Rock on – what could possibly go wrong with cheapest-possible piece of equipment that is designed to capture both sound and video, is made in China and costs about 25 USD, and comes with real internet connectivity – you know: cloud backends and all.
So, I went off to dig some more blood from my nose. I bought one – no, I bought three Xiaomi Xiaoyi Ants web cameras, and went to see what’s inside and how (in)secure they are.
These little beasts provide 720p picture, night vision, cloud connectivity – they got it all and great picture quality too. (Now please do not expect GoPro Hero 4 black -level; more like Hero 2, with this 25 dollar price point I feel that is way more than adequate.)
Based on few months’ experience I can say they do work nicely – at least when 2.5GHz Wifi isn’t too crowded. As expected iOS, Android apps work – language is to some extent Chinese, and English (partially) is available too, no probs with that. And Xiaomi does upgrade their firmware, couple times during past 3 months or so, great!
Now, this will not be a real analysis as I am not carrying out traffic analysis. Also, I will be using older firmware. As it happens, this piece of hardware has more or less serious open source community to hack together more functionality; so I downgraded to older firmware and added some scripting support to SD-card to get services like ftp,telnet,rtsp running – and voila I am in:
(none) login: root
Welcome to HiLinux.
None of nfsroot found in cmdline.
# uname -a
Linux (none) 3.0.8 #1 Wed Apr 30 16:56:49 CST 2014 armv5tejl GNU/Linux
It is Linux, running on ArmV5, so expecting limited command set. The version is old; as said I downgraded it. Now that I am in, with the extra insight I have, I am ok running it – for now. (In real life this is not ok: as time passes there will be a vulnerable component that I will fail to recognise and update.)
How badly does it leak?
In other words: what are the active data connections it makes?
# netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:38888 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8554 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:554 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:ftp 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:18554 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.126:48620 220.127.116.11:www ESTABLISHED
tcp 0 0 192.168.1.126:43438 18.104.22.168:28622 ESTABLISHED
tcp 0 0 192.168.1.126:554 192.168.1.133:65352 ESTABLISHED
tcp 0 0 :::www :::* LISTEN
tcp 0 0 :::telnet :::* LISTEN
tcp 0 0 ::ffff:192.168.1.126:telnet ::ffff:192.168.1.133:65248 ESTABLISHED
udp 0 0 0.0.0.0:6994 0.0.0.0:*
udp 0 0 0.0.0.0:6996 0.0.0.0:*
udp 0 0 0.0.0.0:37519 0.0.0.0:*
udp 0 0 0.0.0.0:60845 0.0.0.0:*
udp 0 0 0.0.0.0:51397 0.0.0.0:*
udp 0 0 0.0.0.0:1500 0.0.0.0:*
raw 0 0 :::58 :::* 58
Open connections to same subnet are to my computer with telnet there, and 554 for rtsp (my primary reason to get this version in) Then one 22.214.171.124:www, probably for phoning home – (here I would need that wireshark to see the inside of the traffic), and one connection to amazon aws, likely for the app connector.
And yes, there are plenty of open TCP & UDP ports too, which I do not care yet here as my firewall blocks them. So, to me it looks that the leaking isn’t overly bad.
After quickly going through the file system, I have to say the inits and contents look solid too.
How about introducing the camera to WiFi?
I got a bit bad feeling after bashing Xiaomi’s Air Purifier – it is great product, if you connect it to your WiFi in radio shielded room – and without cloud connectivity it still is great product.
Now for this product, no problems there: As this is camera, it scans a QR code from smartphone screen via APP. IMHO this is about the only use case where QR code is best solution. Screen blinking, modem sound would have worked too – but this looks much more like 21st century technology.
Also a handy hint: As this camera is quite light weight and comes with it’s own stand and lengthy USB cable, I am planning to hook them up to wall with 3M command velcro strips, those should strong enough to keep them there and allow periodic removal and tool-free maintenance.
++One correction: I miscalculated the price of the webcam, it is closer to 25 than 20 USD, thanks Tommi!
++ Fun reading on crappy IoT: Cheapo LED lightbulbs the “single worst device I’ve ever bought”