DAHUA RECORDERS HACKED

cyberwolf_uk

Getting comfortable
Joined
Sep 27, 2014
Messages
409
Reaction score
252
If only we could get the message out to more users (not only on this site) but everywhere the dangers of port forwarding cameras and NVR's. People are always to quick to blame Dahua for this problem when the blame is down to the end users and the installer! I've come across so many cameras & NVR that are port forwarded so you end user can remote view.

When you explain or try and impalement any VPN solution you are faced with "That's too much hassle!" and "My friend who is an IT expert configured it and he's amazing!" More lazy I say.
And when you show them case studies of hacked devices they don't see the dangers!

:smash:
 

biscuit

Young grasshopper
Joined
Jul 8, 2017
Messages
95
Reaction score
18
That a reason why i always use my own ports when forwarding.. and No, i don’t use or ganna use a VPN because our customers want to check everywhere their cameras and don’t like if we change something in their phone, laptop, pc, etc...


Verzonden vanaf mijn iPhone met Tapatalk
 

looney2ns

IPCT Contributor
Joined
Sep 25, 2016
Messages
10,010
Reaction score
9,449
Location
Evansville, In. USA
That a reason why i always use my own ports when forwarding.. and No, i don’t use or ganna use a VPN because our customers want to check everywhere their cameras and don’t like if we change something in their phone, laptop, pc, etc...


Verzonden vanaf mijn iPhone met Tapatalk
Not a solution.
 

john-ipvm

Known around here
Joined
Oct 15, 2015
Messages
323
Reaction score
524
We believe the cause / vulnerability being exploited is in the 8888888 'local only' account:

Dahua recorders ship with a special '888888' account which is only supposed to work locally. However, according to security researcher bashis, the validation to determine if the client is local to the recorder is done by the client and not the recorder. This means that a malicious client could be formed to use the 888888 account, and tell the recorder it is local, even if it is logging in from a remote network.

We believe that this '888888' exploit has been fixed in newer Dahua firmwares but Dahua is poor at communicating what is changed, when it is was changed and for what models it has been changed.

These attacks are likely bashed on the bashis discovered backdoor from March 2017 where this vulnerability is cited:
 

biscuit

Young grasshopper
Joined
Jul 8, 2017
Messages
95
Reaction score
18
Our dealer tells it for dvr and nvr 2010 and older....


Verzonden vanaf mijn iPhone met Tapatalk
 

john-ipvm

Known around here
Joined
Oct 15, 2015
Messages
323
Reaction score
524
We have numerous reports of much newer equipment, even units bought earlier this year. Part of the challenge is that Dahua is so poor at communicating and distributing firmware, it is not even clear what firmware versions have a 'fix'. We are still awaiting their response or official public notice.
 

TVT73

Pulling my weight
Joined
Aug 29, 2016
Messages
406
Reaction score
107
Location
Germany
Security by obscurity.
It just takes the automated scanner a little longer when the ports are not on the defaults - it doesn't eliminate the risk.
That´s right, but automated scans normally first try default ports. To scan all possible ports last to long.

By the way, many other hacks are possible, and not only Dahua is affected. Some examples for hickvision:
Hikvision Defaulted Devices Getting Hacked
Hikvision Backdoor Exploit

It´s always the same, default passwords, port forwarding, old firmware releases, wrong password account blocking not active and so on.

We have numerous reports of much newer equipment, even units bought earlier this year. Part of the challenge is that Dahua is so poor at communicating and distributing firmware, it is not even clear what firmware versions have a 'fix'. We are still awaiting their response or official public notice.
This is a normal behaviour for all IT manufacturers. In detail they won´t say it for security and customer reputation.
 

john-ipvm

Known around here
Joined
Oct 15, 2015
Messages
323
Reaction score
524
It´s always the same, default passwords
But the Hikvision backdoor and the current Dahua hacks are not based on default admin passwords that are simply not changed. It is based on 'errors' in either (1) Dahua (not) validating local vs remote access and (2) Hikvision putting in a magic string that bypasses authentication.
 

TVT73

Pulling my weight
Joined
Aug 29, 2016
Messages
406
Reaction score
107
Location
Germany
And Dahua and Hikvision is similar. I will wait to see when I can read the news without closed user access. The internet has every day shocking "news", I am not as paranoid because otherwise I could take a rope for myself, thats the only secure way LOL (joke).
If we see an trustful open information :secret:, I am welcome to shock my distributor :wow: :smash:
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
33,783
Reaction score
13,417
And Dahua and Hikvision is similar. I will wait to see when I can read the news without closed user access. The internet has every day shocking "news", I am not as paranoid because otherwise I could take a rope for myself, thats the only secure way LOL (joke).
If we see an trustful open information :secret:, I am welcome to shock my distributor :wow: :smash:
Stop being an idiot..Really...the hikvision hack has been PROVEN...as stated by others, it does not care what your password is, the password can remotely reset...what is worse, snapshots can be taken without changing the password so you would not know that you were even hacked...
This dahua is extremely serious as well...and allows remote access...stop advocating port forwarding and changing ports, its been proven to be useless..
 

