DAHUA RECORDERS HACKED

I have 256 GCM ciphers with 4k keys, with port 80 forwarded lol.

When I started researching security cams, the net was full of warnings that go something like, "If you aren't comfortable with basic network management then ip cameras are not a good idea." I was like, yeah I love hacking stuff bring it on lol. It is human nature to think highly of your own skills, but you have to take a pause when it comes to cameras that may have the keys to your privacy. Just sayin... if your nvr/cams are hacked, you can only blame your own ignorance. No reason for Dahua or anyone else to default their cams to something harder for a tech-savvy dude to handle safely... I'm fine with the insecure default thing, no different than every router or switch. Heck even my enterprise quality hp switch came insecure by default.
 
Some (good) information, back to topic: I think Dahua knows about it. And not since yesterday. A good hint for it is a new firmware developed on 14.08.17 (for both NVR 4xxxx and 5xxxx) with firmware 3.215.0000000.0.R.
Online you will find a newer one under download / firmware NVR4104/4108-P-4KS2 | Dahua Technology - Dahua Technology and NVR5208/5216/5232-8P-4KS2 | Dahua Technology - Dahua Technology from 01.09.2017

This has changed as I noticed:
- User 888888 can change password (but still not be deleted)
- local user 888888 login now with pattern like Android possible

I can't test if this really protects us against this hack. But it looks like it could.
In my case this firmware solves many major issues on the NVR 41xxx I reviewed. I haven't released it yet, due to the issues. Maybe in the next weeks I will release it. It's still in testing.

Be aware to update your NVR! In my cases it was necessary to factory default! But it's impossible to import the backup config file, so I needed to set up most of the NVR from the beginning :banghead: e.g. all cameras were lost, link to web to access the cam behind the PoE switch was not possible, pattern setup is missing and so on...
 
I bought an NVR (nvr5216-16p-4ks2) from Andy (arrived last week). I'm a bit nervous about doing a firmware update given issues with bricking their devices. Is there a way I can check which firmware to install?
 
I have a VPN set up on my network and I have all cameras blocked from accessing the Internet via the router.

Do you think I need to block my NVR from accessing the Internet as well via the router?
 

I would. With a VPN connection, you're on the local network and should be able to connect to the NVR like you're home. I can't see any need for the NVR to be able to access the Internet. I personally have all my Dahua cams and NVR blocked from accessing the Internet, and all incoming traffic blocked from accessing the cams and NVR. Both TCP and UDP. Everything works fine when connected via VPN.
 
You do this in the router, or set a false gateway address in the camera?


 
In the router. The firewall is your friend.
I'm still battling my firewall to correctly work (my lack of iptables knowledge is not helping matters) but if I manage to get it working I can post up a script.

Ideally the steps are: create a VLAN and assign a physical port(s). You can then connect your NVR and cams to the ports and block access.
 
That doesn't work for everyone, depending upon their cabling and hardware. It sounds like your router has enough ports for all your cables, or if it doesn't, you have managed switches?
 
I found another change with V3.215.x.0, it's been visible with Internet Explorer in the upgrade option field:
[Attached screenshot of the upgrade option field]

Unfortunately till now the NVR did not recognize the newer 3.215.x.1. I am not sure if this is a bug or a feature :cool: maybe only another experiment.
I can't see if the function only sends a mail or auto installs the new version. But I can't imagine (and hope) it's not an auto upgrading.
 
Yes I agree. But for me it's not a problem if anything happens. It's from my Demo Setup and Playground. And at the moment, it looks like a reminder. Let's see what happens. I will report :)
 
Sorry to resurrect this thread.. but I just wanted to add something. VLANs might not be easy for everyone, but the truth is that VLANs are the most ideal way to be secure with any IP camera and you can open 100 ports on that VLAN, it does not matter because they can't do shit to your network. Fact is, it's safer than a VPN solution.
 

Is it possible to access your VLAN network through a VPN connection? Or is the VLAN always separated from the internet?
 
Sorry to resurrect this thread.. but I just wanted to add something. VLANs might not be easy for everyone, but the truth is that VLANs are the most ideal way to be secure with any IP camera and you can open 100 ports on that VLAN, it does not matter because they can't do shit to your network. Fact is, it's safer than a VPN solution.
No you are not because they have access to your cams, not only can they see and hear but also delete footage and disable cameras...... best solution is a vlan and VPN together...
 
I assume I need a managed switch and make 2 VLANs. One for my home network and internet access. And the second for my IP cams and NVR. Right? I have a router from my internet service provider. I will disable the Wi-Fi on that. Connect an Asus rt-86u. LAN port to WAN on the Asus. The Asus gets IP from ISP router DHCP. Have to enable DMZ on the ISP router. So all traffic goes through the Asus router.
Will set up a VPN server on the Asus. Behind the Asus I need a managed switch. Right?
When I am connected with the VPN, I am like at home, I understand. It's inside traffic. If I make a static route so VLAN1 and VLAN2 can talk. VLAN 2 I don't set up the internet gateway. But then I can still access VLAN2 through VPN with my phone? Do I understand it right? Or is there a better solution? I have a Dahua PoE switch (not managed) and the Asus rt86u. Don't have the managed switch. Do I need it for network safety???
 
No you are not because they have access to your cams, not only can they see and hear but also delete footage and disable cameras...... best solution is a vlan and VPN together...
OK yes, that's a better solution than only having a VLAN. Thanks for pointing that out. However convenience is a problem with VPN: if you already use a general VPN on your phone, you have to disconnect and connect to the home VPN every time you want to check cameras, which sounds like a pain in the ass. But sometimes you need to sacrifice time and convenience for security.

Is it possible to access your VLAN network through a VPN connection? Or is the VLAN always separated from the internet?
Yes it is possible.

I assume I need a managed switch and make 2 VLANs. One for my home network and internet access. And the second for my IP cams and NVR. Right? I have a router from my internet service provider. I will disable the Wi-Fi on that. Connect an Asus rt-86u. LAN port to WAN on the Asus. The Asus gets IP from ISP router DHCP. Have to enable DMZ on the ISP router. So all traffic goes through the Asus router.
Will set up a VPN server on the Asus. Behind the Asus I need a managed switch. Right?
When I am connected with the VPN, I am like at home, I understand. It's inside traffic. If I make a static route so VLAN1 and VLAN2 can talk. VLAN 2 I don't set up the internet gateway. But then I can still access VLAN2 through VPN with my phone? Do I understand it right? Or is there a better solution? I have a Dahua PoE switch (not managed) and the Asus rt86u. Don't have the managed switch. Do I need it for network safety???
Use your managed switch to create the two VLANs as you said. From there, you keep all your cameras and NVR on VLAN2, then set up a VPN server on that same VLAN2 and forward the VPN port only. This will separate your traffic from your normal network (VLAN1).
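
An added example, not posted by anyone in the thread: one way to express the router-side blocking and the "VLAN and VPN together" setup discussed above as an iptables policy on a Linux-based router. The interface names (`br-cam`, `tun0`, `br-lan`) and the chain name `CAMERA_ISOLATE` are assumptions, as is the VPN server terminating on the router itself.

```shell
#!/bin/sh
# Added example, not from the thread. Interface names are assumptions.
# Prints iptables commands that default-deny all forwarding to and from the
# camera/NVR VLAN, allowing only VPN clients and the home LAN to open
# connections to it. No -p match is used, so TCP and UDP are both covered.

valid_ifname() {
    # Reject empty names, leading dashes and anything that could smuggle
    # shell syntax or extra options into the generated commands.
    case "$1" in
        ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

camera_vlan_rules() {
    cam_if="$1"   # VLAN interface with cameras + NVR (assumed: br-cam)
    vpn_if="$2"   # VPN server tunnel interface       (assumed: tun0)
    lan_if="$3"   # trusted home LAN interface        (assumed: br-lan)

    for name in "$cam_if" "$vpn_if" "$lan_if"; do
        valid_ifname "$name" || {
            echo "usage: camera_vlan_rules CAM_IF VPN_IF LAN_IF" >&2
            return 2
        }
    done

    # Replies to allowed connections pass; cameras can never start one,
    # and nothing arriving from the WAN can reach them.
    cat <<EOF
iptables -N CAMERA_ISOLATE
iptables -A CAMERA_ISOLATE -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A CAMERA_ISOLATE -i $vpn_if -o $cam_if -j ACCEPT
iptables -A CAMERA_ISOLATE -i $lan_if -o $cam_if -j ACCEPT
iptables -A CAMERA_ISOLATE -j DROP
iptables -I FORWARD 1 -i $cam_if -j CAMERA_ISOLATE
iptables -I FORWARD 1 -o $cam_if -j CAMERA_ISOLATE
EOF
}

# Review the printed rules before applying them on the router as root.
camera_vlan_rules br-cam tun0 br-lan
```

Because the chain ends in an unconditional DROP, any existing port forward to the NVR or cameras stops working once these rules are applied; remote viewing then goes through the VPN only.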