Dahua Backdoor Uncovered

I thought the backdoor allowed the camera to call out, aka phone home... so port FWD would not make a difference for that, correct?
Or is the BD issue not what i'm thinking?
Nope - this 'backdoor' isn't some built-in spyware or malware chatting to its C&C server - it was (is) a high-level access vulnerability.
Ask the device politely, and it will spit out a copy of the configuration file, which is only lightly protected (i.e. mostly plaintext) and so exposes the admin passwords amongst other stuff. And even better - it is happy to accept a tweaked configuration file back that has had a foothold carved into it.
In that context - port-forwarding would certainly make a difference.
 
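The point of the reply above is that the exposure is inbound: a device that answers on a forwarded port can be asked for its config. As an added example (not code from the thread, from Dahua, or from any of the posters), here is a small Python check you can run from outside your LAN (a phone on mobile data, or a VPS) against your public IP to see whether any camera/NVR ports answer at all. The port list is an assumption for illustration; the loopback listener and free-port helpers exist only so the probe can be exercised offline against a stand-in for "a camera behind a port forward".

```python
"""Added example, not from the thread or from Dahua: check from the
outside whether camera/NVR ports are reachable at all.

Run this from OUTSIDE your LAN against your public IP. If any port
reports REACHABLE, that forward (or UPnP mapping) is what needs to go,
or be replaced with a VPN into the LAN.
"""
import socket
from typing import Dict, Iterable, List, Tuple

# Ports commonly used by IP cameras/NVRs. The list is an assumption for
# illustration; adjust it to the services your devices actually run.
CAMERA_PORTS: Dict[int, str] = {
    80: "http (web UI)",
    443: "https (web UI)",
    554: "rtsp (video stream)",
    37777: "dahua dvr/nvr protocol",
}


def probe_tcp(host: str, port: int, timeout: float = 1.5) -> bool:
    """Return True if a TCP connection to host:port completes.

    A completed handshake means something (router forward, UPnP mapping,
    or the device itself) is answering on that port from where we stand.
    Refused or timed-out connections count as not reachable.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_exposure(host: str, ports: Iterable[int], timeout: float = 1.5) -> Dict[int, bool]:
    """Probe each port once and return {port: reachable}."""
    return {port: probe_tcp(host, port, timeout) for port in ports}


def exposed_ports(results: Dict[int, bool]) -> List[int]:
    """Ports that answered, sorted: the 'what do I need to close' list."""
    return sorted(port for port, reachable in results.items() if reachable)


def format_report(host: str, results: Dict[int, bool]) -> str:
    """Human-readable summary; the verdict line is what you act on."""
    lines = [f"exposure audit for {host}"]
    for port in sorted(results):
        label = CAMERA_PORTS.get(port, "unknown service")
        state = "REACHABLE" if results[port] else "closed/filtered"
        lines.append(f"  {port:>5}/tcp  {state:<15}  {label}")
    hits = exposed_ports(results)
    if hits:
        lines.append(f"verdict: {len(hits)} port(s) reachable from here: {hits} - remove the forward(s)")
    else:
        lines.append("verdict: nothing reachable on the probed ports")
    return "\n".join(lines)


def start_local_listener() -> Tuple[socket.socket, int]:
    """Offline-test helper: a listener on a free loopback port that stands
    in for 'a camera behind a port forward'. Caller closes the socket."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def free_loopback_port() -> int:
    """Offline-test helper: a loopback port nothing is listening on right now."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    import sys
    # Usage: python audit.py <your-public-ip>   (run from outside the LAN)
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(format_report(target, audit_exposure(target, CAMERA_PORTS)))
```

A connect that completes is the only signal this needs: it does not log in, fetch anything, or speak the camera's protocol, so it is safe to point at your own address. From inside the LAN it will of course report every camera as reachable; the useful run is the one from outside.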
I don't want to get too far off track for this thread vs. asking in the VPN noob thread, but in my case my NVR IS my Win 10 computer running Blue Iris... it is primarily used as the BI server NVR but I'd still want to be able to use IE on occasion.
So does that throw a wrench in things?
Is my "VPN server" going to be something running on the computer, or would that be what I would run in my router?
 
For what purpose? Are you forwarding ports from the internet directly to your cameras? Backdoor or not, the standard best practice would make it a non-issue.

The victims of this backdoor are people that don't know how to secure their cameras.

I totally agree and that's how I have my network secured, and TBH it's a pain in the backside, but since this system is used by an elderly couple, adding the extra VPN step would be a big ask and a tech support nightmare. Plus I think I would have to change out their router as it doesn't support PPTP dial-in VPN.

So if anyone can suggest an app for Android that will handle the dialling of the VPN on the user's behalf, I'd like to know.

It's all well and good preaching VPN! VPN!, but until people like us make this stuff "iphone easy" then people are just going to port forward.
 

VPN is a function of the router so you're kinda stuck.
 
Zeddy means that people don't want to use a VPN because on Android there is no easy way without starting the tunnel by hand. And it prevents getting push notifications. For this you need P2P or port forwarding.

Anyway, first I would say, keep the firmware up to date, and don't use Chinese market firmwares! Dahua is working on these problems, and solved all vulnerabilities in the past months.

I don't want to mess around with another discussion about the benefits of VPN vs P2P; closing everything is nice, but not possible under every condition. I need to think about all the port forwarding for Exchange and all the home automation stuff... or the bunch of routers with many more security problems.

And preventing the cams from accessing the Internet requires removing DNS entries. This is complicated; you will lose email announcements and maybe some more.

I would say everyone should decide what security level he needs, and then he can use several ways to achieve his goals. But if he doesn't use VPN it sometimes sounds here like he is a stupid idiot.
For me my security concept is fine, although I use P2P and port forwarding and VPN. I explained my concept in the VPN primer for noobs, and the answers speak for themselves.
 

Why the heck would VPN stop push notifications? Internet access is internet access, whether it's out the internet connection or on the VPN.
 
Did you try it? The cam needs to contact the app. How should it be possible without an Internet connection between app and cam at the moment of alarm activity?
 

Works for me. I'm not understanding why the app would not be able to talk to it through the VPN but it can outside of the VPN; it should be able to.
 
No, they have "solved" the KNOWN published vulnerabilities... you are very naive. You are a stupid idiot if you port forward these cameras... there is no reason you need to port forward for push or email notifications...
Also you CAN use tasker to automate the vpn on android..this has been discussed many times.
Have Tasker automatically connect/disconnect your VPN connection
 
Of course it works with an active VPN tunnel, but on mobile devices it's not active all the time. At screen off the tunnel is closed, and then you can't receive push notifications.
 
Still doesn't make sense; outgoing traffic from your network should be allowed from the NVR, unless you are locking it down to the point where you only get push notifications when on VPN and you plan to be on VPN all the time, and then your phone dies in a few hours. Anyways, hope you figure it out.
 
I haven't advised using port forwarding. Please read carefully.
For push and email the cam needs to have Internet access. For push you need a direct connection with the app.
Normal users are buying these cams and use the simplest way. They have no skills in doing all this extra work. I am not talking about myself; I know all these possibilities and have used most of them.
 
There is no direct connection between the NVR and the phone app for push notifications. Android, iOS, Windows Phone, etc. all have push notification services as a core part of their platforms. Push notifications are sent through servers hosted by Apple, Google, Microsoft for their respective platforms. When the notification reaches your phone, the application is triggered, so it doesn't have to be running in the first place to receive the notification. No need for VPN for this to work, but obviously your NVR or whatever sends the push notifications needs outgoing internet access in order to hit the right service.
 
@cb8
We are still not sure how push for Dahua works. I know that this way is possible, but Dahua seems to have their own way. Anyway, if you are right, it's still not a good idea to cut Internet for the cam or NVR.

OT: And like I mentioned in my other push notifications topic, the push service is broken with Android 7.x. Therefore I can't test it at the moment; all my phones have Android 7.
 
The latest tinyCam Monitor version (Android app for video surveillance) introduced a vulnerability scanner for Dahua IP cameras. If you want to check quickly whether your Dahua camera contains the vulnerability, just download tinyCam Monitor FREE from Google Play and run the network scanner.

More info about vulnerability scanner is here
https://goo.gl/X6ySaV
 
Just to chime in. When I replaced my Apple Airport Extreme router with an Asus RT-AC68U recently, I was surprised at the number of UPnP ports my Hikvision cameras had opened. I quickly disabled UPnP on the router and blocked the 6 cameras from accessing the internet - a 2 minute job on the router.

If anyone is looking, the Asus is a good little router. A few years old now but rock solid, and it has been through a couple of hardware updates. I was briefly blinded by all the flashy marketing of the newer model routers but stuck with the '68U. I'd recommend it (oh, and it has VPN server functionality).
 