bashis

IPCT Contributor
Joined
May 27, 2017
Messages
44
Reaction score
61
Stop being an idiot..Really...the hikvision hack has been PROVEN...as stated by others, it does not care what your password is, the password can remotely reset...what is worse, snapshots can be taken without changing the password so you would not know that you were even hacked...
This dahua is extremely serious as well...and allows remote access...stop advocating port forwarding and changing ports, its been proven to be useless..
Totally agree, forget all your "strong" passwords, non-standard ports... whatever

montecrypto's PoC is worse as it can get by default (I have verified this one too), and if you take my PoC (and figure out my intended missing details), coding a small plugin for your favourite browser that doing the same thing, you have another one.
 

dexterash

Young grasshopper
Joined
Aug 6, 2016
Messages
44
Reaction score
9
That´s right, but automated scans normally first try default ports. To scan all possible ports last to long.
Too long, you say? When you have devices that are online with the same configuration, for years(!), would you think that's enough to fingerprint them? Or, again, it's too long?

Please keep in mind some things:
1. almost 2/3 of Internet traffic is done by automated "stuff" (discovery software, bots, scanners etc)
2. existence of shodan and others like it
3. there are tools that, with the right setup /rig and Internet connection, can scan the whole IPv4 range in about one hour for one port; what happens when you have 10 setups like that? or 1000? or a botnet of scanners?
4. "bad actors" will usually exchange information and lists / scans
5. to have a "view" about all of those above: try to setup a server with a known port open (for example, 22 - SSH); how much time do you think it takes until you see first login attempts? usually it happens within one hour after setup and you'll get around one attempt every 5-10 minutes - and this is in a pool of around 4 294 967 296 IPs (- some special ones); please don't say "yes, but I will not be the *scanned* one - only the other 4 billions"
6. bad actors can always scale up scanners using already infected devices (embedded, mobiles, PCs etc)... and, with the widespread of opensource and "tutorials", these can happen easily
7. we're living in an era were we have Gbps home connections - it's not the dialup 90s anymore
8. we also have cheap VPSs (sometimes free / trial) and easily-to-deploy/automate Operating Systems, making scanning, again, a no-fuss job

These are common-sense things that anyone connecting any device to Internet and opening access to it should know.
 

bashis

IPCT Contributor
Joined
May 27, 2017
Messages
44
Reaction score
61
I will now repost two post I've made for IPVM, since I strongly believe you need also to know.

--

Dahua Snapshot (07/10/2016): How to Create a More Secure Security System (v1)

19. Use 888888 and 666666 Accounts:

● These accounts can only be used to log in to the system using a monitor and mouse connected directly to the system. You cannot log in remotely using either of these accounts. That is why it is important to lock down the physical location of the device.

Dahua Snapshot (12/3/2017): How to Create a More Secure Security System (v2)

17. Use 888888 Accounts:

● These accounts can only be used to log in to the system using a monitor and mouse connected directly to the system. You cannot log in remotely using either of these accounts. That is why it is important to lock down the physical location of the device.

Dahua Nowdays: How to Create a More Secure Security System (v3)

17. [Not Existing]

--

Below was a stupid responce from Dahua after I reported this issue;

When they released a small "script patch" to transform this

"Group" : "admin",
"Id" : 2,
"Memo" : "888888 's account",
"Name" : "888888",
"Password" : "[obscured]",
"Reserved" : true,
"Sharable" : true
},

to this

"Group" : "admin",
"Id" : 2,
"Reserved" : true,
"Sharable" : true
},

That had this effect

Dahua Backdoor Patch Creates A New User "Null"
 

dexterash

Young grasshopper
Joined
Aug 6, 2016
Messages
44
Reaction score
9
The conversion script(s) in some firmware version(s) had a few... "glitches", so to speak. And, yes, the "null" user couldn't be deleted via web interface, via proprietary API (data/37777) using the SDK, nor via HTTP-SDK/"CGI".
 

bashis

IPCT Contributor
Joined
May 27, 2017
Messages
44
Reaction score
61
The conversion script(s) in some firmware version(s) had a few... "glitches", so to speak. And, yes, the "null" user couldn't be deleted via web interface, via proprietary API (data/37777) using the SDK, nor via HTTP-SDK/"CGI".
no shit...
 

bashis

IPCT Contributor
Joined
May 27, 2017
Messages
44
Reaction score
61
It´s always the same, default passwords, port forwarding, old firmware releases, wrong password account blocking not active and so on.
There is three aspects with the Dahua backdoor worth considering.

1. You have upgraded Firmware, but not changed default admin and/or 888888 password = You are pwned
2. You have not upgraded Firmware, but changed default admin and/or 888888 password = You are pwned
3. You have upgraded Firmware, and changed default admin and/or 888888 password = You are not pwned (for now)

Simple.
 
Last edited:
Top