Do any of you actually use Dahua P2P for external access to your cams?

tigerwillow1

Known around here
Joined
Jul 18, 2016
Messages
1,888
Reaction score
2,554
bigger and wattaj - answering your questions together. I'm in the USA as is my ISP (webformix.com). There's nothing about open ports on the web site. At one time they opened ports on request but after too many security problems adopted a no-open-ports blanket policy. In their favor, the connection is highly reliable and when calling for support there's no phone tree from hell and somebody that actually knows something is on the other end.

The router is integrated into the wireless receiver, so there's no physical connection to intercept. For an additional 10 bucks a month they will put the receiver into bridge mode and I could supply my own router. Contrary to everybody else on the thread I don't think I have a security problem with the way I use the Dahua P2P, thus don't see any reason to split with the extra money.

If I needed an open port for employment I could pay for the open port, use the other ISP that's available, or use a cell connection.
 

3lij4h

n3wb
Joined
Jun 6, 2018
Messages
26
Reaction score
19
Location
Israel
I've used Dahua P2P a bit for access to the NVR. I disagree with a blanket statement that P2P is not secure. There's nothing about P2P that's inherently insecure, and I would hope anybody who judges it actually knows how it works. Like everything else it can be done well or it can be done sloppily. Like everything else it can have a back door if the developers put it there. The question would be how secure Dahua's current P2P is. Anybody who has used the Dahua IP products for a few years will have seen a big emphasis on security with elimination of default accounts credentials, forced password strength, signed firmware, etc. The Dahua P2P could be insecure or it could be very secure. I don't see how anybody would know that without some good testing.
Working as a computer technician few years ago and having to deal with "my computer/network/nvr ... is hacked" I came to the conclusion that the most insecure part of any software is keeping the "admin" username and choosing easy to guess passwords.
P2P isn't the most secure thing around, but to think a company like Dahua is simply sitting around waiting for its technology to be hacked also absurd...
 

Teken

Getting comfortable
Joined
Aug 11, 2020
Messages
419
Reaction score
515
Location
Canada
Working as a computer technician few years ago and having to deal with "my computer/network/nvr ... is hacked" I came to the conclusion that the most insecure part of any software is keeping the "admin" username and choosing easy to guess passwords.
P2P isn't the most secure thing around, but to think a company like Dahua is simply sitting around waiting for its technology to be hacked also absurd...
If history is any indicator Dahua hasn’t proven to be very active or quick to remedy known holes in their systems. If you believe the following three letter agencies were simply sitting around doing nothing and waiting to be hacked.

You would be correct!

Consider for just a moment how many resources, man power, and budget they have. Yet every year one of these Government agencies are infiltrated and hacked. Yet you believe Dahua is even on the same level as these people?!?





The list is endless which anyone can confirm for themselves. The first level of security is identifying all threat vectors. This is followed by avoiding the use of possible entry points such as P2P. As stated here many times audio & video data should never be allowed on the Internet - ever.

People use and do it because it offers convenience of access & control. Because true security is NOT their primary objective.

This is why every three letter agencies have been infiltrated at some level. Because they yield to the people of power that are too stupid to live and circumvent those in the know!

Security is not a thing, service, port, hardware, method. It’s a mindset and way of life that adapts, learns, and iterates.

This is why blue & red teams exists . . .

Dahua most certainly does not have a blue & red team working to pen test their hardware.
 

3lij4h

n3wb
Joined
Jun 6, 2018
Messages
26
Reaction score
19
Location
Israel
@Teken
The bullet proof - hack proof system has not yet been invented, and probably would never be.
The more complex a system is the more vulnerable it becomes. Also specialized agencies who were not able to find the weak belly of a system in the beginning would find it given time and resources (remember the "unhackable" iphone!) - and it comes exactly to this: time and resources.

No one would invest time/resources to hack a wifi-connected-smart oven unless it would be worthwhile their time - and on the other hand no company would work to fix vulnerability unless its a real risk and would cause the company damage. Microsoft decided to dump the whole code of its system and start all over again to secure its system to new threats. I bet Dahua invests the exact amount of resources to fix what it needs to fix to which amount it thinks is useful.

And yet again, if I notice anyone hacking my camera to spy on my lawn growing... maybe its a good idea for me to broadcast it on Youtube and gain some views...
 
