Dahua Backdoor Uncovered

Zeddy

Jun 19, 2016

A major cyber security vulnerability across many Dahua products has been discovered by an independent researcher, reported on IPVM, verified by IPVM and confirmed by Dahua.

Upgrade Immediately

A 'number' of Dahua HDCVI and IP cameras and recorders are impacted, says Dahua. So far they are listing 11 models, but the total will certainly be much higher as they continue to test / confirm. Current-firmware Dahua products are vulnerable to this.

Firmware updates are available for the first 11 models listed, more should come later this week. When they are, we urge you to immediately upgrade firmware.

[UPDATE: Dahua has not listed any more models, but they are hiding / delaying because there are surely far more devices impacted and they must know that (simply because many partners have independently verified many more models impacted). Do not check that list and assume you are safe simply because your device is not listed. Eventually, hopefully, Dahua will disclose all the devices impacted.]

Severe

This backdoor allows remote unauthorized admin access via the web and is therefore extremely severe. Dahua's statement does not acknowledge this at all. Moreover, our testing shows the exploit is simple to execute.

Dahua Says Error

Dahua says this was an error ('coding issue') and was not done intentionally. While only Dahua can know their intentions, such an error in production for so long and so widely would be an extreme engineering failure. Moreover, the researcher expresses skepticism of the error claim, examined further below.
Thank you for posting this. One more reason to use VPN / local-only communication and block outbound communication from your camera to the web, thus making this sort of weakness basically a non-issue. The researcher's quote is telling:

"quote"
I have just discovered (what I strongly believe is a backdoor) in Dahua DVR/NVR/IPC and possibly all their clones.

Since I am convinced this is a backdoor, I have my own policy to NOT notify the vendor before the community.
"/end quote"
 
And outbound connections don't matter unless the camera is already hacked. Don't be stupid and forward ports directly to your cameras and you won't have a problem.

 
Don't be stupid and forward ports directly to your cameras and you won't have a problem.
It's not necessarily being stupid - but it could be being ignorant.
In many cases, the user may not know it's being done.

All that's needed is UPnP enabled on the router - often enabled by default - and UPnP enabled on the NVR - which is enabled by default (Hikvision).
I have a pretty tech-savvy friend whose Hikvision NVR was one of the many subjected to the ongoing 'awareness hack'; recently I had to do a password reset to recover access for him.
He was convinced he'd not opened any ports to the internet, as he knew the risks of doing so.
Despite that, ShieldsUp! showed port 8000 open inbound.
And the new 'system' user showed the NVR had been hacked.
 
It's not necessarily being stupid - but it could be being ignorant.
In many cases, the user may not know it's being done.

All that's needed is UPnP enabled on the router - often enabled by default - and UPnP enabled on the NVR - which is enabled by default (Hikvision).
I have a pretty tech-savvy friend whose Hikvision NVR was one of the many subjected to the ongoing 'awareness hack'; recently I had to do a password reset to recover access for him.
He was convinced he'd not opened any ports to the internet, as he knew the risks of doing so.
Despite that, ShieldsUp! showed port 8000 open inbound.
And the new 'system' user showed the NVR had been hacked.

Yeah, I turn all that UPnP noise off lol.
 
Dahua cameras/NVRs don't come with UPnP enabled out of the box, thankfully... someone has to be stupid enough to click that box.
 
I'd be interested, has anyone looked at the traffic? Are they making encrypted connections out to the internet? Or just sending stupid usage stats back to dahua?
 
If you mean the Dahua 'backdoor' -
What's been revealed is an ability to extract with an unauthenticated web command the plaintext file that holds the device configuration.
This file holds amongst many things lightly encoded user accounts, which can then be used to gain full access.
Or additional accounts could be added and the file dropped back, to give a future foothold as it's known in the trade.
 
It's not necessarily being stupid - but it could be being ignorant.
In many cases, the user may not know it's being done.

All that's needed is UPnP enabled on the router - often enabled by default - and UPnP enabled on the NVR - which is enabled by default (Hikvision).
I have a pretty tech-savvy friend whose Hikvision NVR was one of the many subjected to the ongoing 'awareness hack'; recently I had to do a password reset to recover access for him.
He was convinced he'd not opened any ports to the internet, as he knew the risks of doing so.
Despite that, ShieldsUp! showed port 8000 open inbound.
And the new 'system' user showed the NVR had been hacked.


And a lot of the apps out there don't support VPN/stunnel natively in the app, nor do they demand-dial a VPN configured in the OS itself; hell, I'd settle for an SSH connection with cert auth and port tunneling. I haven't tried all the apps in the app store, but the ones I have tried don't support much more than HTTPS. I sent a request to the developer of the BI app asking for that feature. Port forwarding is a bad idea, but the apps don't offer any simple alternative, especially for people who like the convenience of tap-and-view on their phones.
 
Seems to me, if you treat every camera as vulnerable and take the steps to stop that, you won't have problems from the get-go.
 
From a guy who has still not yet figured out how to set up VPN, how do I "look at my traffic"? (I have a mac and windows computer on the network...the windows used for the BI server.)
And when I do look at it...how do I know what I'm seeing or what to look for in it?
 
From a guy who has still not yet figured out how to set up VPN, how do I "look at my traffic"? (I have a mac and windows computer on the network...the windows used for the BI server.)
And when I do look at it...how do I know what I'm seeing or what to look for in it?

Same question. I read a lot on how to set it up but never seem to find enough info/video to see exactly how to do it. Still learning in my free time.
 
Same question. I read a lot on how to set it up but never seem to find enough info/video to see exactly how to do it. Still learning in my free time.

You're getting into more advanced network stuff there. You'd need a sniffer program, and then you get into having to run it on your firewall, or use a hub or something to get all of the traffic sent to the sniffer. There should be no need for the average camera user to do this, in my humble opinion; just try to set things up securely and you should be good.
 
From a guy who has still not yet figured out how to set up VPN, how do I "look at my traffic"? (I have a mac and windows computer on the network...the windows used for the BI server.)
And when I do look at it...how do I know what I'm seeing or what to look for in it?

Little program called Wireshark; there are many more like it. It's easy to see incoming and outgoing.
 
Little program called Wireshark; there are many more like it. It's easy to see incoming and outgoing.
From the PC, sure.
But you won't be able to see regular (i.e. non-broadcast) traffic between a camera and router, as the switch fabric keeps that traffic private between those endpoints.
To sniff traffic on other endpoints you need a port mirroring capability - usually a feature on a 'smart' or managed switch as opposed to a normal unmanaged switch.
 
"Little program called Wireshark; there are many more like it. It's easy to see incoming and outgoing."
From the PC, sure. But you won't be able to see regular (i.e. non-broadcast) traffic between a camera and router, as the switch fabric keeps that traffic private between those endpoints.
To sniff traffic on other endpoints you need a port mirroring capability - usually a feature on a 'smart' or managed switch as opposed to a normal unmanaged switch.
Correct. A pain in the ass for low-end unmanaged gear, especially with PoE added in. Just do best and easy. Don't sacrifice easy for better, but the techniques described here can be easy and good, so follow them.
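An added example, not code from anyone in this thread, of what to look for once camera traffic is visible (from a mirror port or the capture PC, as the replies above describe): it triages a constructed sniffer export for sessions a camera opened to addresses outside the LAN. The CSV shape, the camera addresses and the destination hosts are all assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample shaped like a CSV export of a sniffer's conversation list
# (src_ip,dst_ip,dst_port,protocol). Documentation-range addresses stand in
# for public hosts; nothing here was observed on a real device.
SAMPLE_CONVERSATIONS = """\
src_ip,dst_ip,dst_port,protocol
192.168.1.50,192.168.1.10,80,tcp
192.168.1.50,192.168.1.1,53,udp
192.168.1.50,203.0.113.7,443,tcp
192.168.1.51,198.51.100.23,8000,tcp
192.168.1.51,192.168.1.1,123,udp
192.168.1.20,203.0.113.7,443,tcp
192.168.1.50,239.255.255.250,1900,udp
192.168.1.51,198.51.100.23,8000,tcp
"""
# Assumed addresses of the cameras/recorders on this LAN.
CAMERA_HOSTS = {"192.168.1.50", "192.168.1.51"}
# Anything outside these ranges (and not multicast) has left the LAN.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def parse_conversations(text):
    """Turn the CSV export into (src, dst, port, proto) tuples, skipping the header."""
    rows = []
    for line in text.strip().splitlines()[1:]:
        src, dst, port, proto = line.split(",")
        rows.append((src, dst, int(port), proto))
    return rows


def leaves_lan(dst_ip):
    """True when dst_ip is neither local/loopback/link-local nor multicast (e.g. SSDP)."""
    addr = ipaddress.ip_address(dst_ip)
    return not addr.is_multicast and not any(addr in net for net in LOCAL_NETS)


def camera_egress(rows, cameras=CAMERA_HOSTS):
    """Count sessions each camera opened outside the LAN; a camera serving only a
    local NVR/BI server yields nothing, and every entry is something to explain or block."""
    hits = Counter()
    for src, dst, port, proto in rows:
        if src in cameras and leaves_lan(dst):
            hits[(src, dst, port, proto)] += 1
    return hits


if __name__ == "__main__":
    egress = camera_egress(parse_conversations(SAMPLE_CONVERSATIONS))
    for (src, dst, port, proto), n in sorted(egress.items()):
        print(f"{src} -> {dst}:{port}/{proto}  sessions={n}")
```

A non-camera PC talking to the same public host (192.168.1.20 in the sample) is deliberately not reported, and multicast discovery chatter is ignored, so the output is only the camera-initiated connections you need to account for.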