Do any of you actually use Dahua P2P for external access to your cams?

runraid

Getting the hang of it
Joined
May 22, 2020
Messages
88
Reaction score
45
Location
Seattle
It frightens me to think about using Dahua P2P. I turn p2p off and access the cams remotely with my WireGuard VPN. But I saw another thread mentioning using P2P which made me wonder, do any of you use it? Do you have any insight into how secure it might be?
Joined
Feb 4, 2020
Messages
1,120
Reaction score
1,311
Location
Minnesota USA
I think most if not all of the seasoned veterans in here say during setup, when the P2P prompt comes up, choose to turn off or not allow. From what I've seen so far in my short history with the forums. I have all mine turned off. Except on my housemate's Nightowl DVR, I think it's on. She wants to see the cameras on the Nightowl X App. But that was my first greenhorn system setup. Wish I woulda found these guys before I bought DVRs.

tigerwillow1

Known around here
Joined
Jul 18, 2016
Messages
1,998
Reaction score
2,987
I've used Dahua P2P a bit for access to the NVR. I disagree with a blanket statement that P2P is not secure. There's nothing about P2P that's inherently insecure, and I would hope anybody who judges it actually knows how it works. Like everything else it can be done well or it can be done sloppily. Like everything else it can have a back door if the developers put it there. The question would be how secure Dahua's current P2P is. Anybody who has used the Dahua IP products for a few years will have seen a big emphasis on security with elimination of default accounts credentials, forced password strength, signed firmware, etc. The Dahua P2P could be insecure or it could be very secure. I don't see how anybody would know that without some good testing.

Mike A.

Known around here
Joined
May 6, 2017
Messages
1,019
Reaction score
932
...The Dahua P2P could be insecure or it could be very secure. I don't see how anybody would know that without some good testing.


wittaj

Known around here
Joined
Apr 28, 2019
Messages
5,208
Reaction score
6,945
Location
USA
So millions of people around the world want the simplicity of Internet of Things (IoTs) to be easy to connect to their system and work. They do not want to deal with security. They wrongfully assume that because they bought it and all they have to do is scan a QR code, that all is good. A manufacturer also doesn't want to deal with endless phone calls from consumers asking how to set something up.

So these companies create these QR codes/P2P and magically the new device can be seen on the consumers app. Consumer is happy. But, this device has opened up the system to gain easy access to your entire network, usually through a port forward, opening a port, or something else. But regardless of the method, it opens up the system.

I have a friend that falls under this "I just want to plug it in and scan a code and it works" mindset. Many years ago she bought a Foscam wifi camera to monitor her front door. She plugged it in and pointed it out a 2nd story window and downloaded the Foscam app and scanned the QR code and magically she could see her camera.

A few years later she bought a wifi printer and again, simply downloaded the app from the manufacturer and scanned the QR code and she could start printing.

One time in the middle of the night, she hears her printer printing a page. She thinks maybe she is dreaming or hearing things, so she thinks nothing of it and goes back to sleep. Next morning she gets up and the printed page says I SEE YOU and a picture of her from her Foscam was below it.

She changes her wifi password in case it was the peeping perv next door that she has caught looking at her through her window and he guessed her password, which was password because she liked things simple.

Problem still persists. She goes into Foscam app and changes the password to the camera. Problem still persists. She gets a new router. Problem still persists. She gets rid of camera and printer.

At some point Foscam issued a security vulnerability notice and a firmware update. Based on chatter on forums, basically the vulnerability was something like when logging into the camera with a web browser over HTTPS, the initial login to the P2P site is done using SSL. But then it establishes a connection to the HTTPS port again (for the media service) and sends all of its commands unencrypted. This means the username and passwords are being sent unencrypted. While this was a security vulnerability found in Foscam, I suspect it is in others as well. I suspect this is how my friend was hacked and someone was sending pictures of her taken from her Foscam camera to her wifi printer that she set up using the QR code.

Many articles on this site and out on the internet show how vulnerable these devices can be. I remember seeing an article of a webpage showing like 75,000 video streams around the world that were hacked into because of these vulnerabilities. I know there is an article somewhere on this forum where someone posted that many of these cameras do send passwords totally unencrypted and wide open easy to see for anyone knowing what they are doing.

Do not assume that because it is a name brand that they actually have good security on these cameras or any device for that matter. Think about the typical end-user that just wants simplicity to connect. And then think how a company would go about that to provide that simplicity. End result is to provide that simplicity, it comes at a cost and that cost is security vulnerabilities, which is ironic for security cameras. But if it can happen to Amazon/Ring (which is a fairly large company), it can happen to anyone, especially all the no-name brands being sold on Amazon.

For that reason, most of us here prevent the cams from having access to the internet.

And of course a recent example - don't know if they were set up P2P but probably...


tigerwillow1

Known around here
Joined
Jul 18, 2016
Messages
1,998
Reaction score
2,987
On Mike A's post: For the first link I don't have a clue what the Cloud Key Web P2P control is. Doesn't sound to me like it applies to the smartPSS-to-NVR access I've used. In any case the bulletin says that Dahua has abandoned the Web P2P control. The second link adds two more issues, one with older firmware and the other with a user-selectable lower security mode. If a user selected the lower security mode, the attacker would still have to know the s/n of the NVR or camera being attacked.

On wittaj's post: Lots of examples here about breached security, almost all involving easily guessed or leaked login credentials, which don't have anything in particular to do with P2P. Access via Dahua's P2P requires knowing the target device's s/n and login credentials. If the user is careless enough to reveal that information, it's not P2P's fault.

My question wasn't specific enough. Should have been: What is insecure about Dahua's P2P using current firmware and reasonable attention to security on the user's part?

wittaj

Known around here
Joined
Apr 28, 2019
Messages
5,208
Reaction score
6,945
Location
USA
On Mike A's post: For the first link I don't have a clue what the Cloud Key Web P2P control is. Doesn't sound to me like it applies to the smartPSS-to-NVR access I've used. In any case the bulletin says that Dahua has abandoned the Web P2P control. The second link adds two more issues, one with older firmware and the other with a user-selectable lower security mode. If a user selected the lower security mode, the attacker would still have to know the s/n of the NVR or camera being attacked.

On wittaj's post: Lots of examples here about breached security, almost all involving easily guessed or leaked login credentials, which don't have anything in particular to do with P2P. Access via Dahua's P2P requires knowing the target device's s/n and login credentials. If the user is careless enough to reveal that information, it's not P2P's fault.

My question wasn't specific enough. Should have been: What is insecure about Dahua's P2P using current firmware and reasonable attention to security on the user's part?
That in itself says you do not understand...P2P is cloud based. P2P is your unit, whether it is a camera or NVR or toaster or printer, talking across the net across the world to a server in another country...and there are example after example after example of sloppy coding where passwords are not encrypted. And even if they are, too many examples of exploits and these companies take years if ever to push out an update. They simply abandoned the name web P2P control, but it is still essentially the same thing now.

Do you think Tesla was careless in their setup or many of these jails - no they were not, someone hacked into the cloud based system that Tesla had no control over and gained access that way. If your stuff sits on a cloud, it is more easily hacked as that is a prime target that hackers are looking for as they hack that and they gain access to hundreds of thousands of units. If you as an individual get hacked as a lone incident, well then you are just unlucky, but hackers are going after the ones that gain access to a lot.

By using P2P you are putting all of your trust in their cloud and every camera manufacturer (or any IoT device) has shown that these are poorly coded and many are easily exploitable.

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,626
Reaction score
1,133


Which part is insecure?

To start: what P2P actually does: it creates an outbound handshaked tunnel (encrypted) to China Capital. Secondly: not only can you not see which information is sent out to the outside world, you also cannot inspect the incoming traffic / commands / malicious code. Thirdly, like you should never EVER trust any IoT device: all devices can sniff your home network (eg hackable Samsung fridge) and hammer these things to death FROM your internal LAN. In other words: you put YOUR WHOLE internal LAN ... at risk

And for what?

For the "ease" of a simple QR code scan and hoppa, you can connect from everywhere to your systems?

Yes, I agree, it takes a whopping 15 minutes to deploy an OpenVPN server on your own network, and you have EXACTLY the same "ease" of use, without all the eavesdropping and aforementioned insecurities.

My answer remains: stay away from P2P, not only for cams btw.....
CC

Teken

Getting comfortable
Joined
Aug 11, 2020
Messages
479
Reaction score
658
Location
Canada
Really comes down to how much weight a person places on ease of use and whether you believe a third party's service / product is secure.

If the litmus test is local first vs cloud first.

Why would anyone ever trust sending data off site where you have no physical control or insight to?!?

If the next test is keeping data within a geographical location (North America) given all the endless hacks and invasion of privacy (Think NSA PRISM) where all data is intercepted and collated for later use.

What is / are your exposure when that data is controlled by the Chinese Government?!?

Both Dahua & Hikvision are majority owned by the Chinese Government. All companies foreign and domestic must comply with Access & Control laws that govern all technology.

Microsoft in its history has never provided code level access to its operating system. This is separate and different than the Microsoft GSP program of years past where the base code could be reviewed but not opened to edit.

The Chinese Government has strong armed thousands of companies in providing trade secrets or methods to access & control the same. Let's be clear, the same has been done by many other countries for decades which until the Snowden / WikiLeaks leaks were unknown!

Lots of people will try to counter these facts by stating complete nonsense from: I have nothing to hide, the government knows all, nothing can be done, blah blah.

It’s this sort of mentality that has allowed the world to become a cesspool of corruption and rights and freedoms being stripped away!

Bottom line audio & video data should never have outside access.

tigerwillow1

Known around here
Joined
Jul 18, 2016
Messages
1,998
Reaction score
2,987
That in itself says you do not understand...P2P is cloud based.
Sorry, this says that YOU don't understand. P2P allows a cloud based relay server, but certainly does not require it. A secure P2P system uses the P2P server only to exchange IP addresses of the endpoints. In Dahua's case, it's the target device serial number that's used to match the IP addresses. I've read and observed enough to conclude that the endpoints then use UDP Hole Punching to communicate directly with each other, with none of the login credentials or data going through the P2P server. I don't have enough evidence to prove the security level of the current Dahua P2P implementation. From what I've read and observed, I believe it to be good enough as I am using it for my home network needs. These blanket statements of P2P being inherently insecure or the data necessarily going through a server are incorrect assumptions. If anybody has real information about Dahua's P2P implementation instead of these broad assumptions that have been put forth, I'd certainly like to see it.

Teken

Getting comfortable
Joined
Aug 11, 2020
Messages
479
Reaction score
658
Location
Canada
In the field the adage is Trust but verify. There are countless incidents where network appliances were used to execute DDoS attacks and recent ones using IP cameras:


There are endless incidents where unsecured wifi / open public wifi have been used for various crimes like child porn:


As stated early on both security companies are majority owned by the Chinese Government. All of the new so called cyber security laws in place and more to come dictate access & control anytime and compliance is not up to debate or challenge:


All of the above has nothing to do with (I have nothing to hide) this is a case where a person(s) and their own hardware can be used in illegal activity which directly impacts you / them!

If you're the guy who receives a bill from the ISP for thousands of dollars because you maxed out your data limit because of a breach. Or wakes up being thrown on the ground for being identified as downloading, hosting, uploading child porn.

To losing your job, family, friends, because the court of opinion came out first before all the facts.

Do you really believe connecting to a Chinese server in any way is going to end in a positive manner?!?

Bottom line, trust no one . . .

wittaj

Known around here
Joined
Apr 28, 2019
Messages
5,208
Reaction score
6,945
Location
USA
Sorry, this says that YOU don't understand. P2P allows a cloud based relay server, but certainly does not require it. A secure P2P system uses the P2P server only to exchange IP addresses of the endpoints. In Dahua's case, it's the target device serial number that's used to match the IP addresses. I've read and observed enough to conclude that the endpoints then use UDP Hole Punching to communicate directly with each other, with none of the login credentials or data going through the P2P server. I don't have enough evidence to prove the security level of the current Dahua P2P implementation. From what I've read and observed, I believe it to be good enough as I am using it for my home network needs. These blanket statements of P2P being inherently insecure or the data necessarily going through a server are incorrect assumptions. If anybody has real information about Dahua's P2P implementation instead of these broad assumptions that have been put forth, I'd certainly like to see it.
That's fine you don't believe me and others and continue to use P2P...if it is only matching IP addresses with serial numbers, why is it that it still works when the IP address changes...take your camera to a neighbor's and plug it in to their router and because of P2P you will still see your camera...there has been enough evidence IoTs are not the most secure products on the market...

What about the people that have bought an Amcrest camera and plug it in and are seeing some other house's video feed because the camera they bought was a return and they could still see other people's cameras despite a hard reset and changing of passwords...

And don't be surprised in a year or so and we will see yet another Dahua security issue update and fix...the track record is not good when it comes to these things that are obviously set up to make it easy for the average consumer to connect...and with that ease comes vulnerabilities....

tigerwillow1

Known around here
Joined
Jul 18, 2016
Messages
1,998
Reaction score
2,987
..if it is only matching IP addresses with serial numbers, why is it that it still works when the IP address changes...take your camera to a neighbor's and plug it in to their router and because of P2P you will still see your camera.
Since the Dahua P2P purpose is to match changing IP addresses, this is what I'd expect it to do. I'm not addressing anything for Amcrest cameras. The OP asked about Dahua, and that's what I'm responding to. I don't have experience with other P2P implementations and am not intending to extrapolate what I've learned about Dahua P2P to something I don't know anything about. I will not be surprised at all to see an update in a year. I'm assuming there are flaws. By comparison, Windows has an update almost weekly. I appreciate that it's fine for me to continue to use the Dahua P2P that I've researched and have some experience with.
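To make the rendezvous-only model tigerwillow1 describes concrete (serial number matched to the device's current address, credentials sent endpoint-to-endpoint, and re-registration explaining why the camera still works after its IP changes, as debated in the two posts above), here is a constructed Python simulation added to this thread. It is not Dahua's code or protocol; it runs on loopback, and the serial, user name and password are made-up values. The defender's point it shows: with a pure rendezvous server, the directory sees only the serial and the endpoint, never the login.

```python
import json
import socket

# Constructed toy model of a rendezvous-only "P2P" directory. Loopback stands
# in for the public internet; real devices sit behind NAT, where the endpoint
# the server records is the NAT mapping and UDP hole punching is needed.

def udp_socket():
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))       # port 0: any free loopback port
    s.settimeout(2)
    return s

def send(sock, addr, msg):
    sock.sendto(json.dumps(msg).encode(), tuple(addr))

def recv(sock):
    data, src = sock.recvfrom(4096)
    return json.loads(data), src

class Rendezvous:
    """Directory keyed by serial. Handles one datagram per call (no threads)."""
    def __init__(self):
        self.sock = udp_socket()
        self.addr = self.sock.getsockname()
        self.table = {}            # serial -> [host, port] last registered
        self.seen_fields = set()   # every JSON key the server was exposed to

    def handle_one(self):
        msg, src = recv(self.sock)
        self.seen_fields.update(msg.keys())
        if msg["op"] == "register":    # device: "serial X is reachable at src"
            self.table[msg["serial"]] = list(src)
        elif msg["op"] == "lookup":    # client: "where is serial X right now?"
            send(self.sock, src, {"op": "peer",
                                  "endpoint": self.table.get(msg["serial"])})

class Device:
    def __init__(self, serial, rv):
        self.serial, self.rv, self.socks = serial, rv, []
        self.rebind()

    def rebind(self):
        """A new socket is a new endpoint: the camera moved to another network."""
        self.socks.append(udp_socket())   # keep old sockets so ports differ
        self.sock = self.socks[-1]
        send(self.sock, self.rv.addr, {"op": "register", "serial": self.serial})
        self.rv.handle_one()

    def accept_login(self):
        msg, _ = recv(self.sock)
        return msg

def client_login(rv, serial, user, password):
    """Resolve the serial, then send the login straight to that endpoint."""
    sock = udp_socket()
    send(sock, rv.addr, {"op": "lookup", "serial": serial})
    rv.handle_one()
    reply, _ = recv(sock)
    ep = reply["endpoint"]
    send(sock, ep, {"op": "login", "user": user, "password": password})
    return tuple(ep)

def demo():
    rv = Rendezvous()
    cam = Device("SN-EXAMPLE-0001", rv)          # constructed serial
    first_ep = client_login(rv, cam.serial, "admin", "correct horse")
    got1 = cam.accept_login()
    cam.rebind()                                 # "plug it in at the neighbor's"
    second_ep = client_login(rv, cam.serial, "admin", "correct horse")
    got2 = cam.accept_login()
    return {"server_saw": sorted(rv.seen_fields),      # only op and serial
            "device_got_creds": got1["password"] == got2["password"] == "correct horse",
            "endpoint_changed": first_ep != second_ep}
```

A relay fallback of the kind the thread attributes to Hamachi is exactly where this picture changes, because the payload then passes through the operator's server; in this toy the directory is also the only thing an attacker needs to answer with a wrong endpoint, which is why the real question is what the software behind the rendezvous does to authenticate the peer.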

tigerwillow1

Known around here
Joined
Jul 18, 2016
Messages
1,998
Reaction score
2,987
I realize I should have answered the question:

Why don't you use a VPN? The answer is:

My ISP supplies the router. They configure it and will not share the login credentials. They have a blanket policy of no open ports. Can't use a VPN. I could switch to a different provider with about a $150 install fee and supply my own router. Besides not wanting to cough up the install fee, my current ISP has no data cap, and the other one does. It's a rural area and the only ISP choices are two wireless providers and the phone company, and the phone company is my last choice.

Valiant

Pulling my weight
Joined
Oct 30, 2017
Messages
246
Reaction score
115
Location
Australia
I'd say about 80% of security installers/electricians/'professionals' here in Aus would set up NVRs with P2P. They are in a hurry to complete the job and move on to the next. Setting something up more securely would require more skills and time which they do NOT have. Customers also demand cheaper prices resulting in a poor outcome. Picture quality is also generally poor because installers would rarely return to fine tune due to same reason.

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,626
Reaction score
1,133
I realize I should have answered the question:

Why don't you use a VPN? The answer is:

My ISP supplies the router. They configure it and will not share the login credentials. They have a blanket policy of no open ports. Can't use a VPN. I could switch to a different provider with about a $150 install fee and supply my own router. Besides not wanting to cough up the install fee, my current ISP has no data cap, and the other one does. It's a rural area and the only ISP choices are two wireless providers and the phone company, and the phone company is my last choice.
Even then there are other (outbound) VPN tunneling contraptions possible, one easier than another. I've set up once, with one VPS, a site2site VPN where the "difficult" LAN connected to that VPS. With enough bandwidth constraints, you connect your VPN Client to that VPS and hoppa, you are "at home". Simple and easy. Other users on this forum worked with NATed routers (with no "public" WAN IP) and used tools like Hamachi. It's all about choices and you have the choice not to use P2P.

CC

biggen

Known around here
Joined
May 6, 2018
Messages
1,841
Reaction score
1,744
I realize I should have answered the question:

Why don't you use a VPN? The answer is:

My ISP supplies the router. They configure it and will not share the login credentials. They have a blanket policy of no open ports. Can't use a VPN. I could switch to a different provider with about a $150 install fee and supply my own router. Besides not wanting to cough up the install fee, my current ISP has no data cap, and the other one does. It's a rural area and the only ISP choices are two wireless providers and the phone company, and the phone company is my last choice.
Is this a provider in the USA or elsewhere?

I've never seen an ISP have a blanket statement that disallows all incoming services unless we are talking about a 4G/5G wireless provider or those really old school rural wifi WISPs. They won't even allow you to provide your own router in lieu of theirs?

wittaj

Known around here
Joined
Apr 28, 2019
Messages
5,208
Reaction score
6,945
Location
USA
I realize I should have answered the question:

Why don't you use a VPN? The answer is:

My ISP supplies the router. They configure it and will not share the login credentials. They have a blanket policy of no open ports. Can't use a VPN. I could switch to a different provider with about a $150 install fee and supply my own router. Besides not wanting to cough up the install fee, my current ISP has no data cap, and the other one does. It's a rural area and the only ISP choices are two wireless providers and the phone company, and the phone company is my last choice.
So if your employer required VPN to securely connect, your ISP wouldn't allow it?

And they will not allow you to VPN back into your system? I could understand them not allowing a VPN connection out as they are probably trying to prevent illegal streaming and what not on their system.

tigerwillow1

Known around here
Joined
Jul 18, 2016
Messages
1,998
Reaction score
2,987
Other users on this forum worked with NATed routers (with no "public" WAN IP) and used tools like Hamachi. It's all about choices and you have the choice not to use P2P.
I'll hang in there and keep trying to make my point that P2P itself is not the issue. Hamachi for instance uses P2P.

The virtual private networking system
The "just work" nature of the program was a sum of several components - p2p connectivity, fallback traffic relaying, broadcast/multicast forwarding, the use of virtual network adapter and the allocation of virtual IPs from a non-standard Class A range.

Hamachi: Peer to Peer VPN Connections
Simply put, Hamachi is a peer to peer software VPN solution.

The security issue doesn't have anything to do with P2P, but what's behind the P2P connection. The "traffic cop" in a sense. OpenVPN supplies its traffic cop, Hamachi supplies its, and with Dahua P2P, the Dahua software is the traffic cop.

Best I can tell from reading the details is that Hamachi operation is almost identical to Dahua's P2P operation for establishing the connections and transferring the data, with the exception that Hamachi sometimes routes the data through a relay server.

I maintain that P2P is a red herring. It's the software behind the P2P that's the issue, and specifically how secure Dahua's current P2P software is.