Should I Hack 10,000 Dahua Cameras?
Just for the hell of it I wrote this program. It's very simple. It goes out to the infamous internet registry known as shodan.io and retrieves IP addresses belonging to Dahua cameras and recorders.
It then tries the default passwords and if successful updates all the channel names to various warning messages, indicating that the camera is viewable on the Internet and that the password should be changed, as well as leaving a pointer back to shodan.io.
Here's a video showing briefly the process on my NVR:
Should I run it or not?
Added: Vote Below
Somebody is going to get a solemn declaration....
What is Dahua's password management approach now? I thought, per Ethan's post here (IP Camera Passwords - Axis, Dahua, Samsung) that it has improved?
You can go to jail as a white hat hacker for embarrassing a billion dollar corporation. Just ask Weev
There are times in every man's life when he is compelled to act;
No matter how great the cost or little the gain,
With nary a thought to one's own life or limb,
But only to stare steely-eyed into the eyes of pernicious depravity,
Fortunately, this is not one of those times...
I have deleted the rogue program...
I voted no but you make a great point. I hope you are keeping Dahua in the loop. I want to know if they even care at all.
Better to find the problems now than to find out later with the criminal minds out there.
Go for it, that way we learn how to better protect our systems from your test.
Whether you are doing this as a "friendly service" or not wouldn't matter. You would be making unauthorized access and changes to computer systems and would be in violation of a crime.
For one thing, you don't know what other dependencies exist around the current parameters of those systems. Some of them may be monitored and have automation software programmed to respond to specific channel names/camera names.
Also, if it came down to a lawsuit you have posted here publicly that you were debating "hacking" cameras. Even though your post is undisclosed your actual information would easily be subpoenaed.
Officially, I wouldn't recommend pursuing something like this. But if you didn't take my advice, I also wouldn't recommend posting a public request for comments about it. I'd probably also recommend you spin up a cheap VM somewhere to do your "testing" on.
Brings up a good point (Snowden example).
But this should be a wake-up call for the manufacturers and other security agencies out there.
Be aware, take pre-emptive action, complete in-house testing to verify that this cannot happen to you.
Don't wait until someone posts like this to change the protocols on your systems.
Prevention is better than response to acts of cyber crime.
I can confirm that even the newer Dahua IP cams that have the password change at first login prompt can still be accessed via ONVIF using admin:admin. When will Dahua realize this is a major security flaw? I know they do it to facilitate the easy connection to their NVR/DVRs, but there should at least be a way to disable it.
Just noticed that Dahua also has this other API call
So theoretically one could also set the DVR to block any incoming connections from shodan and other hacker/voyeur sites.
Though I guess you could argue some people want to be on shodan.
I'll read the thread tomorrow on the airplane, it's late ;-)
But I think the actual responsible disclosure thing to do is "report it to ICS-CERT". Large scale faux pas in the public infrastructure. They take reports like that. Don't hit the button. I mean, if you've never submitted a talk to Defcon or something, maybe yes then.
So what about all the Avigilon cameras on the public net? Is that possible to be correct?
Update: I have decided against proceeding with any action at this time for three reasons.
1. I am unable to find a way to trigger an event with custom verbiage in my test Dahua system. Without that I would have to change camera descriptions or titles, which could be viewed as damage.
2. The voting stands slightly against (48% vs 52% with 81 votes), which is a surprise to me. I am not sure what the reasons are, whether it be concern for the hacked or the hacker, but either way it's enough to make me reassess.
3. The Undisclosed(s)
One thing I was wondering about: if someone did change all the titles on, say, 1000 cameras, after a week how many would still be open?
100? 500? 1000?
Bump: I need to give U1 his due and recognition here, related: Hacked Dahua Cameras Drive Massive Cyber Attack
This may be unrelated to this OP, but I had a client with a hacked Dahua NVR that I had to battle these past few weeks. The only way we knew it had been hacked was because we could not save any changes. We found this out when I attempted to install three additional Dahua cameras at this site.
The NVR had no issue adding the new cameras, but as soon as it rebooted (Dahua devices reboot weekly on Tuesday @ 02:00 by default), it lost the new cameras.
When I was called back to the site Wednesday AM, I found that the NVR had been reverted to the settings just before I added the three cameras. It was after digging further that I found an additional user account named "service" that had a note on the account that said "your_device_has_been_hacked_
I was unable to make any changes to the NVR config that would survive a reboot. My admin credentials remained intact and usable, but there was little hope of fixing the issue via the NVR GUI. I attempted to navigate CLI via telnet, but was not able to correct the issue myself.
I leaned on my Dahua OEM suppliers for their assistance in locating a newer firmware with hopes that it would overwrite / correct the permissions issues. After upgrading the firmware, the permissions issue persisted. Note that I could not run the firmware update via the GUI, I had to use the Dahua DVR Upgrade Tool Ver1.16 utility to push it to the device.
My next step was trying to again use telnet access to try and unlock the NVR. However, there was a new roadblock. The original firmware 2.608 allowed up to 8 character passwords, but the newer firmware 2.616 only allowed 6 character passwords. This made my 8 character password unusable. I could use the Dahua daily code to make changes in the NVR GUI, but these were not saved to the telnet level password list. So now I was locked out of telnet access.
My final attempt was to connect via RS232 and try to erase everything on the NVR and upload a complete firmware image. To do this, you will need a few programs, NCOM and a Cisco TFTP server app. NCOM allows you a CLI console to run commands. I was able to use the HELP command to find ERASECFG, which successfully cleared the permissions issue. I also used the NCOM/TFTP method to upload the complete Dahua firmware image (update.img).
I guess I am documenting this here in case others have a similar issue. To keep this from happening again, we are now using a non-standard port externally forwarded to port 37777 in hopes that this will prevent its discovery by hackers again. This isn't a surefire way to prevent future hacks, but it will surely take longer for them to find it.
NOTICE: This comment has been moved to its own discussion: How I Handled a Hacked Dahua NVR