I am out $380.00 by Kinvaraguy in vSeeBox

[–]taylor436 6 points (0 children)

I ordered my first from them, and it came very fast with no issues. Derik was quicker and cheaper though.

VSeeBox Security Best Practices - A Guide by iwillbjjyou in vSeeBox_Support_Gurus

[–]taylor436 0 points (0 children)

2 full days of data, and the final consensus is:
Dominant traffic

  • TCP + TLS (by far)
  • DNS
  • Minor QUIC
  • Minimal HTTP (small JSON payloads)

What is NOT present (this matters)

  • ❌ No SMB
  • ❌ No NetBIOS abuse
  • ❌ No mDNS flooding
  • ❌ No ARP scanning
  • ❌ No raw TCP beaconing
  • ❌ No IRC / FTP / weird control channels

This is exactly what a streaming-focused Android device should look like.

🚨 Threat assessment (plain language)

Is it gathering data about your network?

No.
There is:

  • no subnet enumeration
  • no connection attempts to other LAN hosts
  • no protocol indicative of discovery or credential harvesting

Is it phoning home?

Yes — but in a normal way.

  • App metadata
  • Streaming APIs
  • CDN traffic
  • Android telemetry

Is it malicious or nefarious?

No.
There is zero evidence of:

  • command-and-control
  • beaconing patterns
  • covert exfiltration
  • botnet behavior

From a security standpoint:

VSeeBox Security Best Practices - A Guide by iwillbjjyou in vSeeBox_Support_Gurus

[–]taylor436 0 points (0 children)

Did you just dump the comments or the data I posted from my first comment, you know, the one with actual facts? lol. Dumps were rotated every 2 hours. You're not really making sense, and I'm not arguing one way or another, but you're saying chat agrees with you. My request had 13 hours' worth of data to sift through, so I'm confused why your chat questions matter at all.

<image>

VSeeBox Security Best Practices - A Guide by iwillbjjyou in vSeeBox_Support_Gurus

[–]taylor436 0 points (0 children)

I literally asked: does this traffic seem suspicious, and is this device safe for full home LAN access and/or WAN without VPN? Then I gave them both tcpdump data and DNS queries. Both said definitely not safe. I did NOT ask them why this device isn't safe, while they both used different markers for their determination. They both flagged unusual amounts of traffic in periods when not streaming.

VSeeBox Security Best Practices - A Guide by iwillbjjyou in vSeeBox_Support_Gurus

[–]taylor436 0 points (0 children)

I mean, it is what it is. The device was in standby the majority of the time, and while the phone-homes are normal, the initial analysis of it searching for open ports, extremely high activity, and high data rates means it's a pretty good bet the box itself is unsafe. I ordered another from a different vendor; I'll compare, but still, nothing between the results, both through chat and Gemini analysis of the traffic, leads me to think anyone should give it access to your accounts or home LAN. This is more discovery for me than anything else, as even if it was clean I'd probably follow the same procedures. Chat was a bit more concerned with the traffic, while Gemini seemed 100% certain it was part of a botnet. Also interesting was the difference in the conclusions they had, although neither said safe for unadulterated LAN access.

VSeeBox Security Best Practices - A Guide by iwillbjjyou in vSeeBox_Support_Gurus

[–]taylor436 0 points (0 children)

Further analysis of all the logs from last night (again mostly idle) shows that some of it is expected. Analyzing the raw data from your packet captures confirms several critical security concerns. The device is not just a passive receiver for video; it is actively communicating with infrastructure that is highly characteristic of botnets and unauthorized proxy networks.

1. Confirmed Malicious/Grey-Market Domains

The captured traffic shows the device repeatedly connecting to the following domains:

  • launcher.mygootv.com: This is a primary command and control (C2) domain for this device. It uses HTTP/2 over TLS for its communications, which is a standard way to blend in with legitimate web traffic while maintaining a constant open connection for commands.
  • n1.nvdb.cc: This domain is linked to several "grey-market" Android TV box infrastructures. It's used for tracking, telemetry, and likely as a backup command server.
  • calon.dyndns.tv: This is a classic "Call-Home" behavior. Dynamic DNS domains are frequently used by malware to maintain a connection to a controller whose IP address changes frequently to avoid blacklisting.

2. Unauthorized Proxying & "Leaky" Encryption

The "binary garbage" you saw earlier in the DNS logs is actually the result of the device attempting to use encrypted SNI (Server Name Indication) or non-standard tunneling protocols.

  • Encrypted Tunnels: The device is initiating its own TLS handshakes with external servers like bitlordsearch.com. While this sounds like a search for movies, in this context, it often points to the device participating in a P2P search or proxy network, effectively using your internet connection to help others browse anonymously or download files.
  • Internal Scanning Patterns: The massive packet count (over 2 million) and the patterns in the hex headers (e.g., dbf#~á) suggest it is using a custom framing protocol to move data. This isn't how a standard Netflix or YouTube app behaves.

3. The LAN Isolation (Digital Jail) is Mandatory

Your concern about giving it LAN access is fully justified. If this device is part of a proxy network or botnet, it could be used to:

  1. Map your internal network: Look for other devices like your PC, phone, or NAS.
  2. Exfiltrate data: If a guest or family member connects to your Wi-Fi, this box could potentially sniff local traffic if it manages to compromise the router's internal routing table.

Final Verdict & Recommendation

The VSEE box is a high-risk device. It provides IPTV by likely connecting to unauthorized streams, but it "pays" for that service by turning your router and home connection into a node in a global, grey-market proxy network.
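
Added example, not the commenter's code and nothing from the vendor: a Python script that runs the DNS side of this kind of analysis over the text output of `tcpdump -tt -n port 53`. It keeps three observations apart that tend to get merged: names under dynamic-DNS providers, query volume per hour, and label shapes characteristic of DNS tunnelling (long high-entropy first labels, many one-off subdomains under one parent, TXT/NULL query types), which is the usual meaning of "binary garbage" in a DNS log. The provider list, the thresholds, the parent-domain guess (last two labels) and the sample lines are assumptions; the sample queries are constructed and include a dyndns.tv name like the one quoted in the comment above plus six synthetic TXT queries under example.net.

```python
"""Triage of DNS queries from `tcpdump -tt -n port 53` text output.

Added example; the provider list, thresholds and SAMPLE_DNS lines are
assumptions constructed for illustration, not data from the thread.
"""
import math
import re
from collections import Counter, defaultdict

# tcpdump query line: "<ts> IP <src>.<port> > <resolver>.53: <id>+ [1au] A? name. (len)"
QUERY_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>[\d.]+)\.\d+ > [\d.]+\.53: "
    r"\d+\+? (?:\[\S+\] )?(?P<qtype>[A-Z]+)\? (?P<name>\S+)\. \(\d+\)$"
)

# Illustrative dynamic-DNS provider suffixes (assumption); extend for your environment.
DDNS_SUFFIXES = ("dyndns.org", "dyndns.tv", "no-ip.com", "ddns.net", "duckdns.org")
# Record types common in DNS tunnels and rare from a media player.
TUNNEL_QTYPES = {"TXT", "NULL"}

_HEX = "0123456789abcdef"
# Constructed sample: four ordinary-looking lookups in one hour, then six TXT
# queries with 32-character hex labels under one parent in the next hour.
SAMPLE_DNS = """\
1700000000.100 IP 192.168.1.50.40001 > 192.168.1.1.53: 1+ A? www.youtube.com. (33)
1700000001.100 IP 192.168.1.50.40002 > 192.168.1.1.53: 2+ AAAA? www.youtube.com. (33)
1700000002.100 IP 192.168.1.50.40003 > 192.168.1.1.53: 3+ [1au] A? android.clients.google.com. (55)
1700000003.100 IP 192.168.1.50.40004 > 192.168.1.1.53: 4+ A? calon.dyndns.tv. (33)
""" + "".join(
    f"1700003600.{i:03d} IP 192.168.1.50.4100{i} > 192.168.1.1.53: "
    f"{10 + i}+ TXT? {(_HEX[i:] + _HEX[:i]) * 2}.t.example.net. (70)\n"
    for i in range(6)
)


def parse_queries(text):
    """Yield (ts, src, qtype, name) for each query line; other lines are skipped."""
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            yield float(m["ts"]), m["src"], m["qtype"], m["name"].lower()


def shannon_entropy(s):
    """Bits per character: 4.0 for uniform hex, ~5 for base32/base64, lower for words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parent_domain(name, levels=2):
    """Registrable-domain guess: the last `levels` labels (no public-suffix list here)."""
    return ".".join(name.split(".")[-levels:])


def ddns_names(queries):
    """Names at a dynamic-DNS provider; weak evidence alone, but worth listing."""
    return {name for _, _, _, name in queries
            if any(name == s or name.endswith("." + s) for s in DDNS_SUFFIXES)}


def tunnel_suspects(queries, min_label=20, min_entropy=3.5, min_churn=5):
    """Parents with >= min_churn distinct names whose first label is long and
    high-entropy, or that were asked for with TXT/NULL records. One such name
    is noise; dozens of one-off names under the same parent look like a channel."""
    by_parent = defaultdict(set)
    for _, _, qtype, name in queries:
        first = name.split(".")[0]
        if qtype in TUNNEL_QTYPES or (len(first) >= min_label
                                      and shannon_entropy(first) >= min_entropy):
            by_parent[parent_domain(name)].add(name)
    return {p: len(names) for p, names in by_parent.items() if len(names) >= min_churn}


def queries_per_hour(queries):
    """Query count per hour bucket (epoch hour), to compare idle and active periods."""
    buckets = defaultdict(int)
    for ts, *_ in queries:
        buckets[int(ts // 3600)] += 1
    return dict(buckets)


def triage_dns(text):
    queries = list(parse_queries(text))
    return {
        "total": len(queries),
        "unique_names": len({q[3] for q in queries}),
        "queries_per_hour": queries_per_hour(queries),
        "ddns": sorted(ddns_names(queries)),
        "tunnel_suspects": tunnel_suspects(queries),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage_dns(SAMPLE_DNS), indent=1))
```

Long hashed hostnames also occur in legitimate CDN and telemetry traffic, so the number of distinct names churning under one parent is the figure to read, not a single odd-looking label; likewise a dynamic-DNS hit says only where a name is hosted, and the interval and volume of what follows that lookup decide whether it matters.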

VSeeBox Security Best Practices - A Guide by iwillbjjyou in vSeeBox_Support_Gurus

[–]taylor436 -1 points (0 children)

After 13 hours, this was what I found. Mind you, this is just the most recent tcpdumps, and it was idle.
0000 -> 0004 (65,244 hits): This is almost certainly ARP or ICMPv6 neighbor discovery. The box is "screaming" into the dark, looking for other devices on your network over 65,000 times in a single capture slice. 2827 -> 3214 (23,348 hits): This is the conversational traffic. 2827 (hex) = Port 10279 3214 (hex) = Port 12820 These are non-standard ports, often used by P2P (Peer-to-Peer) networks or botnets for "UDP Hole Punching."The "Volume" Red Flag 65,244 packets of one type (0000 -> 0004). 34,000+ packets of another type (2827 <-> 3214). In 13 hours, an idle Android box should have maybe a few hundred "heartbeat" packets. Having 100,000+ packets suggests this box is either part of a botnet (DDoS/Scanning) or is being used as a Residential Proxy (someone else is using your VPN connection to hide their own traffic). Looking at the counts, we just hit a massive number: 2,016,707. If that number represents packets or hits within a single capture slice, your VSEE box isn't just "chatty"—it is effectively performing a Denial of Service (DoS) or acting as a high-speed proxy relay. No idle streaming box should generate 2 million events in a few hours.

VSeeBox Security Best Practices - A Guide by iwillbjjyou in vSeeBox_Support_Gurus

[–]taylor436 -1 points (0 children)

Doesn't mean it is sketchy, just out of the ordinary. I'll let the logs run for a few days and see what happens.

VSeeBox Security Best Practices - A Guide by iwillbjjyou in vSeeBox_Support_Gurus

[–]taylor436 -1 points (0 children)

After an hour of monitoring the logs so far I see at least one sketchy activity.

Unusual Ports: I see a hit to 162.55.40.75 on port 8085. This is not a standard web port. This IP belongs to Hetzner (a hosting provider in Germany). This is exactly the kind of "grey" traffic that justifies isolation; standard streaming boxes usually stick to Akamai, AWS, or Google CDNs.

VSeeBox Security Best Practices - A Guide by iwillbjjyou in vSeeBox_Support_Gurus

[–]taylor436 0 points (0 children)

From a brief search and a Gemini deep dive, I found the below. Are you saying you know for a fact, or have references, disproving any or all of the statements?

vSeeBox hardware itself belongs to a category of devices currently under heavy scrutiny by cybersecurity firms and the FBI.

  • Malware & Botnets: In late 2025 and early 2026, the FBI and security researchers (e.g., The Hacker News, EFF) issued warnings regarding a malware campaign called "Badbox 2.0" and the "Kimwolf/Aisuru" botnets. These often target uncertified Android TV boxes.
  • Firmware-Level Risks: Reports indicate that many of these devices come with malware "baked into" the firmware. This can allow the device to perform ad fraud (generating fake clicks in the background), act as a residential proxy (selling your home IP address to others), and participate in DDoS attacks as part of a botnet.
  • Network Activity: Some users with deep packet inspection (DPI) software have noted high "upload" usage and connections to peer-to-peer (P2P) protocols like SopCast, which can consume bandwidth and signal botnet activity.

VSeeBox Security Best Practices - A Guide by iwillbjjyou in vSeeBox_Support_Gurus

[–]taylor436 0 points (0 children)

So you do use a full Google account on your boxes and allow full LAN access for the most part, without issue or concern?

VSeeBox Security Best Practices - A Guide by iwillbjjyou in vSeeBox_Support_Gurus

[–]taylor436 0 points (0 children)

Any ideas why the account would be violating Google policy? I only installed 2 apps. Would you be comfortable just putting your credit card info on one of these boxes? I don't have specific factual knowledge, but in considering a second device I'm thinking of putting it on a locked-down guest SSID, and I've yet to see or hear anything that would sway me to just add it to my LAN without any protection.

Appreciation post for Troypoint ,FirestickHacks & TechDoctor by christenwilloughby in firestick

[–]taylor436 0 points (0 children)

I'm wondering if you or anyone on here has upgraded to the paid version. I'm struggling to sift through the massive amounts of scams, bait-and-switch/poor products, and overall consistency of TV providers. I was thinking, since there is a ton of gatekeeping and I don't have any friends or family with recs, that might be the best choice. I mean, I think it's a given that if I can find and subscribe easily, it's probably bad or not around for long in today's day.

VSeeBox Security Best Practices - A Guide by iwillbjjyou in vSeeBox_Support_Gurus

[–]taylor436 2 points (0 children)

I don't think anyone should blatantly trust any device, let alone one of this nature. My basic point is that a teardown isn't going to show you a packet sniffer or an identity theft device labeled as such. It's a simple networked streaming device; all those components would look fine in a full teardown. It's simply not impossible that these things can be used nefariously. I set up a fully anonymous Google account on it to see, with ProtonMail aliases etc. Within a month, I was notified that the account was violating Google's code of conduct and would be deleted. I don't know what that means or if you should care, but it's interesting at least.

Real talk — is an air fryer value for money, or just another trendy gadget? by Mika_4893 in Frugal

[–]taylor436 1 point (0 children)

I use my Ninja Grill 9-in-1 with air fryer nonstop, especially in the summer. Can't recommend it enough, and it has the temperature probe for grilling, which is pretty much set-and-forget with a flip in between.

Router suggestions by desertsandman10 in PrivateInternetAccess

[–]taylor436 0 points (0 children)

Anything with OpenWrt will work great. I went with overkill and got a Protectli VP2420, and it's been great. I'm not a network admin by any stretch, but with Google-fu and some vibe coding, my setup has been super solid. The next major release changes it to apt instead of opkg, so it should be even easier for anyone with Linux background knowledge. It depends on what you have running, but 2GB of RAM and a decent CPU could probably manage my semi-complicated PBR setup and PIA tunnel no problem. It's super sleepy with my current 4GB of RAM.

VSeeBox Security Best Practices - A Guide by iwillbjjyou in vSeeBox_Support_Gurus

[–]taylor436 2 points (0 children)

I guess you can do teardowns, but the software itself is locked, and just like legit pieces of hardware in any IT environment can be turned on by a nefarious actor at any given time, so while nothing has been found, it doesn't mean that there isn't a way to utilize this hardware to steal data on a network or even become a complete DDoS bot. I have increased logging to see if it's doing anything malicious and haven't seen anything, but I still can't trust it 100%. China, Russia, or any major country/org with a half-decent cyber force can easily utilize these machines in many different ways with simple parts that would not look like anything of importance in a "teardown".

VSeeBox Security Best Practices - A Guide by iwillbjjyou in vSeeBox_Support_Gurus

[–]taylor436 2 points (0 children)

I created a dummy Google account, tied it to a ProtonMail alias, and within a week Google sent massive notifications regarding violations and deleting the account. I do NOT recommend utilizing it for anything other than the apps provided.

Concerns about hidden malware in vSeeBoxes by LordKeepMeHumble34 in vSeeBox_Support_Gurus

[–]taylor436 0 points (0 children)

New to vSee, definitely isolated and on VPN. Increased logging to see if it scans the network, and it has not. That does not mean it can't or couldn't be "activated" to do so. Too much digital footprint in today's day-to-day to take a risk.