Security Analysis of Dahua/EmpireTech NVR Web Plugin

H. Swanson

H. Swanson

Pulling my weight
Nov 3, 2023
165
123
Tennessee
When I bought into the EmpireTech/Dahua NVR and camera system, I knew I would have to isolate the devices and I'd be protected from security threat. However, I didn't realize that I would need the NVR's web plugin running on my PC's browser. I can't isolate my main PC and I don't want to buy a separate PC only to interact with my NVR.

So, I ran the NVR's web plugin file through a security analysis via hybrid-analysis.com, which puts it through a variety of engines for static, ML and sandbox analysis using Crowdstrike. The results are concerning--see below.

Now I'm feeling like I need to ditch using the NVR and get my own Blue Iris PC. Any thoughts on this? Am I overthinking it?

Here is the detailed report:

Summary below
1700930100116.png
 
There is maybe a risk, but it is less than a risk of using P2P or port-forwarding.

It is how the "unknown Publisher" or "potential virus" or "compromised" messages are generated (just called virus moving forward in the rest of this post for simplicity).

It is not a virus, rather it is whatever antivirus you are using has flagged it as a potential virus. Some programs look at the total number of users and below a certain number, it is flagged. These specialty type files/programs get false positives all the time.

As you saw with MetaDefender and with VirusTotal , an antivirus website owned by Google that runs it thru a lot of different antivirus algorithms, that it is generally safe.

Do you need to access the NVR all the time from the computer? Can you use the HDMI and a monitor or SmartPSS instead? Can you set it all up and then delete the .exe?

The best we can do is lock things down the best we can and try to delete stuff when we are not actively using it.


Keep in mind that if you decide to go the BI route, if you run the Blue Iris executable file thru this same analysis you will get similar results. We also have threads here from the NOOB with BI that gets it is a virus warning. In fact, the BI help file says to exclude BI from the antivirus software.

Question

I have been getting a warning messages from MalwareBytes. I attached one but erased the IP address and the Port. The port it is trying is correct, the IP address is never the same. It references Blue Iris specifically. Can anyone tell me what is going on? MalwareBytes is apparently doing...
ipcamtalk.com ipcamtalk.com

just got home starting my computer and clicked on Blue Iris icon and got this

Any ideas as to why?
ipcamtalk.com ipcamtalk.com
 
Last edited:
wittaj said:
Do you need to access the NVR all the time from the computer? Can you use the HDMI and a monitor or SmartPSS instead? Can you set it all up and then delete the .exe?
Click to expand...
My NVR is in a closet so I can’t VGA or HDMI. I was hoping to have access to the NVR UI all the time to see what events happened during the night. Isn’t SmartPSS a Dahua app I’d have to install which means I’d have the same risk?
 
Yeah in that case it is just an accepted/calculated risk.

The alternative is no cameras or completely isolate it.

Fact of the matter is there are hundreds of services running on a Windows machine and we truly don't know if any are bad actors. What about all the bloatware apps on a phone that can't be deleted?

I occasionally go thru my computer and shut down services running and see if it impacts the computer. Most of the time it doesn't, but sometimes it is a whoops LOL.
 
  • Like
Reactions: H. Swanson
H. Swanson said:
My NVR is in a closet so I can’t VGA or HDMI. I was hoping to have access to the NVR UI all the time to see what events happened during the night. Isn’t SmartPSS a Dahua app I’d have to install which means I’d have the same risk?
Click to expand...

An option would be an HDMI extender. Only the receiver at the NVR needs power. Signal is transmitted on a cat cable up to 165 feet. This model only supports up to 1080p but I'm sure there's 4K versions if you require it.

Also allows for a USB mouse and keyboard to be connected so you can seamlessly control your NVR from your television with ease.

 
As an Amazon Associate IPCamTalk earns from qualifying purchases.
  • Like
Reactions: H. Swanson and looney2ns
If you need the web plugin, consider running it in a sandboxed vm.

Looking at your report in more detail, I'm not that worried about it.
 
Last edited:
  • Like
Reactions: H. Swanson
tangent said:
If you need the web plugin, consider running it in a sandboxed vm.

Looking at your report in more detail, I'm not that worried about it.
Click to expand...
The vm idea is good. I'll try that and I'll isolate it on a separate VLAN with the NVR. I'll be curious if this plugin needs Internet access because it does have a web socket executable per the malware analysis report.
 
H. Swanson said:
The vm idea is good. I'll try that and I'll isolate it on a separate VLAN with the NVR. I'll be curious if this plugin needs Internet access because it does have a web socket executable per the malware analysis report.
Click to expand...

The laptop I use has ZERO internet access - doesn't even have wifi LOL, and it works just fine.
 
H. Swanson said:
Cool but I’m referring to the NVR specifically, which I don’t believe you use, correct?
Click to expand...

I started with an NVR before migrating to BI. Still running LOL. Not same model as yours, but don't see why it wouldn't work.

Simply disconnect your internet for a moment and see if you can see the NVR!
 
tangent said:
You could probably restrict things so the plugin can only communicate with the NVR/Cameras if so motivated
Click to expand...
I would love that. Any advice on how to do that? Block the port and protocols it reaches out to from my PC?

It spawns WebSocketServer.exe as a process.
 
Last edited:
H. Swanson said:
I would love that. Any advice on how to do that? Block the port and protocols it reaches out to from my PC?

It spawns WebSocketServer.exe as a process.
Click to expand...

How would you find what ports it is using and are they common ports that would prevent something else from working?
 
wittaj said:
How would you find what ports it is using and are they common ports that would prevent something else from working?
Click to expand...
I have ESET Premium and it has a feature that shows what IPs each node on my LAN is reaching out to. When I’m home, I’ll give it a try and we’ll see where this socket is sending me. I also have new Omada networking equipment that must have a way to track that, but I’m still figuring it all out.
 
I have a second router, not connected to internet but have an NVR and the Blue iris camaera NIC connected into it.
My laptop which I do everyting from has an added USB NIC. With this setup I can log into everything with no changes.
 
  • Like
Reactions: c hris527
My issue isn’t segmenting the network and restricting Internet access, it’s this browser plugin that I need to use the NVR UI
 
So, here is what network action WebSocketServer.exe is producing on my PC while I'm using the plugin to browse the NVR's UI: .100 is my PC and .102 is my NVR

Looks like it's not calling out, but that doesn't mean it can't be triggered to do that at some point. I just added two host firewall rules where the first is allowing this service access from my PC to the NVR, and the second blocks all communication in or out with this service. I also added a full block on the WebActiveX executable in the Torch folder with any activity notifying me.

1701009593879.png
 
Last edited:
  • Like
Reactions: Mike A.
You must log in or register to reply here.
Top Bottom