Foscam Forum • View topic - Foscam Dialing Out to Suspect Hosts

Important Message from Foscam Digital Technologies Regarding US Sales & Service

Foscam.US (aka Foscam Digital Technologies and now Amcrest Technologies) is an independent United States based distributor of "Foscam" branded products. We have been offering telephone support, US local warranty and building the Foscam brand in the US for the past 7 years. Based on our experiences with Foscam and feedback from end users we have launched our own new and improved line of wireless IP cameras and security systems under the Amcrest brand. Working in partnership with the second largest security camera manufacturer in the world, Amcrest was founded with a deep commitment to end-user privacy and security, highly reliable software and hardware as well a seamless and intuitive user experience. For more information, please visit www.Amcrest.com

If you are having trouble with your Foscam cameras, we sincerely apologize for this inconvenience and would love to help. For technical support, response to inquiries and for obtaining replacements for any Foscam IP Cameras or NVR products, please reach out to tech@foscam.com or call 1-844-344-1113.

If you are interested in exchanging your Foscam camera for an Amcrest camera, we can offer you a massive loyalty discount, even if you are out of warranty. Please send an email to support@amcrest.com, sales@amcrest.com or call 1-888-212-7538

If you are subscribed to Foscam Cloud (www.foscamcloud.com), please contact cloud@foscam.us for support.

If you currently use the manufacturer's cloud service (www.myfoscam.com or linked in any way to www.foscam.com), you will need to contact them directly for support, at www.myfoscam.com.


Foscam Dialing Out to Suspect Hosts

Users can ask and answer questions regarding Foscam IP Cameras

Moderators: mycam, FOSCAM

Re: Foscam Dialing Out to Suspect Hosts

Postby jimfreex » Mon Jan 11, 2016 11:49 am

The following email is what I sent Foscam concerning the issue with some of their cameras sending out UDP messages.

FYI Foscam Tech Support,

If I do not get a clear and understandable answer to the following technical concern with my Foscam cameras I will be forwarding this to the National Security Agency/Central Security Service (NSA/CSS).

Seeing my ACTIVITY light on my modem was flashing more than usual I looked at the Outgoing Message Logs on my Linksys Router and found some of my Foscam cameras were sending out UDP messages to various IPs. The following cameras that are active and doing this are:

Model: FI9821W
Model: FI9831P V2
Model: FI9804W

The cameras are sending out the UDP port 10001 messages every minute or less and are putting a load on my router and modem. I do not see any suspicious incoming messages trying to access the cameras and I have them password protected so I am not too concerned that someone or thing is connecting to them. However, I do not know what information might be sent with the UDP outgoing messages and that is a concern. The cameras are sending out the UDP messages to the same IPs and they are all communication or network related sites around the US and to the UK. The following is what they are sending UDP messages to:

Cogent Communications IP 50.7.124.48; IP 50.7.44.82; IP 50.7.114.59
TDS Telecom IP 24.56.178.140
Softlayer Technologies IP 168.1.83.89
Abovenet Communications IP 50.7.176.18
Telecitygroup International limited IP 176.58.116.160
Hostspace Networks IP 23.234.53.61

I used iplocation.net to identify the IPs

I contacted Foscam Tech Support on 1/6/2016 and they could not give me an answer or fix for this concern. I see that others on the Foscam Forum have seen this but there is not any answer there as to why the cameras are doing this. Tech Support said they would turn in a report and suggested I send an email to tech@foscam.us.

I have tried blocking features in my Linksys Router but think the blocking feature might just be for incoming access IPs since the outgoing UDP messages are not being blocked.

At this point I have not tried to see what is being sent out with the UDP messages. I will wait to hear from you before I forward this on to one of the US government agencies.
jimfreex
 
Posts: 7
Joined: Sun Dec 01, 2013 9:54 am

Re: Foscam Dialing Out to Suspect Hosts

Postby awkwardrodent » Mon Jan 11, 2016 11:55 am

Nice letter, I think also mentioning FCC which regulates electronic communications and licenses electronic devices might be helpful, as they are more consumer oriented and can ban imports / products that may harm consumers.

EDIT: also to add, FBI may also help. FBI raids businesses all the time in relation to corporate espionage, etc.

