Thank you for your patience. Loki steered me back here. I’m going to send you a message so we can work on getting an escalated ticket going. The Twitter DMs go to our support center but I understand wanting to move to a different platform.
Be forewarned … you may be asked to run software / phone app / capture logs, to capture network packets that may further invade network data …
Just because I am curious when I don’t understand something. Why would you phrase what you just said as if it was a bad thing? By its very nature investigation of a potential breach has to be fairly invasive. The OP has repeatedly stated that they are network and tech savvy so presumably they would be well aware what will be involved. And of course as the potentially “breached” party one would think they would be motivated to determine by who and how etc.
But your statement makes it seem to me as if you think there is something wrong with Wyze’s approach? If you have reason to make such a statement which seems so unnecessary please do share? Is there something we should all be made aware of? Do we need to be concerned about Wyze’s motivations or methods?
Network security guy here…quick question…how are you getting those domain names?
At this point, most traffic is encrypted (HTTPS) and therefore the requested/returned site/IP cannot be read in-transit, even by your gateway, unless said gateway is configured for forward proxy…
Gee, one wonders…
Haha, yeah, suppose I answered my own question, huh?
I think so
I’m going to blame that one on self-isolation brain.
All my pre-isolation comments, well, I guess interpret them as you may. LOL
Going to run some Wireshark captures myself to see what my cam’s doing…
That’s always a productive use of time! It’s fun and educational as well! My favorite Whisky Tango Foxtrot domain of late has been traffic supposedly going to “thekingisback.us”. This was coming from a Nest hub. Is Elvis in the building?
router /client tool.
rwong
Not directed to you in any way - was responding to OP.
Okay cool! If you’re willing, I’d love to learn - can you offer more about the nature of your inspection?
Glad to hear that Wyze is on the issue !
Yeah, these items would cause me to lose sleep:
So not just one rogue defective object.
A few kb of random traffic here and there, meh.
But gigs of data streaming out to unknown sources, and Amazon, hmmm! I’m guessing it was headed to Amazon Web Services, but to whose account, and was that possibly compromised? The Wyze Complete Motion Capture free trial didn’t get somehow turned on by any chance? No backing up the cam SD cards to the cloud somehow??
Anyhow, the only sites that my Wyze cams talked to in the past month of April were these two, or at least so says the router:
wyze-general-api.wyzecam.com
dcl-api.wyzecam.com
So I’m with everyone else - quite interested to see how this turns out and what lessons we might take from your experience. Hopefully it will just be a simple glitch someplace!
I assume you meant wrong. If so please elaborate? How is it wrong? Demonstrate please? In general it is an accepted rule of public discourse that when you accuse someone of being wrong you provide verifiable evidence of such.
I am always willing to learn, especially when someone says something so interesting that directly contradicts established cyber security wisdom and thought?
I understand the heightened concern; I’d be furious if I discovered the results being discussed.
My intent - however poorly articulated - was to get info that would allow me to recreate a similar testing environment to see if I could replicate the results.
With that said:
- I can appreciate that you’re so concerned that you may not be interested in general discourse, and,
- Wireshark tracing (at least on my network) does not illustrate any untoward connections.
Of course, perhaps I’m simply missing something, hence my interest in your DPI and tooling.
In any case, best wishes. I do hope you follow up here with the results of the support being provided by Wyze.
Hear hear.
You seem like a really nice guy, mail man.
Okay …
Couple of follow-ups
a) re-reviewed OP’s screenshot
b) ran a scan on my local network (2 V2, 1 Pan) for 12 hours
For (b), you have to ensure 12 second cloud recording is enabled, so you can see all [potential] comms.
Executive Summary:
All traffic, for (b), is “valid” … for my Wyze cams - “valid” meaning, “nothing suspicious”.
I will continue to scan at various hours of the day to confirm. For example, I’ll check for a VPN.
For (a), I am still comfortable with my opinion that the OP’s screenshot is of a modem stream.
Overview
Why?
1) The title: “Deep Packet Inspection” with no qualifier. What do I mean by qualifier?
I would hope to read “which device” I’m viewing DPI for … for example
“Deep Packet Inspection - WyzeCam3”
2) The individual packet entries make no sense in relation to a “single cam”.
They DO make sense in relation to a “home network” (for many devices connected) … let’s go down the line:
- QQ/TM - this is related to the “QQ” IM app, from Tencent. A popular IM with younger folks, mostly in China. < Tencent QQ - Wikipedia >
- Netflix - we all know what that is
- Youtube - again, we all know what that is
- Web File Transfer - yea, we know what that is, and it’s only 264 bytes [yawn]
- 24im - from the days of old: “Enterprise-grade Instant Messaging & Collaboration”
< 24im - CNET Download > (24im originated from the EIM application, Inbit Messenger, developed by Inbit, and is a service providing free group based instant messaging based on that platform.)
- Apple iMessage - we also know what that is
- Caihong - further research required - thanks to @sodcam for research: Caihong is a Chinese VoIP and instant messaging app, allowing video, voice chat and file transfer.
- HTTP - 264 bytes … [ yawn ]
- Omegle - yea, we all know now what that is - 264 bytes again. Anonymous chat system
- Facebook - again, everyone knows that that is
- 2 references to “unknown” - that means Ubiquiti can’t resolve the IP address
So, my guess is
a) it is one device stream and it’s been maliciously attacked
b) this is a modem stream and we’re looking at all traffic from many different devices.
I will say it’s odd the references to QQ and 24im, but maybe QQ and/or Omegle use 24im infrastructure. - who knows … on my network, I see no egregious network activity [yet]. Of course, maybe no one is interested in looking at our horses : )
Very interesting - thanks for the informative post!
A possible explanation of Caihong:
https://threatpoint.checkpoint.com/ThreatPortal/threat?threatType=application&threatId=60343289
Thanks… I would say with confidence that’s it, based on the other entries … I simply didn’t want to spend too much time on this for the moment : )
DNS
Even my own Asus router with AIProtect enabled can log DNS queries. You can’t see full URLs but you can see every domain query/visit…