I am using Internet Explorer. But I did open this in Edge early on because supposedly that camera could work in other browsers, so I was testing it.
That depends on where the machine accessing the cam is of course. If it is also VLAN’d and firewall controlled (since it’s a known device being used to access your cams, so realistically should be) then your network security would still be solid. Also use of things like dual homed NICs would assist. The DNS filtering is also useful though as you can then lock down any rogue dns requests being made through your own DNS server and as mentioned restrict any other DNS server attempting to be used. Apps like Little Snitch can monitor and then block process based access BUT to your point IF you decide to bypass all of this OR just bypass in terms of stating ‘allow xyz process to run’ then Yes, you are creating a potential hole out and that is NOT goodNot saying that there's any malicious intent in this case but the problem with plug-ins is that it's not running on the cams. It's running on the machine that you're using to access the cam. So all of your network restrictions for the cams themselves are kind of moot. Good to do otherwise but they're not in play as this goes other than as the source for the code. That's why I never liked the ActiveX plug-ins for much of anything. You put all of that time effort into securing your cams and network and then run some sketchy plug-in directly on one of your main computers. ; ) Things are a little better now without but I'm surprised that they can launch a service like that. That's kind of big and, at least potentially, could do a lot. But I guess if you grant it permissions then it can. Just as a matter of general good practice I'd avoid doing that.
Yep I’m with you there. iF you have a browser and platform dependent on a process such as this and have concerns, block, delete and DO NOT ALLOWI like the Delete method as a starting point
Pretty common setup= 2 month old Win 11 HP, Bitdefender, Edge and Pale Moon 32 both get prompted for it.
Im guessing it was installed along with the plugin and most would never notice it being there if they didnt monitor running processes. (Thought the new GUI didnt need a plugin?)
My home network is not accessible from outside without OpenVPN.
That depends on where the machine accessing the cam is of course. If it is also VLAN’d and firewall controlled (since it’s a known device being used to access your cams, so realistically should be) then your network security would still be solid. Also use of things like dual homed NICs would assist. The DNS filtering is also useful though as you can then lock down any rogue dns requests being made through your own DNS server and as mentioned restrict any other DNS server attempting to be used. Apps like Little Snitch can monitor and then block process based access BUT to your point IF you decide to bypass all of this OR just bypass in terms of stating ‘allow xyz process to run’ then Yes, you are creating a potential hole out and that is NOT good
In most cases the machine used to view/control cams won't be on a more restricted portion of the network. It will be a general-use computer and have much greater access to your network and to the outside. Though it usually won't be, a dual-homed machine in that role can hurt more than it helps. While traffic from one side to the other won't hop through on its own (unless set up to do so), something running on that machine does at least potentially have access to both sides. That's a prime target and how things can easily jump from general to secure sides and/or from administrative to process control networks and really shouldn't be permitted in such cases.
DNS restrictions only work where a DNS request is made. Lots of ways that traffic can bypass DNS-based limitations.
There are various process monitoring systems that can be run but most won't won't be or they'll be intrusive or unclear, typically to the point that if broad enough to catch such things they effectively get turned off or ignored. The permission request when the plug-in is installed here is one such system-level restriction and we can see how that works out at a practical level.
What happens as a result doesn't even need an outside connection, If I can install a service to act as a websocket server, then I can install a service to do pretty much anything else. Just as an example, ransomware. Don't need for something like that to establish an outside connection from the compromised machine, That host willl be done and contact will be made in another way. If the compromised machine happens to be dual-homed between open/secure sides, then potentially it jumps that gap.
And again I'm not implying anything about this case in particular or any ill intent on the part of Dahua. Rather, just as a matter of general practice.
Yes that’s what I’m pushing for with them, supposedly no need for plug-in, yet based on platform, requires plug-in that is not universal and while it appears limited to onscreen activities such as E-PTZ & AI Live events, needs further answers and development towards true plug-in free, browser agnostic GUIYes, it all comes together as part of an overall approach and all of the various pieces are good and play a role. The problem with the plug-ins as I said is that you're letting them circumvent some of that. I was happy to see that we'd gotten away from the damn things with the newer cams that worked (mostly, or should at least) without plug-ins but now looks like we're back to that and they're apparently installing Windows services in the background in a nontransparent way. lol I have pretty much a zero-trust relationship with everything no matter who its from and as much as I like Dahua they don't get a pass to do such things. Not a great approach imo.
Can we get some more detailed response from Dahua as far as why this is required and exactly what it's doing? As @bigredfish posted above, doesn't seem to be required to access and manage the cams in the typical way. I can pretty much guarantee that they're going to need to come up with something that explains it when they start rolling out this new interface to larger customers and they see the same behavior. Might need to rethink how that's done.
Is the only way to uninstall the plugin by deleting the folders? I tried finding it through the settings of my browser but to no availIt seems to be hit or miss on whether any features are reduced.
I'd say get the camera going and dial it in and then delete it and hope you don't have to get into the camera again.
Or if you have an old unused laptop sitting around or buy a used one cheap just use it for the cameras. I had an old Win7 computer collecting dust that I hadn't got rid of and I wiped it clean and use it for only my cameras.