PS - read this link: http://www.speedguide.net/port.php?port=10001

10001 is used by a couple of known trojans spyware (so developer's PC may have been infected by a trojan at the time of writing code?), as well as legitimate NAS services, and gaming services.
awkwardrodent
 
Posts: 8
Joined: Tue Jul 21, 2015 3:01 am

Re: Foscam Dialing Out to Suspect Hosts

Postby jimfreex » Mon Jan 11, 2016 2:40 pm

Thanks, I thought some others might agree with this concern. I thought the NSA might be enough to have Foscam look into this since it could seriously affect their sales; however, the FBI, FCC and other agencies might also need to know about this issue. My old Linksys Router will not block the messages and I do not want to disconnect the cameras so I am hoping Foscam will respond. Until they do, I will not purchase or recommend their cameras to anyone.
jimfreex
 
Posts: 7
Joined: Sun Dec 01, 2013 9:54 am

Re: Foscam Dialing Out to Suspect Hosts

Postby dannyo » Mon Jan 11, 2016 4:00 pm

Fortunately I am able to block port 10001 in my router.......downside is that I see some high memory/cpu utilization issues. The cameras work fine and it's only happening with my "P" cameras (Fi9803P) A Post earlier in this thread mention a FI9821W that is also calling port 10001. That camera is not a "P" style camera. Foscam needs to mention why their cams send unsolicited UDP datagrams to port 10001! I too am holding off buying anymore Foscam camera!
dannyo
 
Posts: 225
Joined: Tue Jan 08, 2013 11:22 pm

Re: Foscam Dialing Out to Suspect Hosts

Postby dannyo » Tue Jan 12, 2016 12:43 pm

I emailed foscam.com tech support about the issue discussed here. They replied back that they feel that port 10001 is being used for P2P. I have already turned off P2P and don't use it but still get those unsolicited port calls to 10001. They have asked for all of my log files and I have sent them the NAT tables that show the calls to port 10001. Awaiting their response......
dannyo
 
Posts: 225
Joined: Tue Jan 08, 2013 11:22 pm

Re: Foscam Dialing Out to Suspect Hosts

Postby drooler » Tue Jan 12, 2016 2:24 pm

awkwardrodent wrote:Thanks for the long, interesting thread.

I'm thinking it's likely some idiot / lazy programmer set up these pings to test out the cameras in Development / QA, and forgot to turn them off for production. In my experience, it's usually incompetence, rather than intentional malfeasance that causes these strange issues.

But who knows... would really like to know the resolution of this issue.


I don't believe it is from a lazy programmer but you never know.

I also have turned off P2P and other services. I saved copies of all of the NAT tables when port 10001 was turned back on. I also had (see prior posting) excessive router RAM usage and a router message indicating Virus may be present in network. Turning off the two newest suspect cameras (F19821P V2 and F19804P) and the router RAM utilization drops immediately and the warning message disappears. Sometimes there would be upward near 30 open ports for each camera to different IP WAN addresses. As soon as port 10001 is turned off, the open ports in session with WAN drop down to zero. I have 5 cameras and the older models do not have this problem with port 10001. My Blue Iris software is useless now for remote access because the router does not allow me to just turn off 10001. Consequently, the BI server port is also turned off. I am looking for another router that has more port control granularity.

Here is just a partial list of the IP destination servers contacted:

Chicago - FDC servers, net
London
Australia, Omni connect, ply ltd
Netherlands - VIA club
California - Defender
Germany - FDC servers, net
China Telecom - SiChuan data center
UK - Liso3-160-members.linode.com
Korea
China - Ali
China - Advertising firm

Thanks to you all for pursing this problem. I was going to fire up Wireshark and look at the capture data but you beat me to it. I was also going to forward all of my NAT table information with IP address destination information to an author that writes about IP camera security matters. Foscam needs to get a proper response on the matter before it makes headlines, IMO.
Last edited by drooler on Tue Jan 12, 2016 2:45 pm, edited 1 time in total.
drooler
 
Posts: 44
Joined: Tue Dec 08, 2015 9:55 am

Re: Foscam Dialing Out to Suspect Hosts

Postby drooler » Tue Jan 12, 2016 2:32 pm

awkwardrodent wrote:Nice letter, I think also mentioning FCC which regulates electronic communications and licenses electronic devices might be helpful, as they are more consumer oriented and can ban imports / products that may harm consumers.