Joined
Dec 28, 2019
Messages
4,322
Reaction score
8,590
Location
New Jersey
They aren't hacking to watch your video. They want to use your devices for DoS attacks, typically. Given the level of "sophistication" that the average person has when it comes to their own security, let alone security on the internet, P2P is just another way for them to get hacked since they haven't got a clue, or don't care to know or learn, how to take basic security steps. There are many threads on here started with "I want a simple and easy surveillance system". We all know those are both mutually exclusive terms.

As for the level of "sophistication", what I tend to call "situational awareness" have a look at this thread. It illustrates just how ignorant most, or at least too many, people truly are.

 
Joined
May 1, 2019
Messages
1,146
Reaction score
1,491
Location
Reno, NV
I am no computer professional. All I remember about programming is from my middle school days on a dot matrix printer playing Star Wars and typing in 10 print hi, 20 goto 10 in BASIC :)
I will jump in the conversation as an outsider. The Mass of Humanity are quite simply dumb. As long as folks like Paris Hilton or Kardashians are top news, we are a doomed species!
With that being said... the perception of IOT security is in a bad place, created by hardware/software people who had no foresight of the future in regards to security. When I bring up home cameras to friends, they all remember that creepy person talking to those 2 little girls in their room on camera (NEST?). Never mind about the use of crappy username/password selection. It's the perception that is the end result. I like to describe network security as using a sliding scale. The more easier and user friendly to install & config a network device, the more easier and hacker friendly to hack and infiltrate.
And now it comes down to what do the hardware/software manufactures do to appease the masses? I believe P2P was create with good intentions, just like moving from manual IRQ settings to USB (oh the days of autoexec.bat!). But it has created a massive security concern (just like what port forwarding can do) not only because Dahua does not have a fantastic history with responsible security in their cameras, but also because 80% of consumers are dumb... they don't care... consumers want something that works without knowing why or how it works.
This is why using P2P is a bad thing for the general mass of people. Folks here on IPCT who are the 20% who care and learn, are very comfortable using Dahua cameras because we are aware that even if we do not understand P2P 100%, we know enough to not enable it because we can not rely on Dahua to have our backs in this regard even though the hardware is fantastic.
 

Teken

Getting comfortable
Joined
Aug 11, 2020
Messages
419
Reaction score
515
Location
Canada
@Teken
The bullet proof - hack proof system has not yet been invented, and probably would never be.
The more complex a system is the more vulnerable it becomes. Also specialized agencies who were not able to find the weak belly of a system in the beginning would find it given time and resources (remember the "unhackable" iphone!) - and it comes exactly to this: time and resources.

No one would invest time/resources to hack a wifi-connected-smart oven unless it would be worthwhile their time - and on the other hand no company would work to fix vulnerability unless its a real risk and would cause the company damage. Microsoft decided to dump the whole code of its system and start all over again to secure its system to new threats. I bet Dahua invests the exact amount of resources to fix what it needs to fix to which amount it thinks is useful.

And yet again, if I notice anyone hacking my camera to spy on my lawn growing... maybe its a good idea for me to broadcast it on Youtube and gain some views...
You’re missing the whole point of what I stated up above. The first step is to identify all known threats. This leads to NOT using known entry points into the network such as P2P, Port Forwarding, etc.

So in this case everyone knows this is a threat vector. This isn’t magic, guessing, possibility - It’s fact.

Yet people choose to ignore these facts and try to balance between access & control (convenience) while believing just because a connection is encrypted life is all good!

Even worse they believe only a small subset of information is relayed to a offsite entity.

We haven’t even addressed the very fact all the data is going to the Chinese Government!!!

Which I’ll restate once again . . .

The Chinese Government have majority shares in the Dahua company. They have laws in place which state they can access and use said companies resources anytime when needed.

Every known encryption cypher has been broken or will be broken. Think TLS / SSL, 4096 bit RSA:


More than 15 years ago it was movie magic and fiction that someone could infect and control a computer from a email. It was fiction that someone could hold a persons computer for ransom and if not paid wipe it clean.

It was pure fiction that someone could infect a none standard code base and make a giant motor explode.

Absolute pure fiction someone could start, stop, control a vehicle.

Whelps, in 2021 everything and more has been done along with shutting down half the internet.

