DAHUA RECORDERS HACKED

If only we could get the message out to more users (not only on this site, but everywhere) about the dangers of port forwarding cameras and NVRs. People are always too quick to blame Dahua for this problem when the blame is down to the end users and the installer! I've come across so many cameras & NVRs that are port forwarded so the end user can remote view.

When you explain or try to implement any VPN solution you are faced with "That's too much hassle!" and "My friend who is an IT expert configured it and he's amazing!" More lazy, I say.
And when you show them case studies of hacked devices they don't see the dangers!

:smash:
 
Reactions: giomania
That's a reason why I always use my own ports when forwarding.. and no, I don't use and am not gonna use a VPN because our customers want to check their cameras from everywhere and don't like it if we change something on their phone, laptop, PC, etc...


Sent from my iPhone using Tapatalk
 
That's a reason why I always use my own ports when forwarding.. and no, I don't use and am not gonna use a VPN because our customers want to check their cameras from everywhere and don't like it if we change something on their phone, laptop, PC, etc...


Sent from my iPhone using Tapatalk

Not a solution.
 
Reactions: giomania
We believe the cause / vulnerability being exploited is in the '888888' 'local only' account:

Dahua recorders ship with a special '888888' account which is only supposed to work locally. However, according to security researcher bashis, the validation to determine if the client is local to the recorder is done by the client and not the recorder. This means that a malicious client could be formed to use the 888888 account, and tell the recorder it is local, even if it is logging in from a remote network.

We believe that this '888888' exploit has been fixed in newer Dahua firmwares, but Dahua is poor at communicating what has changed, when it was changed and for which models it has been changed.

These attacks are likely based on the backdoor discovered by bashis in March 2017, where this vulnerability is cited:
 
Our dealer says it's for DVRs and NVRs from 2010 and older....


Sent from my iPhone using Tapatalk
 
We have numerous reports of much newer equipment, even units bought earlier this year. Part of the challenge is that Dahua is so poor at communicating and distributing firmware, it is not even clear what firmware versions have a 'fix'. We are still awaiting their response or official public notice.
 
Reactions: giomania and mat200
Security by obscurity.
It just takes the automated scanner a little longer when the ports are not on the defaults - it doesn't eliminate the risk.
That's right, but automated scans normally try default ports first. Scanning all possible ports takes too long.

By the way, many other hacks are possible, and not only Dahua is affected. Some examples for Hikvision:
Hikvision Defaulted Devices Getting Hacked
Hikvision Backdoor Exploit

It's always the same: default passwords, port forwarding, old firmware releases, account blocking on wrong passwords not active, and so on.

We have numerous reports of much newer equipment, even units bought earlier this year. Part of the challenge is that Dahua is so poor at communicating and distributing firmware, it is not even clear what firmware versions have a 'fix'. We are still awaiting their response or official public notice.
This is normal behaviour for all IT manufacturers. They won't say it in detail, for security and customer-reputation reasons.
 
Reactions: giomania
It's always the same, default passwords

But the Hikvision backdoor and the current Dahua hacks are not based on default admin passwords that are simply not changed. It is based on 'errors' in either (1) Dahua (not) validating local vs remote access and (2) Hikvision putting in a magic string that bypasses authentication.
 
Reactions: fenderman
And Dahua and Hikvision are similar. I will wait to see when I can read the news without closed user access. The internet has shocking "news" every day; I am not as paranoid, because otherwise I could take a rope for myself, that's the only secure way LOL (joke).
If we see trustful open information :secret:, I am welcome to shock my distributor :wow: :smash:
 
And Dahua and Hikvision are similar. I will wait to see when I can read the news without closed user access. The internet has shocking "news" every day; I am not as paranoid, because otherwise I could take a rope for myself, that's the only secure way LOL (joke).
If we see trustful open information :secret:, I am welcome to shock my distributor :wow: :smash:
Stop being an idiot.. Really... the Hikvision hack has been PROVEN... as stated by others, it does not care what your password is, the password can be remotely reset... what is worse, snapshots can be taken without changing the password, so you would not know that you were even hacked...
This Dahua one is extremely serious as well... and allows remote access... stop advocating port forwarding and changing ports, it's been proven to be useless..
 
Reactions: giomania and bashis
Stop being an idiot.. Really... the Hikvision hack has been PROVEN... as stated by others, it does not care what your password is, the password can be remotely reset... what is worse, snapshots can be taken without changing the password, so you would not know that you were even hacked...
This Dahua one is extremely serious as well... and allows remote access... stop advocating port forwarding and changing ports, it's been proven to be useless..

Totally agree, forget all your "strong" passwords, non-standard ports... whatever

montecrypto's PoC is as bad as it can get by default (I have verified this one too), and if you take my PoC (and figure out my intended missing details) and code a small plugin for your favourite browser that does the same thing, you have another one.
 
Reactions: fenderman
That's right, but automated scans normally try default ports first. Scanning all possible ports takes too long.
Too long, you say? When you have devices that are online with the same configuration, for years(!), would you think that's enough to fingerprint them? Or, again, it's too long?

Please keep in mind some things:
1. almost 2/3 of Internet traffic is done by automated "stuff" (discovery software, bots, scanners etc)
2. existence of shodan and others like it
3. there are tools that, with the right setup /rig and Internet connection, can scan the whole IPv4 range in about one hour for one port; what happens when you have 10 setups like that? or 1000? or a botnet of scanners?
4. "bad actors" will usually exchange information and lists / scans
5. to have a "view" of all of the above: try to set up a server with a known port open (for example, 22 - SSH); how much time do you think it takes until you see the first login attempts? Usually it happens within one hour after setup and you'll get around one attempt every 5-10 minutes - and this is in a pool of around 4 294 967 296 IPs (minus some special ones); please don't say "yes, but I will not be the *scanned* one - only the other 4 billion"
6. bad actors can always scale up scanners using already infected devices (embedded, mobiles, PCs etc)... and, with the widespread availability of open source and "tutorials", this can happen easily
7. we're living in an era where we have Gbps home connections - it's not the dial-up 90s anymore
8. we also have cheap VPSs (sometimes free / trial) and easy-to-deploy/automate operating systems, making scanning, again, a no-fuss job

These are common-sense things that anyone connecting any device to Internet and opening access to it should know.
 
I will now repost two posts I've made for IPVM, since I strongly believe you also need to know.

--

Dahua Snapshot (07/10/2016): How to Create a More Secure Security System (v1)

19. Use 888888 and 666666 Accounts:

● These accounts can only be used to log in to the system using a monitor and mouse connected directly to the system. You cannot log in remotely using either of these accounts. That is why it is important to lock down the physical location of the device.

Dahua Snapshot (12/3/2017): How to Create a More Secure Security System (v2)

17. Use 888888 Accounts:

● These accounts can only be used to log in to the system using a monitor and mouse connected directly to the system. You cannot log in remotely using either of these accounts. That is why it is important to lock down the physical location of the device.

Dahua Nowadays: How to Create a More Secure Security System (v3)

17. [Not Existing]

--

Below was a stupid response from Dahua after I reported this issue:

When they released a small "script patch" to transform this

"Group" : "admin",
"Id" : 2,
"Memo" : "888888 's account",
"Name" : "888888",
"Password" : "[obscured]",
"Reserved" : true,
"Sharable" : true
},

to this

"Group" : "admin",
"Id" : 2,
"Reserved" : true,
"Sharable" : true
},

That had this effect

Dahua Backdoor Patch Creates A New User "Null"
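To make the "null" user effect concrete, here is an added example (not bashis's code and not Dahua's patch script) that models the user record conversion quoted above. The surrounding table structure, the admin record and the loader's treatment of a missing "Name" as "null" are assumptions; the field names come from the two fragments in the post.

```python
import copy
import json

# Constructed sample of a Dahua-style user table, modelled on the two
# fragments quoted in the thread. The "Users" wrapper and the admin
# record are assumptions added to make the example self-contained.
USER_TABLE_JSON = """
{
  "Users" : [
    { "Group" : "admin", "Id" : 1, "Memo" : "admin 's account",
      "Name" : "admin", "Password" : "[obscured]",
      "Reserved" : true, "Sharable" : true },
    { "Group" : "admin", "Id" : 2, "Memo" : "888888 's account",
      "Name" : "888888", "Password" : "[obscured]",
      "Reserved" : true, "Sharable" : true }
  ]
}
"""

def load_table():
    return json.loads(USER_TABLE_JSON)

def glitchy_patch(table):
    """Mimics the conversion described in the thread: strip the credential
    fields from the 888888 record but leave the record itself in place."""
    patched = copy.deepcopy(table)
    for user in patched["Users"]:
        if user.get("Name") == "888888":
            for key in ("Name", "Password", "Memo"):
                user.pop(key, None)
    return patched

def remove_account(table):
    """Safer conversion: drop the 888888 record entirely, so no half-defined
    reserved user is left behind for the loader to materialise."""
    patched = copy.deepcopy(table)
    patched["Users"] = [u for u in patched["Users"] if u.get("Name") != "888888"]
    return patched

def login_names(table):
    """Names a loader would present. A record without "Name" is shown as
    "null" (assumed loader behaviour, matching the effect reported above)."""
    return [u.get("Name", "null") for u in table["Users"]]

def undeletable_nameless(table):
    """Ids of records that are Reserved (not deletable) yet carry no Name."""
    return [u["Id"] for u in table["Users"] if u.get("Reserved") and "Name" not in u]
```

Running `undeletable_nameless(glitchy_patch(load_table()))` flags Id 2 as a reserved, nameless leftover, while `remove_account` leaves nothing to flag.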
 
The conversion script(s) in some firmware version(s) had a few... "glitches", so to speak. And, yes, the "null" user couldn't be deleted via web interface, via proprietary API (data/37777) using the SDK, nor via HTTP-SDK/"CGI".
 
The conversion script(s) in some firmware version(s) had a few... "glitches", so to speak. And, yes, the "null" user couldn't be deleted via web interface, via proprietary API (data/37777) using the SDK, nor via HTTP-SDK/"CGI".

no shit...
 
It's always the same: default passwords, port forwarding, old firmware releases, account blocking on wrong passwords not active, and so on.

There are three aspects of the Dahua backdoor worth considering.

1. You have upgraded Firmware, but not changed default admin and/or 888888 password = You are pwned
2. You have not upgraded Firmware, but changed default admin and/or 888888 password = You are pwned
3. You have upgraded Firmware, and changed default admin and/or 888888 password = You are not pwned (for now)

Simple.
 