We have a client that we have installed many Dahua IP cams of various models, but specifically the IPC-HDBW5421E-Z. The issue we are having is that anyone with access to the camera VLAN can use the standard RTSP string in a browser (http://IPADDRESS/axis-cgi/mjpg/video.cgi) to view the camera stream without credentials. Worse yet, doing so changes the Encoding setting on the camera to MJPEG and max frame rate and bit rates. This essentially will greatly inflate the network bandwidth and eventually lock up the camera.
Also, DW Spectrum (VMS in use at this site) will no longer show the feed, as it is expecting a h.264 stream, not MJPEG.
My first thought was to restrict access to the camera using the IP Filter setting in the Dahua camera itself. One would think that a whitelist of allowed IPs/MACs would be a good place to start. However, and here is the flaw, the IP Filter does NOT block any access!
The logical answer here is to simply lock down the VLAN, which we don't have control of, but, the IT dept is resisting this. They say that the time spent doing so is not something they can do. Currently any PC on the network has access to the camera VLAN. They say that is secure enough for them. No one inside their org will tamper with anything.
The issue is, it just happened yesterday by accident. Someone opened an old webpage that they used to use to view now retired Axis cameras that used the same IP address of the newer Dahua cameras. This webpage had a similar RTSP string associated with the current Dahua IP addresses. When they simply viewed this page, it knocked out 7 cameras.
Matt Bischof from Dahua has contacted me and is attempting to get this resolved. I am awaiting his reply with a resolution.
Also, John, we worked with Peter Hu from your company to resolve this issue, but Dahua claimed they couldn't replicate the issue. Another Dahua OEM, Sean Nelson from Nelly's Security was able to replicate it, however since they were severing ties with Dahua, he was unable to assist me.