Don’t buy VimTag

Security@Georgeliu.me

Sometimes people make mistakes. Sometimes they make very expensive mistakes.

I made a mistake last year, when I was busy trying to secure my home. Apparently, some guys broke into a girl’s apartment nearby and stole a lot of money.

So I bought a VimTag camera. But hey, at least it wasn’t a Porsche, right?

Here’s why VimTag cameras are mistakes:

1. Weak security.

There are guys out there talking about how they can telnet in with no password required.

The telnet protocol usually runs on port 23, but this device runs it on port 8600 as a ‘security’ measure. According to one poster, all you have to run to get root access is: telnet target-ip-address 8600

From Reddit

People on Amazon are claiming their networks were hacked after installing a VimTag.

I tried to change my wifi password and someone had already done so. They also changed my device access code for the router. I factory reset and within a minute it had been changed again. Now my net is disconnected, pending replacement of my router for security reasons.

Why Amazon sells a product with known security risks speaks volumes about their priorities to me. I thought people were being paranoid, but turns out exactly what they warned about happened to me within a day. DO NOT USE THIS PRODUCT. So shady… I now have the pleasure of resetting all my passwords and info and not having access to the net for several days while I clean up this mess. I only hope there are no other precautions I’m missing that will pop up later… Ugh..

From Amazon

2. Iffy security.

I monitored some of the data from the camera. It was going to servers in Turkey as well as in China. I understand China, but why Turkey?

17.253.54.253
ISP Apple Inc.
Usage Type Commercial
Hostname defra1-ntp-002.aaplimg.com
Domain Name apple.com

54.153.82.107
ISP Amazon Technologies Inc.
Usage Type Data Center/Web Hosting/Transit
Hostname ec2-54-153-82-107.us-west-1.compute.amazonaws.com
Domain Name amazon.com

46.45.138.218
ISP Radore Veri Merkezi Hizmetleri A.S.
Usage Type Data Center/Web Hosting/Transit
Domain Name turkrdns.com

210.72.145.44
ISP China Science and Technology Network
Usage Type Fixed Line ISP
Domain Name cstnet.net.cn

From AbuseIPDB

3. No security.

After further testing, I found that most of the communication between the app and the back-end occurred in cleartext (no HTTPS). Actions that used unencrypted communications included registering a camera to my account, adjusting settings, formatting the SD card, accessing stored audio or video, and initiating the recording of audio or video. When I went to view the network settings, their backend server sent to my device a list of SSIDs for all the wireless networks in the camera’s proximity. A team of researchers found that using only SSID, they could locate a device within 13-to-40 meters. The server also sent the WPA2 key for the network to which it was connected meaning that not only is the key visible to any attacker, it’s stored on the server and easily recoverable.

From NowSecure

4. They are insecure liars.

I left it connected and there were multiple connections going to and from the camera. I also noticed that it was scanning the network with PING requests. I have attached a WireShark Packet capture from start to finish of the setup of the camera. The 172.16.74.0/24 network is my private LAN and the 192.168.137.0/24 is the AP that I was running off my laptop, .1 being the laptop/GW.

I will also add that if you try to run a port scan on the camera it renders it completely DOA and will not restart. I did this using Zenmap on my PC and the camera is now DOA. The paranoid part of me suspects this is to prevent seeing what it’s doing and has open. The other part of me just chalks this up to poor firmware/software on the device.

That being said I just wanted to put a quick post out there in case someone else was thinking about getting these cameras. They also do NOT work with any standard IP cam applications or DVR software, this means no RTSP or ONVIF support.

From TimothyHogland
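One way to check a capture of your own camera for the three behaviours reported above (telnet answering on port 8600, cleartext traffic to the back-end, ping scanning of the LAN). This is an added example, not code from this post or from any of the quoted sources; the flow-record format, the sample addresses and the sweep threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (src dst proto dport bytes); every address, port
# and byte count below is invented for illustration, not taken from a capture.
SAMPLE_FLOWS = """\
192.168.137.50 203.0.113.10 tcp 80 48213
192.168.137.50 203.0.113.10 tcp 80 1900
192.168.137.50 198.51.100.7 tcp 443 5120
192.168.137.50 198.51.100.99 udp 123 76
192.168.137.1 192.168.137.50 tcp 8600 310
192.168.137.50 192.168.137.2 icmp 0 84
192.168.137.50 192.168.137.3 icmp 0 84
192.168.137.50 192.168.137.4 icmp 0 84
192.168.137.50 192.168.137.5 icmp 0 84
"""

CLEARTEXT_PORTS = {23, 80, 8600}  # telnet, HTTP, and the relocated telnet port
SWEEP_THRESHOLD = 4               # distinct LAN hosts pinged before it counts as a sweep (assumed)


def audit_camera_flows(text, camera_ip, lan_cidr):
    """Return findings for one device: cleartext egress, inbound telnet, ping sweep."""
    lan = ipaddress.ip_network(lan_cidr)
    cleartext = defaultdict(int)  # (dst, port) -> bytes sent unencrypted off-LAN
    inbound_telnet = set()        # (src, port) that reached the camera's telnet ports
    pinged = set()                # LAN hosts the camera sent ICMP to
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue              # skip blank or malformed records
        src, dst, proto = parts[0], parts[1], parts[2]
        dport, nbytes = int(parts[3]), int(parts[4])
        if src == camera_ip:
            internal = ipaddress.ip_address(dst) in lan
            if proto == "icmp" and internal:
                pinged.add(dst)
            elif proto == "tcp" and dport in CLEARTEXT_PORTS and not internal:
                cleartext[(dst, dport)] += nbytes
        elif dst == camera_ip and proto == "tcp" and dport in (23, 8600):
            inbound_telnet.add((src, dport))
    return {
        "cleartext_egress": dict(cleartext),
        "inbound_telnet": sorted(inbound_telnet),
        "ping_sweep": len(pinged) >= SWEEP_THRESHOLD,
    }


if __name__ == "__main__":
    print(audit_camera_flows(SAMPLE_FLOWS, "192.168.137.50", "192.168.137.0/24"))
```

Feed it flow records exported from a capture taken on the gateway, so the camera itself is never probed.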

5. They are really liars.

Their website states:

Network specs

Wireless Network
WiFi (IEEE802.11b/g/n)

Ethernet
10/100Mbps RJ-45 interface

Protocols
TCP/IP, UDP/IP, HTTP, DHCP, RTSP, RTMP, MUTP

IP address
Static IP address and dynamic IP address

From VimTagUSA

In actuality? If you pay them money, you can connect to their private cloud. There is no RTSP or RTMP support, which is necessary for 3rd party apps to connect to your camera. Nothing else works. You pay for their stuff, or it doesn’t work. Not to mention it’s incredibly slow.

6. Their customer support is worse than bad.

After I wrote a bad Amazon review with all the information contained here, they sent me this reply:

Vimtag server is all over the world. What you said is just your own opinion and it’s incorrect.
You don’t know exactly how the camera works.
We will contact you via email.
Maybe you hate Chinese goods, right? Our maker not only in China, the United States, United Kingdom, and Italy also have Vimtag Company.
Best Regards
Vimtag Team

If I hated Chinese goods, why did I buy one? Well, OK, I seriously have a much lower opinion of Chinese goods after this mistake. And they didn’t email me in the end.

Well, OK. Maybe I’m just hating on them so much because the camera was expensive, but it was slow, not useful, and really not good. And…

7. They are liars, again.

Fakespot Review Grade: F

Our analysis detected 80.0% low quality reviews

From FakeSpot

Future Steps

Seriously, don’t buy this thing. I bought one and it was a huge mistake, not to mention a security risk.

After that, I bought an Amcrest camera, which emails snapshots to me and takes video, no cloud subscription required, for the same price. It even has notification zones. I wanted to buy stuff with facial recognition and the like, from good brands like Ring or Orbi or whatever, but those are expensive and almost require a cloud subscription. My Amcrest connects to my NAS and can send me snapshots when there’s movement. It does have a lot of bugs that require resetting the device at times, though, which was a pain, too. Cheap Chinese goods, eh?

But I have the VimTag, so I’m looking to hack into it through telnet and have it send any images it takes to a cloud server. More info here: JumpESPJump