As with anything in life people have choices. Ideally these same people would seek the knowledge from others as to best practices when making those choices.

When a person knows nothing about a subject matter that is called ignorance. When that same person has been given all the facts, knowledge to do better to avoid others past mistakes.

Yet, ignores these best practices and industry standards, this is called stupid.

It doesn’t take millions or billions to secure a network. It takes a person / team with the right mindset of saying What are the threats and how can we do better each day

Many people in the IT world fall prey to things are impossible. It’s impossible to them because they lack imagination. Impossible simply takes longer to achieve!

Think landing on the moon, splitting of the atom, cloning, reusable rockets, tracking someone based on facial features.

Almost every known (not foreign sponsored) breach & hack has been accomplished by a high school drop out?!?

Why???

Because they have incredible imagination and the will to succeed.
 

tigerwillow1

Known around here
Joined
Jul 18, 2016
Messages
1,888
Reaction score
2,554
Dahua does not have a fantastic history with responsible security in their cameras
I totally agree with the history. From what I see, Dahua has significantly improved on this. The main reason I'm aware is I've been complaining about being forced into long passwords and losing the default account into the NVR. Port forwarding can be secure as evidenced by this is what OpenVPN uses. A P2P implementation can be made to be just as secure, and even more because there isn't an associated open port to discover by scanning. The weakest point could be the P2P server that introduces the endpoints to each other. If it gets hacked you're at the same level as an open port and the software receiving the inbound traffic (openVPN, Dahua P2P, etc.) controls the security. I'm of the opinion that the Dahua camera and NVR firmware is now past the point of being used for DOS attacks. Rogue firmware can't be installed. Without some ultra-level hacking that makes no sense for targeting a small network I believe the worst damage that can be done is viewing the video stream or messing up configuration settings. This assumes there's no backdoor that can be exploited by hackers.
 

brianegge

Pulling my weight
Joined
Apr 27, 2020
Messages
147
Reaction score
168
Location
Ridgefield, CT
Windows has an update almost weekly.
Yes, not because they ship sloppy products but because security is a changing landscape and they have a pipeline for finding and fixing vulnerabilities. The track record for ipcams and IoT devices is not nearly as good. Lorex has never shipped an update for my system.

Generally the best advice is defense in depth. You want multiple layers of security.
If you only allow inbound connections via VPN, you’ve added a layer. If you have you IoT devices on a vlan in a zone without access to your LAN or internet, you’ve added another layer.
 

3lij4h

n3wb
Joined
Jun 6, 2018
Messages
26
Reaction score
19
Location
Israel
You’re missing the whole point of what I stated up above. The first step is to identify all known threats. This leads to NOT using known entry points into the network such as P2P, Port Forwarding, etc.

//

The Chinese Government have majority shares in the Dahua company. They have laws in place which state they can access and use said companies resources anytime when needed.

//

When a person knows nothing about a subject matter that is called ignorance. When that same person has been given all the facts, knowledge to do better to avoid others past mistakes.

Yet, ignores these best practices and industry standards, this is called stupid.
//

It doesn’t take millions or billions to secure a network. It takes a person / team with the right mindset of saying What are the threats and how can we do better each day
1- The most possibly secure system is offline. All internet connected router systems are breakable, if they have wifi (given the distance) they are even more so. The largest network companies in Israel lease a wireless modem/router covering 90% of connected homes in Israel with a master password known to most people who worked as technicians in the company... and well... you know about the internet, so its there! Most people use even older modems/routers with admin/admin passwords.
Point is: if you want a fully secure system live off grid. If you want an easy life, pick your battles - 1% or 100% hackable is up to you.

2- yup, you are right, any guarantee other governments are not doing the same?

3- True, still, most people are not experts, they want an easy to use product and provide they buy a product from a decent company they expect the company to "fix" these issues. By your rules 99% of people are stupid/ignorant - but then again, I don't expect you or anyone buying a complex product they need and understand the full mechanics. This forum have professionals and they should know better, not the "regular user".

4- I was the same age of an Israeli hacker (analizer if my memory serves me right ) who at the age of 16 hacked the pentagon website and God alone knows what else. I trust US government have those people who wake up every morning and ask "What are the threats and how can we do better each day" fact is, it was hacked.

