Here we go again, another dahua exploit.

[fenderman]

Dahua Hard-Coded Credentials Vulnerability

 

[aristobrat]

Thanks for the heads-up!

 

[c hris527]

Its only going to get worse as time go on and researchers are peeling back the onion and finding these exploits. I can only wonder what they will find in all the smart appliances like refrigerators.

 

[EMPIRETECANDY]

Dahua Hard-Coded Credentials Vulnerability

@fenderman thanks for your sharing here, for the using of dahua devices, do you have any idea for protecting the system not been hacked? Dahua right now has a team for this part, so they can release a new firmware to upgrade. So i ask dahua to make a firmware lists for the old models, if any guys want to update, i can do some support no matter where they buy, but Chinese hacked ones, i can't help~

 

[EMPIRETECANDY]

Its only going to get worse as time go on and researchers are peeling back the onion and finding these exploits. I can only wonder what they will find in all the smart appliances like refrigerators.

so maybe the cheap models on amazon will be more dangerous???

 

[c hris527]

so maybe the cheap models on amazon will be more dangerous???

Not sure what you mean but I have never bought a refrigerator on Amazon.

 

[Q™]

 

[alastairstevenson]

From the ipvm.com report:

Dahua Response Improving

Dahua's response to this vulnerability report has been handled better than similar vulnerabilities in the past. They have been responsive to questions from IPVM for details, and have updated their Security Notification as they have progressed through evaluating the vulnerability. To their credit, this also happened fairly quickly after the vulnerability was published, as ReFirm only notified Dahua 2 days in advance of their release, unlike some disclosures where vendors are given 30-45 days advance notice of publication to prepare a response.

That's encouraging, and oddly will enhance their reputation.
Hikvision please note.

 

[EMPIRETECANDY]

From the ipvm.com report:

That's encouraging, and oddly will enhance their reputation.
Hikvision please note.

Dahua is not Chinese state company, a private guy is the boss, Hikvision is belong to the Chinese Gov, we called State company. They are little hard to communicate, lol .

 

[Kawboy12R]

A bit douchebaggy to give Dahua just 2 days notice...

 

[looney2ns]

It's obvious, Dahua needs to step it up big time doing Quality Control on firmware, period.
Don't break things, when fixing others for example.

 

[Mike A.]

It's obvious, Dahua needs to step it up big time doing Quality Control on firmware, period.
Don't break things, when fixing others for example.

Realistically, never gonna happen to any reliable degree. Nature of the beast. The only practical response is to lock them all down to the extent that you can and not trust anything about any of these and other similar devices. Between most having a near full OS and lots of potential connectivity, they're inherently vulnerable. Just a matter of time before there's another and that just becomes more likely as things become more complex and connected.

 

[cor35vet]

upgraded isn't even running on any of the newer cameras / firmware.
Has to be manually started through telnet and that is also not available on newer cams / firmware ¯\_(ツ)_/¯
I'm happy for them to fix these issues but they've made the cameras less interesting for me since they added firmware signing where you have to flash them through the bootloader ...

 

[beingaware]

Not a surprise really considering how much they like to call home.

Placing the cameras on a another subnet/vlan, blocking that subnet from all Internet access and most other devices on the LAN is the only sure fire way to keep them secure.

VPN for remote access.

IOT have no good reason being forwarded to the Internet...