Malware in EmpireTech IPC-Color4K-T webplugin.exe

Thanks a lot for @pc1 great work on this topic, i submit the cocerns to dahua pepole. But i also need to make some explain.


The plugin mainly for some smart function working out, if the camera come without any plugin, some function's settings on webpage will not work, so camera comes with build in plugin, because most people setting cams via IP address, dahua has some cheap wifi ones not have webpage, but got lots of bad feedback, like the IMOU one. So that is why the wifi camera some people like, because plugin and play, but these cams not. Currently webpage setting can't undertake too much job if no plugin


Plugin is an old thing, but currently really can't find good way to replace, only way is to set up it via NVR, HDMI connection to the monitor directly. Any place need webpage will still need plugin for the sophisticated settings.
Another way is to use the Smartpss Lite desksoftware to make the settings, most settings can be done on it.


But i think lastly they will upgrade to a real none plugin webpage settings.Plugin is annoying :confused:

We get some report before the plugin issue about the security, and Macfee also deleted some files say high risk, but we send the file to McAfee get the report from Macfee for the false delete.
IPVM watch a lot on the Chinese big cctv producer if this kind of risk is a real one, they already published tons of.

1713863437577.jpeg
 
Last edited:
  • Like
Reactions: rusty rocker, JDreaming, looney2ns and 2 others
Peeper said:
I am no network expert, but it seems something is missing from your suggested defenses against potential malware. Maybe you can help me understand?

Suppose my brand-new camera is added to my network. I isolate it to its own vlan. And that "camera vlan" has no internet access. I understand that part, and so far, so good.

But now I need to "configure" the camera. When I try to configure it, the plug-in gets involved, seeking permission to install and operate on my PC that is configuring the camera. My impression is that once (or if) I grant access to that plug-in, I have bypassed the protections to isolate the camera and surrendered any effort toward security except blind belief the plug-in is hopefully safe. Once I allow it to operate by clicking "allow", the plug-in obtains access to my PC which does have network access and which does have internet access. And I have no knowledge of what the plug-in does, or does not do, thereafter. So, once the plug-in is enabled, the potential for a security compromise is complete. At least if there is any malware load in the plug-in.

Can you help? What is missing from my knowledge about whether I properly understand what happens after you click "allow" to the plug in? Thanks!
Click to expand...
Your are missing nothing. That is 1 scenario on how its done.
 
  • Like
Reactions: EMPIRETECANDY
Thanks EMPIRETECANDY for confirming that the plugin is built-in (i.e. a firmware update will have no effect on it), and that the functionality of the camera's "sophisticated settings" are dependent on installing the plugin. Regarding your McAfee comment, it does not appear to relate to the plugin that's the topic of this discussion, and your screenshot provides no indicators as to what it refers to. On Virustotal (reanalyzed just now), McAfee still flags the plugin with "Artemis!F34EECF0C5B1". Please submit your plugin for IPC-Color4K-T which has sha256 hash 469705fb3df80c89c67927f4d07e0b3a22ce19811272e86789c18e26e35a8add to McAfee and let us know their reply. Please also let us know Dahua engineering's replies on the topic.


EMPIRETECANDY said:
Thanks a lot for @pc1 great work on this topic, i submit the cocerns to dahua pepole. But i also need to make some explain.
...
Click to expand...
 
  • Like
Reactions: rusty rocker and EMPIRETECANDY
Ok, I will contact their cybersecurity team, need some time.
 
Having read this entire thread and the comments that followed.

I’m left with some obvious shock and amazement that anyone who is serious about security would not be using a separate, isolated, and sandboxed computer system?!?

Meaning, there is only (1) computer system in place to onboard, setup, configure the video security system.

In the worst case scenario where the camera / NVR had some kind of malware embedded into the hardware.

Absolutely nothing could happen because it’s literally and physically not connected to any other network in the facility or infrastructure!

The rules, policies, and best practices are well established in the industry . . .

