Dahua IP Camera Vulnerability Could Let Attackers Take Full Control Over Devices
Researchers discovered a new vulnerability (CVE-2022-30563) in Dahua IP cameras that can be exploited by remote attackers to compromise the cameras.
and THIS is why you do NOT let your Cameras on the internet.
- Thread starter sdkid
- Start date
Killhippie
Getting the hang of it
Better keep you routers off the net too they have loads of vulnerabilities and Intel/AMD recently had another issue as older AMD and Intel chips are vulnerable to yet another Spectre-based speculative-execution attack that exposes secrets within kernel memory despite defences already in place. and this was in July this year. Nothing online is safe tbh.
IAmATeaf
Known around here
What a shit article, no mention of when or how a previously unencrypted ONVIF interaction would occur!
DanDenver
Getting comfortable
So first you have to expose your camera to the internet and perform an unencrypted login. Then leave the camera exposed to the internet in this “encrypted” fashion so that someone can then “replay” the authentication info to the encrypted camera. Sounds like the thief would have to work with an inside person to make this work.
Curiously, while it is in this “unencrypted” state, why wouldn’t the thief just log in at that time? So you recorded this unencrypted transaction, but you sit around and wait for the user to turn encryption back on?
Does anyone know where this encrypted/unencrypted setting is in the Dahua menu?
Agree with the OP that placing your video security on the Internet is really a bad idea. If people step back for just a moment and consider how society is today its near impossible to put the genie back into the bottle. Everyone likes easy and when you add in convenience into the mix you get the so called Cloud First.
Who here can't appreciate the shock and awe of simply taking a phone and scanning a bar code to get up and running?
No network skills and knowledge, no port forwarding, no firewall rules, nothing . . .
The problem lies in the fact since the dawn of man people just like to fuck with other people and take advantage of that ease of use and access.
So, lets ignore the cloud power and everything that's wrong with that whole idea. Now you have people with enough knowledge to open ports and mimic the same WAN access.
Other more crafty people who learn just enough about security and best practices avoid the whole QR Code, Port Forwarding, and move straight to VPN?!?!
Yes, lots of folks reading this reply are going to get really upset as to what I say next!
It doesn't matter what you use to access your network from the outside. This is simply another hole in the network that can be breached and has been done millions of times. If that wasn't the case nobody that has to do with VPN / Encryption would have changed and updated the same!
Everyday I see and walk into a room full of so called network professionals.
These poor bastards fall into several categories from out right stupid, to full on hands tied behind their backs. The stupid ones literally ignore every best practice known to man or simply know enough to be dangerous. Its the poor bastard that knows better and must comply with the wishes of the owners and senior management.
This is where everything is a compromise . . .
All you're doing is buying time and trying to limit your attack surface and potential threats.
For those who have never worked or been involved in a high security video installation. The following are the advanced to basics employed to secure the installation.
- Internet: There is zero access from the outside into the video security room.
- Isolate: The video security system operates on its own dedicated network. So no matter what happens any breach is contained & limited within that isolated network.
- Network: As a measure of fail over, back up, systems are deployed with separate switches, power supplies, VLANS, Subnet, Server racks, etc. Because the system operates on its own network there is zero impact on bandwidth to the main LAN / WAN. All the systems are connected with fiber to insure the highest bandwidth, throughput, while limiting the impact of RFI, EMI, EMF, to the hardware.
All hardware uses a combination of 802.1 X to authenticate to allow a device on the network. Even when this is present video hardware is locked to the MAC address and restricted to a subnet.
- Firewall: As above all network hardware and video security have multiple systems running in parallel. Separate firewall appliances, rules, manage and limit how, where, and when internal traffic is routed.
- Monitoring: Every known Agent & SNMP network monitor is employed to track the state, health, uptime, and tele metrics of this isolated network. Verbose Sys logging captures everything else not possible with traditional monitoring.
- Security: All hardware use complex passwords based on the limitations of the hardware. Passwords are changed every 90 days. Self signed certificates where possible are revoked & regenerated at the 90 day interval. Terminal access is limited to a single internal point within the site. All terminals use the latest biometrics to authenticate, login, and track all activities of the operator.
