Um, are you familiar with packet capture products, such as Ethereal for Windows (Open Source, Free)? I'd love to see the packet capture for those IP requests.

Are your DVR's behind the firewall or not connected to the internet? Looking at the site, it looks like the firmware is designed to interact with that site's "Central Management Station," phoning home.

I definately would not like my DVR phoning home to a company the manufactuer's never heard of, nor do I have a central station account with.

NetRange: 210.0.0.0 - 211.255.255.255

OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU

Not sure why it's checking in with these guys...but this is where the packets are going.

I'm certainly not the best expert on this, but DVRStation seems to be a service for status reports on DVRs (possibly sending data to say, "I'm the DVR and I'm working just fine", or could be telling, "I'm the DVR and I've got a bad sector on my drive"), however, I know nothing of this DVRStation.com service (or whether it's legitimate), and you'd be well-advised to have your dealer/integrator look into this and check to see whether this is permissible or not -- and if it can be disabled if you'd prefer.

If you bought this equipment as a self-install, you may want to contact Weldex directly to find out whether this is normal. Here's a link to their "support' page: http://www.weldex.com/index.cgi?p=support

We have installed several Nuvico DVR's (NVDV4-16000), and are getting many more because we feel they are a good value. However, we discovered one of them "phoning home" (but hitting the firewall), and going to the same website (dvrstation.com) as mentioned above. What is disconcerting is that the verbage on the website almost implies they are a repository for the video as well and not just health information.

Because of this "feature" is not listed in any of their literature, I'm also wondering if these units have back doors into them. Anyone know of a good freeware port scanner?

Contact Jack Gin, [email protected] as soon as possible for reliable information.
Geoff, with whom should he speak besides Jack?
Enjoy the day,
Bill

Bill, I don't think Jack would be the best person to respond since he's not manufacturing these DVRs and I don't think makes any DVRs for that matter (fwiw, they make infrared illuminators and cameras for low-light/no-light surveillance). As I noted before, I would go directly to the manufacturer's tech staff about these backdoor communications. Definitely let the forum members know what they say. I'm curious about this DVRstation website, since it does look like it's not solely for hardware "health checks", but also for live video monitoring.

Stick a box on the network, same subnet, behind the firewall. This box can be running Windows 2000 or Windows XP. Download the program "Wireshark," which used to be called "Ethereal." There is a windows port of this program, use that one. Then download a program called "nmap."

Wireshark is the free and open source packet collector and analyzer. That'll let you watch what the thing is doing, and take captures.

nmap is a very useful free and open source program that can do something as simple as port scan, down to interrogating IPs to detect OS version or service version numbers.

I would be interested in seeing any packet captures (sanitized) that these boxes generate.

This DVRStation thing looks like a "feature" looking for a problem. I don't know what the laws of the country of South Korea are, but they have your data if you let them.

Interesting topic... and here is my “2 cents”...

Before we answer “why” are these DVRs dialing home, lets restrict them to do so in the first place. This was a parameter of DVRs few years ago that each major manufacturer wanted to keep track where their DVRs were installed. Their main explanation was that they could track down DVRs that were “missing” or “misplaced”... Of course that was not the main reason... They all wanted to replicate what Microsoft has been and still is doing by forcing people to pay for additional licenses or restrict usage of their license more than once... But you also know that sometime your computer fails and instead of purchasing a new computer, you can have the old one repaired and then you can reinstall your old operating system... and then you have no choice to contact Microsoft again to explain what happened... There may be nothing wrong with this thought process, but it should be fully explained to the public before implemented.

With much needed push with each and every major CCTV manufacturer, most of them removed this “feature”... and few still keep them..

If you recall, even Intel started doing the same few years ago when they purposely opened the transmission of the serial numbers of their processors via Internet, which they claimed does reduce theft of their products in computers or reducing the theft of the computers.. That did not last long, but even now, you have the option to have their processors to “publicize” their existence or not by making such a adjustment in the BIOS...

Nowadays you can install piece of software with any computer that will identify its location (via IP publication through Internet), but that is and should be anyones choice and not an integrated part of the product...

That brings me back to the problem described above... Any manufacturer that forces this “feature” should stop doing so or their sales will reflect their intent.... I myself is totally against it, as it should be a choice for the user and not someone's corporate agenda... This way if corporations want to track their equipment, they can and they should, but does not mean everyone must follow the same trend...

After all, last time I checked, we still live in U.S...

I emailed Mr. Gin the other day after seeing the above suggestion to do so, but have not heard back yet. Gathering from the CCTV website, he is probably a busy guy. If he responds, great, if not, I understand.

I agree totally. We were fortunate to see this device hitting our firewall, but others may not be aware of this happening or that it can happen. I don't recall seeing any notices in their documentation stating this could/would occur, and it raises a lot of questions as you can guess. It seems possible to me that these devices are manufactured in a region with different social expectations where it may be presumed OK for a "call home", but a company sophisticated enough to make such a product and market it in the USA should be aware of the message this action conveys. Therefore I am suspicious of it.

To their credit, Nuvico is working on a patch for this. If this becomes the default (no call-home) or if this patch has to be applied on a per-DVR on-request basis or otherwise has yet to be seen.

When I was configuring one of the units for the first time, I did notice an IP address (if I recall correctly) of 211.som.eth.ing preconfigured where the box is told to get its time sync information. I thought that was curious, but dismissed it knowing this address would go nowhere on our network anyway, and promptly overwrote it to our NTP server address. I'll have to doublecheck another brand new unit to see if that default IP was the IP given earlier in this thread of 211.55.33.221.

To be clear, the box we had hitting our firewall had its default NTP IP address changed from the default, so it was not NTP requests we were seeing, but the box trying to do something else.

----------------------

As for the packet sniffer Wireshark, I didn't know Ethereal had been renamed. Ethereal has served me well in the past. I'll get Nmap too as suggested. Somehow I'll need to force an internal error to initiate a "heath check call home" to capture packets, but that bridge will be crossed when I get to it. This testing will need to be done to verify any patch that gets applied, and of course I want to see what these things are sending out now anyway. Hopefully this will save everyone involved potential grief in the long run.

Like most open source projects when they get popular (GAIM anyone?), the name had to be changed.

It would be very interesting to see what these packets are. Especially if they're not ssl'ed or an ssh connection. I'm hoping we won't learn much about content due to SSH tunnel, or at least an SSL'ed HTTP session.

If its transmitting plaintext... Oh boy.

You mean like Microsoft Outlook? Even passwords are plaintext.
Back on the subject, I'm as curious as anyone to see what these things are sending out. Maybe I'll get lucky and capture evidence of a backdoor.
It may be a while before I actually have a chance to bench test one of these DVR's, but I'll post any updates.....

To get off the subject, my data is rarely sent plaintext, especially passwords. I use services that explicitly support IMAP and POP3 secure mode, so that my passwords, email, and other data is sent through an SSL tunnel.

Well, that, and I don't use Outlook - Windows has enough security holes without adding more.

On the subject... It almost makes me want to buy one of these DVRs and put it on a line just to see what it does when its booted up.

Updates?

Hi,

I've been following this thread since i joined the forum. I was wondering if there are any update available. I've wanted to get a dvr. But if the dvr is going to "call home", I want to know the necessary steps in preventing it from happening.

Thanks