Dahua IPC-T5442T-ZE camera hacked / dead

d5775927

Pulling my weight
Joined
Dec 11, 2019
Messages
287
Reaction score
221
Location
Israel
I bought an IPC-T5442T-ZE from Andy less than a year ago.
The camera is connected to a Dahua NVR, and the Dahua NVR is connected to a wireless router.
To prevent incoming connections, there are no port forwards or DMZ.
Also, the DNS config is wrong in the NVR/IPCs (to avoid outbound access).
Yesterday, I noticed the IPC-T5442T-ZE went offline at midday (I have another camera monitoring the area, and no one was around); there was no physical damage to the camera or cable.
When I looked at the NVR logs, I saw this:
Code:
23
Time:    2022-05-13 14:02:07
Type:    Remote Info
Contents:
Channel: 2

IP Address:10.1.1.66
Type:User logged out.
Serial No.: [IPC-serial-number]

24
Time:    2022-05-13 14:02:06
Type:    Remote Info
Contents:
Channel: 2
IP Address:10.1.1.66
Type:User logged in.
Serial No.:[IPC-serial-number]

25
Time:    2022-05-13 14:02:06
Type:    Remote Info
Contents:
Channel: 2
IP Address:10.1.1.66
Type:Network Disconnected
Serial No.:

26
Time:    2022-05-13 14:01:11
Type:    Save
Contents:
Save <Monitor> config!
IP:Login Local
Username:
Group Name:
Channel:2
Enable :Yes-->No.

27
Time:    2022-05-13 14:01:05
Type:    Save
Contents:
Save <Monitor> config!
IP:Login Local
Username:default
Group Name:user
Channel:2
Enable :No.-->Yes

28
Time:    2022-05-13 14:00:08
Type:    User logged out.
Contents:
IP Address: 192.168.100.134
Username: viewer


29
Time:    2022-05-13 14:00:03
Type:    User logged out.
Contents:
IP Address: 192.168.100.134
Username: viewer


30
Time:    2022-05-13 13:57:34
Type:    Remote Info
Contents:
Channel: 2
IP Address:10.1.1.66
Type:User logged out.
Serial No.:

31
Time:    2022-05-13 13:56:26
Type:    Save
Contents:
Save <Monitor> config!
IP:Login Local
Username:
Group Name:

Channel:2
Enable :Yes-->No.
The firmware which was installed:
Code:
System Version V2.820.15OG001.0.R, Build Date: 2021-07-06
WEB Version V3.2.1.1042333
ONVIF Version 20.06(V2.9.0.979397)
S/N XXXXXXXXX
Algorithm Version 1.0.3
Security Baseline Version V2.1
Copyright 2021 EmpireTech, all rights reserved.
Notes:
1. I've never updated the NVR or IPC firmware
2. I didn't configure username 'default'
3. Now the NVR is not able to find the IPC, even when using another port in the NVR.

What should I do next?
Does it mean Andy's firmware contains a backdoor that somehow allowed the IPC to connect to the NVR and disable the camera?
 

iTuneDVR

Pulling my weight
Joined
Aug 23, 2014
Messages
846
Reaction score
153
Location
Россия
Notes:
1. I've never updated the NVR or IPC firmware
2. I didn't configure username 'default'
3. Now the NVR is not able to find the IPC, even when using another port in the NVR.

What should I do next?
Does it mean Andy's firmware contains a backdoor that somehow allowed the IPC to connect to the NVR and disable the camera?
1. Shit happens
2. It's a built-in user from group user with non-administrator rights
3. Shit happens

You can always restore defaults on the NVR & IPC and set everything up again.
Make a backup from the NVR & IPC first.
 

d5775927

1. Shit happens
2. It's a built-in user from group user with non-administrator rights
3. Shit happens

You can always restore defaults on the NVR & IPC and set everything up again.
Make a backup from the NVR & IPC first.
The NVR cannot find the IPC, even after a reset of the NVR.
 

looney2ns

IPCT Contributor
Joined
Sep 25, 2016
Messages
15,606
Reaction score
22,831
Location
Evansville, In. USA
Have you confirmed the cable to the camera is good?
Take the camera down and test it with a known good factory short ethernet patch cable attached to the NVR.

Was the outdoor connection to the camera properly waterproofed at time of install? WaterProofing Connections

Did you use solid copper ethernet cable of at least AWG24 gauge and NOT copper plated aluminum?
 

bigredfish

Known around here
Joined
Sep 5, 2016
Messages
17,319
Reaction score
48,366
Location
Floriduh
Is the camera plugged into the NVR built in PoE port?

What is device 192.168.100.134?
 

d5775927

Have you confirmed the cable to the camera is good?
Take the camera down and test it with a known good factory short ethernet patch cable attached to the NVR.

Was the outdoor connection to the camera properly waterproofed at time of install? WaterProofing Connections

Did you use solid copper ethernet cable of at least AWG24 gauge and NOT copper plated aluminum?
This solved the issue.
I've connected the IPC with a short cable to a computer and it detected it with the Dahua utility, after that the NVR detected it as well.
Guessing the IPC was in zombie mode until the Dahua utility got it out of it.
 

d5775927

Is the camera plugged into the NVR built in PoE port?
Yes.
What is device 192.168.100.134?
A Raspberry Pi that is responsible for:
1) NTP server for the NVR
2) Runs day/night utility to turn on/off IR
3) Listens to camera events and sends me the image on Telegram (only if human presence is detected) - the IPC-T5442T-ZE reports if it sees a human/vehicle on IVS rules.

It seems that feeding the IPC with wrong DNS/gateway config is not enough.
Must use VLANs or other means of preventing inbound/outbound traffic (in this case, it was outbound access from the IPCs to the NVR and from there to the rest of the network).
 

d5775927

Update: moved the two IPCs and the NVR to a VLAN without internet access.
It happened again: the IPC deleted itself from the NVR and now the NVR cannot see it. Logs from the NVR:

Code:
186
Time:    2022-06-17 10:45:05
Type:    Remote Info
Contents:
Channel: 2

IP Address:10.1.1.66

Type:User logged out.

Serial No.:

187
Time:    2022-06-17 10:44:16
Type:    Save
Contents:
Save <Monitor> config!

IP:Login Local
Username:default
Group Name:user

Channel:2

Enable :Yes-->No.
In order to fix this, I need to connect the camera to a PC (which will take me a few hours; this issue happened a month ago again).
The camera was bought from Andy; quite disappointed with the quality of the software of the NVR and IPC of Dahua/Andy.
Guessing this is one of the reasons the US decided to ban Dahua and Hikvision.

If you also have similar issues of cameras disappearing, check the log in the NVR for the preceding 24 hours to find out whether the IPCs are shipped with malware/a virus.
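
The log check suggested above, as an added example that is not part of the original post: it parses an NVR log export in the (abridged) layout quoted in this thread and, for each entry that disables a channel, reports the time offset to the nearest "Network Disconnected" entry on the same channel, so a configuration change can be read against link drops. The sample log is constructed, and the function names and the 300-second window are assumptions of this example.

```python
from datetime import datetime
# Constructed sample in the abridged layout of the NVR export quoted above (newest entry first).
SAMPLE = """\
25
Time:    2022-01-01 10:00:55
Type:    Remote Info
Channel: 2
Type:Network Disconnected

26
Time:    2022-01-01 10:00:00
Type:    Save
Save <Monitor> config!
Username:default
Channel:2
Enable :Yes-->No.
"""

def parse_records(text):
    """Split the export into records; each one starts with a bare index line."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.isdigit():
            cur = {"index": int(line), "types": []}
            records.append(cur)
        elif cur is not None and ":" in line:
            key, _, val = (part.strip() for part in line.partition(":"))
            if key == "Type":
                cur["types"].append(val)  # Remote Info entries carry two Type lines
            elif key == "Time":
                cur["time"] = datetime.strptime(val, "%Y-%m-%d %H:%M:%S")
            else:
                cur[key] = val
    return [r for r in records if "time" in r]  # drop entries without a timestamp

def disable_events(records, window_s=300):
    """Per channel-disable save: seconds to the nearest link drop (+ = drop logged later)."""
    drops = [r for r in records if "Network Disconnected" in r["types"]]
    out = []
    for r in records:
        if r["types"][:1] == ["Save"] and r.get("Enable", "").startswith("Yes-->No"):
            offs = [(d["time"] - r["time"]).total_seconds() for d in drops
                    if d.get("Channel") == r.get("Channel")]
            offs = [s for s in offs if abs(s) <= window_s]
            out.append({"time": r["time"], "channel": r.get("Channel"),
                        "username": r.get("Username", ""),
                        "drop_offset_s": min(offs, key=abs) if offs else None})
    return sorted(out, key=lambda e: e["time"])
```

A `drop_offset_s` of `None` means no link drop was logged for that channel within the window, which is the case worth a closer look.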
 

wittaj

IPCT Contributor
Joined
Apr 28, 2019
Messages
24,866
Reaction score
48,499
Location
USA
Wait a minute....you started down there is a virus route to start this thread....and then it was determined you had a bad cable and using a short cable it started working again....and now we are back to you think the NVR or camera has a virus again?

Are you sure it isn't something on the Pi? Are you sure you don't have something configured wrong and it does still see outside access?

Or maybe the POE port is going out?

Something isn't adding up as nobody else is seeing this, and we have some smart dudes here that run intensive sniffers looking for this kinda stuff....

This is not the reason for the ban...
 

sebastiantombs

Known around here
Joined
Dec 28, 2019
Messages
11,511
Reaction score
27,691
Location
New Jersey
The "ban" here in the US only affects government agencies, not the public or private entities. When it comes to "backdoors" on cameras, every major manufacturer has had similar problems, so in reality the "ban" is nothing more than a useless action to say "look we did something even if it's useless".
 

d5775927

Wait a minute....you started down there is a virus route to start this thread....and then it was determined you had a bad cable and using a short cable it started working again....and now we are back to you think the NVR or camera has a virus again?
The previous time, I had to connect the IPC to a computer in order to find it with the Dahua discovery tool.
After I reset the IPC with a computer, the NVR could see the camera again. I did not replace any cables.
The previous time, I assumed I was hacked somehow.
As a result, I hardened my setup and used VLANs.

Are you sure it isn't something on the Pi? Are you sure you don't have something configured wrong and it does still see outside access?
Yes, I'm sure. I connected a laptop to the port that the NVR uses and I didn't have internet access. I'm using OpenWrt and got help from a forum member who reviewed my config.

Something isn't adding up as nobody else is seeing this, and we have some smart dudes here that run intensive sniffers looking for this kinda stuff....
Guessing this may be related to a combination of IPC (IPC-T5442T-ZE) and NVR (DHI-NVR4108-8P-4KS2).
 

bigredfish

I've personally installed about 100-125 Dahua IP cams on various setups and have yet to see this.

The only time I’ve seen a camera “disconnect” from the NVR was due to
A- bad cable
B- lightning strike that fried 2
C- one that got waterlogged from bad storm. That one was installed almost 5 years before the water intrusion
 

d5775927

I've personally installed about 100-125 Dahua IP cams on various setups and have yet to see this.

The only time I’ve seen a camera “disconnect” from the NVR was due to
A- bad cable
B- lightning strike that fried 2
C- one that got waterlogged from bad storm. That one was installed almost 5 years before the water intrusion
I attached the relevant logs from the NVR, which say a user called 'default' logged in using the internal IP of the camera on channel 2 (I don't think that a bad cable can do that).
Guessing the best way to solve this issue is to try to upgrade the NVR version, which may solve the magical 'default' user.
 

d5775927

I HAVE had NVR PoE ports go bad….. intermittent then finally dead
I tried to change a POE port in the NVR and it worked.
My only guess (after hearing feedback from you) for the weird log entry is that when the NVR detects a disconnection from a certain POE port, it logs the removal of that IPC from the device list.
It uses the username 'default', as the user who performed the action of removing the IPC from IPC list.
I know that changing an NVR port is the basic thing to do before assuming the IPC is malicious, but the previous time, changing a POE port did not help.
I've just ordered a POE injector, so next time it will be easier to diagnose such issues.
 

bigredfish

Sorry, this is moving week so a lot of stuff is in a box somewhere, and things are a bit hectic. Fortunately I found the box with the Keurig and bourbon so at least I have the essentials.

Another possibility, still related to the PoE ports is that the camera is set to static IP. Let’s say 10.1.1.66

The PoE ports seem to be issued static IPs as well. So port 1 might be .66 for example whereas port 2 is assigned .67 by the internal switch. Obviously this could present a conflict, usually solved by setting the camera back to DHCP, unplugging it, rebooting the NVR, then plugging the camera back in. It can take from 1 to as much as 30 minutes for the camera to auto register with the NVR, especially older model cameras.

Also the PoE ports seem to be organized in groups of 4, so on the two NVRs I’ve seen ports quit working, an entire bank of 4 ports usually shit the bed at the same time.
 