Physical cable isolation, separate isolated network, different subnet, VLAN, 802.1X authentication, Port Isolation, MAC Restrictions, IPS / IDS Firewall Policies, Antivirus, Terminal Restrictions related to USB, Drive, and File / OS access / Read Only.

When the highest level of security is required with zero networking and video is required it comes directly from a HDMI capable security camera.

This method is literally Camera -> HDMI Cable -> Monitor . . .

The above method is zero possibility of a network breach as there is no network and only a hard connection.

Lastly, on a related tangent this is also why Analog video security systems simply won’t die and go away!

Why they are still being made and used because the video feed is 99% live with nearly zero percent lag.
 
Teken said:
Having read this entire thread and the comments that followed.

I’m left with some obvious shock and amazement that anyone who is serious about security would not be using a separate, isolated, and sandboxed computer system?!?

Meaning, there is only (1) computer system in place to onboard, setup, configure the video security system.

In the worst case scenario where the camera / NVR had some kind of malware embedded into the hardware.

Absolutely nothing could happen because it’s literally and physically not connected to any other network in the facility or infrastructure!

The rules, policies, and best practices are well established in the industry . . .

Physical cable isolation, separate isolated network, different subnet, VLAN, 802.1X authentication, Port Isolation, MAC Restrictions, IPS / IDS Firewall Policies, Antivirus, Terminal Restrictions related to USB, Drive, and File / OS access / Read Only.

When the highest level of security is required with zero networking and video is required it comes directly from a HDMI capable security camera.

This method is literally Camera -> HDMI Cable -> Monitor . . .

The above method is zero possibility of a network breach as there is no network and only a hard connection.

Lastly, on a related tangent this is also why Analog video security systems simply won’t die and go away!

Why they are still being made and used because the video feed is 99% live with nearly zero percent lag.
Click to expand...
I would say MOST people are just happy with getting Their IP cams and NVR properly configured on their network and security is usually a afterthought. Out Of sight is out of mind ya Know. The average(DYI) homeowner or small business is not going to set up their NVR or DVR on a V-Lan or mostly likely does not know what that even is. I see that all over the place. If I'm working on their networks I usually point it out, usually falls of deaf ears. Analog system are just as vulnerable if plugged into a network, I think one reason they are popular still is the price point. I have lost job quotes because I got beat because the Installer was bidding analog and I was bidding digital. When people are talking to me about security systems, one of the first thing they ask me is If they can view on
their phones, Installers are very quick to oblige and do not care about security. How many times on this form do people pop in after the fact? And chances are they are not secure or been hacked.
Total isolation is the ideal scenario but the truth is that is most likely is not happening in most cases, Most people want to remote in some way. Not many people have a dedicated Computer just for the cameras either.
Hopefully most people who have been part of this form for any amount of time ARE serious about their security, I'm not a scorched earth guy with My personal camera system but I do sleep well at night with a properly configured sonic wall.
We Can only hope people read up first, because bot (DOS) attacks effect us all, This has been a great thread bringing awareness
 
  • Like
Reactions: JDreaming, looney2ns and bigredfish
c hris527 said:
I would say MOST people are just happy with getting Their IP cams and NVR properly configured on their network and security is usually a afterthought. Out Of sight is out of mind ya Know. The average(DYI) homeowner or small business is not going to set up their NVR or DVR on a V-Lan or mostly likely does not know what that even is. I see that all over the place. If I'm working on their networks I usually point it out, usually falls of deaf ears. Analog system are just as vulnerable if plugged into a network, I think one reason they are popular still is the price point. I have lost job quotes because I got beat because the Installer was bidding analog and I was bidding digital. When people are talking to me about security systems, one of the first thing they ask me is If they can view on
their phones, Installers are very quick to oblige and do not care about security. How many times on this form do people pop in after the fact? And chances are they are not secure or been hacked.
Total isolation is the ideal scenario but the truth is that is most likely is not happening in most cases, Most people want to remote in some way. Not many people have a dedicated Computer just for the cameras either.
Hopefully most people who have been part of this form for any amount of time ARE serious about their security, I'm not a scorched earth guy with My personal camera system but I do sleep well at night with a properly configured sonic wall.
We Can only hope people read up first, because bot (DOS) attacks effect us all, This has been a great thread bringing awareness
Click to expand...

