DAHUA RECORDERS HACKED

At the risk of feeling @fenderman's well-deserved wrath ;) Let me admit to having Mom's older Eyeserv (Dahua) Omega LiteX-8 DVR compromised from this attack this past weekend. I had a feeling when I couldn't reach the DVR, and the Comcast Xfinity router couldn't see it, that something had changed the static IP. When I logged in at the machine it was obvious. Yes, hers was port forwarded as I failed to enable VPN on her network when I hurriedly set things back up after the storm. :banghead:

So here's my question. While I know VPN is the way to go, and I have my own setup, something I wonder about is the Netgear 7000 router's (I have a spare sitting around) Access Control feature, which you can set to ONLY allow known MAC addresses and BLOCK all others.
  • Block all new devices from connecting. With this setting, if you buy a new device, before it can access your network, you must enter its MAC address for an Ethernet connection and its MAC address for a WiFi connection in the allowed list.

With port forwarding enabled, would this suffice to deny access to the LAN/DVR?
 
"Only known MACs" will not work over Internet. So that's not a good way to go - it's good/valid only for local LAN/WiFi devices.

One solution, to avoid VPNs and exposing devices, is to use SSH tunnels - they should work pretty well in your case.
 
I see, so it would not block unknown devices connecting via the internet from entering the LAN?
There are only 3 devices on the planet I want to access her LAN remotely or from inside her network for that matter. Her Laptop, my laptop, and my iPhone.

I will go back to the VPN method then, just wasn't sure if the Access Control would do what I thought.

Thank you
 
VPN really isn't that difficult. Actually easier and cleaner once you understand it vs having a bunch of ports open that you have to deal with and track through to individual resources. Connect on the VPN and *boom* you're on your network and can access anything as you could if you were there connected locally. No specific ports or tunnels and all of the rest to have to set up and manage.
 
I use the VPN on the R7000 as well, I'll need to reconfigure it though as I've separated the networks based on their intended purpose
 
If you understand it... if not, *boom* others are on your own network too. VPNs are also vulnerable, if not configured properly... or if devices are left with vulnerabilities unpatched. Or if [...things...].
 
True. Everything is subject to exploits and misconfig. Overall not as many ways to go wrong though and still have it work, much less likely when set up right, and exploits tend to get a lot of visibility and patched relatively quickly and as a single point-source vs a clusterfuck of multiple exposed ports with multiple exposed sketchy devices running multiple versions of multiple firmware/OS' from multiple vendors all over your net as these cam systems typically are set up. That's near impossible to maintain with any reasonable assurance.
 
Stop being an idiot.. Really... the Hikvision hack has been PROVEN... as stated by others, it does not care what your password is, the password can be remotely reset... what is worse, snapshots can be taken without changing the password so you would not know that you were even hacked...
This Dahua is extremely serious as well... and allows remote access... stop advocating port forwarding and changing ports, it's been proven to be useless..
You totally misunderstood me. Sorry for my English, with
The internet has every day shocking "news", I am not as paranoid because otherwise I could take a rope for myself, that's the only secure way LOL (joke)
my LOL and joke were meant only for "take a rope for myself".
Not that I laughed about the rest. It was meant ironically. I should have noted it more specifically.
Sorry.
 
There are three aspects of the Dahua backdoor worth considering.

1. You have upgraded Firmware, but not changed default admin and/or 888888 password = You are pwned
2. You have not upgraded Firmware, but changed default admin and/or 888888 password = You are pwned
3. You have upgraded Firmware, and changed default admin and/or 888888 password = You are not pwned (for now)

Simple.

If I try to change the password on the 888888 account it won't let me, throwing the error message "You cannot modify the reserved user".

 
That is a good thing. That means you cannot change it remotely. You must log on locally. The newer NVRs have this with the updated firmware. The older firmware would let you change this remotely.
 
If not, you are permanently pwned
 
So how does one tell if they are hacked?

Would reapplying the firmware image undo it?
 
On Mom's, it changed the IP to a static unreachable address and replaced all of the camera names with Hacked1, Hacked2, etc. Everything else seems to be untouched.
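
Added example (not part of the original post, and not Dahua's or any vendor's code): a baseline comparison that flags the two symptoms reported above, a recorder IP moved off the LAN and camera titles replaced with "HackedN". The settings dict layout, the function name and the sample values are assumptions constructed for illustration; how the settings are read from a given recorder is not covered.

```python
import ipaddress
import re

# Camera titles such as "Hacked1", "Hacked2" (the defacement reported in the thread).
DEFACED_TITLE = re.compile(r"^\s*hacked\s*\d*\s*$", re.IGNORECASE)


def check_recorder(baseline, current, lan_cidr):
    """Return a list of findings comparing current settings to a known-good baseline.

    baseline/current are dicts with the hypothetical keys 'ip' (str) and
    'channels' (list of camera titles); lan_cidr is the LAN subnet.
    """
    findings = []
    lan = ipaddress.ip_network(lan_cidr)
    if current["ip"] != baseline["ip"]:
        findings.append(f"ip changed: {baseline['ip']} -> {current['ip']}")
    # An address outside the LAN explains a recorder the router can no longer see.
    if ipaddress.ip_address(current["ip"]) not in lan:
        findings.append(f"ip {current['ip']} is outside LAN {lan}")
    old_titles = baseline["channels"]
    for idx, title in enumerate(current["channels"]):
        if DEFACED_TITLE.match(title):
            findings.append(f"channel {idx + 1} has defaced title {title!r}")
        elif idx < len(old_titles) and title != old_titles[idx]:
            findings.append(
                f"channel {idx + 1} renamed: {old_titles[idx]!r} -> {title!r}"
            )
    return findings


# Constructed sample data, not taken from a real device.
BASELINE = {"ip": "192.168.1.50", "channels": ["Driveway", "Front Door", "Garage"]}
TAMPERED = {"ip": "10.99.0.7", "channels": ["Hacked1", "Hacked2", "Shed"]}

if __name__ == "__main__":
    for finding in check_recorder(BASELINE, TAMPERED, "192.168.1.0/24"):
        print(finding)
```

A clean result only means these two symptoms are absent; it does not show the recorder was never accessed.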
 
Yes, of course, there are other manufacturers [and resellers] like Xiongmai, Kguard (?!) & many others that appear and disappear quickly and that push shitty products into the market ("cheap" as hell, no security, copyright infringement, no laws respected etc etc). But that's how the business goes (and client's demands, right?).

In this business model the user is the one that needs to be sure that their devices are protected against global attacks ('cause the Internet is global, as I do remember). If not... well, he'll become a victim, a superstar on the Internet, one spied 24/7 by various kids or by some adults with mental problems from across the globe, one having his devices hacked and used for hacking others etc etc. Because no one cares - nor the Chinese manufacturer that doesn't have to obey US/CA/AU/Europe's laws, nor the buyer.

Probably, in the near future, clients will become more aware and secure their devices and networks. At least those that do care about their privacy, rights & co...
 
It's good that they are being a bit up front about the vulnerabilities in the products, and the steps to mitigate them.
Though arguably it's stretching a point to suggest that removing built-in default accounts is a cybersecurity initiative, rather it's fixing a problem that should not have been there to begin with.
For example, one initiative focuses on authentication for administrative access. As a result, default accounts are no longer included in new devices, with changes implemented in the installation, admin access, and ongoing management processes.
 
OK, so I'm hacked as well. So do I toss these units and start over or is there some type of protocol to go through? I'm not an IT kinda guy but not an idiot so if there are good directions I can get it done.

Also, sounds like we need our own type of cyber security on this NVR?
 
VPN Primer for Noobs