Thanks Andy. More info can be found here; it looks like Hikvision is also affected (not acknowledged by Hikvision):
Dahua, Hikvision IoT Devices Under Siege — Krebs on Security
Thanks TommyR, that's a great article on the subject; everyone here should take a look at it.
Wow...
"On March 5, a security researcher named Bashis posted to the Full Disclosure security mailing list exploit code for an embarrassingly simple flaw in the way many Dahua security cameras and DVRs handle authentication. These devices are designed to be controlled by a local Web server that is accessible via a Web browser.
That server requires the user to enter a username and password, but Bashis found he could force all affected devices to cough up their usernames and a simple hashed value of the password. Armed with this information, he could effectively “pass the hash” and the corresponding username right back to the Web server and be admitted access to the device settings page. From there, he could add users and install or modify the device’s software. From Full Disclosure:
“This is so simple as:
1. Remotely download the full user database with all credentials and permissions
2. Choose whatever admin user, copy the login names and password hashes
3. Use them as source to remotely login to the Dahua devices
“This is like a damn Hollywood hack, click on one button and you are in…”"
Note mention of IPCAMTALK later in the article:
"In addition, a programmer who has long written and distributed custom firmware for Hikvision devices claims he’s found a backdoor in “many popular Hikvision products that makes it possible to gain full admin access to the device,” wrote the user “Montecrypto” on the IoT forum IPcamtalk on Mar. 5. “Hikvision gets two weeks to come forward, acknowledge, and explain why the backdoor is there and when it is going to be removed. I sent them an email. If nothing changes, I will publish all details on March 20th, along with the firmware that disables the backdoor.”"
ouch