So my company has to periodically certify that we don't use Hikvision or Dahua with our government contracts. I am sure this topic has been covered before and my search was getting too many results. So is there really a back door on these cameras? Seems like a lot of this concern is just made up nonsense, but I have never found anything with absolute proof on this.
Dahua - is there a proven security back door on these?
- Thread starter 1dodosn
- Start date
Jessie.slimer
BIT Beta Team
Even if they say there is not, would you really trust anything being controlled by or in possession of the Chinese govt?
Keep the cameras off the internet and there is no chance of them getting into it.
Keep the cameras off the internet and there is no chance of them getting into it.
mat200
IPCT Contributor
- Joined
- Jan 17, 2017
- Messages
- 14,010
- Reaction score
- 23,344
Fyi - a number of security issues have been reported in IP cameras.. as well as other IoT and IP products which are not actively patched...
Backdoors have been found, yes. Whether intentionally created or not, who can say. Tons of other vulnerabilities continue to be found and publicized too. These issues are not isolated to Dahua and Hikvision, but those two brands get a lot of attention because of politics and their relative popularity. ipvm recently compiled a list which includes pretty much every brand.
biggen
Known around here
- Joined
- May 6, 2018
- Messages
- 2,594
- Reaction score
- 2,902
So a "backdoor" and simply ineptitude to build a security competent device may be technically two different things, but they have the same effect. That is the issue. Whether malicious or not it doesn't matter. That do have proven security issues. Plenty of botnets have been spawned because of Chinese IP cameras and their lackadaisical security programming.
I tend to ignore the hysteria about the evil Chinese. As an electrical engineer I want to see the proof, otherwise this is nothing but political bs. Now of course there could be errors and bugs, but my understanding is the so called security issue is embedded in silicon. So where is this proof? Nothing in EEtimes (a popular electrical engineering trade mag).
Excellent list! And I agree its hard to see these vulnerabilities as intentional or some sort of government conspiracy.
Jessie.slimer
BIT Beta Team
There are many examples here of cameras "phoning home" even after disabling the proper settings that should not allow them to do so. Whether it is nefarious or not, it doesn't really matter to me. If a camera tries to circumvent the settings that were turned off, I can't imagine it would be for good reasons. I don't need proof of what they are doing with my data.
mat200
IPCT Contributor
- Joined
- Jan 17, 2017
- Messages
- 14,010
- Reaction score
- 23,344
FYI - just to clarify: iirc none are calling the Chinese people evil.. only the CCCP .. not Chinese people...
In terms of IP cameras and insecurity issues.. THERE are a LOT of documented issues.. if you are not finding it, you're not looking enough...
Example
Bashis finds New May 2020 Dahua Vulnerability p2p cloud credentials
https://github.com/mcw0/PoC/blob/master/Dahua-3DES-IMOU-PoC.py @bashis finds New May 2020 Dahua Vulnerability p2p cloud credentials 1. Dahua DES/3DES (broken) authentication implementation and PSK 2. Vulnerability: Dahua NetSDK leaking credentials (first 8 chars) from all clients in REALM...
also example on Hikvision.. note these are the published issues
Hikvision : Security vulnerabilities, CVEs
Security vulnerabilities related to Hikvision : List of vulnerabilities affecting any product of this vendor
www.cvedetails.com
herewegoagain
n3wb
The Linux system most of the NVR/DVRs are running on are likely very outdated. A vulnerability doesn't necessarily reflect a deliberate backdoor, though. If I was building a backdoor, I'd want it in the hub not the individual cameras. Also having 100k to 1m dumb iot devices on residential networks of little importance isn't really worth the risk of getting caught. You want to risk getting caught for a valuable reward not some low tier botnet.
What would be an indicator that a camera or nvr is 'phoning home'?
I have my dahua poe nvr locked down in that I only have one port open (port required by for apple notifications) on which it can access the internet. I check my router 'connections' log file from time to time and the only time I see my nvr ip address is when it is communicating with an apple ip address on the port I have open. I take this to mean that nothing untoward is being attempted by the nvr/cameras?
I have my dahua poe nvr locked down in that I only have one port open (port required by for apple notifications) on which it can access the internet. I check my router 'connections' log file from time to time and the only time I see my nvr ip address is when it is communicating with an apple ip address on the port I have open. I take this to mean that nothing untoward is being attempted by the nvr/cameras?
newfoundlandplucky
Getting the hang of it
Limiting my response to personal experience with a couple of Dahua VTOs and one Dahua VTH. I studied the traffic from these recently purchased Dahua devices. No evidence of foul play whatsoever BUT I did notice that they implement proprietary signaling using the ARP protocol. This was unexpected.
These Dahua doorbell cameras encode proprietary source MAC addresses and target IP addresses into a frame that only other Dahua doorbell cameras would be able to handle. It could be that standards include a new behavior that I don't understand. Don't believe so.
This demonstrates that Dahua uses standard ARP queries in a non-standard way. There are lots of legitimate proprietary reasons to do this. We've all experienced how horrible it is sometimes to configure new devices in a network. I don't care, nor will I investigate further. To me this continues to demonstrate that the IP protocol suite is not secure, or course, and that Dahua doorbell cameras ought to be installed into a tightly controlled home network … like every other device.
If enterprise security detects these non-standard ARP conditions it could be a reason to kick these manufacturers off the network.