You are right in most points and I agree.
My point is, I understand most people (including myself) are security fanatics - hell that's why we read every damn pixel - I don't expect others to be so, I expect companies to invest more in security, and maybe our whole point of view in exaggerated ...
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,614
Reaction score
1,121
Oh, and for the ones diving into this topic in 2042: yes, OpenVPN is not safe anymore! Do not use it, you will be hacked! Use its backward compatible nephew called NPVnepO! Much safer :slap:

</humor off>

There is no such thing as "100% safe", or "100% availability". We are talking about "probabilities". It's like this Windows versus Linux discussions: which one is better/safer/easier... ALL THINGS CAN BE HACKED/WHACKED/CRACKED. It's only a matter of YOU feeling safe/secure/better off than with the other. I wouldn't drive a car without airbags, but if I'd hit a Mustang from 1965 (for a good price that is), I WOULD NOT COMPLAIN IT DOESN'T HAVE AIRBAGS.

Off we go! :D
 

Teken

Getting comfortable
Joined
Aug 11, 2020
Messages
419
Reaction score
515
Location
Canada
Oh, and for the ones diving into this topic in 2042: yes, OpenVPN is not safe anymore! Do not use it, you will be hacked! Use its backward compatible nephew called NPVnepO! Much safer :slap:

</humor off>

There is no such thing as "100% safe", or "100% availability". We are talking about "probabilities". It's like this Windows versus Linux discussions: which one is better/safer/easier... ALL THINGS CAN BE HACKED/WHACKED/CRACKED. It's only a matter of YOU feeling safe/secure/better off than with the other. I wouldn't drive a car without airbags, but if I'd hit a Mustang from 1965 (for a good price that is), I WOULD NOT COMPLAIN IT DOESN'T HAVE AIRBAGS.

Off we go! :D
From my personal view this isn't about feeling safe or what is better than the next. Its accepting the facts there are weaknesses in the networking environment whether it be physical, electronic, or software related. Every day billions of people smoke and do drugs and both of these things are done with the full knowledge it will kill you. :banghead:

Everyone likes to jump on the bandwagon and tout about Risks and how everything is a risk. Sure, getting into the tub each day is a risk but surely its not on the same order as sky diving! :facepalm: Walking across the road at a pedestrian cross walk is a risk every day at rush hour. There's always going to be that Guy who tries to race past the blinking lights so he isn't slowed down for his next donut. This same risk is magnified by the stupid imbecils that have their face planted firmly in their phone while walking across the cross walk! :thumb:

These people are too stupid to live - period . . .

Everyday around the world there are stupid people doing something crazy stupid it defies plain logic. Think, walking down a rail road track with headphones on at the dead of night - like that won't end poorly! :wtf:

Now, the use of P2P isn't going to kill you, it surely won't reduce your life expectancy, but why increase your risk ten fold?

Of all transport methods used by man today in North America a surface vehicle is the most dangerous to be in. The least dangerous is depending upon its availability is water and rail. Neither of these are used enmass due to their limited entry / exit points to a final destination say the super mall! :lmao:

P2P is the latest rage and is literally that surface vehicle . . .

Now, if the conversation was about Feeling Safe vs Actually being safe. People feel hot, cold, sad, which has no direct relations to being safe. Feeling safe in the P2P scenario is the belief This awesome company has done everything right for me to quickly setup and access my new toy. That's feeling safe based on no empirical facts just a fancy QR code, Advert, Naked girl pointing to click here.

Safe is keeping all of your hardware up to date in terms of software & firmware to address evolving threats. This of course starts at the edge of the network which is guarded by a firewall to manage the flow of data and negate unsolicited traffic using IDS / IPS. Next is having software antivirus & firewall rules in place on every computer system.

All hardware is added to the internal network based on MAC address . . .

The same network systems are segregated by different subnets and IP class which is bolstered by isolating the same via VLAN. Anyone who has ever contracted or worked for any 3 letter agency knows every asset has a ring back application in place. This very small but powerful application is used to identify itself to the network and if its not present it can never be allowed on the LAN / WAN.

If we assume there was magic in place and the ring back software was not present the sentry system would drop that connection.

That never happens because the person on the other side has zero ability to even connect.

