Dahua ESM: "No One Can Prove" Our Backdoor Is Intentional

The Tyco specifier backdoor defense has been joined, this time by a Dahua enterprise sales manager:

A few counters:

  • The Dahua 888888 account is definitely intentional. Whether Dahua intentionally allowed remote access to it or was just incompetent, only Dahua knows. But putting in that 888888 account was intentional, and it was dangerous.
  • The Hikvision ?auth=YWRtaW46MTEK magic string was hidden to the public but someone intentionally programmed that in.
  • Dahua's response to the ongoing hacks of its devices has been terrible. If I were a Dahua salesperson, I would quit; I would not want to draw attention to this.
  • These 'unintentional' mistakes are so basic that even if you believe they are unintentional, it raises very significant concerns about the competency of these organizations.

Instead of these excuses, prove that your companies can do better. Can you?
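As an added example, not from the IPVM article and not code from Dahua or Hikvision: a small Python log check that flags the two things the counters above name, the Hikvision `?auth=YWRtaW46MTEK` magic string (base64 for `admin:11` plus a newline) and any base64 `auth=` parameter that decodes to a factory account name. The log lines are constructed, the Apache-style format and the `/cgi-bin/snapshot.cgi` URL are assumptions, and `admin` and `666666` are added from Dahua's documented factory accounts; the article itself names only `888888`.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# The Hikvision magic string quoted in the article; it is base64 for "admin:11\n".
HIKVISION_MAGIC = "YWRtaW46MTEK"

# Account names to flag. The article names 888888; admin and 666666 are
# Dahua's other documented factory accounts (added here, not in the article).
DEFAULT_ACCOUNTS = {"admin", "888888", "666666"}

# Pulls the request target out of an Apache/nginx combined-format line (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT) (?P<target>\S+) HTTP/\d\.\d"')


def decode_auth(token):
    """Decode a base64 ?auth= value to 'user:password'; None if it is not one."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("utf-8", errors="replace")
    return text if ":" in text else None


def classify_request(target):
    """Return a reason string if the request carries backdoor-style auth, else None."""
    # Note: a '+' inside a base64 value must be sent as %2B, or parse_qs turns it into a space.
    query = parse_qs(urlsplit(target).query)
    for token in query.get("auth", []):
        if token == HIKVISION_MAGIC:
            return "hikvision magic auth string"
        decoded = decode_auth(token)
        if decoded is None:
            continue
        user = decoded.split(":", 1)[0]
        if user in DEFAULT_ACCOUNTS:
            return f"default account {user!r} passed in URL"
    return None


def scan_log(lines):
    """Return (line_no, client_ip, reason) for every flagged request."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        reason = classify_request(m.group("target"))
        if reason:
            hits.append((no, line.split(" ", 1)[0], reason))
    return hits


# Constructed sample log lines (not real traffic). Line 3 carries
# base64("888888:888888") on a hypothetical Dahua CGI path.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Mar/2017:10:01:02 +0000] "GET /Security/users?auth=YWRtaW46MTEK HTTP/1.1" 200 1843',
    '198.51.100.7 - - [12/Mar/2017:10:01:09 +0000] "GET /System/configurationFile?auth=YWRtaW46MTEK HTTP/1.1" 200 92116',
    '203.0.113.20 - - [12/Mar/2017:10:02:30 +0000] "GET /cgi-bin/snapshot.cgi?auth=ODg4ODg4Ojg4ODg4OA== HTTP/1.1" 200 51200',
    '192.0.2.44 - - [12/Mar/2017:10:03:00 +0000] "GET /doc/page/login.asp HTTP/1.1" 200 4102',
    '192.0.2.44 - - [12/Mar/2017:10:03:05 +0000] "GET /ISAPI/Streaming/channels?auth=bm90YmFzZTY0 HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for no, ip, reason in scan_log(SAMPLE_LOG):
        print(f"line {no}: {ip}: {reason}")
```

Run against a camera's or reverse proxy's access log, the check turns the article's two examples into something an operator can actually look for; the last sample line shows a base64 value that is not a credential and is correctly left alone.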
