- Jun 19, 2016
- 92
- 42
Dahua Backdoor Uncovered
A major cyber security vulnerability across many Dahua products has been discovered by an independent researcher, reported on IPVM, verified by IPVM and confirmed by Dahua.
Upgrade Immediately
A 'number' of Dahua HDCVI and IP cameras and recorders are impacted, says Dahua, so far they are listing 11 models but the total will certainly be much higher as they continue to test / confirm. Current firmware Dahua products are vulnerable to this.
Firmware updates are available for the first 11 models listed, more should come later this week. When they are, we urge you to immediately upgrade firmware.
[UPDATE: Dahua has not listed anymore models but they are hiding / delaying because there are surely far more devices impacted and they must know that (simply because many partners have independently verified many more models impacted). Do not check that list and assume you are safe simply because your device is not listed. Eventually, hopefully, Dahua will disclose all the devices impacted.]
Severe
This backdoor allows remote unauthorized admin access via the web and is therefore extremely severe. Dahua's statement does not acknowledge this at all. Moreover, our testing shows the exploit is simple to execute.
Dahua Says Error
Dahua says this was an error ('coding issue') and was not done intentionally. While only Dahua can know their intentions, such an error in production for so long and so widely would be an extreme engineering failure. Moreover, the researcher expresses skepticism of the error claim, examined further below.
A major cyber security vulnerability across many Dahua products has been discovered by an independent researcher, reported on IPVM, verified by IPVM and confirmed by Dahua.
Upgrade Immediately
A 'number' of Dahua HDCVI and IP cameras and recorders are impacted, says Dahua, so far they are listing 11 models but the total will certainly be much higher as they continue to test / confirm. Current firmware Dahua products are vulnerable to this.
Firmware updates are available for the first 11 models listed, more should come later this week. When they are, we urge you to immediately upgrade firmware.
[UPDATE: Dahua has not listed anymore models but they are hiding / delaying because there are surely far more devices impacted and they must know that (simply because many partners have independently verified many more models impacted). Do not check that list and assume you are safe simply because your device is not listed. Eventually, hopefully, Dahua will disclose all the devices impacted.]
Severe
This backdoor allows remote unauthorized admin access via the web and is therefore extremely severe. Dahua's statement does not acknowledge this at all. Moreover, our testing shows the exploit is simple to execute.
Dahua Says Error
Dahua says this was an error ('coding issue') and was not done intentionally. While only Dahua can know their intentions, such an error in production for so long and so widely would be an extreme engineering failure. Moreover, the researcher expresses skepticism of the error claim, examined further below.