Access is limited to only a few handful of people on site . . .
- Maintenance: Hardware is reviewed daily, monthly, yearly based on the environment. This spans basic cleaning of the lens, dome, base. Fluke based testing is carried out once a year to validate all cable infrastructure is sound and operating within defined thresholds. As with this article vulnerabilities are scanned by each maker and patched where appropriate. Any hardware that can't be patched and is considered a major threat is simply removed and replaced with a more secure model.
All firmware updates are pretested on like kind hardware. Once installed are monitored for no less than 30 days to insure no unforeseen bugs / issues are seen. All feature sets and video quality is compared to a known target image so all is apple to apple.
- Blue / Red Team: The highest secure sites have dedicated blue / red teams that pen test every facet of the network and organization. Whether it be software, hardware, to social engineering to obtain information / data.
- Compliance: Internal & External audits are conducted to validate all of the above is in place and fully operational. When appropriate outside personal are tasked to review (limited) and restricted areas to affirm everything is indeed compliant.
All of the above in a large and secure environment is very time consuming. But once in place its no different than any other office a person would be in. Almost everything listed up above Joe Public can do and replicate to their scale and needs.
Now, start with the most important one and easy thing to do: No Internet - The rest is just gravy . . .
Who here can't appreciate the shock and awe of simply taking a phone and scanning a bar code to get up and running?
No network skills and knowledge, no port forwarding, no firewall rules, nothing . . .
The problem lies in the fact since the dawn of man people just like to fuck with other people and take advantage of that ease of use and access.
So, lets ignore the cloud power and everything that's wrong with that whole idea. Now you have people with enough knowledge to open ports and mimic the same WAN access.Other more crafty people who learn just enough about security and best practices avoid the whole QR Code, Port Forwarding, and move straight to VPN?!?!
Yes, lots of folks reading this reply are going to get really upset as to what I say next!
It doesn't matter what you use to access your network from the outside. This is simply another hole in the network that can be breached and has been done millions of times. If that wasn't the case nobody that has to do with VPN / Encryption would have changed and updated the same!
Everyday I see and walk into a room full of so called network professionals.
These poor bastards fall into several categories from out right stupid, to full on hands tied behind their backs. The stupid ones literally ignore every best practice known to man or simply know enough to be dangerous. Its the poor bastard that knows better and must comply with the wishes of the owners and senior management.This is where everything is a compromise . . .
All you're doing is buying time and trying to limit your attack surface and potential threats.
For those who have never worked or been involved in a high security video installation. The following are the advanced to basics employed to secure the installation.
- Internet: There is zero access from the outside into the video security room.
- Isolate: The video security system operates on its own dedicated network. So no matter what happens any breach is contained & limited within that isolated network.
- Network: As a measure of fail over, back up, systems are deployed with separate switches, power supplies, VLANS, Subnet, Server racks, etc. Because the system operates on its own network there is zero impact on bandwidth to the main LAN / WAN. All the systems are connected with fiber to insure the highest bandwidth, throughput, while limiting the impact of RFI, EMI, EMF, to the hardware.
All hardware uses a combination of 802.1 X to authenticate to allow a device on the network. Even when this is present video hardware is locked to the MAC address and restricted to a subnet.
- Firewall: As above all network hardware and video security have multiple systems running in parallel. Separate firewall appliances, rules, manage and limit how, where, and when internal traffic is routed.
- Monitoring: Every known Agent & SNMP network monitor is employed to track the state, health, uptime, and tele metrics of this isolated network. Verbose Sys logging captures everything else not possible with traditional monitoring.
- Security: All hardware use complex passwords based on the limitations of the hardware. Passwords are changed every 90 days. Self signed certificates where possible are revoked & regenerated at the 90 day interval. Terminal access is limited to a single internal point within the site. All terminals use the latest biometrics to authenticate, login, and track all activities of the operator.
Access is limited to only a few handful of people on site . . .
