Yes, camera I bought last year has ONVIF of admin/admin, and all the ones before that, and I fully expect the brand new model in the mail to have it too... they don't provide firmware updates, so how exactly would they have fixed it?
And it's not that big of a deal unless you're stupid enough to put these things on the internet.. and it's not just Dahuas. I've been programming against the APIs of a lot of cameras here recently and you'd be amazed what kinda information I can get and commands I can issue without anything ever asking me for a single credential.. most cameras seem to take ANY credentials for many ONVIF commands.. and I've accidentally stumbled on other ways in through mangled authorization headers.
Any security on any IP camera is an illusion; they are all designed to be installed by people who don't know about networks or security.. so these are not considered backdoors by the vendors, they are features they put in place so your stupid installer and/or end user don't completely lock himself out of the hardware.. never expose these things to untrusted networks and you'll be perfectly fine..
If you can't be bothered with securing your networks and expect your cameras to provide any level of protection, you're in for a big surprise.. network security does not operate in such ways, it takes enforcement at the transport layer and that is something IP cameras are not capable of performing.. it's the job of your firewall to keep your IP cameras and the rest of your network devices safe from the internet.. so don't poke holes in it blindly without understanding the consequences...
Want to play games on your Xbox? Fine, go ahead and forward ports if you have to.. I really doubt your Xbox could be used against you in the same manner that your IP cameras could (i.e., knowing when to burglarize you along with the locations and capabilities of all your security). Also the thing Xbox has going for it is they actually do implement security, not to keep you safe but to prevent the console from getting hacked open and resulting in massive piracy like the Dreamcast.. Ironically your Xbox/PlayStations are 100x more secure than your network cameras.
Use this test for determining if something was designed to have direct internet access: If it was configured with a default password, did the device require you to change the default password before allowing you to do anything else? If the answer was No, then nobody was thinking about internet security when they made that thing... if it's not secure by default, you must presume it's never secure.