Dahua Backdoor Uncovered

I'm using a Ubiquiti EdgeRouter, yes you want to do it on your router.

Ok, using an Arris router - what area on this router would I need to go to to block this?
 
RTFM?
 
:) figured.
I do not have access to the actual router, it is all done through ISP website.
Where is the general area to block the traffic to this device?

I would love to have actual access to the router settings but from what I can guess from reading what my ISP allows it seems they want to control everything on their end to avoid any PoD/DoS and they block all common ports that are normally vulnerable to hackers. They allow some settings like port forwarding to set up a VPN and DMZ Host.

thanks
 
then slap your own router/firewall up in between it and your LAN and configure it to be a DMZ host
 
That's why I purchased the managed as well, I'll know which one to return now :D
My setup is going to include a Netgear 8-Port Web-managed Switch and a Zyxel 8-Port PoE+ Managed Switch

Same here, would be best to be able to troubleshoot a problem for ourselves. :)

Same with VPN, they do a great job explaining but you have to use google/youtube to find a lot of information.

When I installed my Reolink it was sending information to China it seemed, I turned off some settings and I have not seen the IP popup any longer.

I wonder if Dahua has a backdoor how many others have it but not yet discovered? I feel reolink would have this issue.

I know nayr is all protected from one of his posts but wondering if he can look into his models and if he can find out any issues.
You won't be able to with your unmanaged switches...
 
then slap your own router/firewall up in between it and your LAN and configure it to be a DMZ host

yes but there are newbies who won't do this, I am still uncertain how to block the camera, if I block with the firewall we are unable to use the software that comes with it to view the camera on the computer, must look, it was a long shot but thought someone would be able to point me in the right direction. thanks
 
IMHO, if you don't have a router capable of running a VPN Server then you have no business using Video Surveillance or any IoT devices remotely.. either get a suitable router/firewall/vpn server or get hacked and end up being a weapon on the internet.. it's really that simple

Read the VPN Primer for Noobs

Understanding basic network security is a mandatory requirement with this technology; either educate yourself or you'll be safer without it.
 
We all are getting a refresher course here, I'm sure it's been a long time for some :D
 
You can buy a router that is pretty simple to use where you just click a few things and you're off to the races. If you spend hundreds of dollars on cameras but can't spend $100 give or take on a good router with vpn built in, you got problems.
 
@nayr and @hmjgriffon....

Just so everyone is clear regarding VPN....if you have a VPN set up on your router and no ports forwarded and nothing in the individual camera settings (like UPnP, P2P, whatever that company wants to use) are you pretty much safe from the camera being able to communicate to the outside world or do you still need to VLAN it off or set up FW rules to block ALL outbound traffic? For example, I know in most cameras under network config there are places for IP address, Default gateway, and DNS addresses....I know it's a must to have the IP address set up and the default gateway but can you leave the DNS stuff blank or maybe it won't let you not sure...just thinking of ways the cam could get outside your network.
 

if it's connected to an NVR, it's already on its own vlan and I don't think cameras themselves can talk to anything else, you don't have to have a separate vlan, if your firewall will let you block individual IPs, if not then you need a vlan and to block it. there's lots of ways to do it.
 

No, in my particular case I don't run an NVR...I just have the cameras recording to BI on a Windows pc. I will log into my "consumer grade" router tonight and see if in the FW section it allows you to block certain IPs from communicating to the outside world. If so, then I will just have to list all my cams or range of IP addresses and then maybe try to run some network software to see if that works. Anyway, thanks for the assistance.
 
if it's connected to an NVR, it's already on its own vlan and I don't think cameras themselves can talk to anything else,
Sorry, but that's not a good assumption - the 'Virtual Host' feature on Hikvision NVRs implicitly enables the Linux kernel 'IP_forward' (not to be confused with port forward) facility such that packets can flow across the NVR LAN and PoE interfaces.
So the cameras on NVR PoE ports can easily talk to the outside world.
 
That's why I said I think lol, I've never used one of those nvrs
 

I'm following all these discussions regarding network security and slowly beginning to understand some strategies. All this networking stuff has my head spinning o_O

I have an Asus router and it has a Network Services Filter option that appears to be a method of denying your ip cams from accessing the Internet. Here's a good discussion on another website - I hope it's OK to link another website. Any input is appreciated :) Thanks.
 

I have an Asus router as well so I will take a look at that other discussion link that you posted. Also another question for anyone that might know....is there a specific clear cut way that you can figure out if it's even possible for your current cam to communicate outside your network? Is there some sort of test or other way that you can log onto your camera and see if you can access the net or something?
 

if it has an IP address, it's possible.
 
Well just for giggles I figured I would go home and log onto my router and see if I could find any outbound connections so I viewed my "active connections" log under my WAN section and came across two of my IP addressed cameras connecting to various outside addresses....not sure what this is all about? Any assistance would be appreciated...

[attached image: router active connections screenshot, dahua cam]
 

first one is google DNS, second one is an automatic private IP address, 3rd is some place in China.

[attached image: Selection_006.png]
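As an added example, not code from the thread or from any router or camera vendor, here is the check the last two posts describe done in a script: take lines from a router's active-connections table, keep only the ones whose source is a camera, and sort the destinations the way the reply above does (Google public DNS, link-local/APIPA auto-config, local LAN, or a public address that deserves a look). The log format (source, destination, port, protocol per line), the camera addresses and the sample lines are all constructed assumptions; 203.0.113.45 is a documentation-range placeholder standing in for whatever foreign address your own router shows.

```python
"""Flag outbound connections from IP cameras in a router's active-connections log.

Constructed example. The one-line-per-connection format below is an
assumption; real router exports differ, so adapt parse_line() to yours.
"""
import ipaddress

# Hypothetical camera addresses on the LAN (assumption, not from the thread).
CAMERA_IPS = {"192.168.1.50", "192.168.1.51"}

# Google public DNS resolvers (well-known addresses).
GOOGLE_DNS = {"8.8.8.8", "8.8.4.4"}

# RFC1918 ranges: traffic to these never leaves your own LAN/router.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample of what a router's "active connections" table might show:
# source-IP destination-IP destination-port protocol
SAMPLE_LOG = """\
192.168.1.50 8.8.8.8 53 udp
192.168.1.51 169.254.20.7 3702 udp
192.168.1.50 203.0.113.45 443 tcp
192.168.1.20 192.168.1.1 443 tcp
192.168.1.51 192.168.1.10 554 tcp
"""


def classify(dst: str) -> str:
    """Label a destination address the way the reply in the thread does."""
    addr = ipaddress.ip_address(dst)
    if dst in GOOGLE_DNS:
        return "public DNS (Google)"
    if addr.is_link_local:
        return "link-local (APIPA)"   # 169.254.0.0/16: automatic private address
    if addr.is_loopback or any(addr in net for net in RFC1918):
        return "local"                # stays inside your LAN
    # Deliberately not using ipaddress.is_private here: it also covers the
    # 203.0.113.0/24 documentation range used as the placeholder above.
    return "public"


def parse_line(line: str):
    """Split one constructed log line into (src, dst, port, proto)."""
    src, dst, port, proto = line.split()
    return src, dst, int(port), proto


def find_camera_egress(log_text: str, camera_ips=CAMERA_IPS):
    """Return (src, dst, port, proto, category) for each camera connection
    whose destination is outside the LAN; local and APIPA traffic is ignored."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, port, proto = parse_line(line)
        if src not in camera_ips:
            continue
        category = classify(dst)
        if category in ("local", "link-local (APIPA)"):
            continue
        findings.append((src, dst, port, proto, category))
    return findings


if __name__ == "__main__":
    for src, dst, port, proto, category in find_camera_egress(SAMPLE_LOG):
        print(f"camera {src} -> {dst}:{port}/{proto}  [{category}]")
```

Anything the script reports under "public" is a camera reaching an address you did not configure, which is exactly the case the thread says to block at the router (per-IP outbound rule or a separate VLAN); DNS traffic to a resolver you did not set is worth a look for the same reason.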