DAHUA RECORDERS HACKED

bigredfish

Known around here
Joined
Sep 5, 2016
Messages
17,009
Reaction score
47,454
Location
Floriduh
At the risk of feeling @fenderman's well deserved wrath ;) Let me admit to having Mom's older Eyeserv (Dahua) Omega LiteX-8 DVR compromised from this attack this past weekend. I had a feeling when I couldn't reach the DVR, and the Comcast Xfinity router couldn't see it, that something had changed the static IP. When I logged in at the machine it was obvious. Yes, hers was port forwarded as I failed to enable VPN on her network when I hurriedly set things back up after the storm. :banghead:

So here's my question. While I know VPN is the way to go, and I have my own setup, something I wonder about is the Netgear 7000 router (I have a spare sitting around) Access Control feature, which you can set to ONLY allow known MAC addresses and BLOCK all others.
  • Block all new devices from connecting. With this setting, if you buy a new device, before it can access your network, you must enter its MAC address for an Ethernet connection and its MAC address for a WiFi connection in the allowed list.

With port forwarding enabled, would this suffice to deny access to the LAN/DVR?
 

dexterash

Young grasshopper
Joined
Aug 6, 2016
Messages
44
Reaction score
9
"Only known MACs" will not work over Internet. So that's not a good way to go - it's good/valid only for local LAN/WiFi devices.

One solution, to avoid VPNs and exposing devices, is to use SSH tunnels - they should work pretty well in your case.
 

bigredfish

I see, so it would not block unknown devices connecting via the internet from entering the LAN?
There are only 3 devices on the planet I want to access her LAN remotely or from inside her network for that matter. Her Laptop, my laptop, and my iPhone.

I will go back to the VPN method then, just wasn't sure if the Access Control would do what I thought.

Thank you
 

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,825
Reaction score
6,377
> I see, so it would not block unknown devices connecting via the internet from entering the LAN?
> There are only 3 devices on the planet I want to access her LAN remotely or from inside her network for that matter. Her Laptop, my laptop, and my iPhone.
>
> I will go back to the VPN method then, just wasn't sure if the Access Control would do what I thought.
>
> Thank you
VPN really isn't that difficult. Actually easier and cleaner once you understand it vs having a bunch of ports open that you have to deal with and track through to individual resources. Connect on the VPN and *boom* you're on your network and can access anything as you could if you were there connected locally. No specific ports or tunnels and all of the rest to have to set up and manage.
 

Arjun

Known around here
Joined
Feb 26, 2017
Messages
9,015
Reaction score
11,032
Location
USA
I use the VPN on the R7000 as well. I'll need to reconfigure it though, as I've separated the networks based on their intended purpose.
 

dexterash

> VPN really isn't that difficult. Actually easier and cleaner once you understand it vs having a bunch of ports open that you have to deal with and track through to individual resources. Connect on the VPN and *boom* you're on your network and can access anything as you could if you were there connected locally. No specific ports or tunnels and all of the rest to have to set up and manage.
If you understand it... if not, *boom* others are on your own network too. VPNs are also vulnerable, if not configured properly... or if devices are left with vulnerabilities unpatched. Or if [...things...].
 

Mike A.

> If you understand it... if not, *boom* others are on your own network too. VPNs are also vulnerable, if not configured properly... or if devices are left with vulnerabilities unpatched. Or if [...things...].
True. Everything is subject to exploits and misconfig. Overall not as many ways to go wrong though and still have it work, much less likely when set up right, and exploits tend to get a lot of visibility and patched relatively quickly and as a single point-source vs a clusterfuck of multiple exposed ports with multiple exposed sketchy devices running multiple versions of multiple firmware/OS' from multiple vendors all over your net as these cam systems typically are set up. That's near impossible to maintain with any reasonable assurance.
 

TVT73

Pulling my weight
Joined
Aug 29, 2016
Messages
406
Reaction score
108
Location
Germany
> Stop being an idiot..Really...the hikvision hack has been PROVEN...as stated by others, it does not care what your password is, the password can remotely reset...what is worse, snapshots can be taken without changing the password so you would not know that you were even hacked...
> This dahua is extremely serious as well...and allows remote access...stop advocating port forwarding and changing ports, its been proven to be useless..
You totally misunderstood me. Sorry for my English. With
> The internet has every day shocking "news", I am not as paranoid because otherwise I could take a rope for myself, that's the only secure way LOL (joke)
my LOL and joke were meant only for "take a rope for myself".
Not that I laughed about the rest. It was meant ironically. I should have noted it more specifically.
Sorry.
 