All great and valid points which do apply to the larger (general) population. I should have qualified that my comments were targeted at the Enterprise / Government clientele.

Regardless, lots of people with first hand experience and knowledge have chimed in. As such the information to reduce and limit the impact of a rogue application causing undue harm on the network are known.
 
  • Like
Reactions: JDreaming and c hris527
More to the point I was trying to make about asking why is someone paranoid about the plug-in but not the actual firmware itself, the Config Tool was brought up in this thread about initializing a camera.

If they developed a config tool that can see and manage IP cameras across different subnets, who is to say the actual camera firmware itself can't be setup to do the same thing for nefarious reasons....

And gets back to my point if someone is paranoid about the plug-in, but then blindly accepts the firmware is safe and allows it access to their network, they are doing their network a disservice.

Just because the camera doesn't need a plug-in doesn't make the camera safe on your network.

How do we know that by typing in your username and password and hitting the "login" button that you are not behind the scenes granting that firmware access to an exploited vulnerability of the web browser or blindly allowing it to bypass anti-virus software and infect your computer, similar to mistakenly hitting a malware link on a legit website that infects your computer. Hitting that login or Save or Refresh button could be the same as clicking on an ad on a porno site that infects your computer.

Or the save button, or any button really that has our computer implement a change on that camera.

I still believe accessing a camera via browser and logging in to camera and said browser and start clicking buttons to make changes and save stuff is potentially more dangerous than simply browsing to an infected website but just viewing and not clicking on anything.

It is why we do our best to isolate the cameras from our system.
 
  • Like
Reactions: JDreaming and bigredfish
wittaj said:
More to the point I was trying to make about asking why is someone paranoid about the plug-in but not the actual firmware itself, the Config Tool was brought up in this thread about initializing a camera.

If they developed a config tool that can see and manage IP cameras across different subnets, who is to say the actual camera firmware itself can't be setup to do the same thing for nefarious reasons....

And gets back to my point if someone is paranoid about the plug-in, but then blindly accepts the firmware is safe and allows it access to their network, they are doing their network a disservice.

Just because the camera doesn't need a plug-in doesn't make the camera safe on your network.

How do we know that by typing in your username and password and hitting the "login" button that you are not behind the scenes granting that firmware access to an exploited vulnerability of the web browser or blindly allowing it to bypass anti-virus software and infect your computer, similar to mistakenly hitting a malware link on a legit website that infects your computer. Hitting that login or Save or Refresh button could be the same as clicking on an ad on a porno site that infects your computer.

Or the save button, or any button really that has our computer implement a change on that camera.

I still believe accessing a camera via browser and logging in to camera and said browser and start clicking buttons to make changes and save stuff is potentially more dangerous than simply browsing to an infected website but just viewing and not clicking on anything.

It is why we do our best to isolate the cameras from our system.
Click to expand...

Absolutely, as it relates to tools that can scan, see, and access different subnets. This is why my initial reply stated all of the industry best practices.

Because when software is the only separation measure in place you’re doomed to failure!

This applies to VPN, VLAN, etc . . .

When everything is in place as it relates to authentication it drastically reduces the attack surface.

I have yet to see first hand any video security system breached when all of the above (software authentication) was in place.

You’ll read novel stories about people cloning MAC addresses to gain access.

How would cloning the MAC address circumvent 802.1X Radias authentication? How would cloning the MAC addresses circumvent the self signed CA?

When physical isolation is in place along with all the software authentication it leaves only the 1% possibly of a breach.

That can only happen from inside!

Than you have bigger issues to worry about!
 
