New massive security hole in many Dahua devices (IP cam, VDP, ...)!

BI does not include any encryption that I am aware of. It allows outside access through port 81 which is an easy target for hackers running botnets. You can access BI UI3 through your VPN just as if you are on your local network. There is no reason to use external access in the web server of BI.
 
I am using BI remotely via their encryption, or at least I assumed (maybe incorrectly) that there was some level of encryption/security on the end of BI. I do have a VPN that I use for other tasks, I guess I could not let BI speak to the outside world and just turn on my VPN then open the BI app.

I don't believe there is any kind of encryption directly embedded within BI. There IS an automated process to create port-forwarding. It sounds like your BI machine is wide open to the internet. From what you posted earlier, it seems that your cameras are also wide open to the internet. Most here do not let the cams "phone home" -- and there are those here who have logged the attempts by the cams to connect to different IPs out in the Wild Wild Web....

Up until a few years ago-- I also had everything "open". After reading how easily hacks can happen, and seeing some suspicious things in my own router logs, I closed off all internet access to my cams using router rules. Lately I began using ZeroTier--- which is an end-to-end encrypted connection service (free). It is not as good as a true VPN-- it's more of a souped-up P2P connection, but data does not go through a third party and it's all encrypted. You can search for zerotier on the forum here and see the pros and cons of it.
 
For five bucks a month I'll turn the VPN on myself. I'm CHEAP!!!!!!
 
Hmmm, I don't see that mentioned here, at least for Android, it just lists a one time payment of $3.49.

Yeah I saw that too, then tapped on more information and found out that one is a business management tool not "tasker" as in starting multiple programs automagically. Look again, on your phone, and you'll see it's free for a month, then 4.99/month after that.
 

With WireGuard on Android you don't need Tasker.

On iOS it seems that you cannot use only one app via WireGuard, but it shouldn't matter. If you add the local IP it should go online on connect.
 
Nice tool.

Back in around 2015 it was reported to Dahua that their hidden password reset tool for the cameras was a little bit insecure - and not well hidden.
Much like the known DVR/NVR tool, it needed the MAC, serial and date.
Only problem was that unlike the DVR/NVR tool where you entered the generated password locally, the cam tool meant entering it via the browser, so via IP.

Main problem with that was that if you had the IP of a cam, then without any auth you could ask it for the date, the serial and its MAC.
So he who had the cam tool had access to every camera via IP.
Dahua took it out mid 2015.

Just amusing as this vulnerability/tool does much the same thing.

NetKeyboard is just a giant sucky implementation. When you connect the NKB1000 (or others) to a recorder, it never used to do any authentication.
You could control the on screen views without login, change cams and so on all as the local user. This was also reported to Dahua.
I did wonder about the login.local authentication as it looked very suspect and likely to be something ripe for fiddling with.
Fair play to Bahis as ever.

The big problem Dahua have is they are a very inwardly paranoid company.
So whilst they were busy fixing the one problem with the keyboard, no one was looking in other places - in other teams - for where else the sucky implementations might be.
They don't share information as readily internally as a western company does. They just fix the immediate problem and move on.

When these guys first came on the scene with a NVR it was http and plain text passwords.
Regardless of how much cyber security has taken place, this legacy code base is still there, just with sticking plasters on it.
What Dahua should do is bring people like Bahis on board and instead of being so secretive with the private protocol, they need to sign them up to an NDA and let them rip it to shreds.
It's a sticking plaster upon plaster and older code needs removing - not just sidelined.