RafflesNH

Young grasshopper
Joined
Jun 7, 2017
Messages
45
Reaction score
10
Location
London, UK
> There are three aspects with the Dahua backdoor worth considering.
>
> 1. You have upgraded Firmware, but not changed default admin and/or 888888 password = You are pwned
> 2. You have not upgraded Firmware, but changed default admin and/or 888888 password = You are pwned
> 3. You have upgraded Firmware, and changed default admin and/or 888888 password = You are not pwned (for now)
>
> Simple.
If I try to change the password on the 888888 account it won't let me, throwing the error message "You cannot modify the reserved user".

upload_2017-9-26_12-23-48.png
 

c hris527

Known around here
Joined
Oct 12, 2015
Messages
1,782
Reaction score
2,066
Location
NY
That is a good thing. That means you cannot change it remotely. You must log on locally. The newer NVRs have this with the updated firmware. The older firmware would let you change this remotely.
 

bashis

IPCT Contributor
Joined
May 27, 2017
Messages
87
Reaction score
118
> That is a good thing. That means you cannot change it remotely. You must log on locally. The newer NVRs have this with the updated firmware. The older firmware would let you change this remotely.
If not, you are permanently pwned
 

adamg

Pulling my weight
Joined
Sep 19, 2017
Messages
250
Reaction score
129
Since it sounds like you guys are inside the code, could you take a quick look for an HTTP API query that allows control of PTZ Auto-Tracking? Detailed in this thread:
Auto-tracking - HTTP API control
 

Sammy2

Getting the hang of it
Joined
Feb 21, 2017
Messages
112
Reaction score
5
So you are saying to set up a VPN tunnel for IP cams?
 

happf

Getting the hang of it
Joined
Nov 21, 2016
Messages
84
Reaction score
51
So how does one tell if they are hacked?

Would reapplying the firmware image undo it?
 

bigredfish

On Mom's, it changed the IP to a static unreachable address and replaced all of the camera names with Hacked1, Hacked2, etc. Everything else seems to be untouched.
 

dexterash

Yes, of course, there are other manufacturers [and resellers] like Xiongmai, Kguard (?!) & many others that appear and disappear quickly and that push shitty products into the market ("cheap" as hell, no security, copyright infringement, no laws respected etc etc). But that's how the business goes (and clients' demands, right?).

In this business model the user is the one that needs to be sure that their devices are protected against global attacks ('cause the Internet is global, as I do remember). If not... well, he'll become a victim, a superstar on the Internet, one spied on 24/7 by various kids or by some adults with mental problems from across the globe, one having his devices hacked and used for hacking others etc etc. Because no one cares - neither the Chinese manufacturer that doesn't have to obey US/CA/AU/Europe's laws, nor the buyer.

Probably, in the near future, clients will become more aware and secure their devices and networks. At least those that do care about their privacy, rights & co...
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,929
Reaction score
6,777
Location
Scotland
It's good that they are being a bit up front about the vulnerabilities in the products, and the steps to mitigate them.
Though arguably it's stretching a point to suggest that removing built-in default accounts is a cybersecurity initiative, rather it's fixing a problem that should not have been there to begin with.
For example, one initiative focuses on authentication for administrative access. As a result, default accounts are no longer included in new devices, with changes implemented in the installation, admin access, and ongoing management processes.
 

mik

Getting the hang of it
Joined
Feb 20, 2015
Messages
103
Reaction score
32
Location
Houston, Tejas
OK, so I'm hacked as well. So do I toss these units and start over or is there some type of protocol to go through? I'm not an IT kinda guy but not an idiot, so if there are good directions I can get it done.

Also, sounds like we need our own type of cyber security on this NVR?
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,897
Reaction score
21,250
> OK, so I'm hacked as well. So do I toss these units and start over or is there some type of protocol to go through? I'm not an IT kinda guy but not an idiot, so if there are good directions I can get it done.
>
> Also, sounds like we need our own type of cyber security on this NVR?
VPN Primer for Noobs
 