My Dahua NVR5432 was hacked last week!

MakeItRain

Aug 7, 2017
It finally happened, but I'm not sure how it happened, because I consider myself somewhat savvy with networking. It took 5 years before a breach occurred. The intruder had four admin accounts created:
"hackedBy", so and so. They also deleted all my 'user' accounts with basic privilege. They left the admin account. The password is strong on that. All cameras are working fine and they did not blank them. I am running V4.00 Build 2019-08-09 firmware.

I always use OpenVPN when I'm outside (hotels, coffee shops) to connect back home.

1. Google Fiber (Google Wifi router/puck)
- No port forwarding enabled other than port 1194 - to a Raspberry Pi for OpenVPN.

2. OpenVPN server (running on Raspberry Pi).
The Raspberry Pi requires an SSH private key to log in (otherwise, all logins are rejected).

3. NVR dual-NIC. NIC1 is connected to the same subnet as the Raspberry Pi and the rest of the home network. NIC2 is for the cameras. I specifically forced the NVR's gateway to point to the Raspberry Pi. That way all traffic gets routed to the Raspberry Pi instead of the Google Wifi gateway. But I think that is not safe, as I have come to realize.

4. Yes, UPnP is disabled in the Google Wifi router. P2P is also disabled in the NVR.

5. The Raspberry Pi then has iptables set up like this to drop ALL packets:
sudo iptables -A FORWARD -s 192.168.0.10 -p tcp -o eth0 -j DROP   # drop forwarded TCP from the NVR leaving via eth0
sudo iptables -A FORWARD -s 192.168.0.10 -p udp -o eth0 -j DROP   # drop forwarded UDP from the NVR leaving via eth0
sudo iptables -A FORWARD -s 192.168.0.10 -o eth0 -j DROP          # drop any other forwarded traffic from the NVR

So my only guesses as to how they got in are the following:

1. Another IoT device connected on the same subnet allowed them to get into the NVR. So maybe my Alexas are compromised.
2. There is malicious firmware in the NVR that disregards what the gateway IP is set to and attempts to try all ranges within that subnet regardless. When it finds one, it phones home with P2P re-opened.

Another thing I am observing now is that my NVR firmware is probably compromised. When I reboot the system, it recalls the old static IP address that I set it to, and the old gateway, and get this! It enables P2P!! Why???
 
You might also ask how I discovered this?

Well, one night my NVR rebooted 4 times. So they were trying to reboot it.

Then they also set max user connections from 128 to 0. So effectively, all my user-level accounts were locked out (only the admin account could get in). That's when I knew something was fishy, as I checked the logs to confirm these events.
 
Key logger / trojan / malware on any computer (especially Windows)..

Millions of people don't even know that their computers are infected..
I'm not going to dispute that. I run Windows 11 with BitLocker by default. Malware is certainly a possibility, but the Windows scan didn't detect anything. I'll try a stronger scanner.

What version of NVR?
What firmware did it have?
The very early version, or V4.0. Build 08/09/2019. Perhaps they used the login bypass hack? Sure.

NVR is Hardware 1.0
 
Man, this is 5-year-old firmware..
It can have tens of bugs usable to break in which were fixed in more recent firmwares
Yeah. But what happened to the ipcamtalk philosophy of “Don’t update fw if you don’t have to or it’ll brick it?”
Lol
 
Yeah. But what happened to the ipcamtalk philosophy of “Don’t update fw if you don’t have to or it’ll brick it?”
Lol

That is for devices that don't have access to the internet.

Somehow yours is.

I am guessing that in your attempt to add complexity to isolate it, it left a gaping hole to the internet that gave the NVR access to a backdoor exploit.
 
Yeah. But what happened to the ipcamtalk philosophy of “Don’t update fw if you don’t have to or it’ll brick it?”
Lol


It's a wrong philosophy..
The implications of a hack/data theft are greater than the mega rare implications of a firmware/software upgrade bricking the device or causing a regression.

Of course in your case, when you have 5-year-old firmware on the device, this can be more serious.
But this problem is created by your negligence.
 
PS. OpenVPN (and OpenSSL, on which it is based) have a long history of serious bugs which can be used to break into the server..
And you have an open port to it...

I recommend migrating to WireGuard.
Due to the simplicity of its implementation (less than 10k lines of very clean and fresh source code including all the algorithms used, vs 500k+70k in the OpenSSL + OpenVPN case with 20+ years of code history) it has a much lower chance of holes that can be exploited for hacking..

It also has much better VPN performance, which can be good for a Raspberry Pi.. and nicer clients...
 
I'll be switching to WireGuard the next time around.

By the way, I'm switching to a Ubiquiti NVR. Ubiquiti has finally opened up their ecosystem to support ONVIF.

For sh** and giggles, I'm going to flash the latest firmware to the NVR and if it bricks.. so be it.
 
I'm going to flash the latest firmware to the NVR and if it bricks.. so be it.
That might be too large a leap to do in one hit.

If you're buying Ubiquiti kit, why not look at their routers? They have a really good VPN feature called Teleport, which I think is built off WireGuard.
 
You need to have a separate VLAN for the NVR.
Setting the default gateway so that DNS resolution fails is not sufficient.
It's possible the NVR has hardcoded IPs or other DNS servers.
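An added example (not from any poster) of the visibility the OP's setup lacked and that this reply's point depends on: the three DROP rules discard the NVR's packets silently, so nothing recorded what it was trying to reach, and a gateway-side firewall only ever sees the traffic the device chooses to route through it. The script assumes a LOG rule with an assumed prefix was inserted ahead of the DROPs and parses constructed kernel-log lines, listing off-LAN destinations and any DNS queries aimed at outside resolvers.

```python
import ipaddress
import re
from collections import Counter

# Constructed kernel-log lines in the format iptables' LOG target emits. They
# assume a rule like this was inserted ahead of the thread's DROP rules so each
# discarded NVR packet leaves a record (prefix and NVR address are assumptions):
#   sudo iptables -I FORWARD -s 192.168.0.10 -o eth0 -j LOG --log-prefix "NVR-EGRESS: "
SAMPLE_LOG = """\
Jun 12 03:14:07 pi kernel: NVR-EGRESS: IN=eth0 OUT=eth0 SRC=192.168.0.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=40000 DPT=3478 LEN=40
Jun 12 03:14:08 pi kernel: NVR-EGRESS: IN=eth0 OUT=eth0 SRC=192.168.0.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=51000 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 12 03:14:09 pi kernel: NVR-EGRESS: IN=eth0 OUT=eth0 SRC=192.168.0.10 DST=198.51.100.7 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=41000 DPT=53 LEN=56
Jun 12 03:14:10 pi kernel: NVR-EGRESS: IN=eth0 OUT=eth0 SRC=192.168.0.10 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=51001 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 12 03:14:11 pi kernel: NVR-EGRESS: IN=eth0 OUT=eth0 SRC=192.168.0.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=40000 DPT=3478 LEN=40
"""

# Fields of interest in a LOG line; the lazy .*? skips MAC=, LEN=, TTL= etc.
LOG_RE = re.compile(
    r"IN=(?P<inif>\S*) OUT=(?P<outif>\S*) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r".*?PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_lan(addr):
    """True for RFC 1918 destinations, which a LAN-side gateway legitimately forwards."""
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)

def parse_events(log_text, nvr_ip="192.168.0.10"):
    """Return one (dst, proto, dpt) tuple per logged NVR packet headed off the LAN."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["src"] != nvr_ip or is_lan(m["dst"]):
            continue
        dpt = int(m["dpt"]) if m["dpt"] else None  # ICMP lines carry no ports
        events.append((m["dst"], m["proto"], dpt))
    return events

def summarize(events):
    """Count attempts per destination/port and list outside DNS servers the NVR
    queried directly, a sign it does not depend on the LAN resolver at all."""
    counts = Counter(events)
    external_dns = sorted({dst for dst, _proto, dpt in events if dpt == 53})
    return counts, external_dns

if __name__ == "__main__":
    counts, dns = summarize(parse_events(SAMPLE_LOG))
    for (dst, proto, dpt), n in counts.most_common():
        print(f"{n:3d}x {proto:4s} {dst}:{dpt}")
    print("outside DNS servers tried:", dns)
```

Traffic the NVR sends via a gateway other than the Pi never reaches these rules, which is why the separate VLAN with filtering at the real egress point is the actual control; this only tells you what the device attempts when it does route through the Pi.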
 
I had the exact same problems several weeks ago. I ended up installing a Firewalla Purple firewall. I thought about purchasing a firewall appliance and installing OPNsense, which has a learning curve for proper setup. So instead I bought the Firewalla. It stopped the penetration into my NVR.

I did have several ports open, but I had a very strong password on the system. To this day, I still don't know how they got into the NVR (NVR5208-8p-4S2KE). As for the "known backdoor", it doesn't work on my NVR even with the original firmware (V2.800.0000004.0R).
 
That might be too large a leap to do in one hit.

If you're buying Ubiquiti kit, why not look at their routers? They have a really good VPN feature called Teleport, which I think is built off WireGuard.

You need to have a separate VLAN for the NVR.
Setting the default gateway so that DNS resolution fails is not sufficient.
It's possible the NVR has hardcoded IPs or other DNS servers.

Gentlemen, you are correct. I bought the UDM Pro SE, the Pro Switch PoE w/ Layer 3 support and their UNVR.

Yes, I'll be going full VLAN and device segregation from this point on. IoTs will be on one VLAN. PCs on another. TV and fridge as well.
 
I had the exact same problems several weeks ago. I ended up installing a Firewalla Purple firewall. I thought about purchasing a firewall appliance and installing OPNsense, which has a learning curve for proper setup. So instead I bought the Firewalla. It stopped the penetration into my NVR.

I did have several ports open, but I had a very strong password on the system. To this day, I still don't know how they got into the NVR (NVR5208-8p-4S2KE). As for the "known backdoor", it doesn't work on my NVR even with the original firmware (V2.800.0000004.0R).
Definitely a big fan of OPNsense, very customizable and easy to navigate.
 
Definitely a big fan of OPNsense, very customizable and easy to navigate.

So how does OPNsense compare to pfSense and Firewalla Purple?

Is this yet another system that runs on Windows or Linux and attaches in between the router and your home switch?

I'm actually considering the Firewalla Purple now from the above recommendation due to its DNS filtration capability.

At this point I'm already nearly $3000 in with my network infrastructure upgrade, so I might as well keep going.
 
So how does OPNsense compare to pfSense and Firewalla Purple?

Is this yet another system that runs on Windows or Linux and attaches in between the router and your home switch?

I'm actually considering the Firewalla Purple now from the above recommendation due to its DNS filtration capability.

At this point I'm already nearly $3000 in with my network infrastructure upgrade, so I might as well keep going.

I was going to purchase an N100 mini computer and install OPNsense (Linux install), but instead I purchased the little Firewalla Purple SE (I don't need Wi-Fi), which does have Bluetooth.

I really like the Firewalla Purple SE. It is easy to configure and I love being able to access it from my cellphone from anywhere. It does a great job as a firewall, and has all of the features one needs to protect the NVR or computer systems. I would speculate that OPNsense and the more technical pfSense do have some features that Firewalla doesn't have. But I didn't want to sit down, nor do I have the time, to learn the more difficult intricacies of setting up all of the firewall settings. If I was running a small enterprise network and had the time, then I would probably select OPNsense and Suricata as our Intrusion Prevention System (IPS)/Intrusion .
 
So far from what I've seen, and if you really want to dig in to compare, I think you might be surprised how flexible and powerful it is.

I recommend the Purple over the SE; mostly I see features (like gigabit vs 500 Mbps) and updates that are only for Purple or Gold and fewer for SE or Blue.

Apparently, based on people smarter than me, it's a very good IDS/IPS.