Dahua Audio Wiretapping vulnerability

fresnoboy

See here: Dahua Wiretapping Vulnerability

I'm not a member, so I can't read it past the first few sentences. I assume this is not something that is an issue if the cameras are on a separate VLAN and cut off from any internet connectivity and access to non-NVR computers? Can someone with a subscription verify that?

I can imagine malware that might be able to exploit it if cameras were on the same network as computers/phones etc... that could be a problem.

Mike
 

fenderman

I posted this seconds ago. Security Advisory - VideoTalk function of some Dahua products have security risks
You don't need a subscription to know that the cameras are not vulnerable unless you port forwarded or exposed them to the net in another manner. But yes, I read the article and can confirm it.
If there is malware on your PC you have bigger problems than it exposing your Dahua cameras. That PC is likely the same PC you log into the cameras with, so they have your actual passwords. Dahua knew about this for 3 months. They will never learn.
 

fresnoboy

Well, if you have kids' computers and phones on the same LAN that can talk to cameras, that can be an issue. Generally there are lots of computers/devices in houses today. Kids often download things they shouldn't. I have my kids' gear managed and no admin privs on their accounts, but that's not normally the case. That's why limiting access to the cameras from a few IP addresses is a good idea, I think.

It looks like from your note that Dahua fixed the problem back in 2018?

thank you
mike
 

fenderman

If you are paranoid that one of your kids' PCs will get infected by a virus and the hackers will then listen to your audio, your concern is misplaced. You should be more concerned that they now have full control of your network from your kid's device. This is not the first Dahua or China cam exploit. This is one of the least severe. The others allowed full control of the cameras. You cannot rely on any camera manufacturer for security. Consider this: the hacker does not need to exploit your Dahua camera, they can listen in on the hacked devices, view through its camera and read everything your kid types. Who cares if they fixed it in 2018, there are likely much worse exploits in the wild.
 

Arizona23

Private network, possibly on a dedicated PoE switch, with a PC running BI connected on one of a pair of NICs on that PC. Hardwired and isolated from the world. YMMV
 

thendawg

You seem very security conscious, use VLANs with different subnets to isolate everything then route only what you want between them. Cameras should be on their own with NVR (and maybe a management box if your NVR isn't usable for the task), and I'd also recommend putting your kids, IoT, and other non-techy people's stuff on its own VLAN. That's what I do at least. It's worked quite well, although I can't say I've had an attack that tried to exploit it. I also run Pi-hole for DNS (which helps block said non-techy users from malicious sites) and IDS to *hopefully* catch any attempts, so far in a couple years of playing with IDS at home though I just catch Russians (well and IPs originating from other random countries) port scanning me all the time lol.
 

john-ipvm

Btw, Dahua recommended, both on the advisory and in a message to us, to use their 'cloud upgrade' service, i.e., one's Dahua devices phone home to Dahua over the Internet and Dahua pushes down new firmware. Would you be more likely to trust or use that?
 

thendawg

Personally, no, but I'm paranoid. If I WAS going to do that, I'd just add an interface to pfSense for that VLAN and only allow it routing to the internet specifically when I want to execute an upgrade. But still who knows how much identifiable data it's sending back during the upgrade itself. I personally prefer manual fw updates, but I'm a sw engineer with OCD :/
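
The layout discussed in this thread (cameras and NVR on their own VLAN, access limited to a few IP addresses, camera internet access opened only for an upgrade), written as an nftables ruleset for a Linux router. This is an added example, not a configuration from any poster, and it uses nftables rather than the pfSense setup mentioned above; all interface names, subnets and addresses are assumptions.

```nftables
#!/usr/sbin/nft -f
# Constructed example. Assumed layout (not from the thread):
#   vlan10 = trusted LAN     192.168.10.0/24
#   vlan20 = cameras + NVR   192.168.20.0/24
#   vlan30 = kids / IoT      192.168.30.0/24
#   wan0   = internet uplink
# Camera <-> NVR traffic stays inside vlan20 and never reaches this chain.

table inet homelab
delete table inet homelab

table inet homelab {
    # Hosts allowed to open connections to the camera VLAN
    # (hypothetical management PC).
    set cam_admins {
        type ipv4_addr
        elements = { 192.168.10.5 }
    }

    # Cameras temporarily allowed out for a firmware upgrade.
    # Normally empty; entries expire on their own, e.g.:
    #   nft add element inet homelab cam_upgrade '{ 192.168.20.21 timeout 30m }'
    set cam_upgrade {
        type ipv4_addr
        flags timeout
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Only allowlisted hosts may reach cameras and the NVR.
        iifname "vlan10" oifname "vlan20" ip saddr @cam_admins accept

        # Cameras get internet access only while listed in cam_upgrade.
        iifname "vlan20" oifname "wan0" ip saddr @cam_upgrade accept

        # Trusted and kids/IoT VLANs may reach the internet, nothing else.
        iifname { "vlan10", "vlan30" } oifname "wan0" accept

        # Everything else (vlan30 -> vlan20, vlan20 -> LAN, cameras
        # phoning home) hits the drop policy; log a sample of it.
        limit rate 10/minute log prefix "homelab-fwd-drop "
    }
}
```

The logged drops from `vlan20` show which cameras are trying to reach the internet on their own.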
 