Dahua RTSP Security Flaw

We have a client for whom we have installed many Dahua IP cams of various models. The issue we are having is that anyone with access to the camera VLAN can use the standard RTSP string (rtsp://IPADDRESS/axis-cgi/mjpg/video.cgi) to view the camera stream without credentials. Worse yet, doing so changes the Encoding setting on the camera to MJPEG and max frame rate and bit rates. This will greatly inflate the network bandwidth and eventually lock up the camera.

Also, DW Spectrum (the VMS in use at this site) will no longer show the feed, as it is expecting an H.264 stream, not MJPEG.

My first thought was to restrict access to the camera using the IP Filter setting in the Dahua camera itself. One would think that a whitelist of allowed IPs/MACs would be a good place to start. However, and here is the flaw, the IP Filter does NOT block RTSP access. It only filters the ability to log in to the camera's webpage.

The logical answer here is to simply lock down the VLAN, which we don't have control of, but the IT dept is resisting this. They say that the time spent doing so is not something they can do. Currently any PC on the network has access to the camera VLAN. They say that is secure enough for them. No one inside their org will tamper with anything.

The issue is, it just happened yesterday by accident. Someone opened an old webpage that they used to use to view now-retired Axis cameras that used the same IP addresses as the newer Dahua cameras. This webpage had a similar RTSP string associated with the current Dahua IP addresses. When they simply viewed this page, it knocked out 7 cameras.

Anyone have a contact at Dahua who could possibly address this issue?
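The core complaint in the post is that RTSP answers without credentials even when the web-UI IP Filter is on, so any remediation (RTSP authentication enabled in the camera, a firmware change, or an ACL on the VLAN) needs a way to confirm it actually took. Below is an added audit check, not code from the IPVM thread, from Dahua or from DW Spectrum. It sends one RTSP DESCRIBE with no Authorization header and classifies the reply: a 401 carrying WWW-Authenticate means the stream is protected, a 200 means the SDP is handed to anyone who can reach port 554. It never sends SETUP or PLAY, so it does not ask the camera to start a stream. The host, port and path are placeholders, and the sample responses in the block are constructed for the offline self-check.

```python
"""Audit check: does a camera's RTSP endpoint require credentials?

Added example, not from the IPVM thread or from Dahua. Only DESCRIBE is
sent (no SETUP/PLAY), so no stream is requested. Host/path/port are
assumptions; the two sample responses are constructed for self-testing.
"""
import socket

# Constructed sample replies, shaped like real RTSP/1.0 responses.
SAMPLE_OPEN = (
    b"RTSP/1.0 200 OK\r\nCSeq: 1\r\nContent-Type: application/sdp\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_PROTECTED = (
    b"RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\n"
    b'WWW-Authenticate: Digest realm="cam", nonce="0123abcd"\r\n\r\n'
)


def build_describe(host, path, port=554, cseq=1):
    """Build an unauthenticated DESCRIBE request for rtsp://host:port/path."""
    url = f"rtsp://{host}:{port}{path}"
    return (
        f"DESCRIBE {url} RTSP/1.0\r\nCSeq: {cseq}\r\n"
        f"Accept: application/sdp\r\n\r\n"
    ).encode()


def classify_response(raw):
    """Return 'open', 'auth-required', 'not-found', 'other' or 'invalid'."""
    text = raw.decode("latin-1", errors="replace")
    head = text.partition("\r\n\r\n")[0]          # headers only, drop any SDP body
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("RTSP/"):
        return "invalid"
    try:
        status = int(parts[1])
    except ValueError:
        return "invalid"
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if status == 401 and "www-authenticate" in headers:
        return "auth-required"   # camera demands credentials: the desired state
    if status == 200:
        return "open"            # SDP served with no credentials at all
    if status == 404:
        return "not-found"       # path is wrong for this model; not a verdict on auth
    return "other"


def check_camera(host, path, port=554, timeout=3.0):
    """Connect to one camera, send DESCRIBE, and classify what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        sock.sendall(build_describe(host, path, port))
        chunks = []
        while b"\r\n\r\n" not in b"".join(chunks):  # stop once headers are complete
            try:
                data = sock.recv(4096)
            except socket.timeout:
                break
            if not data:
                break
            chunks.append(data)
    return classify_response(b"".join(chunks))


if __name__ == "__main__":
    # Placeholder target; substitute the camera IP and the RTSP path your model uses.
    print(check_camera("192.0.2.10", "/cam/realmonitor?channel=1&subtype=0"))
```

Run it against each camera after enabling RTSP authentication (or after any firmware or ACL change) and expect "auth-required" from every host; an "open" result means the web-UI IP Filter is still the only thing in the way, which, as the post notes, does not cover RTSP. The paths differ by vendor and model, so a "not-found" only says the path is wrong, not that the stream is protected.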
