$25 WiFi Webcam from China – I am livin’ on the edge!

Rock on – what could possibly go wrong with the cheapest-possible piece of equipment that is designed to capture both sound and video, is made in China, costs about 25 USD, and comes with real internet connectivity – you know: cloud backends and all.

So, I went off to dig some more blood from my nose. I bought one – no, I bought three Xiaomi Xiaoyi Ants web cameras, and went to see what’s inside and how (in)secure they are.

These little beasts provide 720p picture, night vision, cloud connectivity – they got it all and great picture quality too. (Now please do not expect GoPro Hero 4 Black level; more like Hero 2. At this 25 dollar price point I feel that is way more than adequate.)

Based on a few months’ experience I can say they do work nicely – at least when 2.5GHz WiFi isn’t too crowded. As expected, the iOS and Android apps work – the language is to some extent Chinese, and English is (partially) available too, no probs with that. And Xiaomi does upgrade their firmware, a couple of times during the past 3 months or so, great!

Now, this will not be a real analysis as I am not carrying out traffic analysis. Also, I will be using older firmware. As it happens, this piece of hardware has a more or less serious open source community hacking together more functionality; so I downgraded to older firmware and added some scripting support to the SD card to get services like ftp, telnet and rtsp running – and voila, I am in:

(none) login: root
Password: 
Welcome to HiLinux.
None of nfsroot found in cmdline.
# uname -a
Linux (none) 3.0.8 #1 Wed Apr 30 16:56:49 CST 2014 armv5tejl GNU/Linux

It is Linux, running on ARMv5, so I am expecting a limited command set. The version is old; as said, I downgraded it. Now that I am in, with the extra insight I have, I am ok running it – for now. (In real life this is not ok: as time passes there will be a vulnerable component that I will fail to recognise and update.)

How badly does it leak?

In other words: what are the active data connections it makes?

# netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       
tcp        0      0 0.0.0.0:38888           0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:8554            0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:554             0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:ftp             0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:18554           0.0.0.0:*               LISTEN      
tcp        0      0 192.168.1.126:48620     120.134.33.107:www      ESTABLISHED 
tcp        0      0 192.168.1.126:43438     52.76.22.225:28622      ESTABLISHED 
tcp        0      0 192.168.1.126:554       192.168.1.133:65352     ESTABLISHED 
tcp        0      0 :::www                  :::*                    LISTEN      
tcp        0      0 :::telnet               :::*                    LISTEN      
tcp        0      0 ::ffff:192.168.1.126:telnet ::ffff:192.168.1.133:65248 ESTABLISHED 
udp        0      0 0.0.0.0:6994            0.0.0.0:*                           
udp        0      0 0.0.0.0:6996            0.0.0.0:*                           
udp        0      0 0.0.0.0:37519           0.0.0.0:*                           
udp        0      0 0.0.0.0:60845           0.0.0.0:*                           
udp        0      0 0.0.0.0:51397           0.0.0.0:*                           
udp        0      0 0.0.0.0:1500            0.0.0.0:*                           
raw        0      0 :::58                   :::*                    58

The open connections to the same subnet are to my computer: telnet, and 554 for rtsp (my primary reason to get this version in). Then there is one to 120.134.33.107:www, probably for phoning home (here I would need Wireshark to see inside the traffic), and one connection to Amazon AWS, likely for the app connector.
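The same triage can be scripted. The following is an added example, not part of the original post: it parses lines copied from the netstat output above and separates listening sockets, LAN peers and external peers, coping with service-name ports and IPv4-mapped IPv6 addresses. The function names are this example's own.

```python
import ipaddress

# Lines copied from the netstat -a output above (one per case it contains).
SAMPLE = """\
tcp        0      0 0.0.0.0:554             0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.126:48620     120.134.33.107:www      ESTABLISHED
tcp        0      0 192.168.1.126:43438     52.76.22.225:28622      ESTABLISHED
tcp        0      0 192.168.1.126:554       192.168.1.133:65352     ESTABLISHED
tcp        0      0 :::telnet               :::*                    LISTEN
tcp        0      0 ::ffff:192.168.1.126:telnet ::ffff:192.168.1.133:65248 ESTABLISHED
udp        0      0 0.0.0.0:6994            0.0.0.0:*
"""


def split_endpoint(endpoint):
    """Split 'addr:port' at the last colon; the port may be a service name."""
    addr, _, port = endpoint.rpartition(":")
    return addr, port


def classify(netstat_text):
    """Return (listeners, lan_peers, external_peers) from netstat -a output."""
    listeners, lan, external = [], [], []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # column headers, raw sockets, blank lines
        proto, local, foreign = fields[0], fields[3], fields[4]
        state = fields[5] if len(fields) > 5 else ""
        peer_addr, peer_port = split_endpoint(foreign)
        if peer_port == "*":
            # No peer: a listening TCP socket or a bound UDP socket.
            listeners.append((proto, split_endpoint(local)[1]))
        elif state == "ESTABLISHED":
            ip = ipaddress.ip_address(peer_addr)
            # Unwrap ::ffff:a.b.c.d so the private-range check sees the IPv4 peer.
            ip = getattr(ip, "ipv4_mapped", None) or ip
            (lan if ip.is_private else external).append((str(ip), peer_port))
    return listeners, lan, external


if __name__ == "__main__":
    listeners, lan, external = classify(SAMPLE)
    print("listening/bound:", listeners)
    print("LAN peers:      ", lan)
    print("external peers: ", external)
```

Only the external peers list needs a follow-up lookup; the listeners list is what a firewall rule set has to cover.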

GeoIP statistics

As nslookup didn’t provide much information, and traceroute wasn’t too helpful either, I checked with the MaxMind demo to get some insight into the addresses.

And yes, there are plenty of open TCP & UDP ports too, which I do not care about yet here as my firewall blocks them. So, to me it looks like the leaking isn’t overly bad.

After quickly going through the file system, I have to say the inits and contents look solid too.

How about introducing the camera to WiFi?

I got a bit of a bad feeling after bashing Xiaomi’s Air Purifier – it is a great product, if you connect it to your WiFi in a radio shielded room – and without cloud connectivity it still is a great product.

Now for this product, no problems there: as this is a camera, it scans a QR code from the smartphone screen via the app. IMHO this is about the only use case where a QR code is the best solution. Screen blinking or modem sound would have worked too – but this looks much more like 21st century technology.

Conclusion

To me this looks like a surprisingly solid product, but don’t take my word for it: I am not the first to run an article on the Xiaomi web cam: here is another, and a second one from the same author.

Also a handy hint: as this camera is quite lightweight and comes with its own stand and a lengthy USB cable, I am planning to hook them up to the wall with 3M Command velcro strips; those should be strong enough to keep them there and allow periodic removal and tool-free maintenance.

++One correction: I miscalculated the price of the webcam, it is closer to 25 than 20 USD, thanks Tommi!

++ Fun reading on crappy IoT: Cheapo LED lightbulbs the “single worst device I’ve ever bought”