After some further examination, this device is indeed sending some data out to a "cloud".
It looks like a UDP tunnel is created, and HTTP calls are carried inside it.
While it is not sending the video stream out as is, it clearly has the capability to do so.
Short traffic dump (the remote side is always UDP port 32100, on AWS hosts in us-west-1 and eu-west-2 plus 120.77.151.67):
.566746 ethertype IPv4, IP ec2-13-52-88-103.us-west-1.compute.amazonaws.com.32100 > 192.168.0.1.28607: UDP, length 12
.566746 IP ec2-13-52-88-103.us-west-1.compute.amazonaws.com.32100 > 192.168.0.1.28607: UDP, length 12
.568836 IP ec2-13-52-88-103.us-west-1.compute.amazonaws.com.32100 > cam.iot.thevoid.28607: UDP, length 12
.569849 IP ec2-13-52-88-103.us-west-1.compute.amazonaws.com.32100 > cam.iot.thevoid.28607: UDP, length 12
.405371 ethertype IPv4, IP cam.iot.thevoid.28607 > 120.77.151.67.32100: UDP, length 48
.405371 IP cam.iot.thevoid.28607 > 120.77.151.67.32100: UDP, length 48
.405371 IP cam.iot.thevoid.28607 > 120.77.151.67.32100: UDP, length 48
.408891 IP 192.168.0.1.28607 > 120.77.151.67.32100: UDP, length 48
.410559 ethertype IPv4, IP cam.iot.thevoid.28607 > ec2-13-52-88-103.us-west-1.compute.amazonaws.com.32100: UDP, length 48
.410559 IP cam.iot.thevoid.28607 > ec2-13-52-88-103.us-west-1.compute.amazonaws.com.32100: UDP, length 48
.410567 ethertype IPv4, IP cam.iot.thevoid.28607 > ec2-18-132-184-248.eu-west-2.compute.amazonaws.com.32100: UDP, length 48
.410567 IP cam.iot.thevoid.28607 > ec2-18-132-184-248.eu-west-2.compute.amazonaws.com.32100: UDP, length 48
.410559 IP cam.iot.thevoid.28607 > ec2-13-52-88-103.us-west-1.compute.amazonaws.com.32100: UDP, length 48
.416339 IP 192.168.0.1.28607 > ec2-13-52-88-103.us-west-1.compute.amazonaws.com.32100: UDP, length 48
.410567 IP cam.iot.thevoid.28607 > ec2-18-132-184-248.eu-west-2.compute.amazonaws.com.32100: UDP, length 48
.418974 IP 192.168.0.1.28607 > ec2-18-132-184-248.eu-west-2.compute.amazonaws.com.32100: UDP, length 48
.462972 ethertype IPv4, IP ec2-18-132-184-248.eu-west-2.compute.amazonaws.com.32100 > 192.168.0.1.28607: UDP, length 12
.462972 IP ec2-18-132-184-248.eu-west-2.compute.amazonaws.com.32100 > 192.168.0.1.28607: UDP, length 12
.465071 IP ec2-18-132-184-248.eu-west-2.compute.amazonaws.com.32100 > cam.iot.thevoid.28607: UDP, length 12
.466088 IP ec2-18-132-184-248.eu-west-2.compute.amazonaws.com.32100 > cam.iot.thevoid.28607: UDP, length 12
.596576 ethertype IPv4, IP ec2-13-52-88-103.us-west-1.compute.amazonaws.com.32100 > 192.168.0.1.28607: UDP, length 12
.596576 IP ec2-13-52-88-103.us-west-1.compute.amazonaws.com.32100 > 192.168.0.1.28607: UDP, length 12
.598665 IP ec2-13-52-88-103.us-west-1.compute.amazonaws.com.32100 > cam.iot.thevoid.28607: UDP, length 12
.599681 IP ec2-13-52-88-103.us-west-1.compute.amazonaws.com.32100 > cam.iot.thevoid.28607: UDP, length 12
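To pull the cloud endpoints out of a dump like this, here is an added example (not code from the original post) that parses tcpdump's one-line UDP summaries, folds the lines that appear twice (once with the "ethertype IPv4," prefix and once without), and tallies per-endpoint packets and bytes in each direction. It also recovers the public address embedded in EC2 reverse-DNS names (ec2-13-52-88-103.… is 13.52.88.103). It assumes the timestamp format of the dump above and that ".thevoid" is the local DNS zone of the capturing network; the sample lines are a constructed subset of the dump.

```python
"""Tally the UDP flows in a tcpdump summary like the one above.

Added example, not part of the original post. It assumes tcpdump's one-line
UDP summary format ("src.port > dst.port: UDP, length N") with the timestamp
truncated to its fractional part, as in the dump on this page.
"""
import re
from ipaddress import ip_address

# Constructed sample in the shape of the dump above (a subset of its lines).
# The dump shows each packet twice, once with an "ethertype IPv4," prefix and
# once without; parse_dump() folds those into one record.
SAMPLE = """\
.566746 ethertype IPv4, IP ec2-13-52-88-103.us-west-1.compute.amazonaws.com.32100 > 192.168.0.1.28607: UDP, length 12
.566746 IP ec2-13-52-88-103.us-west-1.compute.amazonaws.com.32100 > 192.168.0.1.28607: UDP, length 12
.405371 IP cam.iot.thevoid.28607 > 120.77.151.67.32100: UDP, length 48
.410559 IP cam.iot.thevoid.28607 > ec2-13-52-88-103.us-west-1.compute.amazonaws.com.32100: UDP, length 48
.410567 IP cam.iot.thevoid.28607 > ec2-18-132-184-248.eu-west-2.compute.amazonaws.com.32100: UDP, length 48
.462972 IP ec2-18-132-184-248.eu-west-2.compute.amazonaws.com.32100 > cam.iot.thevoid.28607: UDP, length 12
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?:ethertype IPv4, )?IP "
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"UDP, length (?P<length>\d+)$"
)

# Assumption: ".thevoid" is the local DNS zone of the capturing network; any
# name under it, and any private (RFC 1918) address, is treated as LAN side.
LAN_SUFFIXES = (".thevoid",)

# EC2 public reverse-DNS names embed the address: ec2-a-b-c-d.<region>.compute.amazonaws.com
EC2_RE = re.compile(r"^ec2-(\d+)-(\d+)-(\d+)-(\d+)\..*\.compute\.amazonaws\.com$")


def ec2_name_to_ip(host):
    """Return the dotted-quad hidden in an EC2 reverse-DNS name, or None."""
    m = EC2_RE.match(host)
    return ".".join(m.groups()) if m else None


def is_lan(host):
    """LAN side = private IP literal or a name in the local zone."""
    try:
        return ip_address(host).is_private
    except ValueError:
        return host.endswith(LAN_SUFFIXES)


def parse_dump(text):
    """Return one record per packet, dropping the duplicated link-layer lines."""
    seen, packets = set(), []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a UDP summary line (ARP, DNS answers, etc.)
        rec = {
            "ts": m["ts"], "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]), "length": int(m["length"]),
        }
        key = tuple(rec.values())  # same packet printed twice -> same key
        if key in seen:
            continue
        seen.add(key)
        packets.append(rec)
    return packets


def summarize(packets):
    """Per external endpoint (host, port): packets/bytes the LAN sent and received."""
    flows = {}
    for p in packets:
        if is_lan(p["src"]) and not is_lan(p["dst"]):
            ep, direction = (p["dst"], p["dport"]), "out"
        elif is_lan(p["dst"]) and not is_lan(p["src"]):
            ep, direction = (p["src"], p["sport"]), "in"
        else:
            continue  # LAN-to-LAN or external-to-external: not what we are after
        f = flows.setdefault(ep, {"ip": ec2_name_to_ip(ep[0]) or ep[0],
                                  "out_pkts": 0, "out_bytes": 0,
                                  "in_pkts": 0, "in_bytes": 0})
        f[direction + "_pkts"] += 1
        f[direction + "_bytes"] += p["length"]
    return flows


if __name__ == "__main__":
    for (host, port), f in sorted(summarize(parse_dump(SAMPLE)).items()):
        print(f"{f['ip']:>16} udp/{port}: {f['out_pkts']} out ({f['out_bytes']} B), "
              f"{f['in_pkts']} in ({f['in_bytes']} B)  [{host}]")
```

Feed it the full dump (`parse_dump(open("dump.txt").read())`) and the output is the list of cloud hosts the camera talks to, which is what you need for a firewall rule or for checking whether a later capture contains large outbound packets rather than the 48-byte probes seen here.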
The app does indeed connect peer-to-peer and runs this sequence:
- Am I a valid user?
- Are you alive camera?
- Give me stream.
I also ran into this research: https://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html#cloud - while it is not a full match (about four years have passed since it was published), what I'm seeing is very similar.