  • Like
Reactions: bigredfish
FWIW and I'm a network dummy, I have 2 Dahua cameras, one newish 4K-T and one older 5442 S2 plugged into a PoE switch on my LAN for about 6 months now. My Dahua NVR is also plugged into that switch

I have a firewall appliance that sits in front of my router that shows me ALL flows in and out by device. In that time neither camera has made any attempt to contact the Interwebs and the NVR only contacts my mail server. I had the same setup at my previous home for 6? years with same results.

Im far more concerned about my iPhone or laptop, or Sumsung TV or ( if I used them), other IoT devices than I am my Dahua system. Those contact the Internet LOTS and I do my best to monitor and block anything I'm unsure of. I've yet to see a Dahua device reach out with ANY request
 
Last edited:
  • Like
Reactions: samplenhold, looney2ns and JDreaming
bigredfish said:
FWIW and I'm a network dummy, I have 2 Dahua cameras, one newish 4K-T and one older 5442 S2 plugged into a PoE switch on my LAN for about 6 months now. My Dahua NVR is also plugged into that switch

I have a firewall appliance that site in front of my router that shows me ALL flows in and out by device. In that time neither camera has made any attempt to contact the Interwebs and the NVR only contacts my mail server. I had the same setup at my previous home for 6? years with same results.

Im far more concerned about my iPhone or laptop, or Sumsung TV or ( if I used them), other IoT devices than I am my Dahua system. Those contact the Internet LOTS and I do my best to monitor and block anything I'm unsure of. I've yet to see a Dahua device reach out with ANY request
Click to expand...

You’re just being modest as it relates to your network mad skillzzz Yo!

As it relates to Dahua, why would they want to keep watching you fishing in the turtle pool???
 
  • Haha
Reactions: JDreaming and bigredfish
bigredfish said:
FWIW and I'm a network dummy, I have 2 Dahua cameras, one newish 4K-T and one older 5442 S2 plugged into a PoE switch on my LAN for about 6 months now. My Dahua NVR is also plugged into that switch

I have a firewall appliance that sits in front of my router that shows me ALL flows in and out by device. In that time neither camera has made any attempt to contact the Interwebs and the NVR only contacts my mail server. I had the same setup at my previous home for 6? years with same results.

Im far more concerned about my iPhone or laptop, or Sumsung TV or ( if I used them), other IoT devices than I am my Dahua system. Those contact the Internet LOTS and I do my best to monitor and block anything I'm unsure of. I've yet to see a Dahua device reach out with ANY request
Click to expand...

Exactly. As I have said, millions of people port forward or P2P and use default passwords and haven't been hacked.

Heck I was one of them until I found this site LOL.

But tens of thousands have been hacked also.

Like everything, it comes down to risk.

And some of us are paranoid and go overboard, whether it be in camera isolation or stockpiling ammo, or both LOL.

On my isolated NIC, my cameras are streaming non-stop 400Mbps. This is full-on, never stopping to take a breath. Even if someone has a gigabit router, over a 3rd of non-buffering 24/7 data will impact its speed and performance. So even if I wasn't concerned about hacking, I wouldn't want that much of the router capacity tied up in non-buffering video.

So I look at isolation as two-fold - minimize hacking risk and take unnecessary data demands off my main network.

And it was I have said if someone is concerned about the plug-in, I am sure there are apps and other devices on their network that is more of security risk.
 
Last edited:
  • Like
Reactions: JDreaming and bigredfish
bigredfish said:
Um, How much ammo is considered stockpiling? Asking for a friend :rolleyes:
Click to expand...
Years ago when I was a new hire at Exxon I was attending a talk by some guy from Arther Andresen (I think?) and one of the topics was having a money cushion. He stated that you should have two weeks of cash that you can get to within an hour. One month's worth that you can get to in four days.

When I was an expat in Nigeria, we were given guidelines on how much cash to keep in your safe in case you needed to bug out. It was all based on how many people you had living with you, like if you had kids or just your spouse. Basically $15k in USD, an equivalent amount in Euros, and half that equivalent amount in Nira. That per person.

