Some years ago I had the chance to play around with one of these spycams:

Pasted image 20210325030231

It all started with a friend of mine who told me that his “smart” bulb was sending data to a bunch of strange IP addresses. That got me curious to check whether one of these cameras, which I borrowed from the IoT lab at the uni, could reveal some interesting stuff.

The first thing I noticed is that the included Android app for these cameras can show the video feed without asking for credentials. Let’s see what Wireshark intercepts:

Pasted image 20210325040011

So by looking at the UDP stream above, it was discovered that:

Looking at the traffic generated, I noticed some strange behaviour:

Pasted image 20210325035438

It looks like the spycam sends, every now and then, a broadcast request with the stored credentials… and also a URL to an adult website (?)

Anyway, now that we have received the admin credentials, we can log into the camera and do stuff.
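A defender's check for the broadcast behaviour described above, as an added example that is not part of the original post: given credentials you set on your own device, it scans captured Ethernet frames for broadcast UDP datagrams that carry them in cleartext. The frame builder, payload layout, port, addresses and password are constructed for the example; the camera's real packet format is not reproduced here.

```python
import struct

BROADCAST_MAC = b"\xff" * 6

def build_frame(dst_mac, src_ip, dst_ip, dport, payload):
    """Constructed test input: minimal Ethernet/IPv4/UDP frame, checksums left at zero."""
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return dst_mac + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00" + ip + udp

def find_broadcast_leaks(frames, secrets):
    """Return (src_ip, dst_port, secret) for every broadcast UDP datagram
    whose payload contains one of the known secrets in cleartext."""
    hits = []
    for f in frames:
        if len(f) < 42 or f[12:14] != b"\x08\x00" or f[23] != 17:
            continue                       # truncated, not IPv4, or not UDP
        udp_off = 14 + (f[14] & 0x0F) * 4  # honour the IPv4 header length field
        if len(f) < udp_off + 8:
            continue
        if f[:6] != BROADCAST_MAC and f[30:34] != b"\xff\xff\xff\xff":
            continue                       # unicast: out of scope for this check
        dport = struct.unpack("!H", f[udp_off + 2:udp_off + 4])[0]
        payload = f[udp_off + 8:]
        src_ip = ".".join(str(b) for b in f[26:30])
        hits += [(src_ip, dport, s) for s in secrets if s.encode() in payload]
    return hits

# Constructed sample traffic; the payload layout and port are made up for the example.
SAMPLE_FRAMES = [
    build_frame(BROADCAST_MAC, "192.168.1.50", "255.255.255.255", 50000,
                b"\x00\x01name=cam;user=admin;pwd=Example-Pass1;"),
    build_frame(BROADCAST_MAC, "192.168.1.50", "255.255.255.255", 50000,
                b"\x00\x02heartbeat"),
    build_frame(b"\x02\x00\x00\x00\x00\x02", "192.168.1.50", "192.168.1.10", 50000,
                b"pwd=Example-Pass1"),
]

if __name__ == "__main__":
    for hit in find_broadcast_leaks(SAMPLE_FRAMES, ["Example-Pass1"]):
        print("cleartext credential in broadcast:", hit)
```

Only the first constructed frame is reported: the second is a broadcast without the secret, and the third carries it over unicast, which this check deliberately ignores.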

Pasted image 20210329213330

Now back to the original question: I found that this camera sends data to these IP addresses:

From what I’ve seen, the data that was sent are just heartbeat messages:

Pasted image 20210325042344

And among those IP addresses, the only one that is still reachable is the Amazon AWS one:

Pasted image 20210325042656

It runs with a httpapi/2.0 instance… but I stopped here.

So there’s my quick investigation on these devices. Sadly I can’t get my hands on these anymore; nowadays I would try to pwn the web interface, but at the time I wasn’t interested in cybersec.

Lessons learned: