Dahua Backdoor Uncovered

Zeddy



A major cyber security vulnerability across many Dahua products has been discovered by an independent researcher, reported on IPVM, verified by IPVM and confirmed by Dahua.

Upgrade Immediately

A 'number' of Dahua HDCVI and IP cameras and recorders are impacted, says Dahua; so far they are listing 11 models, but the total will certainly be much higher as they continue to test / confirm. Current firmware Dahua products are vulnerable to this.

Firmware updates are available for the first 11 models listed, more should come later this week. When they are, we urge you to immediately upgrade firmware.

[UPDATE: Dahua has not listed any more models but they are hiding / delaying because there are surely far more devices impacted and they must know that (simply because many partners have independently verified many more models impacted). Do not check that list and assume you are safe simply because your device is not listed. Eventually, hopefully, Dahua will disclose all the devices impacted.]

Severe

This backdoor allows remote unauthorized admin access via the web and is therefore extremely severe. Dahua's statement does not acknowledge this at all. Moreover, our testing shows the exploit is simple to execute.

Dahua Says Error

Dahua says this was an error ('coding issue') and was not done intentionally. While only Dahua can know their intentions, such an error in production for so long and so widely would be an extreme engineering failure. Moreover, the researcher expresses skepticism of the error claim, examined further below.
 

bug99

Thank you for posting this. One more reason to use VPN / local only communication and block outbound communication from your camera to the web, thus making this sort of weakness basically a non-issue. The researcher's quote is telling:

"quote"
I have just discovered (to what I strongly believe is backdoor) in Dahua DVR/NVR/IPC and possible all their clones.

Since I am convinced this is a backdoor, I have my own policy to NOT notify the vendor before the community.
"/end quote"
 

hmjgriffon

And outbound connections don't matter unless the camera is already hacked. Don't be stupid and forward ports directly to your cameras and you won't have a problem.

 

alastairstevenson

> Don't be stupid and forward ports directly to your cameras and you won't have a problem.

It's not necessarily being stupid - but it could be being ignorant.
In many cases, the user may not know it's being done.

All that's needed is UPnP enabled on the router - often enabled by default - and UPnP enabled on the NVR - is enabled by default (Hikvision).
I have a pretty tech-savvy friend whose Hikvision NVR was one of the many subject to the on-going 'awareness hack' where recently I had to do a password reset to recover access for him.
He was convinced he'd not opened any ports to the internet, as he knew the risks of doing so.
Despite that, ShieldsUp! showed port 8000 open inbound.
And the new 'system' user showed the NVR had been hacked.
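
Added example, not part of the original post: one way to check for the silent UPnP forwards described above is to list the router's port mappings (the UPnP IGD action GetGenericPortMappingEntry) and flag any enabled entry that points at the camera/NVR subnet. The SOAP replies, addresses and subnet below are constructed sample data, and the function names are this example's own.

```python
import ipaddress
import xml.etree.ElementTree as ET

FIELDS = ("NewExternalPort", "NewProtocol", "NewInternalPort",
          "NewInternalClient", "NewEnabled", "NewPortMappingDescription")

def make_reply(*values):
    """Build a constructed GetGenericPortMappingEntryResponse (sample data only)."""
    body = "".join(f"<{k}>{v}</{k}>" for k, v in zip(FIELDS, values))
    return ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
            '<u:GetGenericPortMappingEntryResponse '
            'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
            f'{body}</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')

def parse_mapping(soap_xml):
    """Pull the mapping fields out of one SOAP reply, ignoring XML namespaces."""
    entry = {}
    for el in ET.fromstring(soap_xml).iter():
        tag = el.tag.rsplit("}", 1)[-1]
        if tag in FIELDS:
            entry[tag] = (el.text or "").strip()
    return entry

def exposed_devices(replies, watched_net):
    """Return enabled mappings that forward inbound traffic into watched_net."""
    net = ipaddress.ip_network(watched_net)
    hits = []
    for soap_xml in replies:
        m = parse_mapping(soap_xml)
        if m.get("NewEnabled") != "1":
            continue  # mapping exists but is switched off
        try:
            client = ipaddress.ip_address(m["NewInternalClient"])
            ports = int(m["NewExternalPort"]), int(m["NewInternalPort"])
        except (KeyError, ValueError):
            continue  # malformed entry: skip rather than crash the audit
        if client in net:
            hits.append((m.get("NewProtocol", ""), ports[0], str(client), ports[1]))
    return hits

# Constructed entries: NVR on 8000 (enabled), a console, a disabled camera mapping.
SAMPLE = [
    make_reply(8000, "TCP", 8000, "192.168.1.50", 1, "NVR"),
    make_reply(3074, "UDP", 3074, "192.168.1.20", 1, "console"),
    make_reply(8080, "TCP", 80, "192.168.1.51", 0, "camera"),
]

if __name__ == "__main__":
    for proto, ext, client, port in exposed_devices(SAMPLE, "192.168.1.48/29"):
        print(f"EXPOSED: {proto} {ext} -> {client}:{port}")
```

Any hit means the router is forwarding internet traffic to that device whether or not anyone configured a port forward by hand; disabling UPnP on both the router and the recorder removes the mapping.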
 

hmjgriffon

> It's not necessarily being stupid - but it could be being ignorant.
> In many cases, the user may not know it's being done.
>
> All that's needed is UPnP enabled on the router - often enabled by default - and UPnP enabled on the NVR - is enabled by default (Hikvision).
> I have a pretty tech-savvy friend whose Hikvision NVR was one of the many subject to the on-going 'awareness hack' where recently I had to do a password reset to recover access for him.
> He was convinced he'd not opened any ports to the internet, as he knew the risks of doing so.
> Despite that, ShieldsUp! showed port 8000 open inbound.
> And the new 'system' user showed the NVR had been hacked.

Yeah, I turn all that UPnP noise off lol.
 

hmjgriffon

I'd be interested, has anyone looked at the traffic? Are they making encrypted connections out to the internet? Or just sending stupid usage stats back to Dahua?
 

alastairstevenson

If you mean the Dahua 'backdoor' -
What's been revealed is an ability to extract with an unauthenticated web command the plaintext file that holds the device configuration.
This file holds amongst many things lightly encoded user accounts, which can then be used to gain full access.
Or additional accounts could be added and the file dropped back, to give a future foothold as it's known in the trade.
 

Zeddy

> It's not necessarily being stupid - but it could be being ignorant.
> In many cases, the user may not know it's being done.
>
> All that's needed is UPnP enabled on the router - often enabled by default - and UPnP enabled on the NVR - is enabled by default (Hikvision).
> I have a pretty tech-savvy friend whose Hikvision NVR was one of the many subject to the on-going 'awareness hack' where recently I had to do a password reset to recover access for him.
> He was convinced he'd not opened any ports to the internet, as he knew the risks of doing so.
> Despite that, ShieldsUp! showed port 8000 open inbound.
> And the new 'system' user showed the NVR had been hacked.

And a lot of the apps out there don't support VPN/Stunnel natively in the app, nor do they demand-dial a VPN configured in the OS itself. Hell, I'd settle for SSH connection with Cert Auth and port tunneling. I haven't tried all the apps in the app store but the ones I have tried don't support much more than HTTPS. I sent a request to the developer of the BI app asking for that feature. Port forwarding is a bad idea but the apps don't offer any simple alternative, especially for people who like the convenience of tap and view on their phones.
 

nbstl68

From a guy who has still not yet figured out how to set up VPN, how do I "look at my traffic"? (I have a mac and windows computer on the network...the windows used for the BI server.)
And when I do look at it...how do I know what I'm seeing or what to look for in it?
 

TL1096r

> From a guy who has still not yet figured out how to set up VPN, how do I "look at my traffic"? (I have a mac and windows computer on the network...the windows used for the BI server.)
> And when I do look at it...how do I know what I'm seeing or what to look for in it?

Same question, I read a lot on how to set it up but never seem to find enough info video to exactly see how to do it. Still learning in my free time.
 

hmjgriffon

> Same question, I read a lot on how to set it up but never seem to find enough info video to exactly see how to do it. Still learning in my free time.

You're getting into more advanced network stuff there. You'd need a sniffer program and then you get into having to run it on your firewall, or use a hub or something to get all of the traffic sent to the sniffer. There should be no need for the average camera user to do this in my humble opinion, just try to set things up securely and you should be good.
 

Camit

> From a guy who has still not yet figured out how to set up VPN, how do I "look at my traffic"? (I have a mac and windows computer on the network...the windows used for the BI server.)
> And when I do look at it...how do I know what I'm seeing or what to look for in it?

Little program called Wireshark, there are many more like it. It's easy to see incoming and outgoing.
 

hmjgriffon

> Little program called Wireshark, there are many more like it. It's easy to see incoming and outgoing.

No offense to him but he doesn't sound like someone who is going to have any clue what he is looking at in Wireshark.
 

alastairstevenson

> Little program called Wireshark, there are many more like it. It's easy to see incoming and outgoing.

From the PC, sure.
But you won't be able to see regular (i.e. non-broadcast) traffic between a camera and router as the switch fabric keeps that traffic private between those endpoints.
To sniff traffic on other endpoints you need a port mirroring capability - usually a feature on a 'smart' or managed switch as opposed to a normal unmanaged switch.
 

bug99

> Little program called Wireshark, there are many more like it. It's easy to see incoming and outgoing.
> From the PC, sure. But you won't be able to see regular (i.e. non-broadcast) traffic between a camera and router as the switch fabric keeps that traffic private between those endpoints.
> To sniff traffic on other endpoints you need a port mirroring capability - usually a feature on a 'smart' or managed switch as opposed to a normal unmanaged switch.

Correct. A pain in the ass for low-end unmanaged gear, especially with PoE added in. Just do best and easy. Don't sacrifice easy for better, but the techniques described here can be easy and good, so follow them.
 