WyzeCam Outdoor Base originating malicious connections (blocked)

My Synology router has been reporting that it blocked outgoing connections to several IP addresses which do not have names, do not have legitimate country codes (ZZ is a “stub,” whatever that means), do not have contact info, do not have full whois records, and are allocated to APNIC. The router says these connections are “malicious,” based on Google Safe Browsing and its Threat Intelligence database. All this suggests the connections are going to the “dark web.”

Using Wireshark and IP Scanner, I have traced these connections back to the originating device by its MAC address: it is a WyzeCam Outdoor base. Why would a Wyze device connect to 103.81.231.127, 103.81.230.127, and 103.81.231.3, which are all unnamed IP addresses? Does this mean the base is compromised?

Likely AWS, do a lookup on the Internet.

Wyze cams are extremely chatty over the Internet and do make excessive connections but that’s how Wyze manages their cloud ecosystem.

I only put what Wyze cams I have left (working) outside or in barn locations as I don’t trust Wyze’s level of security.

And my Wyze cams are now a secondary supplemental camera system as most have been replaced with Reolinks, which are not a cloud-based system and don’t flood the outbound Internet resources like Wyze.

These are not to AWS. There are plenty of legitimate reasons to make outgoing connections (e.g. Cam Plus), but are these legitimate? They’ve never happened before, and now there are 80 of them, most from Wyze devices but some also from my laptop.

It’s a hosting service that Wyze uses.

This is the only pingable address in the range this organization in Leesburg, Virginia uses.

So if it’s not for AWS, it’s a host for things like “Trackers” and other information grabbing that Wyze sells.

The Wyze app does it too; below is all the info that just 2 of the trackers in the Wyze app collect.

In the end the IP addresses you pointed out are part of a range of IPs Wyze uses or Wyze’s partners use.

Wyze cams are the busiest connected devices on the network, lots of spying to do ya know🤔

What evidence do you have to support this accusation?

When I’ve sniffed the ports and traffic in the past, the various small hosting companies they use are doing the video stream (on certain models of cams) or they provide the integration services for Alexa, Google, Apple, etc. There is 0 evidence of the cams harvesting data and sending it directly to a 3rd party. That is a very serious accusation so if you have some proof, please post it.

The wyze app may (or may not, not sure) send usage data back to Wyze which they can then potentially sell, that would be spelled out in the user agreement if so. Though there isn’t really much data of value, I doubt anyone wants it other than Wyze themselves.

AWS bandwidth is expensive, it is not surprising to see some of the streaming offloaded to lower cost providers when the capacity is available.

Wow, that’s more info than I was able to dig up, thanks! Bottom line: it’s illegitimate, and I’m glad my Synology router/Google Safe Browsing/Threat Intelligence database blocked it. Bad Wyze!

There are things to criticize Wyze about, but this is not one of them. There has been zero evidence provided that these false positives constitute anything improper. People who make accusations bear the burden of proving their accusations.

No, bottom line is hosting companies get used by malicious people to do malicious things and their IP ranges from time to time end up on blacklists, until the legitimate customers complain and the hosting company works to get them removed, at which point your router will stop flagging them.

The smaller/less expensive hosting companies are the most prone to this, and they are also the ones that many IOT companies use due to the low cost. AWS is huge, scalable, and reliable, but NOT cost effective for streaming video. Though oddly the OG cams do use AWS for video streaming, where all the other models use the other hosting companies, and the OG was designed to be the cheapest cam (but it was also designed to draw in a lot of new subscribers, and subscriber video needs to go via AWS, so sort of makes sense).

There is no evidence provided in this thread of any sort of data collection or nefarious stuff going on. Just a promoter for one of the competitor brands making an unfounded accusation.

Please do a whois for 103.81.231.3 and tell me that it’s a legitimate domain (it isn’t!). I have never before experienced blocked outgoing connections, and today there were more than 80 of them. The fact is that the camera is originating connections to this, and several similar, IP addresses. I maintain that the connections are illegitimate.


Already did a whois, how do you think I know it is a hosting company?

How are you determining that? There is no reverse DNS for that IP (thus no way to find out specifically what domain is associated, unless you sniff the DNS packets from the cameras). The company that owns the subnet is perfectly legit.

Probably the same false positive 80 times. Your home based router is far from a highly reliable security appliance. It just uses general freely available blacklists for its definitions. Next update this IP range will probably be gone from it.

Of course it is, these cams initiate all connections, that’s how they work through NAT without you having to forward ports or use uPNP.

Again, what evidence do you have to support that? Your router blocking it is not any sort of proof that it is malicious traffic.

Your WAN port probably drops tens of thousands of inbound attempts every day. Do you think every single one of those is someone trying to hack you?

Is it?

Jun 9, 2025 at 10:17:04 AM
/usr/bin/whois 103.81.231.3

% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org
% This query returned 1 object

refer:        whois.apnic.net

inetnum:      103.0.0.0 - 103.255.255.255
organisation: APNIC
status:       ALLOCATED

whois:        whois.apnic.net

changed:      2011-02
source:       IANA

# whois.apnic.net

% [whois.apnic.net]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

% Information related to '103.81.230.0 - 103.81.231.255'

% Abuse contact for '103.81.230.0 - 103.81.231.255' is 'no-email@apnic.net'

inetnum:        103.81.230.0 - 103.81.231.255
netname:        STUB-103-81-230SLASH23
descr:          Transferred to the ARIN region on 2023-11-16T09:33:32Z.
country:        ZZ
admin-c:        STUB-AP
tech-c:         STUB-AP
abuse-c:        AS2444-AP
status:         ALLOCATED PORTABLE
mnt-by:         APNIC-STUB
mnt-irt:        IRT-STUB-AP
last-modified:  2023-11-15T23:46:39Z
source:         APNIC

irt:            IRT-STUB-AP
address:        N/A
e-mail:         no-email@apnic.net
abuse-mailbox:  no-email@apnic.net
admin-c:        STUB-AP
tech-c:         STUB-AP
auth:           # Filtered
remarks:        IRT for stub records.
remarks:        We do not operate the referring network and
remarks:        are unable to investigate complaints of network abuse.
remarks:        For information about IRT, see www.apnic.net/irt
mnt-by:         APNIC-HM
last-modified:  2024-01-24T04:04:44Z
source:         APNIC

role:           ABUSE STUBAP
address:        N/A
country:        ZZ
phone:          +000000000
e-mail:         no-email@apnic.net
admin-c:        STUB-AP
tech-c:         STUB-AP
nic-hdl:        AS2444-AP
remarks:        Generated from irt object IRT-STUB-AP
abuse-mailbox:  no-email@apnic.net
mnt-by:         APNIC-ABUSE
last-modified:  2024-01-24T04:05:14Z
source:         APNIC

person:         STUB PERSON
address:        N/A
country:        ZZ
phone:          +00 0000 0000
e-mail:         no-email@apnic.net
nic-hdl:        STUB-AP
remarks:        No contact information for stub records.
mnt-by:         APNIC-HM
last-modified:  2019-09-23T04:53:33Z
source:         APNIC

% This query was served by the APNIC Whois Service version 1.88.34 (WHOIS-US2)

You’re using the wrong Whois. APNIC is for Asia Pac, which is why it is telling you it is not their network. Use ARIN for the Americas.

Jun 9, 2025 at 9:23:52 PM
/usr/bin/whois -h whois.arin.net 103.81.231.3

NetRange:       103.0.0.0 - 103.255.255.255
CIDR:           103.0.0.0/8
NetName:        APNIC-103
NetHandle:      NET-103-0-0-0-1
Parent:          ()
NetType:        Allocated to APNIC
OriginAS:       
Organization:   Asia Pacific Network Information Centre (APNIC)
RegDate:        2011-01-09
Updated:        2011-02-10
Comment:        This IP address range is not registered in the ARIN database.
Comment:        For details, refer to the APNIC Whois Database via
Comment:        WHOIS.APNIC.NET or http://wq.apnic.net/apnic-bin/whois.pl
Comment:        ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
Comment:        for the Asia Pacific region. APNIC does not operate networks
Comment:        using this IP address range and is not able to investigate
Comment:        spam or abuse reports relating to these addresses. For more
Comment:        help, refer to http://www.apnic.net/apnic-info/whois_search2/abuse-and-spamming
Ref:            https://rdap.arin.net/registry/ip/103.0.0.0

ResourceLink:  https://apps.db.ripe.net/db-web-ui/query
ResourceLink:  whois.apnic.net


OrgName:        Asia Pacific Network Information Centre
OrgId:          APNIC
Address:        PO Box 3646
City:           South Brisbane
StateProv:      QLD
PostalCode:     4101
Country:        AU
RegDate:        
Updated:        2012-01-24
Ref:            https://rdap.arin.net/registry/entity/APNIC

ReferralServer:  whois://whois.apnic.net
ResourceLink:  https://apps.db.ripe.net/db-web-ui/query

OrgAbuseHandle: AWC12-ARIN
OrgAbuseName:   APNIC Whois Contact
OrgAbusePhone:  +61 7 3858 3188 
OrgAbuseEmail:  search-apnic-not-arin@apnic.net
OrgAbuseRef:    https://rdap.arin.net/registry/entity/AWC12-ARIN

OrgTechHandle: AWC12-ARIN
OrgTechName:   APNIC Whois Contact
OrgTechPhone:  +61 7 3858 3188 
OrgTechEmail:  search-apnic-not-arin@apnic.net
OrgTechRef:    https://rdap.arin.net/registry/entity/AWC12-ARIN

Elapsed(sec): 0.137
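Reading answers like the two above by hand is error-prone, so here is an added example (my code, not anything from this thread or from Wyze) that parses the APNIC answer for 103.81.231.3 pasted earlier and says what it actually is: a stub left behind after the block was transferred out of the APNIC region, with placeholder contacts (country ZZ, no-email@apnic.net) that cannot receive abuse reports. It also checks which of the addresses from the opening post fall inside the stub’s range. The record text is trimmed from the APNIC output above; the region-to-server table is the example’s own assumption, and the `next_whois` it suggests is only the region the stub names, which, as the ARIN answer shows, may still not hold the current record.

```python
"""Tell a stub/transferred whois record from an authoritative one.

Added example, not code from this thread or from Wyze.  APNIC_STUB is the
APNIC answer for 103.81.231.3 pasted earlier in the thread, trimmed to the
relevant lines; everything else is the example's own assumption.
"""
import ipaddress
import re

APNIC_STUB = """\
% Information related to '103.81.230.0 - 103.81.231.255'

inetnum:        103.81.230.0 - 103.81.231.255
netname:        STUB-103-81-230SLASH23
descr:          Transferred to the ARIN region on 2023-11-16T09:33:32Z.
country:        ZZ
abuse-c:        AS2444-AP
status:         ALLOCATED PORTABLE
mnt-by:         APNIC-STUB
mnt-irt:        IRT-STUB-AP

irt:            IRT-STUB-AP
address:        N/A
e-mail:         no-email@apnic.net
abuse-mailbox:  no-email@apnic.net
remarks:        IRT for stub records.
remarks:        We do not operate the referring network and
remarks:        are unable to investigate complaints of network abuse.
"""

# Whois server per region name as it appears in APNIC's transfer note
# (assumption of this example; the thread shows the record ended up at RIPE,
# so the region named in the stub is a starting point, not the final answer).
RIR_WHOIS = {
    "ARIN": "whois.arin.net",
    "RIPE": "whois.ripe.net",
    "APNIC": "whois.apnic.net",
    "LACNIC": "whois.lacnic.net",
    "AFRINIC": "whois.afrinic.net",
}

TRANSFER_RE = re.compile(r"Transferred to the (\w+) region")


def parse_rpsl(text):
    """Split RPSL-style whois output into objects, each a list of (key, value)
    pairs in file order.  '%' and '#' comment lines are skipped, a blank line
    ends an object, and repeated keys such as remarks: are kept."""
    objects, current = [], []
    for line in text.splitlines():
        if line.startswith(("%", "#")):
            continue
        if not line.strip():
            if current:
                objects.append(current)
                current = []
            continue
        key, _, value = line.partition(":")
        current.append((key.strip(), value.strip()))
    if current:
        objects.append(current)
    return objects


def first(obj, key):
    """First value of key in an object, or None."""
    return next((v for k, v in obj if k == key), None)


def classify(text):
    """Summarise the inetnum object: CIDR range, whether it is an APNIC stub
    (placeholder left behind after a transfer), which registry the stub points
    at, and whether the abuse contact is real."""
    objects = parse_rpsl(text)
    inetnum = next(o for o in objects if first(o, "inetnum") is not None)
    irt = next((o for o in objects if first(o, "irt") is not None), None)

    start, _, end = first(inetnum, "inetnum").partition("-")
    cidrs = ipaddress.summarize_address_range(
        ipaddress.ip_address(start.strip()), ipaddress.ip_address(end.strip()))

    transfer = TRANSFER_RE.search(first(inetnum, "descr") or "")
    region = transfer.group(1) if transfer else None
    abuse_email = first(irt, "abuse-mailbox") if irt else None

    return {
        "range": [str(c) for c in cidrs],
        # STUB- netnames, country ZZ and the APNIC-STUB maintainer all mark a
        # placeholder: APNIC no longer administers this block.
        "stub": (first(inetnum, "netname") or "").startswith("STUB-")
                or first(inetnum, "country") == "ZZ"
                or first(inetnum, "mnt-by") == "APNIC-STUB",
        "transferred_to": region,
        "next_whois": RIR_WHOIS.get(region),
        # no-email@ is APNIC's sink address: reports sent there are not read.
        "abuse_contact_usable": bool(abuse_email) and not abuse_email.startswith("no-email@"),
    }


def covered(text, ips):
    """Which of the given addresses fall inside the record's range."""
    nets = [ipaddress.ip_network(c) for c in classify(text)["range"]]
    return {ip: any(ipaddress.ip_address(ip) in n for n in nets) for ip in ips}


if __name__ == "__main__":
    print(classify(APNIC_STUB))
    print(covered(APNIC_STUB, ["103.81.231.127", "103.81.230.127", "103.81.231.3"]))
```

The dependable way to find the current holder of a transferred block is RDAP rather than guessing the registry: IANA publishes the prefix-to-registry bootstrap file at https://data.iana.org/rdap/ipv4.json, and a redirector such as https://rdap.org/ip/103.81.231.3 follows it for you, which is how an organisation record at RIPE (ORG-HTPL1-RIPE, shown later in this thread) turns up for an address that IANA still lists under APNIC’s /8.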

Sorry, more accurately RIPE (which ARIN will give you a response for if you do a detailed query):

Kind:      Org
Full Name: HostRoyale Technologies Pvt Ltd
Handle:    ORG-HTPL1-RIPE
Telephone: +91-9767686075
Address:   Office Number 11A, City Mall, Ganeshkhind Road 411007 Pune INDIA
Roles:     Registrant
Self:      https://rdap.db.ripe.net/entity/ORG-HTPL1-RIPE

Toss a sniffer on and capture the DNS lookups, should give you the domain that the camera is contacting. The ones I’ve caught off mine are all wyze domains or domains for 3rd parties that provide the bridge into Alexa, Google Home, etc so they’ll work with other ecosystems. They all come back to either AWS IPs or a handful of smaller cheaper hosting companies.

But like I said, a cheap hosting company out of India is probably used for malicious purposes (heck, even AWS and Azure aren’t immune) which results in an entire IP range getting blocked (or even just a few of their IPs that get dynamically reassigned between customers).

I’ve witnessed an Xfinity router blocking access to Xfinity email servers. The protection mechanisms in these routers are blunt tools.

That being said, none of my cams are in private areas, and they are on an isolated, dedicated IOT network. No internet connected device is immune from hacking, backdoors, hidden code, etc.

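The sniffer approach suggested above, as an added example (my code, not from this thread or from Wyze): a minimal parser for DNS response packets that records which IPv4 addresses each queried name resolved to, then annotates router block entries with the name the camera looked up before connecting. This answers the reverse-DNS objection raised later in the thread too: an address with no PTR record still shows up here under whatever name the device actually asked for. The packet and the log lines are constructed inline, and relay-placeholder.example.net is a made-up hostname, not a real Wyze domain.

```python
"""Passive DNS from a capture: learn which name each answered address came
from, then annotate router block entries with that name.

Added example, not code from this thread or from Wyze.  The DNS packet and
the log lines are constructed here; relay-placeholder.example.net is a
made-up hostname, not a real Wyze domain.
"""
import re
import struct


def encode_name(name):
    """Wire-encode a DNS name as length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_response(qname, addrs, txid=0x1234):
    """Minimal DNS response: one A question and one A answer per address.
    Answer owner names are the compression pointer 0xC00C (offset 12, the
    question name), so the parser must handle pointers as in real traffic."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    answers = b""
    for a in addrs:
        rdata = bytes(int(o) for o in a.split("."))
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + rdata
    return header + question + answers


def read_name(pkt, off):
    """Decode a possibly compressed name at off; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        n = pkt[off]
        if n & 0xC0 == 0xC0:           # pointer: 14-bit offset into the packet
            if not jumped:
                end = off + 2          # the field ends after the first pointer
            jumped = True
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            break
        labels.append(pkt[off:off + n].decode())
        off += n
    return ".".join(labels), (end if jumped else off)


def a_records(pkt):
    """Yield (name, ipv4) for every A record in the answer section."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000:             # QR bit clear: a query, not a response
        return
    off = 12
    for _ in range(qd):                # skip the question section
        _, off = read_name(pkt, off)
        off += 4
    for _ in range(an):
        name, off = read_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield name, ".".join(str(b) for b in pkt[off:off + 4])
        off += rdlen


DST_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\s*$")   # last IPv4 on the line


def annotate(packets, log_lines):
    """Append, to each block entry, the name(s) its destination IP was
    resolved from, or a note that no DNS answer for it was captured."""
    seen = {}
    for pkt in packets:
        for name, ip in a_records(pkt):
            seen.setdefault(ip, set()).add(name)
    out = []
    for line in log_lines:
        m = DST_RE.search(line)
        names = seen.get(m.group(1)) if m else None
        note = ("resolved as " + ", ".join(sorted(names))) if names else "no DNS answer seen for this IP"
        out.append(f"{line}  [{note}]")
    return out


# Constructed sample: one answer the camera received, two entries the router blocked.
CAPTURED = [build_response("relay-placeholder.example.net", ["103.81.231.3", "103.81.231.127"])]
BLOCK_LOG = [
    "Jun 9 10:17:04 block out 192.168.1.50 -> 103.81.231.3",
    "Jun 9 10:17:09 block out 192.168.1.50 -> 103.81.230.127",
]

if __name__ == "__main__":
    for entry in annotate(CAPTURED, BLOCK_LOG):
        print(entry)
```

On a real capture, feed the UDP payloads of port 53 responses to `a_records` (scapy’s `rdpcap` will hand you those), or get the same name-to-address mapping straight from Wireshark’s command-line twin: `tshark -r cam.pcap -Y "dns.flags.response == 1" -T fields -e dns.qry.name -e dns.a`. Two caveats a practitioner should keep in mind: a destination that the camera never resolved (hard-coded, or handed to it inside a cloud API reply) will show up as “no DNS answer seen,” which is a finding in itself and the moment to look at the TLS SNI of the blocked connection instead; and the name you recover tells you who the device meant to talk to, not whether that hosting range deserves its place on a blocklist.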

Accusations in this thread continue to be lodged without any proof. It bears repeating that if someone is going to allege something nefarious the burden is on them to provide evidence. Actual evidence, not false positives from a home router or misinterpreting an IP lookup.

Reviewing the discussion, I don’t think I ever made any accusations. I asked, “Does this mean the base is compromised?” In fact, I stated that some o/g connections were from my laptop too. I did opine that the connections were illegitimate by virtue of the fact that they do not have domain names, and I still do think so, but that’s not an accusation against Wyze.

Seems like an accusation to me.

How do you know that? Until you use a sniffer to capture the traffic, you can’t possibly know. Just because an IP doesn’t have a PTR record, doesn’t mean it doesn’t have a domain name associated with it. Even if it doesn’t, there is no requirement to have an A record in order to be considered “legitimate”.

The constant threads of people who are pretending to be network admins astounds me…

1 hit on your firewall and you are ready to declare hacking and malicious software.

As @PanCamJeff has said several times… People love to “opine”, “insinuate”, “ponder”; that something looks fishy. But offer NO proof. Just stuff they don’t understand and then argue with people who explain it to them.

In this case… @8db8880d - you have a misunderstanding of DNS and how names/domains are registered on the internet. Listen to the others. They are educating you on what this really is.

Being egged on by a shill for a competitor “confirming” those false statements doesn’t help either.

I’d love to see one of these home routers log every inbound attempt and see how much people panic then.


@dave27 - Exactly. If people saw what was coming at them, they would lose their minds that nothing is secure. Meanwhile, they carry a phone around in their pocket with COUNTLESS apps having access to your location, mic, browsing history, phone number, etc… Nothing to worry about there.

No reason at all to check the logs of those apps, reporting back on you at all times, everything is all good. ## end sarcasm ##