EDIT: also to add, FBI may also help. FBI raids businesses all the time in relation to corporate espionage, etc.

PS - read this link: http://www.speedguide.net/port.php?port=10001

10001 is used by a couple of known trojans spyware (so developer's PC may have been infected by a trojan at the time of writing code?), as well as legitimate NAS services, and gaming services.


Thanks for the url. I will keep it for looking up port information. I noticed in the comments section someone recently wrote:

"Some Foscam IP cameras make connections to external hosts on this port (even with DDNS and P2P disabled, on the latest firmware)."
drooler
 
Posts: 44
Joined: Tue Dec 08, 2015 9:55 am

Re: Foscam Dialing Out to Suspect Hosts

Postby _1234567 » Wed Jan 13, 2016 12:12 am

dannyo wrote:I emailed foscam.com tech support about the issue discussed here. They have asked for all of my log files and I have sent them the NAT tables that show the calls to port 10001. Awaiting their response......


You would expect them to be happy with all the people reporting those issues to them first ( instead of reporting it to authorities, or even slashdot or reddit :-) ).
Also discussing it on this forum should be of help to Foscam, but instead they choose to remain silent....
This makes me ( and obviously others) even more nervous.

The point of course is that blocking port 10001 is not a real solution but only a temporary workaround.
Indeed they need to restore trust by explaining what is is ( even if it is just a bug, f.e. a p2p feature not completely shutting down when disabling p2p) and by providing a fix.
_1234567
 
Posts: 10
Joined: Thu Jan 07, 2016 8:38 am

Re: Foscam Dialing Out to Suspect Hosts

Postby _1234567 » Wed Jan 13, 2016 4:49 am

To get better insight I wrote a bashscript for my owrt router to monitor the connection for some time.
Apart from the connections to 10001 I also found other connections to the following IP addresses, to port 80,443 and 8000. The script ran for 1.5 hours.

Code: Select all
TCP:
    dst=46.137.188.54
    dst=50.19.254.134
    dst=61.188.37.216
   dst=74.125.31.99
UDP:
   dst=175.41.238.100:21047


Looking up the addresses on ipaddress.com gives:

46.137.188.54 -> amazon
50.19.254.134 ->amazon
61.188.37.216 -> China Telecom SiChuan Telecom Internet Data Center
74.125.31.99 -> google
175.41.238.100 -> Amazon

remarks:
- Note that this is without the port 10001-connections since I blocked those.
- I switched of network functions like p2p, ntp, etc. However, there might still be stuff like update checks etc.
_1234567
 
Posts: 10
Joined: Thu Jan 07, 2016 8:38 am

Re: Foscam Dialing Out to Suspect Hosts

Postby dannyo » Wed Jan 13, 2016 12:45 pm

This is the response I received from Foscam.com tech support concerning the issue......

Hi Daniel,

Thanks for all your information!

After double checking with our R&D team, they found those IP addresses that camera communication with are our P2P server IP , the port 10001.... are the server port.
23.234.53.67
23.234.53.61
176.58.116.160
50.7.176.18

50.7.114.59
50.7.124.48
50.7.44.82
Because the camera FI9803P is P2P cameras, if you want to view the camera on phone or other monitor, P2P server is a bridge, camera information transfer to phone through P2P server, also if you do some settings on your phone, the commands transfer to camera through P2P server.
That's why you can see the communication on the router log.

But don't worry, these communications are encryption, higher security.

Have a nice day!

Any problem, please feel free to contact me.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Your satisfaction is our goal.
Are you satisfied with our service?
Our aim is to provide perfect service,so your suggestions are appreciated.
If you are not satisfied, please e-mail aftersales@foscam.com with your assessment or feedback.

Best Regards
Tina Lu (Ms.)
Customer Service Dep.
Email: tech3@foscam.com
ShenZhen Foscam Intelligent Technology co., Ltd.
Website:www.foscam.com
dannyo
 
Posts: 225
Joined: Tue Jan 08, 2013 11:22 pm

PreviousNext

Return to Technical Support

Who is online

Users browsing this forum: No registered users and 7 guests