- Maintenance: Hardware is reviewed daily, monthly, yearly based on the environment. This spans basic cleaning of the lens, dome, base. Fluke based testing is carried out once a year to validate all cable infrastructure is sound and operating within defined thresholds. As with this article vulnerabilities are scanned by each maker and patched where appropriate. Any hardware that can't be patched and is considered a major threat is simply removed and replaced with a more secure model.
All firmware updates are pretested on like kind hardware. Once installed are monitored for no less than 30 days to insure no unforeseen bugs / issues are seen. All feature sets and video quality is compared to a known target image so all is apple to apple.
- Blue / Red Team: The highest secure sites have dedicated blue / red teams that pen test every facet of the network and organization. Whether it be software, hardware, to social engineering to obtain information / data.
- Compliance: Internal & External audits are conducted to validate all of the above is in place and fully operational. When appropriate outside personal are tasked to review (limited) and restricted areas to affirm everything is indeed compliant.
All of the above in a large and secure environment is very time consuming. But once in place its no different than any other office a person would be in. Almost everything listed up above Joe Public can do and replicate to their scale and needs.
Now, start with the most important one and easy thing to do: No Internet - The rest is just gravy . . .
DanDenver
Getting comfortable
So put some aluminum foil around my BI PC and don’t let my wife login?
I believe the industry approved and best practices is to use a Cookie Sheet
It's probably due to the fact its Betty Crocker approved!
DanDenver
Getting comfortable
Crap, I have been using Martha Stewart cookie sheets. Now I gotta get Betty Crocker cookie sheets. Never ending
SpacemanSpiff
Known around here
Personally, I'd use the type of sheet seen below. It's constructed from heavyweight aluminum sheets that surround a layer of air which ultimately provides a true 'air gapped' system
Make note in that article that is says Axis has had similar issues as well, along with Reolink and Annke.
But you do not need to first expose your camera to the internet and perform an unencrypted login.
Not a single camera I am currently using has touched the internet. They are all setup on an old Win7 laptop that is so old it doesn't even have wifi. This computer has zero internet access. I set it up to the IP address range of my camera NIC that does not have internet access before I put it onto my system.
Smilingreen
Known around here
Honestly, yet another awesome reply I’ll have to quote and hang on the wall.Personally, I'd use the type of sheet seen below. It's constructed from heavyweight aluminum sheets that surround a layer of air which ultimately provides a true 'air gapped' system
View attachment 135018
I have to figure if it’s worth printing off the image vs just sticking a mini cookie sheet under your quote.
Smilingreen
Known around here
My BI Machine is still running Win7 Pro.
I had a pair of revotech (Aliexpress) small cameras on the past. After connecting them to my Switch I always look at connections under my OpenWrt Router to see their IP but also to see what connections are made. Bingo, they were not only pinging for "cloud" services , also making connections to another bunch of ips sending like 10mb per minute.
Always isolate your cameras from internet
Always isolate your cameras from internet
tech_junkie
Getting comfortable
The encryption scheme is flawed in camera systems to begin with because of the use of SSL self signed system to begin with. Which is outdated technology that its hacks has been documented for decades. Once a camera manufacturer comes up with some sort of different encryption scheme instead of relying on a flawed web subsystem it will be secure 100% till then, there is no assurances.
alastairstevenson
Staff member
OK, so a self-signed cert lacks assurance, but it doesn't weaken the underlying encryption strength of the SSL implementation.
And a purchased certificate with verifiable assurance can be imported if needed.
tech_junkie
Getting comfortable
chances on a mtm attack on a camera is unlikely, but I find purchasing one per camera is not going to be much better since now it has to be exposed to the internet for one of those certs to work properly. The issue with it is that the cert itself needs to be the ip address of the cam. Which you can't get buy a 3rd party cert with a private ip address. Now if the camera manufacturer had a signing server we could add to the cam network, the system could create its own 3rd party cert and not have to deal with the shortcomings of self signed.
Gargoile
Getting comfortable
It's called an undocumented enhancement. When you log into your camera you are using a web interface. These people are remoting in as they would using something like an SSH connection to see more than an HTML output would show.