Security Analysis of Dahua/EmpireTech NVR Web Plugin

H. Swanson

Getting the hang of it | Joined Nov 3, 2023 | Messages 123 | Reaction score 95 | Location Tennessee
When I bought into the EmpireTech/Dahua NVR and camera system, I knew I would have to isolate the devices and I'd be protected from security threats. However, I didn't realize that I would need the NVR's web plugin running on my PC's browser. I can't isolate my main PC and I don't want to buy a separate PC only to interact with my NVR.

So, I ran the NVR's web plugin file through a security analysis via hybrid-analysis.com, which puts it through a variety of engines for static, ML and sandbox analysis using CrowdStrike. The results are concerning--see below.

Now I'm feeling like I need to ditch using the NVR and get my own Blue Iris PC. Any thoughts on this? Am I overthinking it?

Here is the detailed report:

Summary below: [attached image]

steve1225

Getting comfortable | Joined Apr 11, 2020 | Messages 300 | Reaction score 365 | Location Poland/Portugal
But modern Dahua NVR/cams can work without plugins using HTML5. There are some limitations but it is usable.
 

wittaj

IPCT Contributor | Joined Apr 28, 2019 | Messages 25,389 | Reaction score 49,462 | Location USA
There is maybe a risk, but it is less than a risk of using P2P or port-forwarding.

It is how the "unknown Publisher" or "potential virus" or "compromised" messages are generated (just called virus moving forward in the rest of this post for simplicity).

It is not a virus, rather it is whatever antivirus you are using has flagged it as a potential virus. Some programs look at the total number of users and below a certain number, it is flagged. These specialty type files/programs get false positives all the time.

As you saw with MetaDefender and with VirusTotal, an antivirus website owned by Google that runs it thru a lot of different antivirus algorithms, it is generally safe.

Do you need to access the NVR all the time from the computer? Can you use the HDMI and a monitor or SmartPSS instead? Can you set it all up and then delete the .exe?

The best we can do is lock things down the best we can and try to delete stuff when we are not actively using it.


Keep in mind that if you decide to go the BI route, if you run the Blue Iris executable file thru this same analysis you will get similar results. We also have threads here from the NOOB with BI that gets the "it is a virus" warning. In fact, the BI help file says to exclude BI from the antivirus software.



H. Swanson

> Do you need to access the NVR all the time from the computer? Can you use the HDMI and a monitor or SmartPSS instead? Can you set it all up and then delete the .exe?
My NVR is in a closet so I can’t VGA or HDMI. I was hoping to have access to the NVR UI all the time to see what events happened during the night. Isn’t SmartPSS a Dahua app I’d have to install which means I’d have the same risk?
 

wittaj

Yeah in that case it is just an accepted/calculated risk.

The alternative is no cameras or completely isolate it.

Fact of the matter is there are hundreds of services running on a Windows machine and we truly don't know if any are bad actors. What about all the bloatware apps on a phone that can't be deleted?

I occasionally go thru my computer and shut down services running and see if it impacts the computer. Most of the time it doesn't, but sometimes it is a whoops LOL.
 

CanCuba

Known around here | Joined Dec 9, 2020 | Messages 1,135 | Reaction score 3,430 | Location Havana, Cuba
> My NVR is in a closet so I can’t VGA or HDMI. I was hoping to have access to the NVR UI all the time to see what events happened during the night. Isn’t SmartPSS a Dahua app I’d have to install which means I’d have the same risk?
An option would be an HDMI extender. Only the receiver at the NVR needs power. Signal is transmitted on a cat cable up to 165 feet. This model only supports up to 1080p but I'm sure there's 4K versions if you require it.

Also allows for a USB mouse and keyboard to be connected so you can seamlessly control your NVR from your television with ease.


tangent

IPCT Contributor | Joined May 12, 2016 | Messages 4,446 | Reaction score 3,697
If you need the web plugin, consider running it in a sandboxed vm.

Looking at your report in more detail, I'm not that worried about it.

H. Swanson

> If you need the web plugin, consider running it in a sandboxed vm.
>
> Looking at your report in more detail, I'm not that worried about it.
The vm idea is good. I'll try that and I'll isolate it on a separate VLAN with the NVR. I'll be curious if this plugin needs Internet access because it does have a web socket executable per the malware analysis report.
 

wittaj

> The vm idea is good. I'll try that and I'll isolate it on a separate VLAN with the NVR. I'll be curious if this plugin needs Internet access because it does have a web socket executable per the malware analysis report.
The laptop I use has ZERO internet access - doesn't even have wifi LOL, and it works just fine.
 

wittaj

> Cool but I’m referring to the NVR specifically, which I don’t believe you use, correct?
I started with an NVR before migrating to BI. Still running LOL. Not same model as yours, but don't see why it wouldn't work.

Simply disconnect your internet for a moment and see if you can see the NVR!
 

H. Swanson

Oh I was thinking network access altogether. I agree...shutting off Internet access shouldn't be an issue.
 

H. Swanson

> You could probably restrict things so the plugin can only communicate with the NVR/Cameras if so motivated
I would love that. Any advice on how to do that? Block the port and protocols it reaches out to from my PC?

It spawns WebSocketServer.exe as a process.

tangent

> I would love that. Any advice on how to do that? Block the port and protocols it reaches out to from my PC?
>
> It spawns WebSocketServer.exe as a process.
Firewall rules on your vm
 

wittaj

> I would love that. Any advice on how to do that? Block the port and protocols it reaches out to from my PC?
>
> It spawns WebSocketServer.exe as a process.
How would you find what ports it is using and are they common ports that would prevent something else from working?
 

H. Swanson

> How would you find what ports it is using and are they common ports that would prevent something else from working?
I have ESET Premium and it has a feature that shows what IPs each node on my LAN is reaching out to. When I’m home, I’ll give it a try and we’ll see where this socket is sending me. I also have new Omada networking equipment that must have a way to track that, but I’m still figuring it all out.
 

Broachoski

Getting comfortable | Joined Jun 21, 2019 | Messages 605 | Reaction score 1,479 | Location USA
I have a second router, not connected to internet but have an NVR and the Blue Iris camera NIC connected into it.
My laptop which I do everything from has an added USB NIC. With this setup I can log into everything with no changes.
 

H. Swanson

My issue isn’t segmenting the network and restricting Internet access, it’s this browser plugin that I need to use the NVR UI.
 

H. Swanson

So, here is what network action WebSocketServer.exe is producing on my PC while I'm using the plugin to browse the NVR's UI: .100 is my PC and .102 is my NVR

Looks like it's not calling out, but that doesn't mean it can't be triggered to do that at some point. I just added two host firewall rules where the first is allowing this service access from my PC to the NVR, and the second blocks all communication in or out with this service. I also added a full block on the WebActiveX executable in the Torch folder with any activity notifying me.

[attached image]
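Added example (not part of any post in this thread): one way to find what WebSocketServer.exe is connected to and to restrict it to the NVR only, assuming Windows Defender Firewall rather than the ESET firewall mentioned in the thread. The executable path and the NVR address are placeholders, and `Get-NeighborIp` is a helper defined here.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Assumes Windows Defender Firewall is the host firewall in use.
# $Plugin and $NvrIp are placeholders: substitute your own values.
$Plugin = 'C:\PATH\TO\WebSocketServer.exe'   # placeholder path
$NvrIp  = [ipaddress]'192.0.2.102'           # placeholder NVR address

# 1. List the TCP endpoints the running helper process currently has open.
Get-Process -Name WebSocketServer -ErrorAction SilentlyContinue | ForEach-Object {
    Get-NetTCPConnection -OwningProcess $_.Id -ErrorAction SilentlyContinue |
        Select-Object State, LocalAddress, LocalPort, RemoteAddress, RemotePort
}

# 2. Return the IPv4 address $Delta away from $Ip (used to build ranges).
function Get-NeighborIp([ipaddress]$Ip, [int]$Delta) {
    $b = $Ip.GetAddressBytes(); [array]::Reverse($b)      # to little-endian
    $n = [BitConverter]::ToUInt32($b, 0) + $Delta
    $o = [BitConverter]::GetBytes([uint32]$n); [array]::Reverse($o)
    [ipaddress]::new($o).ToString()
}
$below = "0.0.0.0-$(Get-NeighborIp -Ip $NvrIp -Delta (-1))"
$above = "$(Get-NeighborIp -Ip $NvrIp -Delta 1)-255.255.255.255"

# 3. In Windows Defender Firewall a matching block rule overrides any allow
#    rule, so "allow NVR" plus "block everything" would also block the NVR.
#    Scope the block to every IPv4 address except the NVR instead.
#    (IPv4 only; IPv6 traffic needs its own rule.)
foreach ($dir in 'Outbound', 'Inbound') {
    New-NetFirewallRule -DisplayName "NVR plugin: block non-NVR ($dir)" `
        -Program $Plugin -Direction $dir -Action Block `
        -RemoteAddress $below, $above -Profile Any | Out-Null
}

# 4. Confirm what was created.
Get-NetFirewallRule -DisplayName 'NVR plugin:*' | ForEach-Object {
    [pscustomobject]@{
        Rule   = $_.DisplayName
        Action = $_.Action
        Remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
    }
}
```

Firewalls that evaluate rules in order (first match wins) can use the allow-then-block pair as described in the post; the range-based block is only needed where block rules take precedence.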