Dahua WizSense IPC-HFW2441T-ZS ignoring credentials for RTSP

Perplexer

Apr 15, 2023
So I have a couple of these Dahua WizSense IPC-HFW2441T-ZS bullet cameras and have user accounts set up in them. I use their RTSP streaming feature by connecting to them via VLC using the link in the format of "rtsp://username:password@camera.ip:554/cam/realmonitor?channel=1&subtype=0" and it works nicely.

However while playing around I mistakenly used a link without any username and password: "rtsp://camera.ip:554/cam/realmonitor?channel=1&subtype=0" and was horrified that the stream simply started playing anyway. It never asked me with a popup to enter the user/pass.

I do not have the "Anonymous login" enabled in the account settings of the camera. This seems a major security problem since anyone could be watching these cameras' streams by simply knowing the IP and port.

Has anyone noticed anything like this on this or any other camera model? Is there a solution (besides the obvious removing camera from network)? Can RTSP in Dahua cameras be disabled?
 
Reboot the camera and don't log into the camera and test the stream again.. If it connected without log in then worry. I noticed that I have at times run some scripts that I was running and tripped out that the password used wasn't the one for the camera. Reboot the camera and tested again.. Didn't work as expected.. So I rebooted the camera and logged into the camera.. Then ran it again and with the wrong password setup it did in fact work because it ignored the password that was in the script and went through because I already was logged in..

Just like if you were to run a CGI command and put in the password and username then run another one without having to put in the data that is because it is still working off the last time you logged in..

Just tested using VLC, I ran your rtsp without the user and pass and it had me log in, so I press stop and I ran it again this time it didn't ask me to log in.. So I stop and started again it worked. I rebooted the recorder and started again and after the reboot it asked me to log in again.. So I am guessing that it was logged in shortly before and didn't require the user info..
 
I guess it differs between different camera models, too?

I tried opening a RTSP link to another Dahua bullet camera and that one did pop-up (or VLC did) a window for user & pass. I typed those in and the stream opened. I then clicked the STOP button in VLC and then PLAY again, and the credentials pop-up came up again. So that's good, that's how it's supposed to work.
Or maybe there is also a setting in VLC somewhere that auto-fills the last used credentials until you completely close the program or something, just guessing. Camera remembering credentials isn't a good thing cause what if another user wants to log-in with theirs?

Anyway, looks like IPC-HFW2441T-ZS has a major security problem with this.
 
Interesting.. I don't have that model so I can't say why it would act this way. What is the year of the currently installed Firmware? Maybe there was an issue with that release and they have put out an updated one.. I know that all my cameras besides one from 2012 that has not had an update since 2014 all act the same. I mean if I close the app and bring it back up it will ask me to log in again. But if I just hit stop and then go to the network start stream right after I was already logged in and start it again it just loads back up.. Only time it will ask is if I restart VLC or if I reboot the camera. If your camera has the current offered FW I would downgrade if there was one and see if it acts the same.. Factory Reset is a must when doing upgrades or downgrades as a way to make sure that whatever issue was in the camera isn't carried over to the next software.
 
There was a newer firmware out, I just noticed, but it did not solve the problem. Its "ReadMe" also didn't mention anything about this being fixed. Some other things were. I do indeed need to get into the habit of doing factory resets after firmware upgrades though, I admit.

I opened a support ticket at Dahua for this problem now, to see what they say.

One thing that also bothers me is that there is no option to just disable RTSP like there is for some other camera services like SSH, Multicast, CGI, Onvif, Genetec, Mobile Push, ... The only thing about RTSP that I can change is the port. Maybe setting it to port "0" would disable it, but I haven't tried it yet. There should really just be a setting under System Service.
 
Just as a side note, I was trying out these RTSP links with my other Dahua models and it's really interesting that some of them will ask for a user & pass with a RTSP authentication pop-up window in VLC, if I don't provide that inside the URL itself, but for others, VLC will not show any RTSP authentication pop-up and will simply show an error.
I don't know whether that is normal or not.
 
The error might be caused by different type format for the RTSP feed maybe? I mean if I don't do user and pass all my Dahua and or OEM Dahua pop up and ask to log in. I have not tried all my cameras but that is because I am guessing newer fw should act the same.. I have a lot of devices so yeah I get lazy sometimes.. I will have to try a few more but doing a scan of my Dahua and Amcrest cameras and looking at the chipset, my guess is that if they have same processor and updated fw should act the same so I just skipped trying them lol..
 

I figured it out!

There is a setting in "Setting -> Network -> Access Platform -> ONVIF" called Authentication, that was set to "Off". That apparently allowed the RTSP stream to be opened without providing any username & password. After I turned that to "On", VLC opened the "RTSP authentication" popup after I tried to open an RTSP link without credentials.

I'm not sure what ONVIF has to do with RTSP. I thought those were kind of separate things, controlled separately.

The reason for this confusion is also the fact that I also have another Dahua bullet camera, model IPC-HFW1435S-W-S2, and that one also has this ONVIF authentication setting. However that camera ALWAYS asks for username & password when I try to open a RTSP stream, regardless if that ONVIF Authentication setting is "On" or "Off". So am I to understand that it is in fact this model that is actually buggy, and not IPC-HFW2441T-ZS? :idk:

The setting for "Anonymous Login" under "Setting -> System -> Account -> Account" does not seem to have any effect on RTSP on either camera. I think that is for something else (maybe web-based login, to allow you to watch a stream without an account).

Anyway, crazy. You solve one thing and then another one doesn't make sense.
 
I clicked mine to see if it had same issue you were having but was still requiring after reboot, so thought it wasn't issue, but glad to hear you found out what makes it work correctly at least for most part ..
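
An added example, not part of any post in this thread: a way to repeat the check discussed above on your own cameras without VLC, by sending a single RTSP DESCRIBE with no credentials and reading the status line, so the player's handling of remembered credentials does not affect the result. The function names and the `rtsp-auth-audit` User-Agent string are assumptions made for this sketch; the stream path is the one quoted in the first post.

```python
import socket
import sys

# Dahua main-stream path as quoted in the thread; host and port come from the caller.
DAHUA_PATH = "/cam/realmonitor?channel=1&subtype=0"

def build_describe(url, cseq=1):
    """RTSP DESCRIBE request that deliberately carries no Authorization header."""
    return (f"DESCRIBE {url} RTSP/1.0\r\n"
            f"CSeq: {cseq}\r\n"
            "Accept: application/sdp\r\n"
            "User-Agent: rtsp-auth-audit\r\n\r\n").encode("ascii")

def classify(response):
    """Return (verdict, auth_schemes) for the raw bytes of an RTSP reply."""
    head = response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("RTSP/") or not parts[1].isdigit():
        return ("not-rtsp", [])
    status = int(parts[1])
    # A server may offer several challenges (Digest and Basic), one header each.
    schemes = [line.split(":", 1)[1].split()[0].lower()
               for line in lines[1:]
               if line.lower().startswith("www-authenticate:")
               and line.split(":", 1)[1].strip()]
    if status == 401:
        return ("auth-required", schemes)
    if status == 200:
        return ("open", [])  # stream described without any credentials
    return (f"other-{status}", schemes)

def audit(host, port=554, path=DAHUA_PATH, timeout=5.0):
    """Probe one camera over a fresh TCP connection and classify its reply."""
    url = f"rtsp://{host}:{port}{path}"
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_describe(url))
        return classify(sock.recv(4096))

if __name__ == "__main__":
    # Usage: python rtsp_auth_audit.py <camera-ip> [<camera-ip> ...]
    for cam in sys.argv[1:]:
        try:
            print(cam, *audit(cam))
        except OSError as exc:
            print(cam, "unreachable:", exc)
```

A verdict of `open` means the camera described the stream without credentials. With `auth-required`, a scheme list containing only `basic` means the password travels base64-encoded over unencrypted RTSP.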