Dahua Backdoor Uncovered

handinpalm

Getting comfortable
Joined
Sep 21, 2016
Messages
679
Reaction score
1,433
Location
Tampa Bay FL
Just to chime in. When I replaced my Apple Airport Extreme router with an Asus RT-AC68U recently I was surprised at the number of UPnP ports my Hikvision cameras had opened. I quickly disabled UPnP on the router and blocked the 6 cameras from accessing the internet - a 2 minute job on the router.

If anyone is looking the Asus is a good little router. A few years old now but rock solid and been through a couple of hardware updates. I was briefly blinded by all the flashy marketing of the newer model routers but stuck with the '68U. I'd recommend it (oh and has VPN server functionality).
Roger that on the Asus routers. I have tried many Linksys routers (high end) in the past for VPN without any luck. Not even the Linksys engineers could figure it out. Asus makes it so easy; I have the AC1900 and am very happy. Lock out all cams from internet access.
 

Chase

Getting the hang of it
Joined
Feb 12, 2017
Messages
146
Reaction score
28
Location
Ohio
Roger that on the Asus routers. I have tried many Linksys routers (high end) in the past for VPN without any luck. Not even the Linksys engineers could figure it out. Asus makes it so easy; I have the AC1900 and am very happy. Lock out all cams from internet access.
How exactly did you lock out all cams from internet access? I have UPnP disabled, but I want to be 100% sure my cams can't access the internet.
 

handinpalm

Getting comfortable
Joined
Sep 21, 2016
Messages
679
Reaction score
1,433
Location
Tampa Bay FL
Lock out any appliance from the Internet connection on Asus routers. Select the client first.

Asus Client.png



Then click the client's Ethernet icon and turn on "Block Internet Access".

Asus Client No Internet.png
 

Chase

Getting the hang of it
Joined
Feb 12, 2017
Messages
146
Reaction score
28
Location
Ohio
@handinpalm perfect thank you for that! Until now, my cameras were able to access the internet.

Do you also block your NVR from accessing the internet?
 

Chase

Getting the hang of it
Joined
Feb 12, 2017
Messages
146
Reaction score
28
Location
Ohio
I assume the answer is yes, judging by how handinpalm firewalls his Blue Iris computer. Is it recommended to remove internet access from the NVR via the router -- the same way we do it for our cameras?
 

Peetz

n3wb
Joined
Feb 14, 2016
Messages
7
Reaction score
1
If all cameras and NVR are blocked from Internet access - how does everyone keep their time updated on those devices?
 

mat200

IPCT Contributor
Joined
Jan 17, 2017
Messages
13,907
Reaction score
23,200
If all cameras and NVR are blocked from Internet access - how does everyone keep their time updated on those devices?
Hi Peetz,

You can just set the time on the NVR, and if you use a UPS, it should keep time fairly well.
 

Peetz

n3wb
Joined
Feb 14, 2016
Messages
7
Reaction score
1
So, in practice - one would just go into the NVR and update the time from their PC on occasion? Do the cameras update their time from the NVR?
 

mat200

IPCT Contributor
Joined
Jan 17, 2017
Messages
13,907
Reaction score
23,200
So, in practice - one would just go into the NVR and update the time from their PC on occasion? Do the cameras update their time from the NVR?
Hi Peetz,

They should, as I see the correct time stamps in all the videos I am getting.
( note in my case the cameras are all connected to the NVR via the NVR's PoE ports )
 

Peetz

n3wb
Joined
Feb 14, 2016
Messages
7
Reaction score
1
Thanks for your comments. I have my cameras on a separate PoE switch, then run into the NVR (just makes it easier to view individual cameras). I'll watch to see if the timestamps between the NVR and individual cameras match over time.

I have no issue logging into the NVR once in a while to ensure the time is right if it cannot access an outside NTP server to do that. Seems like a small price to pay to keep it sheltered from the outside world.
 

mat200

IPCT Contributor
Joined
Jan 17, 2017
Messages
13,907
Reaction score
23,200
Thanks for your comments. I have my cameras on a separate PoE switch, then run into the NVR (just makes it easier to view individual cameras). I'll watch to see if the timestamps between the NVR and individual cameras match over time.

I have no issue logging into the NVR once in a while to ensure the time is right if it cannot access an outside NTP server to do that. Seems like a small price to pay to keep it sheltered from the outside world.
Hi Peetz,

Just check that your NVR is acting as an NTP server, and check that the cameras have the IP address of the NVR in the NTP server field. ( note, I did not have to do this, so this is just my general knowledge from other systems )
 

Peetz

n3wb
Joined
Feb 14, 2016
Messages
7
Reaction score
1
Thanks. All the cameras are at exactly the same time, so they must be grabbing from the NVR.

Merry Christmas! Only 7 more big sleeps.
 

cb8

Getting comfortable
Joined
Jan 16, 2017
Messages
111
Reaction score
64
If all cameras and NVR are blocked from Internet access - how does everyone keep their time updated on those devices?
You can run an NTP server locally, such as NetTime. The machine running NetTime would still need internet access, but your NVR and camera would only need to be able to reach the machine with the NTP server.
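A small way to confirm that an isolated NVR or camera really has a working local time source, as an added example that is not from the original thread or from NetTime: it sends one SNTP (NTP v4) query to the local server the cameras point at and reports the offset. The host and port below are assumptions; the sample reply is constructed for the parser check.

```python
import socket
import struct
import time

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01)
NTP_EPOCH_OFFSET = 2208988800


def build_sntp_request() -> bytes:
    # First byte: LI=0, VN=4, Mode=3 (client). The rest of the 48-byte header is zero.
    return bytes([0x23]) + b"\x00" * 47


def parse_sntp_response(data: bytes) -> dict:
    """Return stratum and transmit timestamp (Unix seconds) from a server reply."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    mode = data[0] & 0x07
    if mode != 4:  # 4 = server reply; anything else is not an answer to us
        raise ValueError(f"unexpected NTP mode {mode}")
    stratum = data[1]
    if stratum == 0:
        # Stratum 0 is a kiss-o'-death: the server is not synchronised
        raise ValueError("server reports stratum 0 (unsynchronised)")
    tx_sec, tx_frac = struct.unpack("!II", data[40:48])
    tx_time = tx_sec - NTP_EPOCH_OFFSET + tx_frac / 2**32
    return {"stratum": stratum, "transmit_time": tx_time}


def check_local_ntp(host: str, port: int = 123, timeout: float = 2.0) -> dict:
    """Query one local NTP server (e.g. the NVR) and return its offset from this PC."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_sntp_request(), (host, port))
        data, _ = sock.recvfrom(512)
    info = parse_sntp_response(data)
    info["offset_seconds"] = info["transmit_time"] - time.time()
    return info


# Constructed sample reply: mode 4, stratum 2, transmit time 2017-12-18 00:00:00.5 UTC
SAMPLE_REPLY = bytes([0x24, 2]) + b"\x00" * 38 + struct.pack("!II", 3722544000, 0x80000000)

if __name__ == "__main__":
    print(parse_sntp_response(SAMPLE_REPLY))
    # Assumed NVR address on the camera VLAN; replace with your own
    print(check_local_ntp("192.168.1.10"))
```

An offset of more than a few seconds, or a stratum-0 reply, means the cameras are syncing to a clock that is itself not being kept right.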
 

looney2ns

IPCT Contributor
Joined
Sep 25, 2016
Messages
15,609
Reaction score
22,838
Location
Evansville, In. USA
Did they fix this remotely? I am looking for a new system, which is why I came across this bug. I have Dahua systems at both work and my vacation home, although I don't care if anyone else is watching any of those cameras, so I haven't been keeping up to date.

Anyways, neither has been upgraded for years, so I expected them to be vulnerable, but I'm not sure. I have some programming skills, although none with Python, but I wanted to test and see if they are, indeed, vulnerable. I am connecting using SmartPSS and port 37777, but it seems like the script is checking for port 80; could this be why it's not working? One is giving me this error "Detect of target failed (<urlopen error timed out>)" and the other is handing out "Patched or not Dahua device! (404)"

Thanks
All cameras should be isolated from the internet. You should never forward ports.
It's not a matter of whether someone is watching your cameras; it's a matter of something hacking them into a bot and becoming part of a botnet attacking the internet.
VPN Primer for Noobs
How to Secure Your Network (Don't Get Hacked!) | IP Cam Talk
 