Now, the question always comes up if such a powerful system is available and in place why and how do these people get hacked?!? Because these so called professional IT people don't actually use it! :facepalm:

Management has either told them their risk is so low or say what are the odds??? They override what the IT guy has told them is not if - but when! But, the world is literally controlled by fools who truly believe they know better than the guy who has 9999999999999999999999 years in the field and you pay him $500K a year so you can ignore him?!?!? :rofl:

People smoke because they are stupid . . . People drive drunk because they are stupid . . . People do drugs because they are stupid . . . People use P2P because they are stupid . . .

Life's about choices - make the right one! :headbang:
 

3lij4h

n3wb
Joined
Jun 6, 2018
Messages
26
Reaction score
19
Location
Israel
@Teken
If everyone were so smart we would have lost the opportunity to have the Darwin Awards
:p
 

Teken

Getting comfortable
Joined
Aug 11, 2020
Messages
419
Reaction score
515
Location
Canada
@Teken
If everyone were so smart we would have lost the opportunity to have the Darwin Awards
:p
I have no words . . . :facepalm: :lmao: :headbang:
 

wittaj

Known around here
Joined
Apr 28, 2019
Messages
3,842
Reaction score
4,627
Location
USA
Someone just posted their rebranded Dahua DVR getting hacked that they suspect happened through P2P...no idea if it was Dahua or the rebrand P2P though...

 

tigerwillow1

Known around here
Joined
Jul 18, 2016
Messages
1,888
Reaction score
2,554
I just heard that a Ford Pinto burst into flames after getting rear ended, therefore an F150 is a death trap.

No question that older Dahua products and firmware had weak security. I don't recall seeing a report anywhere of a breach due to P2P on a current model with current firmware.
 
Joined
Sep 21, 2017
Messages
5
Reaction score
0
Location
Australia
I use P2P and am happy to do so. I know how to set up a VPN and segregate NVR from the internet and port forward etc, however P2P is simply more convenient and as others have said it is just as secure. It also allows for things such as push notifications to be sent to your phone, without any cumbersome workarounds.

The people who demonize P2P because the camera is communicating with a server "iN ChInA" don't seem to apply the same rationale with every other smart device in their house which "phones home" such as:

Google home / Amazon Alexa / Apple Homepod
Smart TV
Desktop / Laptop
Cable Box
Playstation / Xbox / Wii
Tablet
and most importantly your Smartphone!!!!

And I don't buy the whole "well at least the above are American companies" bullshit either. If you're comfortable with your Smartphone (which contains a lot more sensitive and lucrative information than your camera feeds) maintaining a constant connection with it's remote server, then you should be comfortable with you cameras or NVR using P2P. Yes if there is credible and recent information which suggests that there are existing vulnerabilities then P2P should be called into question, however Dahua and the like have learnt from their past mistakes and there are plenty of white and black hat hackers who test the robustness of their system.

The simple fact is, without P2P your average consumer would not be able to view their cameras remotely. Expecting mom/pop/grandparents, etc to setup and maintain a private VPN is unreasonable.
 

wittaj

Known around here
Joined
Apr 28, 2019
Messages
3,842
Reaction score
4,627
Location
USA
The difference is computers, tablets, phones constantly get updates and you can run security software on them....with an NVR not so much....

And a lot of us do not use all the IoTs that you mention for that very reason....

And you are correct that without P2P the average consumer would not use these products...but that convenience does come at a cost of security...

At the end of the day, we each take the risks we decide are appropriate - some smoke, some decide not to get the vaccine, some decide whatever.....and computer and network security is no different...it is up to each of us to decide our level of risk...
 

tigerwillow1

Known around here
Joined
Jul 18, 2016
Messages
1,888
Reaction score
2,554
I've been watching with interest a bipolar aspect of the forum. There's this "P2P is bad" thread, and another about Starlink satellite internet. In the Starlink thread a number of remote access ideas are discussed, some examples being cgnat, zero tier, ngrok, hoppy, and VPN in a cloud. All of these are some form of P2P with some or all of the traffic going through somebody else's server, and there's no P2P paranoia, or even suspicion, on that thread.

I've got a roku and Tivo on my network and often wonder what info they are calling home with. I was suspicious enough about the "smart" TV with a camera to open it up and disconnect its wifi module. Hacking-wise, I'm more concerned about the camera and microphone in the living room than the outside security cameras.
 
Top