This afternoon I took the opportunity of being at work on a weekend to install a monitoring bridge between one of my customer LANs and their Managed Broadband service. The managed broadband provider doesn’t give any insight into the traffic flowing through their Cisco router, and I found a spare ALIX box sitting around that would be perfect to install between the LAN and the Cisco to bridge and monitor the cable.

This will give me insight into which machines on the LAN are using the most bandwidth at any given time and also let me do my own firewalling (don’t get me started on how insecure the managed, double-NAT broadband service is; a formal complaint is currently working its way through the bureaucracy to get it remedied).

However, the first thing I noticed while tcpdumping was the CCTV DVR system making a lot of requests, some of them to a host in China!

The customer uses a Swann DVR9-4200 with “Build No.”: “build 1113”.

Traffic looks a bit like this – constantly:

Ironically the first IP I chucked into Google / whois was “61.188.37.216”:

    inetnum:  61.188.0.0 - 61.188.255.255
    netname:  CHINANET-SC
    descr:    CHINANET Sichuan province network
    descr:    China Telecom
    descr:    A12,Xin-Jie-Kou-Wai Street
    descr:    Beijing 100088
    country:  CN
    admin-c:  CH93-AP
    tech-c:   XS16-AP

Which was more than worrying.

The next one I searched was “46.137.188.54”, which resolves to an Amazon AWS / cloud computing system. This time, when the search was twinned with the word “Infection”, it turned up a SANS Internet Storm Center article (the SANS Institute is a private U.S. company that specializes in information security and cybersecurity training).

This article is by someone who bought a Smart Plug from Supra-Electronics. They were clearly interested in how the device worked and also noticed their device sending information to some of the same IP addresses that the Swann DVR is sending packets to in my captures. Their discoveries are here:

    IP               FQDN                  NetName                  Country
    50.19.254.134    m1.iotcplatform.com   AMAZON-EC2-8             US
    122.248.234.207  m2.iotcplatform.com   AMAZON-EC2-SG            Singapore
    46.137.188.54    m3.iotcplatform.com   AMAZON-EU-AWS            Ireland
    122.226.84.253   -                     JINHUA-MEIDIYA-LTD       China
    61.188.37.216    -                     CHINANET-SC              China
    220.181.111.147  -                     CHINANET-IDC-BJ          China
    120.24.59.150    m4.iotcplatform.com   ALISOFT                  China
    114.215.137.159  m5.iotcplatform.com   ALISOFT                  China
    175.41.238.100   -                     AMAZON-AP-RESOURCES-JP   Japan

All the same IPs were also present in my packet captures from the Swann DVR.

Luckily the article on the SANS site references some hostnames. The domain relating to the IPs is IOTCPLATFORM.COM. I’m not sure how the SANS guy got hold of the host names because the DVR, in my case, didn’t send any DNS requests.

This domain doesn’t appear much on Google; a few DVR exe files seem to use it (results on VirusTotal) and an Android application does too. The website at http://www.IOTCPLATFORM.COM is just a GoDaddy holding page.

The SANS article and whois then link to ThroughTek, who apparently provide p2p-style communication between devices. This is likely to allow roaming users to connect to the DVR without having to fiddle about knowing the device IP or having to port forward.

However, the IOTCPlatform site should at least explain what their connections / hosts do!

The DVR should explain that it will make requests to a 3rd party even if you don’t use their “find my device using its QR code” function!

For the moment I’ve just removed the default gateway from the DVR so it isn’t sitting there flapping around sending whatever data it wants to some random 3rd party.

Some other people have also grumbled about this, but they were harder to find on the internet. QNAP NAS devices might also do something similar.