How to Sniff Packet Data from Your Home Security Cameras
05/16/2018
Co-Writer Timothy Erwine
Recently, I tested and wrote about four inexpensive security cameras. Typically, I feel comfortable testing cameras. Of course, I know that adding any connected device to my network comes with risks, but most of the cameras I test come from reputable companies like Amazon, Netgear, Logitech, and Google. Still, that doesn’t guarantee that your cameras aren’t sending data to places they shouldn’t. Let’s not forget the audio data leak Ring battled last year and ongoing issues with Hikvision and even Canon-made security cameras. So with my interest piqued by the cheap cameras, and my more expensive cameras not impervious to risk, I set off to find a definitive answer.
Unfortunately, I’m not tech-savvy enough to find the answer on my own, so I asked Timothy Erwine, a U.S.-based consulting engineer, to help me capture packet data and interpret the results.
To me, the results were not surprising, as most of the cameras use AWS (Amazon Web Services). But it’s important to point out that Amazon has multiple server locations around the world. Just because a company uses AWS doesn’t mean that your data will stay here in the States. Arlo, for example, also sends data to Amazon’s servers in Ireland.
According to Amazon,
AWS data centers are built in clusters in various AWS Regions around the globe. As a customer, you choose the AWS Region(s) in which your customer content is stored, allowing you to deploy AWS services in the location(s) of your choice, in accordance with your specific geographic requirements. For example, if an AWS customer in Australia wants to ensure their data is located only in Australia, they can choose to deploy their AWS services exclusively in the Asia Pacific (Sydney) AWS Region.
Ultimately, where the data resides is up to the camera maker. The camera maker chooses which AWS Region it uses, which explains why YI and iSmart, both AWS customers, send data to data centers abroad while Blink, also an AWS customer, stores data on servers in the U.S.
When shopping for security cameras, it’s also important to point out that a company may use different service providers for different services. WyzeCam, for example, uses AWS for cloud storage but they use ThroughTek for IoT services.
One way to understand where in the world cameras are making connections is to observe the data’s destination IP address. For those who may not know, an IP address is akin to a phone number, but instead of connecting telephones to one another, it connects computers to the Internet.
Each public IP address must be registered with an Internet Registry, sort of like a telephone company for computers. These Internet Registries keep records on which company or data center is publishing services with the public IP address. The Internet Registry in North America is ARIN (The American Registry for Internet Numbers), and the Internet Registry for Asia Pacific is APNIC (Asia Pacific Network Information Centre).
Using information obtained from ARIN and APNIC, with the help of some additional services, geographic location information can be obtained based on a public IP address. To make this process easier, we used infobyip.com.
Of the nine cameras we tested, only three reached out to servers overseas: Arlo (Ireland), YI (China and Singapore), and iSmartAlarm’s SPOT (Singapore). We also found that cameras that perform tasks locally (like Reolink) transmitted only tiny bits of data to outside servers.
The table below is a report on every data connection made by the IP cameras.
| IP address | Country | State | City | Provider |
|---|---|---|---|---|
| 188.8.131.52 | United States | OR | Boardman | Amazon.com Inc. |
| 184.108.40.206 | United States | OR | Boardman | Amazon.com Inc. |
| 220.127.116.11 | United States | OR | Boardman | Amazon.com Inc. |
| 18.104.22.168 | United States | OR | Boardman | Amazon.com Inc. |
| 22.214.171.124 | United States | VA | Ashburn | Amazon.com Inc. |
| 126.96.36.199 | United States | VA | Ashburn | Amazon.com Inc. |
| 188.8.131.52 | United States | VA | Ashburn | Amazon.com Inc. |
| 184.108.40.206 | United States | VA | Ashburn | Amazon.com Inc. |
| 220.127.116.11 | United States | VA | Ashburn | Amazon.com Inc. |
| 18.104.22.168 | United States | VA | Ashburn | Amazon.com Inc. |
| 22.214.171.124 | United States | VA | Ashburn | Amazon.com Inc. |
| 126.96.36.199 | United States | VA | Ashburn | Amazon.com Inc. |
| 188.8.131.52 | United States | | | Google LLC |
| 184.108.40.206 | United States | VA | Ashburn | Amazon.com Inc. |
| 220.127.116.11 | United States | VA | Ashburn | Amazon.com Inc. |
| 18.104.22.168 | United States | VA | Ashburn | Amazon.com Inc. |
| 22.214.171.124 | United States | VA | Ashburn | Amazon.com Inc. |
| 126.96.36.199 | United States | VA | Ashburn | Amazon.com Inc. |
| 188.8.131.52 | United States | VA | Ashburn | Amazon.com Inc. |
| 184.108.40.206 | United States | VA | Ashburn | Amazon.com Inc. |
| 220.127.116.11 | United States | OR | Boardman | Amazon.com Inc. |
| 18.104.22.168 | United States | OR | Boardman | Amazon.com Inc. |
| 22.214.171.124 | United States | OR | Boardman | Amazon.com Inc. |
| 126.96.36.199 | United States | VA | Boydton | Microsoft Corporation |
| 188.8.131.52 | United States | OR | Boardman | Amazon.com Inc. |
| 184.108.40.206 | United States | | | Google LLC |
| 220.127.116.11 | United States | OR | Boardman | Amazon.com Inc. |
| 18.104.22.168 | United States | IL | Chicago | Cogent Communications |
| 22.214.171.124 | United States | CA | Los Angeles | Cogent Communications |
| 126.96.36.199 | United States | CA | San Jose | Amazon.com Inc. |
| 188.8.131.52 | United States | OR | Boardman | Amazon.com Inc. |
| 184.108.40.206 | United States | VA | Ashburn | Amazon.com Inc. |
| 220.127.116.11 | United States | OR | Boardman | Amazon.com Inc. |
How to Run an IP Camera Capture
When I first decided to capture packet data, I downloaded Wireshark to my laptop and ran a capture. Unfortunately, doing it right is not that simple. What I needed to do was create a setup that would capture the data at the point between my cameras and the internet. This became increasingly difficult as several of the cameras I wanted to test were wireless cameras.
Fortunately, Erwine was there to figuratively hold my hand through the process. He created a high-level diagram which became my manuscript for completing the process.
What You Need
There’s more than one way to approach this task, and I assume the process is highly contingent upon the gear you’re using; however, I’ll share with you what worked for me in hopes that you can adjust or even replicate the process.
What you need:
- Security Cameras For Testing
- An Old Router
- A Computer With an Ethernet Port
- A Managed Switch
- A New Internet Router (the one you use day-to-day)
- A Modem
- Ethernet Cables
Step 1: Prepare Equipment
Step 1.1: Download Wireshark
- In order to capture packet data, we decided to use Wireshark, which is a free network protocol analyzer. You can download Wireshark to your laptop here.
- Next, connect your old router to the managed switch. You will connect your old router to port 1 of your switch. I used the Netgear GS908E switch, but any managed switch that allows for port mirroring will do.
- Make sure you choose a numbered port and not the WAN port. On some routers, the WAN port might be labeled “Internet.”
- Connect your new router and Wireshark PC to the managed switch. You will connect your Wireshark PC to port 4.
- Connect your new internet router to the managed switch on port 5. Again, use one of the numbered ports on the new router and NOT the WAN port.
- Connect the first wired camera you want to test to port 2. Ideally, you will only test one camera at a time. If you are only testing wireless cameras, we will get to that in a minute.
Step 1.2: Port Mirroring
- The Port Mirroring process varies from switch to switch. Please check your switch’s instruction manual for the exact process that matches your model. Sometimes this feature is called “port spanning.” Once configured, there will be a ‘source’ port and a ‘destination’ port on the switch.
- The source port for the mirror should be port 5, the one that connects to your new router.
- The destination port for the mirror should be port 4, the one that plugs into your Wireshark PC.
Step 1.3: Configure Wireless on Your Old Router
- Make sure that your old router is transmitting a different wireless network SSID name than your new router.
- Using the SSID on the new router instead of the old router will break the process and no data will be gathered.
- Turn off extra settings on your old router. It’s important to do this step last, as tweaking all of these settings could lock you out of the router.
- Log in to the management portal on your old router and turn DHCP services off for the LAN (the internal network) or choose to disable them. If your router asks about PPPoE, Static IP, PPTP, or L2TP, ignore those options and disable DHCP.
- Make sure that your old router is only plugged into the switch, nothing else. As a final tip, Erwine suggests giving your router a restart for good measure.
Finally, if you choose to connect wireless security cameras for testing, you will connect them to the wireless network transmitted by your old router, not your new one. Again, I recommend connecting them one at a time or unplugging the cameras you aren’t currently testing. If your router allows for it, I also suggest that you pause other connected devices to limit network noise as much as possible.
Step 2: Capture Data
Now it’s time to capture data.
Step 2.1: Make Note of Your Camera’s IP Address
The first step is to make a note of your camera’s IP address. When you have everything set up as described above, your new router will provide an IP address through the switch and your old router. In my case, my Google Wifi router made this process a breeze as it includes app access with device specific information. If your router doesn’t provide this data, you might want to check your camera’s app as some of them will provide the assigned IP address.
Step 2.2: Run the Test
Second, run the test. With Wireshark open, click on the blue shark fin.
A readout should appear showing rows of network data. Networks have traffic all the time, so expect to see information even before using an IP camera.
With the test running, try to trigger your camera as much as possible. I ran a live stream, viewed recorded footage, downloaded recorded footage, changed camera settings, triggered motion events, etc.
At the bottom of Wireshark, you will see Packet and Displayed data. This shows you how much data has been captured during your test. The longer you run the test, the more data you will capture. According to Erwine, if you have the device powered on, the app running, and you are actively engaging the camera, capturing about 5-15 minutes’ worth of data should be sufficient. When you are done capturing data, click on the red stop button located next to the shark fin.
Step 3: Parse and Analyze the Data
While I did Steps 1 and 2 on my own, with Erwine’s guidance, of course, Step 3 was 100% him.
According to Erwine, analyzing captured data is a multi-step process.
Step 3.1: Filter Out Laptop Data
As you already silenced most of the devices running on your network and identified your camera’s IP address, there shouldn’t be much noise left, but Erwine still suggests filtering out all of the traffic except that which flows to and from your home security camera.
- With Wireshark open and displaying the captured data you pulled in Step 2, you will filter by typing a command into the “apply a display filter” bar of Wireshark. The command is ip.addr == 000.000.000.000. Simply replace 000.000.000.000 with your camera’s IP address and press Enter.
- Wireshark will show statistics for all of the data, not just the camera, until we export the camera-only data to a new file.
- In Wireshark, click ‘File’ and then ‘Export Specified Packets.’ Make sure that the radio button for ‘Packet Range’ is set to ‘Displayed.’
- Give the file a new name and click ‘Save.’
- Close Wireshark and re-open it by double-clicking on the file you just saved. Now only information related to your security camera is loaded into Wireshark.
Step 3.2: Convert Data For Analysis
Next up, you will need to convert the Wireshark data into a format that is usable on the infobyip.com website.
- Navigate to the Statistics tab of Wireshark, click IPv4 Statistics, and then click “All Addresses.” Save the file as .csv.
- A CSV file can be opened using your favorite spreadsheet tool such as Microsoft Excel or Google Sheets. Finally, we used infobyip.com’s bulk IP lookup tool. You will copy the IP addresses from the spreadsheet and paste the destination IP addresses here and then select lookup.
Congratulations, you’re finished! You will now have a table of information showing provider and geographical information about each IP. Maybe you’ll find something interesting; maybe you won’t.
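The filtering and address tally from Steps 3.1 and 3.2 can also be scripted. The following is an added example, not part of the original walkthrough: it reads the tab-separated field output of tshark (the command-line tool that ships with Wireshark) and totals packets and bytes per outside server for one camera. The function names, the camera address 192.168.86.25, and the sample rows are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Ranges that never leave the home network (RFC 1918, link-local, multicast,
# limited broadcast). Any other address is treated as an outside server.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "224.0.0.0/4", "255.255.255.255/32")]

def is_local(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)

def summarize(lines, camera_ip):
    """Tally packets/bytes between camera_ip and each outside server.
    `lines`: tshark -r capture.pcapng -T fields -e ip.src -e ip.dst -e frame.len
    """
    peers = defaultdict(lambda: {"sent_pkts": 0, "sent_bytes": 0,
                                 "recv_pkts": 0, "recv_bytes": 0})
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 3 or not parts[0] or not parts[1]:
            continue  # ARP, IPv6 and other non-IPv4 frames have empty ip.* fields
        # Packets carrying a nested IP header (e.g. ICMP errors) list several
        # comma-separated values; the first one is the outer header.
        src, dst = parts[0].split(",")[0], parts[1].split(",")[0]
        size = int(parts[2])
        if src == camera_ip and not is_local(dst):
            peers[dst]["sent_pkts"] += 1
            peers[dst]["sent_bytes"] += size
        elif dst == camera_ip and not is_local(src):
            peers[src]["recv_pkts"] += 1
            peers[src]["recv_bytes"] += size
    return sorted(peers.items(), key=lambda kv: kv[1]["sent_bytes"], reverse=True)

# Constructed sample rows (documentation-range addresses, not real capture data).
CAMERA = "192.168.86.25"
SAMPLE = [
    "192.168.86.25\t198.51.100.10\t1400",  # camera uploads to server A
    "198.51.100.10\t192.168.86.25\t66",    # server A replies
    "192.168.86.25\t198.51.100.10\t1400",
    "192.168.86.25\t203.0.113.7\t120",     # camera contacts server B
    "192.168.86.25\t192.168.86.1\t74",     # camera to home router: ignored
    "\t\t42",                              # ARP frame: no IP fields
    "192.168.86.40\t203.0.113.7\t500",     # laptop traffic: ignored
]
if __name__ == "__main__":
    for ip, counters in summarize(SAMPLE, CAMERA):
        print(ip, counters)  # first column is what goes into the IP lookup
```

Sorting by bytes sent puts the servers that receive the most data from the camera at the top, which is usually where the video is going.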
If you’re concerned about data security, multiple camera brands have been tested by private security firms and fared well including Nest Cam and Canary. If you would rather avoid the cloud altogether, you might want to look into cameras that are not cloud dependent. We keep a list of such devices here.