Using these examples from my past, I would say that one should have at least two weeks worth of ammo that you can get to in an hour. That is for each caliber you use. Then you should have four weeks worth that you can get to in a couple of days. In case you have to bug out, you should have a shit load of the proper calibers that you would bug out with. That is different for each of us.
 
  • Like
Reactions: bigredfish and JDreaming
I think I'm good, but it all depends on the intensity of the engagement ;)
 
  • Like
Reactions: samplenhold
wittaj said:
if someone is concerned about the plug-in, I am sure there are apps and other devices on their network that is more of security risk.
Click to expand...
I can't dismiss security concerns using that logic. Responsible network security means being prudent about each item on your network. The camera wants to execute an .exe plugin file on my computer, a very high risk action, and I have no idea exactly what is inside that .exe file. So it is prudent to want to learn more before allowing.

Before purchasing, I had no idea an .exe plugin would pop up upon installation. Nor did I know that allowing it would be required to use camera functionality. I began to investigate the plugin and ran into the same reports seen by others that malware has been reported.

To be clear, I am not criticizing anyone's choice to use or allow the plugin. Plenty of people here are doing exactly that. I have read the reports from many others that after they allowed the plugin everything is ... seemingly ... fine. And for all of those, I hope and trust everything is truly fine and your choice was a good one. So my choice, and threshold about security, is just a bit different. That's all.

In the end, I doubt I have the skills needed to properly evaluate the safety of the .exe file, and build confidence needed to allow the plugin. As someone wrote here, Dahua is not going to vouch for its security-- especially since the camera passed through a 3rd party after they manufactured it.

Someone on another forum sent me this report from IPVM. For me, unfortunately, this only added to my uncertainty:

ipvm.com

FCC Explains Why They Plan To Ban Dahua And Hikvision

This 1-minute video recap shows how the FCC explained why they voted unanimously for a plan to ban NDAA-covered companies including Dahua and Hikvision.
ipvm.com ipvm.com
 
Peeper said:
I can't dismiss security concerns using that logic. Responsible network security means being prudent about each item on your network. The camera wants to execute an .exe plugin file on my computer, a very high risk action, and I have no idea exactly what is inside that .exe file. So it is prudent to want to learn more before allowing.

Before purchasing, I had no idea an .exe plugin would pop up upon installation. Nor did I know that allowing it would be required to use camera functionality. I began to investigate the plugin and ran into the same reports seen by others that malware has been reported.

To be clear, I am not criticizing anyone's choice to use or allow the plugin. Plenty of people here are doing exactly that. I have read the reports from many others that after they allowed the plugin everything is ... seemingly ... fine. And for all of those, I hope and trust everything is truly fine and your choice was a good one. So my choice, and threshold about security, is just a bit different. That's all.

In the end, I doubt I have the skills needed to properly evaluate the safety of the .exe file, and build confidence needed to allow the plugin. As someone wrote here, Dahua is not going to vouch for its security-- especially since the camera passed through a 3rd party after they manufactured it.

Someone on another forum sent me this report from IPVM. For me, unfortunately, this only added to my uncertainty:

ipvm.com

FCC Explains Why They Plan To Ban Dahua And Hikvision

This 1-minute video recap shows how the FCC explained why they voted unanimously for a plan to ban NDAA-covered companies including Dahua and Hikvision.
ipvm.com ipvm.com
Click to expand...

And you’re using (how many) of the best security practices called out in this thread now?!?
 
Peeper said:
I can't dismiss security concerns using that logic. Responsible network security means being prudent about each item on your network. The camera wants to execute an .exe plugin file on my computer, a very high risk action, and I have no idea exactly what is inside that .exe file. So it is prudent to want to learn more before allowing.

