The managed broadband provider doesn’t give any insight into the traffic flowing through their CISCO router and I found a spare ALIX box sitting around that would be perfect to install between the LAN and the CISCO to bridge and monitor the cable.
This will give me insight into which machines on the LAN are using the most bandwidth at any given time and also allow me my own firewalling (don’t get me started on how insecure the managed, double-NAT, broadband service is. A formal complaint that is currently going through bureaucracy to get remedied).
However the first thing I noticed while tcpdumping was the CCTV DVR system making a lot of requests and, some, to a host in China!
The customer uses a Swann DVR9-4200 with “Build No.”: “build 1113”.
Traffic looks a bit like this – constantly:
Ironically the first IP I chucked into Google / whois was “220.127.116.11”:
inetnum: 18.104.22.168 – 22.214.171.124
descr: CHINANET Sichuan province network
descr: China Telecom
descr: A12,Xin-Jie-Kou-Wai Street
descr: Beijing 100088
Which was more than worrying.
The next I searched was “126.96.36.199”, which resolves to an Amazon AWS / Cloud Computing system. This time when the search was twinned with the word “Infection” it came out with a SANS Internet Storm Center article (The SANS Institute is a private U.S. company that specializes in information security and cybersecurity training.).
This article is by someone who bought a Smart Plug from Supra-Electronics. They were clearly interested in how the device worked and also noticed their device sending information to some of the same IP addresses that the Swann DVR is sending packets to in my captures. His discoveries are here:
IP FQDN NetName Country 188.8.131.52 m1.iotcplatform.com AMAZON-EC2-8 US 184.108.40.206 m2.iotcplatform.com AMAZON-EC2-SG Singapore 220.127.116.11 m3.iotcplatform.com AMAZON-EU-AWS Ireland 18.104.22.168 JINHUA-MEIDIYA-LTD China 22.214.171.124 CHINANET-SC China 126.96.36.199 CHINANET-IDC-BJ China 188.8.131.52 m4.iotcplatform.com ALISOFT China 184.108.40.206 m5.iotcplatform.com ALISOFT China 220.127.116.11 AMAZON-AP-RESOURCES-JP Japan
All the same IPs were also present in my packet captures from the Swann DVR.
Luckily the article on the SANS site references some hostnames, The domain relating to the IPs is IOTCPLATFORM.COM. I’m not sure how the SANS guy got hold of the host names because the DVR, in my case, didn’t send any DNS requests.
This domain doesn’t appear much on Google, a few DVR exe files seem to use it (results on VirusTotal) and an Android application does too. The website at http://www.IOTCPLATFORM.COM is just a GoDaddy holding page.
The SANS article and whois then link to ThoughTek who apparently provide p2p style communication between devices. This is likely to allow roaming users to connect to the DVR without having to fiddle about knowing the device IP or having to port forward.
However – the IOTCPlatform site should at least explain what their connections / hosts do!
The DVR should explain that it will make requests to a 3rd party even if you don’t use their “find my device using it’s QRCode” function!
For the moment I’ve just removed the default gateway from the DVR so it isn’t sitting there flapping around sending whatever data it wants to some random 3rd party.