UPDATE (10/25/2016): They are now being sold under the brand name “SkyGenius”. STAY AWAY. These are the same backdoored cameras as before. These are the kinds of cameras that were likely used in the DDoS attacks that took place last week. Link: https://www.amazon.com/dp/B01LZRFGXN?m=A3G20NDO3H60P2&th=1
I just wanted to make a quick post that these camera companies are removing and deleting reviews on the Amazon pages that alert people to the behavior that I outlined in my previous post: Chinese IP Cameras – The next Trojan Horses? VimTag/BEW/Fujikam
ALL the reviews on the BEW version are gone and the ones I left on the VimTag ones are removed as well. In addition to that they are now being sold under the “LeFun” brand.
I have recently been looking for a decent HD IP camera to keep an eye on things when I am away from home. I frequently buy items from SnagShout to review. They had this “BEW” brand camera for $52 so I figured I would give it a shot.
I bought the “BEW” 826-X 1080P IP camera and got it all set up. I started looking at the network traffic and it was sending all its video and audio to a server at 188.8.131.52 that is located in China. When you go to that address it takes you to the “VimTag” website and you can see this “BEW” is a re-branded CP1 from their products. I located their US support at www.VimTag.US and called them asking why it’s sending the traffic there and if it can be disabled. They told me that it cannot and when I told them it was concerning they just hung up. For reference their number is 1-800-371-2929.
I left it connected and there were multiple connections going to and from the camera. I also noticed that it was scanning the network with PING requests. I have attached a Wireshark packet capture from start to finish of the setup of the camera. The 172.16.74.0/24 network is my private LAN and the 192.168.137.0/24 is the AP that I was running off my laptop, .1 being the laptop/GW.
I will also add that if you try to run a port scan on the camera it renders it completely DOA and will not restart. I did this using Zenmap on my PC and the camera is now DOA. The paranoid part of me suspects this is to prevent seeing what it’s doing and has open. The other part of me just chalks this up to poor firmware/software on the device.
That being said, I just wanted to put a quick post out there in case someone else was thinking about getting these cameras. They also do NOT work with any standard IP cam applications or DVR software, which means no RTSP or ONVIF support.
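The two behaviours described above (video/audio leaving the LAN for a single remote host, and ICMP echo requests fanning out across the local subnet) can be checked from flow records exported from a capture such as the one attached (Wireshark: Statistics > Conversations). The script below is an added example, not part of the original post; the camera address 172.16.74.50, the remote address 203.0.113.10 and all flow records are constructed, while the two LAN ranges are the ones named in the post.

```python
"""Flag an IP camera that streams to an off-LAN host and ping-sweeps the LAN.

Works on flow records (protocol, src, dst, dst_port, bytes_from_src), not on
the raw pcap. Added example; the thresholds and addresses are assumptions.
"""
from ipaddress import ip_address, ip_network

# The two networks from the post: the private LAN and the laptop-hosted AP.
LOCAL_NETS = [ip_network("172.16.74.0/24"), ip_network("192.168.137.0/24")]
CAMERA_IP = "172.16.74.50"        # assumed camera address (constructed)
SWEEP_THRESHOLD = 8               # distinct LAN hosts pinged before we call it a sweep
UPLOAD_THRESHOLD = 1_000_000      # bytes; below this a cloud check-in, above it a stream

# Constructed flow records. 203.0.113.10 is a TEST-NET-3 placeholder standing in
# for the remote server the camera streams to.
FLOWS = [
    ("udp", "172.16.74.50", "203.0.113.10", 8000, 48_500_000),  # sustained A/V upload
    ("tcp", "172.16.74.50", "203.0.113.10", 80, 12_000),        # small check-in, not flagged
    ("udp", "172.16.74.50", "172.16.74.1", 53, 400),            # DNS to the local gateway
] + [("icmp", "172.16.74.50", f"172.16.74.{h}", None, 84) for h in range(2, 30)]


def is_local(addr):
    """True when addr falls inside one of the LANs we consider our own."""
    return any(ip_address(addr) in net for net in LOCAL_NETS)


def analyze(flows, camera=CAMERA_IP):
    """Return off-LAN uploads above UPLOAD_THRESHOLD and the ICMP sweep verdict."""
    findings = {"public_uploads": [], "ping_sweep_targets": 0, "ping_sweep": False}
    pinged = set()
    for proto, src, dst, dport, nbytes in flows:
        if src != camera:
            continue                       # only the camera's own traffic matters here
        if proto == "icmp" and is_local(dst):
            pinged.add(dst)                # one echo request per LAN host
        elif not is_local(dst) and nbytes >= UPLOAD_THRESHOLD:
            findings["public_uploads"].append((dst, dport, nbytes))
    findings["ping_sweep_targets"] = len(pinged)
    findings["ping_sweep"] = len(pinged) >= SWEEP_THRESHOLD
    return findings


if __name__ == "__main__":
    result = analyze(FLOWS)
    for dst, dport, nbytes in result["public_uploads"]:
        print(f"off-LAN upload: {nbytes} bytes to {dst}:{dport}")
    print(f"LAN hosts pinged: {result['ping_sweep_targets']} sweep={result['ping_sweep']}")
```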
Pictures of the camera I had:
I posted last week that there was a suspected breach with TeamViewer. They have confirmed it. Please see the Ars Technica excerpt below; however, they are still blaming the users.
On Sunday, TeamViewer spokesman Axel Schmidt acknowledged to Ars that the number of takeovers was “significant,” but he continued to maintain that the compromises are the result of user passwords that were compromised through a cluster of recently exposed megabreaches involving more than 642 million passwords belonging to users of LinkedIn, MySpace, and other services.
I previously posted an article about the latest TeamViewer hack that has been spreading around the last few days. I myself have switched over to using AnyDesk for personal remote support (family, friends, etc.) but I still had it on a few systems. I did check my logs and luckily none of my systems were accessed. However, in the TeamViewer web console I did see multiple sessions from China that were active in the last 30 days. I have since closed my TeamViewer account and notified all people that I know who use the service to uninstall it and switch to another provider.
Whether you were hacked or not please fill out this Google Form that one of the /r/TeamViewer mods put together: https://docs.google.com/forms/d/1E5U8iPWk_bLuRFnlpmGOYWY0yfCsBi9SPR3y5YhVefY/viewform
Accessing the Connection Log
If you want to see if your system was accessed (even if you uninstalled the program), you just need to check the TeamViewer directory. The default installation paths are below:
- 32-Bit (x86) Systems: C:\Program Files\TeamViewer\Connections_incoming.txt
- 64-Bit (x64) Systems: C:\Program Files (x86)\TeamViewer\Connections_incoming.txt
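To go through Connections_incoming.txt without reading every line by hand, the script below reads the two default paths above (falling back to a constructed sample when neither exists) and lists every incoming session whose remote TeamViewer ID is not one of your own devices or partners. This is an added example, not from the original post or from TeamViewer; the tab-separated column layout (remote ID, remote name, start, end, local user, mode, session GUID) and the date format are assumptions, and all IDs and timestamps in the sample are constructed.

```python
"""Triage a TeamViewer Connections_incoming.txt for sessions you did not initiate."""
from datetime import datetime
import os

# Default log locations quoted in the post (read only if present).
DEFAULT_LOG_PATHS = [
    r"C:\Program Files\TeamViewer\Connections_incoming.txt",
    r"C:\Program Files (x86)\TeamViewer\Connections_incoming.txt",
]

# Assumed layout: remote TeamViewer ID, remote display name, start, end,
# local Windows user, connection mode, session GUID (tab separated).
TIME_FMT = "%d-%m-%Y %H:%M:%S"

# Constructed sample: two sessions from the owner's own laptop ID and one
# from an unknown ID at 03:41. No value here comes from a real log.
SAMPLE_LOG = (
    "111222333\tMy Laptop\t20-05-2016 18:02:11\t20-05-2016 18:15:40\tOwner\tRemoteControl\t{GUID-1}\n"
    "111222333\tMy Laptop\t28-05-2016 09:10:00\t28-05-2016 09:12:30\tOwner\tRemoteControl\t{GUID-2}\n"
    "987654321\tunknown\t01-06-2016 03:41:05\t01-06-2016 04:02:59\tOwner\tRemoteControl\t{GUID-3}\n"
)


def parse_sessions(text):
    """Yield one dict per log line; malformed lines are skipped, never guessed at."""
    for line in text.splitlines():
        fields = line.rstrip("\r\n").split("\t")
        if len(fields) < 6:
            continue
        try:
            start = datetime.strptime(fields[2], TIME_FMT)
            end = datetime.strptime(fields[3], TIME_FMT)
        except ValueError:
            continue
        yield {"remote_id": fields[0], "remote_name": fields[1], "start": start,
               "end": end, "local_user": fields[4], "mode": fields[5],
               "minutes": round((end - start).total_seconds() / 60, 1)}


def suspicious_sessions(text, known_ids):
    """Return sessions whose remote ID is not one of your own devices or partners."""
    return [s for s in parse_sessions(text) if s["remote_id"] not in known_ids]


def load_default_log():
    """Read the first default log path that exists; None when no log is present."""
    for path in DEFAULT_LOG_PATHS:
        if os.path.exists(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                return fh.read()
    return None


if __name__ == "__main__":
    log = load_default_log() or SAMPLE_LOG          # replace 111222333 with your own IDs
    for s in suspicious_sessions(log, known_ids={"111222333"}):
        print(f"UNKNOWN {s['remote_id']} {s['start']} -> {s['end']} ({s['minutes']} min)")
```

Any session this prints that you cannot account for is the record to save and report, as the post says; a short session at an odd hour is exactly the pattern worth a second look.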
Here is the log file from one of my systems with the personal information blurred out for security reasons.
- If you have any logs that are NOT from you, please save the log, report the information to TeamViewer and post in the Reddit thread here: https://www.reddit.com/r/teamviewer/comments/4m6omd/teamviewer_breach_masterthread_please_post_your/
- If you need assistance checking your system for malware that the attackers could have placed on your system, please call your preferred IT person or contact me through the site; I offer remote and onsite support.
- Most importantly, if your system has been accessed by someone else DO NOT USE THE SYSTEM! There have been multiple reports of keyloggers and other malicious software being installed by the attackers when they gained access to the system. I recommend doing a full OS installation and thoroughly going through any other drives/devices that have been connected to the PC.
TeamViewer continues to deny that they had a breach but there have been multiple users that have had proper passwords and even 2-factor authentication enabled at the time of the attack. Their system is flawed and cannot be trusted until they own up to what happened and post a 100% certain resolution to the breach.