Malicious Activity from Somfy Security Camera

Comments

9 comments

  • Firewalla

    The first two screenshots are likely people trying to access your camera from outside ...  

    The third one is fairly interesting: it says your camera has been streaming out (upload) to the internet. You need to verify whether the streams are valid or not. To do that, you will need to look at netflows like your fourth screenshot, look at the upload section and see what IP the camera is sending stuff to.

    Also, if the camera is to be used for remote access, you may want to think about using firewalla VPN to access it, it adds another layer of protection

  • Benjamin Bellamy

    Thank you for your answer.

    This camera is supposed to be available with the Somfy app from outside without UPnP nor port forwarding so a VPN will not help.

    All ports are closed from the outside so it looks like the camera was infected and is connecting to malicious site on its own…

    Is there a way to "record" all suspicious traffic the same way Wireshark would do with Firewalla Blue?

  • Firewalla

    You can see the traffic of any device for 24 hours: tap on Devices -> find your camera -> tap on Network Flows -> you can tap on the graph at the top to move around the hours.

  • Benjamin Bellamy

    Thank you for your answer.

    I had already found that; I was wondering if there is a way to get the complete frames (or at least a few of them) as Wireshark provides. A feature that would allow adding a "Sniffer Rule" on one device and then downloading the IP frames from Firewalla, for instance… (That would be awesome!)

  • Benjamin Bellamy

    This is exactly what I was doing! ;-)

    Thanks!


    With Ubuntu 18.04, running tshark as the pi user:

    $ unalias apt-get                  # drop the apt-get alias on the box so the real binary runs
    $ sudo apt-get update
    $ sudo apt-get install tshark
    $ sudo chmod +x /usr/bin/dumpcap   # dumpcap does the actual capturing; let the pi user execute it

    And then:

    $ tshark -i eth0 -f "host 192.168.58.21"

  • Benjamin Bellamy

    In order to have tshark run all the time, to keep 5 files of 1MB each, I run on Firewalla:

    $ nohup tshark -i eth0 -f "ether host xx:xx:xx:xx:xx:xx" -b filesize:1024 -b files:5 -w /home/pi/myfilename &

    Then I fetch the files with SFTP from my computer and open them in Wireshark.

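The follow-up Firewalla suggested earlier in the thread (look at the upload flows and see which IPs the camera is sending to) can be done directly on the rotated capture files, once they are fetched over SFTP. The script below is an added example and is not from this thread, from Firewalla or from Somfy: it reads a classic libpcap file, sums the IP bytes the camera's MAC sends per destination and port, and flags destinations outside RFC 1918, loopback, link-local and multicast ranges. The camera MAC, the IPs and the in-memory sample capture are constructed placeholders. One caveat for real captures: tshark -w writes pcapng by default, so add -F pcap to the tshark command (or save the file as pcap from Wireshark) before feeding it to this parser.

```python
import ipaddress
import struct
from collections import defaultdict

# Constructed placeholders for the example; not a real Somfy MAC or real hosts.
CAMERA_MAC = "aa:bb:cc:dd:ee:01"
CAMERA_IP = "192.168.58.21"
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4")]    # loopback, link-local, multicast


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, sport, dport, payload_len):
    """Build an Ethernet/IPv4 frame carrying TCP (proto 6) or UDP (proto 17) with a zero payload."""
    payload = b"\x00" * payload_len
    if proto == 6:   # TCP: data offset 5 words, PSH|ACK, checksum left zero (not validated here)
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 0xFFFF, 0, 0)
    else:            # UDP: length field covers header plus payload
        l4 = struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)
    total_len = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, proto, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return _mac(dst_mac) + _mac(src_mac) + b"\x08\x00" + ip + l4 + payload


def build_pcap(frames):
    """Wrap frames in a little-endian libpcap file (magic 0xa1b2c3d4, linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


def iter_pcap(data):
    """Yield raw frames from a classic libpcap file (either byte order of the magic)."""
    magic, = struct.unpack("<I", data[:4])
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def summarize_uploads(pcap_bytes, camera_mac):
    """IP bytes sent by camera_mac, keyed by (dst_ip, ip_proto, dst_port); non-IPv4 frames skipped."""
    cam = _mac(camera_mac)
    totals = defaultdict(int)
    for fr in iter_pcap(pcap_bytes):
        if len(fr) < 34 or fr[6:12] != cam or fr[12:14] != b"\x08\x00":
            continue                                   # not sent by the camera, or not IPv4
        ihl = (fr[14] & 0x0F) * 4
        total_len = struct.unpack("!H", fr[16:18])[0]
        proto = fr[23]
        dst_ip = str(ipaddress.IPv4Address(fr[30:34]))
        l4 = fr[14 + ihl:]
        dport = struct.unpack("!H", l4[2:4])[0] if proto in (6, 17) and len(l4) >= 4 else None
        totals[(dst_ip, proto, dport)] += total_len
    return dict(totals)


def flag_external(summary):
    """Keep only destinations outside the local ranges: these are the uploads worth explaining."""
    return {k: v for k, v in summary.items()
            if not any(ipaddress.ip_address(k[0]) in net for net in LOCAL_NETS)}


# Constructed sample capture: DNS to the router, a large TLS upload, a UDP stream to an
# outside host, and one inbound frame from a phone on the LAN that must not count as upload.
SAMPLE_PCAP = build_pcap([
    build_frame(CAMERA_MAC, "aa:bb:cc:dd:ee:ff", CAMERA_IP, "192.168.58.1", 17, 40001, 53, 40),
    build_frame(CAMERA_MAC, "aa:bb:cc:dd:ee:ff", CAMERA_IP, "203.0.113.10", 6, 50000, 443, 1400),
    build_frame(CAMERA_MAC, "aa:bb:cc:dd:ee:ff", CAMERA_IP, "203.0.113.10", 6, 50000, 443, 1400),
    build_frame(CAMERA_MAC, "aa:bb:cc:dd:ee:ff", CAMERA_IP, "203.0.113.10", 6, 50000, 443, 1400),
    build_frame(CAMERA_MAC, "aa:bb:cc:dd:ee:ff", CAMERA_IP, "198.51.100.7", 17, 40002, 3478, 100),
    build_frame("aa:bb:cc:dd:ee:02", CAMERA_MAC, "192.168.58.50", CAMERA_IP, 6, 51000, 80, 200),
])


def main(path=None):
    """Report per-destination upload bytes; pass the path of a tshark -F pcap -w file for a real capture."""
    if path:
        with open(path, "rb") as fh:
            data = fh.read()
    else:
        data = SAMPLE_PCAP
    summary = summarize_uploads(data, CAMERA_MAC)
    external = flag_external(summary)
    for (ip, proto, port), nbytes in sorted(summary.items(), key=lambda kv: -kv[1]):
        tag = "EXTERNAL" if (ip, proto, port) in external else "local"
        print(f"{tag:8} {ip}:{port} proto={proto} bytes={nbytes}")


if __name__ == "__main__":
    main()
```

Anything listed as EXTERNAL is what has to be explained: with no port forwarding and no UPnP, outbound sessions to a cloud relay are how the Somfy app reaches the camera, so a steady TLS stream to a vendor-owned address is expected, while a large upload to an address that a WHOIS lookup does not tie to the vendor is the case worth escalating. Counting IP bytes rather than frame bytes keeps the numbers comparable to the upload figures shown in the Firewalla flows.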
  • networker5

    Would be great if there were a built-in feature to capture tshark / pcapng data from the UI and send to a file system on the desktop to further analyze.  Honestly, without the data, it's very hard to know what is happening from the firewalla app. So the feature would be on various objects (e.g. device, group, domain, etc.) to send future data to the wireshark log file. It is cumbersome to use the command line and would be powerful to enable log relay from the app.  

  • Firewalla

    Have you tried the web interface?  https://help.firewalla.com/hc/en-us/articles/360052779253-The-Firewalla-Web-Interface

    This one is fit for looking at larger sets of data.

