Should I Hack 10,000 Dahua Cameras?

Just for the hell of it I wrote this program. It's very simple. It goes out to the infamous internet registry known as shodan.io and retrieves IP addresses belonging to Dahua cameras and recorders.

It then tries the default passwords and if successful updates all the channel names to various warning messages, indicating that the camera is viewable on the Internet and that the password should be changed, as well as leaving a pointer back to shodan.io.

Here's a video showing briefly the process on my NVR:

Should I run it or not?

Added: Vote Below


Somebody is going to get a solemn declaration....

What is Dahua's password management approach now? I thought, per Ethan's post here (IP Camera Passwords - Axis, Dahua, Samsung) that it has improved?

You can go to jail as a white hat hacker for embarrassing a billion dollar corporation. Just ask Weev

Chinese jail is not fun...

You can go to jail as a white hat hacker for embarrassing a billion dollar corporation. Just ask Weev

I reached out to Weev, nothing so far. As luck would have it I have boots on the ground in Belgrade, putting out feelers...

Anyway, Dahua should not be embarrassed, they should be thankful: every camera that comes off the Internet is one less potential Foscam screaming baby cam out there.

"Anyway Dahua should not be embarrassed"

Now you are trying to reason why Dahua?

Well, as long as it's not rubbed in their face I don't see why they would react.

That's the main reason I didn't put their name in the publicly searchable title of the discussion, as any Dahuan can note by looking at the URL of the topic.

Anyway, it's not about Dahua, I just don't own a Hik; and a Stardot hack wouldn't have quite the same impact...

There are times in every man's life when he is compelled to act;
No matter how great the cost or little the gain,
With nary a thought to one's own life or limb,
But only to stare steely-eyed into the eyes of pernicious depravity,
Without blinking...

Fortunately, this is not one of those times...

I have deleted the rogue program...

Oh noes.... Even if Dahua tried to sue you, they would send it to the wrong court or something...

It's definitely intriguing. Btw, a Shodan Dahua search returns 380,000+ results, how did you filter down to 10,000?

I voted no but you make a great point. I hope you are keeping Dahua in the loop. I want to know if they even care at all.

Why no?

For me, the ethical consideration is the actual owner of the device, not Dahua.

Better to find the problems now than to find out later with the criminal minds out there.

go for it , that way we learn how to better protect our systems from your test.

Whether you are doing this as a "friendly service" or not wouldn't matter. You would be making unauthorized access and changes to computer systems and would be committing a crime.

For one thing, you don't know what other dependencies exist around the current parameters of those systems. Some of them may be monitored and have automation software programmed to respond to specific channel names/camera names.

Also, if it came down to a lawsuit you have posted here publicly that you were debating "hacking" cameras. Even though your post is undisclosed your actual information would easily be subpoenaed.

Officially, I wouldn't recommend pursuing something like this. But if you didn't take my advice, I also wouldn't recommend posting a public request for comments about it. I'd probably also recommend you spin up a cheap VM somewhere to do your "testing" on.

For one thing, you don't know what other dependencies exist around the current parameters of those systems. Some of them may be monitored and have automation software programmed to respond to specific channel names/camera names.

This is true, no matter how few instances of Internet-accessible, password-defaulted Dahua DVRs are likely to have a PSIM integration dependent on the actual channel string, which might then miss an important event before the new label was noticed.

It could happen. Even one would be one too many. And even though I might argue that someone with such a sophisticated and critical system would prefer to be notified of their vulnerability, that is not my call.

So forget changing channel names, which could be considered cyber-vandalism.

Therefore Version 2 just triggers a custom event. Which causes a window to appear on the console. Much more elegant and appropriate, something like "Internet Access Detected - from shodan.io, blah, blah, blah, change your password..."

As for the law, the big one in the U.S. is the Computer Fraud and Abuse Act, and it has seven statutes: I would expect you would agree that 1, 3, 4, 6, 7 are not applicable. Starting with 2 then:

2) Whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains... information.

This one does not apply, since I retrieve no information. In fact, I close the TCP/IP socket before reading even the return code.

Statute five seems the most problematic, it breaks into 3 sub-paragraphs: A, B, C

5A) Whoever knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

This one fails because I certainly am not intentionally causing damage, even if damage is done, I do not wish for it to be.

Which leaves us with 5B and 5C, of which the Version 1 channel rename method would arguably be in violation of both.

5B) Whoever intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
5C) Whoever intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.

However, with the Event pop-up method, I find it a stretch to imagine any damage or loss. No information is changed or erased, only an additional event is created.

Moving on,

Also, if it came down to a lawsuit you have posted here publicly that you were debating "hacking" cameras. Even though your post is undisclosed your actual information would easily be subpoenaed.

Agreed that information could be subpoenaed, disagree that it is likely to be used against me for two reasons.

  1. The use of the word "hacking" is clearly used by me as a shorthand way to communicate the mechanics of the act easily to others. As the entire discussion would be read, my intention would be understood not to cause damage to anyone's system. In fact, I would be the first to provide this discussion as a priori, as opposed to ex post facto, evidence of my intent.
  2. I wouldn't do this unless I had a strong belief that it is legal.

Officially, I wouldn't recommend pursuing something like this. But if you didn't take my advice, I also wouldn't recommend posting a public request for comments about it.

I understand your concern and did not undertake this lightly. But as I said, as I would not knowingly do something illegal, I would rather hear any objection and be able to discuss it with the widest-ranging input possible before making such a decision.

Thank you for your comments, and please continue to challenge any of mine as you see fit.

:)

Brings up a good point (Snowden example).

But this should be a wake-up call for the manufacturers and other security agencies out there.

Be aware, take preventive action, complete in-house testing to verify that this cannot happen to you.

Don't wait until someone posts like this to change the protocols on your systems.

Prevention is Better than Response to acts of Cyber Crime.

I can confirm that even the newer Dahua IP cams that have the password change at first login prompt still can be accessed via ONVIF using admin:admin. When will Dahua realize this is a major security flaw? I know they do it to facilitate the easy connection to their NVR/DVRs, but there should at least be a way to disable it.

I can confirm that even the newer Dahua IP cams that have the password change at first login prompt still can be accessed via ONVIF using admin:admin.

Even after you set the password at the first login prompt? ONVIF in Axis, for instance, is wide open until you actually set the password in the browser. Then it deletes the ONVIF account. It's weird.

Dahua has always had a flaw, if you ask me, where they allow an ONVIF connection using default credentials of admin:admin, even after the password for the admin account is changed.
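The posts above describe a device that keeps honouring admin:admin on its ONVIF endpoint after the admin password has been changed. The added example below (my code, not from the original thread and not Dahua's) shows how to check for that on a camera you own: it builds the ONVIF GetDeviceInformation request with the WS-Security UsernameToken digest that ONVIF requires (Base64 of SHA-1 over nonce, creation time and password), then tries the factory credential and reports whether the device accepts it. The device it talks to here is a constructed fake so the example runs offline; `FakeOnvifDevice`, `http_sender` and the candidate list are my assumptions, and the fixed/flawed switch only models the two behaviours discussed, not any particular firmware.

```python
"""
Added example for the ONVIF discussion in this thread; not code from the
original posts or from Dahua. It builds an ONVIF request authenticated with a
WS-Security UsernameToken (PasswordDigest) and audits whether a device still
accepts the factory admin:admin over ONVIF after the admin password was changed.
FakeOnvifDevice is a constructed stand-in so the example runs offline;
http_sender() shows how the same audit would be pointed at a camera you own.
"""
import base64
import hashlib
import os
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from xml.sax.saxutils import escape

NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "tds": "http://www.onvif.org/ver10/device/wsdl",
}
PW_DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
B64_NONCE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
DEVICE_PATH = "/onvif/device_service"  # standard ONVIF device service endpoint
DEFAULT_CREDS = [("admin", "admin")]   # factory credential named in the thread (assumed list)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """WS-Security PasswordDigest as ONVIF mandates: Base64(SHA1(nonce + created + password))."""
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()


def build_get_device_information(username: str, password: str, nonce: bytes = None, created: str = None) -> str:
    """SOAP 1.2 envelope for tds:GetDeviceInformation carrying a UsernameToken header.
    A fresh random nonce and the current UTC time are used unless supplied (the digest
    binds both, so a captured request cannot simply be replayed with a new password)."""
    nonce = os.urandom(16) if nonce is None else nonce
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return (
        f'<s:Envelope xmlns:s="{NS["s"]}" xmlns:wsse="{NS["wsse"]}" xmlns:wsu="{NS["wsu"]}" xmlns:tds="{NS["tds"]}">'
        '<s:Header><wsse:Security s:mustUnderstand="1"><wsse:UsernameToken>'
        f'<wsse:Username>{escape(username)}</wsse:Username>'
        f'<wsse:Password Type="{PW_DIGEST}">{password_digest(nonce, created, password)}</wsse:Password>'
        f'<wsse:Nonce EncodingType="{B64_NONCE}">{base64.b64encode(nonce).decode()}</wsse:Nonce>'
        f'<wsu:Created>{created}</wsu:Created>'
        '</wsse:UsernameToken></wsse:Security></s:Header>'
        '<s:Body><tds:GetDeviceInformation/></s:Body></s:Envelope>'
    )


def http_sender(host: str, port: int = 80, timeout: float = 5.0):
    """Return send(envelope) -> HTTP status for a real device. Only use against devices you own."""
    def send(envelope: str) -> int:
        req = urllib.request.Request(
            f"http://{host}:{port}{DEVICE_PATH}", data=envelope.encode(),
            headers={"Content-Type": "application/soap+xml; charset=utf-8"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.getcode()
        except urllib.error.HTTPError as e:
            return e.code  # ONVIF devices answer 401 (or a SOAP fault) on bad credentials
    return send


class FakeOnvifDevice:
    """Constructed stand-in for a camera (assumption, not a real firmware model).
    retire_factory=False reproduces the flaw the thread describes: the admin password was
    changed, yet the factory password 'admin' is still honoured on the ONVIF endpoint.
    retire_factory=True models a device that stops accepting it once a password is set."""

    def __init__(self, configured_password: str, retire_factory: bool = False):
        accepted = {configured_password} if retire_factory else {configured_password, "admin"}
        self._passwords = {"admin": accepted}

    def handle(self, envelope: str) -> int:
        tok = ET.fromstring(envelope).find(".//wsse:UsernameToken", NS)
        if tok is None:
            return 400
        user = tok.findtext("wsse:Username", namespaces=NS)
        digest = tok.findtext("wsse:Password", namespaces=NS)
        nonce = base64.b64decode(tok.findtext("wsse:Nonce", namespaces=NS))
        created = tok.findtext("wsu:Created", namespaces=NS)
        # Verify the digest the same way a device must: recompute it over each stored password.
        for pw in self._passwords.get(user, ()):
            if password_digest(nonce, created, pw) == digest:
                return 200
        return 401


def audit_default_onvif_creds(send, candidates=DEFAULT_CREDS):
    """Try each factory credential over ONVIF and return the ones the device accepts."""
    return [(u, p) for u, p in candidates if send(build_get_device_information(u, p)) == 200]


if __name__ == "__main__":
    flawed = FakeOnvifDevice("Str0ng-Passw0rd!")
    fixed = FakeOnvifDevice("Str0ng-Passw0rd!", retire_factory=True)
    print("flawed device still accepts:", audit_default_onvif_creds(flawed.handle))
    print("fixed device still accepts:", audit_default_onvif_creds(fixed.handle))
```

To run it against your own camera replace `flawed.handle` with `http_sender("192.0.2.10")` (your device's address); a non-empty result means the factory credential is still live on the ONVIF side regardless of what the web login prompt forced you to set.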

Just noticed that Dahua also has this other API call

SetAccessFilterConfig

So theoretically one could also set the DVR to block any incoming connections from shodan and other hacker/voyeur sites.

Though I guess you could argue some people want to be on shodan.

Yes, or you could simply not have it port forwarded and open to the Internet. If you use the P2P service from Dahua, you won't need to expose the device(s) directly to the web, hence they won't show up in a port scan, or shodan.

Yes, or you could simply not have it port forwarded and open to the Internet...

It's not my DVR and I don't have access to the router, so I am limited to whatever the Dahua API provides. I could leave a note in the log with the P2P suggestion. After that it's up to them.

It's none of your business what they do with their cameras.

I can honestly say that if I misconfigured my DVR and an alarm popped up on my NVR console that said "Your camera feeds are publicly available for viewing at shodan.io.", I would be thankful.

Would you?

If I didn't misconfigure my DVR and wanted it open to the world with default passwords, I might not be thankful, but I don't think I would be upset. But I'm not sure, since I have a hard time imagining that scenario.

It's none of your business what they do with their cameras.

This is a valid objection. I certainly feel there's more than a little truth there.

True, if unexciting, story from 2 weeks ago: My son rides his new bike to the park. Because of its possible value to thieves, I have insisted that he use the chain lock that I bought with the bike, whenever he leaves it out of sight.

Last time after he came back for the bike, he found a post-it note on the underside of the chain. It said:

Don't lock your bike like this. It WILL be stolen soon, if it hasn't already been today. Put the chain thru the tire AND frame or you will come back and find ONLY a tire, or maybe only just a lock! I know too well.

When I read this I admit I was a little put off, until I had my son demonstrate for me his method of locking, basically chain around pole thru (1) spoke.

The guy didn't want someone he didn't even know to get ripped off.

But it's technically "none of his business".

Was what he did wrong in your eyes?

I'll read the thread tomorrow on the airplane, it's late ;-)

But I think the actual responsible disclosure thing to do is "report it to ICS-CERT". Large scale faux pas in the public infrastructure. They take reports like that. Don't hit the button. I mean, if you've never submitted a talk to Defcon or something, maybe yes then.

So what about all the Avigilon cameras on the public net? Is that possible to be correct?

Update: I have decided against proceeding with any action at this time for three reasons.

1. I am unable to find a way to trigger an event with custom verbiage in my test Dahua system. Without that I would have to change camera descriptions or titles, which could be viewed as damage.

2. The voting stands slightly against (48% vs 52% with 81 votes), which is a surprise to me. I am not sure of the reasons, whether it be concern for the hacked or the hacker, but either way it's enough to make me reassess.

3. The Undisclosed(s)

One thing, I was wondering about, if someone did change all the titles on say 1000 cameras, after a week how many would still be open?

100? 500? 1000?

Bump: I need to give U1 his due and recognition here, related: Hacked Dahua Cameras Drive Massive Cyber Attack

This may be unrelated to this OP, but I had a client with a hacked Dahua NVR that I had to battle these past few weeks. The only way we knew it had been hacked was because we could not save any changes. We found this out when I attempted to install three additional Dahua cameras at this site.

The NVR had no issue adding the new cameras, but as soon as it rebooted (Dahua devices reboot weekly on Tuesday @ 02:00 by default), it lost the new cameras.

When I was called back to the site Wednesday AM, I found that the NVR had been reverted to the settings just before I added the three cameras. It was after digging further that I found an additional user account named "service" that had a note on the account that said "your_device_has_been_hacked_ple".

I was unable to make any changes to the NVR config that would survive a reboot. My admin credentials remained intact and usable, but there was little hope of fixing the issue via the NVR GUI. I attempted to navigate CLI via telnet, but was not able to correct the issue myself.

I leaned on my Dahua OEM suppliers for their assistance in locating a newer firmware with hopes that it would overwrite / correct the permissions issues. After upgrading the firmware, the permissions issue persisted. Note that I could not run the firmware update via the GUI, I had to use the Dahua DVR Upgrade Tool Ver1.16 utility to push it to the device.

My next step was trying to again use telnet access to try and unlock the NVR. However, there was a new roadblock. The original firmware 2.608 allowed up to 8 character passwords, but the newer firmware 2.616 only allowed 6 character passwords. This made my 8 character password unusable. I could use the Dahua daily code to make changes in the NVR GUI, but these were not saved to the telnet level password list. So now I was locked out of telnet access.

My final attempt was to connect via RS232 and try to erase everything on the NVR and upload a complete firmware image. To do this, you will need a few programs, NCOM and a Cisco TFTP server app. NCOM allows you a CLI console to run commands. I was able to use the HELP command to find ERASECFG, which successfully cleared the permissions issue. I also used the NCOM/TFTP method to upload the complete Dahua firmware image (update.img).

I guess I am documenting this here in case others have a similar issue. To fend off this from happening again, we now are using a non-standard port externally forwarded to port 37777 in hopes that this will prevent its discovery by hackers again. This isn't a sure fire way to prevent future hacks, but it will surely take longer for them to find it.

NOTICE: This comment has been moved to its own discussion: How I Handled a Hacked Dahua NVR

This may be unrelated to this OP, but I had a client with a hacked Dahua NVR that I had to battle these past few weeks.

I swear it wasn't me. I'm all talk. Really.