I have noticed some of my cameras routing traffic to something called Omegle… The only hit I got was Omegle.com which states on its homepage: “Predators have been known to use Omegle, so please be careful!”. These are cameras that often capture my kids playing in what should be the safety of their own garden and bedroom. Has anyone else seen this or know why the hell Wyze would be using this service? I need an explanation pretty swiftly before I consult the authorities as I am terrified it is in fact what it appears to be.
Are you certain it’s a cam reaching out to Omegle, and not some other device?
How are you capturing the data packets? Wireshark?
I see nothing there to indicate the camera is the source? Is your camera also communicating with Netflix?
They are all packets to and from the camera mac address only.
I don’t follow unless you are saying everything on that screen is from the camera?
Everything on that list is to and from the camera only.
Hey @travega, I hope you’re wrong, and I certainly get why you’re startled and concerned, I would be, too.
I’m intrigued by your high fidelity home network capacity for deep packet inspection and hope the wider forum can learn something about addressing this kind of situation.
I’m confident the phone UI app is not reporting correctly.
Wyze would certainly not communicate to YouTube and Netflix. That looks like a data stream at the modem endpoint.
Just to be clear, DPI has been around a long time, mostly found on enterprise equipment, via a dedicated UI, but it can be found in software packages.
Ah, that does not seem right at all. Either your software is not reporting what you think it is or something else is wrong but Wyze cameras don’t talk to Netflix or YouTube as far as I know.
Read the documentation for that particular phone app, which seems to provide an interface to the modem / router.
There is one extreme and remote possibility - someone has maliciously accessed a cam and is routing traffic to many different servers.
The other possibility is that the packets are being “mislabeled” as belonging to XXX device (because of the Netflix and YouTube packets).
HOWEVER … I would still be concerned about those packets if they were being routed around my network. Might check any Windows machines that are on the network … or kids’ game consoles.
I would use a network tap before the router, connected to a known good packet analyzer. It amazes me how many people run an app on their phone or desktop or whatever and think that actually works.
I use Omnipeek a lot, but tcpdump works well as does Fiddler. Wireshark is okay but it’s dated.
To be honest though most of the packages you can pull down to run on your phone are useless. Hire someone or sweet talk your network admin from the office into swinging by.
I am primarily a programmer but in the 90’s and early 2000’s I worked as a network analyst. Enough to know that when I really want to know what’s going on I hire a reputable tech.
Thanks, guys. Quite helpful.
How urgent would you say this situation is?
- Time enough for non-expert self-help
- Seek expert outside assistance immediately.
I know this is ultimately a judgment call only @travega can make - and for which he must accept responsibility - but I thought I’d ask, anyway.
(I expect a Moderator, Staff, or Expensive Suit to swoop in and rescue you guys from that question momentarily.)
Swoop. None of those but I do think that this could bear some higher attention. @moderators?
I have an enterprise grade Ubiquiti network setup. The deep packet inspection is the same as most corporate office environments. The screen grab is from the official Ubiquiti client. @moderators please respond
I have the cams isolated on a separated vnet that no other devices connect to. So MITM, hijacked OTA update?? I live in a suburb with no technical neighbours in range of my WiFi. I have strong passwords (but we know there are plenty of ways around that). Very unlikely it’s a WiFi breach. I have alerts set for any new devices registered on any of my vnets and nothing has ever been triggered. It can’t be an opportunistic attack as WyzeCams are still pretty rare and it would be so specific.
Could this be related to the huge breach late last year?