Beware the dodgy webcams

Okay, so before I start, I kind of already knew that these were dodgy - I can't claim that I was expecting anything different, after all, that is the reason why I don't have a RING doorbell, or anything Amazon / Google voice / Alexa / Home orientated in the house.  Not that I have anything to hide, I just don't like the idea of providing these corporations with vast quantities of "free" data that they then make Trillions of $$$'s with and then charge us more money for goods / products - it's a baffling system this capitalist society concept, the sooner it implodes the better.  However, this is more about "dodgy webcams".

My problem statement is explained in the image below:

Basically, I need to fit 2 webcams to the rear of my motorhome so that I can reverse out of my driveway and not smash into oncoming traffic / pedestrians or cyclists!

I purchased a couple of cheap webcams that appeared to be capable for the task in hand - they were USB powered, they connected to a WiFi router or direct to my Android phone.  I was thinking that if they can connect to the WiFi router that I could then connect two of them and then show the two cameras side-by-side left-and-right on one screen and that would help me with the reversing.

I confess these cameras were about £13 each, so I was not expecting much.  They arrived and I was pleasantly surprised, they were well packaged / boxed and they seemed quite sturdy - I could even attach magnets to the back of them so I can put them on/off the motorhome - as I only need the cameras really for reversing and not for full time usage.

The cameras initially allow you to connect to their local Access Point (AP) - but you have to download the specific app from the Play Store (this is when I started to get a little suspicious), all seemed okay, I ran the app, I connected to the AP WiFi, I picked up the camera, all was good - I started to get a stream of the camera feed.  Brilliant.

(As you read on, you'll find out that this diagram is not technically correct!  However, it is what I and probably most other people "ass-u-me" is going on)

I then set about changing the config of the app, so that it connected to my home WiFi router, that way I can connect both cameras up at the same time.

(Again, this diagram is how I "ass-u-me'd" the connectivity was working)

I then connected up the second camera, exactly the same and was pretty chuffed with myself that I might be onto a cheap winner here.  And, that is where I got the smack in the face with a wet-fish.


I thought I could somehow get the app to show both cameras at once on the same screen - I could not.  The best I could do is get a list of the cameras and then click on one to then get a "live" stream of that camera - this will be a right royal pain in the backside if I wanted to use this in the motorhome.

Hmmmm..... this then got me to thinking.  I wonder if I could code this myself, make my own screen that shows me the two camera streams side by side.

Never one to lose my skills, I dug out my old hacking tools... cough cough cough.... a short while later, I remembered that lot was on a different laptop that was long dead.  However, the concepts were still the same.  Get the app.apk file.  Use the apktool app to decompile it to a first stage extraction - ah, I wasn't going to bother with that, there must be someplace online that does this now (and takes a nice copy of your app source-code for their own needs, no doubt) and looksie-here, there is one:

After digging around the source-code, looking at what libraries were being used and having a few head-scratching moments I started to ponder something.... this code doesn't access the camera to get the video stream.  How the hell is it working then?

So just like Alice I went off down the rabbit hole..... and my, what a hole it was:


I thought I would double-check myself and perform a network scan to pick up the network IPs of the cameras, yep, there they were 192.168.0.80 / 81.  All I need to do now is to figure out what port they are using and the connection credentials and I'd be sorted.

An interesting port scan of the IPs revealed that they were not listening on any ports...

...and an install of ContaCam to connect to IP cameras proved ineffective (yes, I tried EVERY protocol / port and set of credentials, including the factory default of pwd: 6666)

Still no dice.  "'Curiouser and curiouser', said Alice"....

I then decided to install a Network Connections app onto my Android phone.  Wonderful little app.  It basically shows you what apps are connecting out onto the network, what IP addresses they are using and what ports:


This will get me the data I need - I'm now looking for when the app accesses the 192.168.0.80 IP address and then what port it is using...  Well, bugger me, that was not what I was expecting!

Okay, so the app did not show ANY connectivity directly to the cameras on IP addresses 192.168.0.80 or .81.... it DID however show that 3 different IP addresses were accessed on different ports.
The first one pings off to Microsoft - probably a nice red-herring, or it might not be - it could be doing something interesting but still, that's not the "interesting part".

This is where it gets interesting.  The app calls out to AWS (Amazon) in Frankfurt, Germany, so there is probably a Cloud based app hosted within AWS in Germany where the app connects to.
Now, the connection back to China is possibly just a health-check / ping-home call, as like the Microsoft one, it's on port 80.  Interestingly, the US IP address returns a 404 error, the AWS one does the same, the China one however returns the following:
So, it is doing something / expecting some content to be passed to it.

My best guess at what is actually going on is the following.

The camera connects to the WiFi router, that allows it to connect to the internet.  It uses this to then upload the camera data to an AWS hosted app that stores the data.  Possibly, it might connect to the Chinese servers, but I suspect, as I say, that is just a "call home" connection to let the developers/product owners know of the usage of the software/hardware.  The app running on the phone connects to the WiFi, then connects to the AWS hosted app.  Now, when you set up the cameras it gets the MAC address and deviceID, this can be used as a correlation key to bind the two sides together.  A lookup is performed to then get you the video image data and that is then streamed down to the phone for you to view it.
There are quite a few indicators that this is the behaviour, such as the ability to "record" the camera, but you cannot do it directly from the app/phone, the way it works is indicative of the software pulling the data as a stream from a server.
End result = I cannot have two camera feeds shown on a single screen - because that's not how it works and I could probably not get it to work, even if I coded it myself and hacked it together myself. sigh.

So, sitting back for a moment, this does actually show quite clearly that as an "average Joe" end-user who would have assumed that their phone was connecting directly to the camera (as the performance is pretty good!), you wouldn't think twice about this.  However, (I've used that word a lot today!), these cameras are marketed as child monitors... yes....really:


Now, that's a bit creepy....  well, in today's online society, we shouldn't expect anything different and people should expect that this is how things are.  But, still...

You may ask the question, "but, what about if the camera is just in local AP mode?".  Good question.  So I tested that too.  Same behaviour! Except it uses your mobile phone's network connection (4G or WiFi) to do the same thing as the home router.  If you turn the phone into "Airplane mode" you see the camera stops working.

You may also ask, "why?".  Again, another great question.  "I don't really know, but I can make some guesses".  One logical guess would be DATA.  As we know Machine Learning (ML) algorithms are taking over the world, everything has to have "AI" in it somewhere, this means you need TRAINING DATA and a LOT of it.  Where do you get this from?  Well... I think you know the answer now.


Now, if I cared about exactly what specific data was actually being transmitted to each of the IP addresses and really wanted to prove myself correct, I could install and set up Wireshark and do packet-sniffing to get to that low-level data, it would be simple enough, however, I'm content with the analysis that I've done and don't feel the need to dig any deeper - I'm "probably" right with my assumptions.
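
The check described above (does the viewing phone ever reach 192.168.0.80 / .81 directly, or do the phone and both cameras all talk to the same outside host?) can be run over flow records exported from the home router, as in this added example, which is not code from the original post. The phone address, the external hosts (documentation-range placeholders) and the ports are constructed sample values.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records: (source IP, destination IP, destination port).
# 192.168.0.80/.81 are the camera addresses from the post. The phone address and
# the external hosts (RFC 5737 documentation ranges) and ports are placeholders.
LAN = ipaddress.ip_network("192.168.0.0/24")
CAMERAS = {"192.168.0.80", "192.168.0.81"}
PHONE = "192.168.0.23"
FLOWS = [
    (PHONE, "203.0.113.10", 80),
    (PHONE, "198.51.100.7", 443),
    (PHONE, "192.0.2.44", 80),
    (PHONE, "192.168.0.1", 53),
    ("192.168.0.80", "198.51.100.7", 443),
    ("192.168.0.81", "198.51.100.7", 443),
]

def analyse(flows, phone=PHONE, cameras=CAMERAS, lan=LAN):
    """Decide whether the viewer talks to the cameras directly or via a relay."""
    direct = []                    # phone -> camera flows on the LAN
    phone_ext = set()              # off-LAN hosts the phone contacts
    cam_ext = defaultdict(set)     # off-LAN hosts each camera contacts
    for src, dst, port in flows:
        off_lan = ipaddress.ip_address(dst) not in lan
        if src == phone and dst in cameras:
            direct.append((dst, port))
        elif src == phone and off_lan:
            phone_ext.add(dst)
        elif src in cameras and off_lan:
            cam_ext[src].add(dst)
    # A relay candidate is an external host that the phone AND every camera use.
    relays = {h for h in phone_ext if all(h in cam_ext[c] for c in cameras)}
    if direct:
        verdict = "direct"
    elif relays:
        verdict = "cloud-relay"
    else:
        verdict = "undetermined"
    return {"verdict": verdict, "direct": direct, "relays": relays,
            "camera_egress": {c: sorted(cam_ext[c]) for c in sorted(cameras)}}

if __name__ == "__main__":
    print(analyse(FLOWS))
```

The `camera_egress` list is also the input for a router rule that blocks the cameras from leaving the LAN, which shows whether they can work at all without the outside service.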


CONCLUSION:

It looks like I'll have to look at drilling holes into my motorhome and fit this "proper" kit that I purchased a few months ago, but was cautious about fitting due to having to drill holes and wire it up to the 12v system of the motorhome.  I reckon that I'm ready to do this now and will post an update showing it all working over the weekend!

And yes, I've tested this setup locally and the cameras only transmit to the head unit that shows the cameras (can show up to 4!), doesn't go anywhere near the internet.  :-D


Yes, this kit was around the £200 region, so a far stretch from the 2x£13 (£26) I paid for the cheap cameras.  Will I "bin" the cheapo ones?  maybe, maybe not.  I might just rig them up in the garden to view the solar panel batteries and/or the sky so I can cross reference the logged solar / battery data with visual imagery.  For instance, it has been raining / overcast all day today, but I've still been getting 14.4v and 1amp from the solar panels and my batteries are at 13.1volts - but the weather is crappy.  Who would have guessed? 