Before purchasing, I had no idea an .exe plugin would pop up upon installation. Nor did I know that allowing it would be required to use camera functionality. I began to investigate the plugin and ran into the same reports seen by others that malware has been reported.

To be clear, I am not criticizing anyone's choice to use or allow the plugin. Plenty of people here are doing exactly that. I have read the reports from many others that after they allowed the plugin everything is ... seemingly ... fine. And for all of those, I hope and trust everything is truly fine and your choice was a good one. So my choice, and threshold about security, is just a bit different. That's all.

In the end, I doubt I have the skills needed to properly evaluate the safety of the .exe file, and build confidence needed to allow the plugin. As someone wrote here, Dahua is not going to vouch for its security-- especially since the camera passed through a 3rd party after they manufactured it.

Someone on another forum sent me this report from IPVM. For me, unfortunately, this only added to my uncertainty:

ipvm.com

FCC Explains Why They Plan To Ban Dahua And Hikvision

This 1-minute video recap shows how the FCC explained why they voted unanimously for a plan to ban NDAA-covered companies including Dahua and Hikvision.
ipvm.com ipvm.com
Click to expand...


Of course anti-virus programs will flag .exe files that are not mainstream program files. Heck many of us here use Blue Iris and it gets flagged by anti-virus programs....

And others in this thread have shown that the actual files in that .exe file pass VirusTotal scans.

There are plenty of ways to extract out those files as shown in this thread and to minimize your risk if you are concerned.

As the example I provided, I have ran the .exe file and set up my cameras on a completely isolated laptop that NEVER touches my network - not via wifi, not via an ethernet cable. ZERO connection. If there is a bad actor in that .exe, it only infects that computer. But for good measure, I reinstall Windows when I am done. But that is all that laptop is used for - initially setting up the cameras or making changes to existing cameras.


Regarding that report someone sent you, you do realize the whole NDAA compliant thing is a joke right?

EVERY camera is a security risk if given internet access. It is why we do not give them internet access. That is the real problem that the government isn't addressing.

You need to decide do you want cameras and mitigate the risk or not have cameras. That is where you are at....no camera system will be completely safe unless it is completely disconnected from the outside world and no other device interacts with it - No USB drives, nothing. But then you cannot access it remotely either.

Instead of the government addressing the real issue (cameras connected to the internet that can get hacked), they have now created a false sense of security and now companies are taking advantage of NDAA compliant cameras to unsuspecting customers and charging premium amounts for lessor quality cameras...

Even high end NDAA compliant Axis got hacked last year.

Block the cams from the internet and go with the best bang for the buck and that will be Dahua and Hik and not 5 times the cost axis lol.

NDAA compliant Verkada was hacked and 150,000 cameras in private companies, along with prisons and public school systems were part of it, which would be government funded..

It is why we recommend DO NOT LET YOUR CAMERAS OR NVR TOUCH THE INTERNET. You isolate them via VLAN or dual NIC.


Here are some threads where that ban is discussed:


FCC to ban sales of some Chinese video products
Just saw this: On Oct. 5, FCC Chairwoman Jessica Rosenworcel circulated a draft order among her fellow commissioners. The order — which still needs to be voted on — would effectively ban new equipment sales in the U.S. from firms that pose a threat to national security, two sources with direct...


US bans approval of new technology from China's Huawei and ZTE for 'national security
US bans approval of new Huawei and ZTE equipment from China Going to have huge issues replacing any faulty Hikvision and Dahua equipment in the US.


US President Signs Bill Into Law Requiring FCC To Ban Further Authorizations of Dahua and Hikvision
See; Bill Signed: H.R. 3919 | The White House and Text - H.R.3919 - 117th Congress (2021-2022): Secure Equipment Act of 2021 H.R. 3919, the “Secure Equipment Act of 2021,” which requires the Federal Communications Commission to adopt rules clarifying that it will no longer review or approve any...


Today's FCC Ruling
This is going to put a lot of companies / people out of work. Very concerned.
 
You must log in or register to reply here.
Top Bottom