Subscriber Discussion

Hacks Striking Old Dahua Units

Mick Brown
Sep 20, 2017

We are seeing a number of old Dahua units we sold in the UK being hacked yesterday and today.

Dahua helpful support is their old

These are in major fast food resellers,

with 20 going down in one retailer in an hour and 5 in another.

The Dahua virus epidemic has hit Dahua hard here.

Anybody experiencing this, let me know if you have a fix.

John Honovich
Sep 20, 2017
IPVM

A Greek Dahua dealer is reporting the same thing today: Hacked Dahua recorders. Greek market. Excerpt:

Many Dahua recorders [DVR, HCVR, XVR, NVR] with default ports & user codes, have also experienced wide spread hacking during last week.

THE MOST USUAL SYMPTOMS ARE:

- IP address changed to unknown.

- Black channels with no Dahua logo.

- Locked users.

Mick Brown
Sep 20, 2017

Dahua are saying any unit over three years they won't support.

This would affect 100000 units in the UK if they are online,

just on ones we sold.

Mick Brown
Sep 20, 2017

What annoys me is this serious cyber issue has been put off as propaganda by IPVM.

We could have potentially 100000 Dahua DVRs/NVRs to deal with, as it just seems to be an industry issue of fire and forget.

Undisclosed #1
Sep 20, 2017
IPVMU Certified

What annoys me is this serious cyber issue has been put off as propaganda by IPVM

What do you mean?

Mick Brown
Sep 20, 2017

Every time there is a discussion on hacking it's very quickly dismissed by all the Hik followers, distributors, integrators as just IPVM picking on Hikvision.

Undisclosed #1
Sep 20, 2017
IPVMU Certified

Every time there is a discussion on hacking it's very quickly dismissed by all the Hik followers, distributors, integrators as just IPVM picking on Hikvision

Actually Hik distributors would prefer Dahua hacking reports be more visible.

Shane Lott
Sep 20, 2017
IPVMU Certified

Hi IPVM,

I am an Australian Based integrator and saw this issue present itself with the very first unit that I installed, a 16ch HDCVI DVR.

Response I received from my supplier, a Dahua partner, was outstanding!

I had a firmware update emailed to me within the hour and on attending site, issue was resolved within an hour.

Had to update firmware, default unit, reset all passwords and recreate remote access credentials however it is now fixed.

Regards,

Shane

John Honovich
Sep 20, 2017
IPVM

Shane, how long ago was that issue? Recent or?

Michael Miller
Sep 20, 2017

Not sure if this is the same issue but I am seeing posts on some Facebook groups with people claiming hacked Dahua DVRs/NVRs today.

Shane Lott
Sep 21, 2017
IPVMU Certified

Hi John,

The issue was on an older version HDCVI 16 channel and my client advised me 1 week ago.

I immediately consulted my supplier and asked if there were any "known issues" with the "hacked" scenario, and they took a whole of 10min to call me back with advice on a firmware upgrade followed by factory default and then reset up of DVR.

I received the firmware via email, downloaded to USB, went to site and had the issue resolved in around a 3 hour same day turnaround.

Client appreciated the resolution from manufacturer to supplier and my support.

I have had outstanding support from my supplier and Dahua as a whole and cannot commend them enough.

Regards,

Shane Lott

Mick Brown
Sep 21, 2017

You must be one of the nicest installers on earth.

In the UK our installer wants compensation to go back to site.

They have already fitted a DVR/NVR

at a tight price, and then sending an engineer back to site costs money,

and Dahua/Hik expect it all to be done for free.

Mick Brown
Sep 21, 2017

You may not know how hard Dujiangyan tried to throw its old partners under the bus.

We get OEM SW; according to Dahua it's a cut-down modified version,

and the full version doesn't work on OEM DVRs,

so with a new version from Dahua, for us these DVRs have had it.

They also limited us to 1 year warranty and 3 years for brand.

In fact, when Dahua went brand in the UK, their brand partners couldn't tell customers fast enough they had the A grade firmware whereas we had the B grade.

Undisclosed #1
Sep 21, 2017
IPVMU Certified

You may not know how hard Dujiangyan tried to throw its old partners under the bus

Maybe it's water under the (Dujiangyan) bridge?

Mick Brown
Sep 20, 2017

I take it it's a new unit.

Apparently product from Dahua prior to 2016 doesn't qualify for support, so that equates to about 100k DVR/NVR for us.

It must be similar for large multinationals like FLIR, who own Lorex.

Where is their data on hacked DVRs?

They have corporate responsibility to declare it for shareholders.

Maybe IPVM could ask why they haven't.

John Honovich
Sep 21, 2017
IPVM

New (Sep 21st) report from Belgium:

We are facing in recent hours a major wave of piracy, on the DAHUA brand recorders.

This time we are facing a resurgence of these attacks since yesterday, 19 September.

That report claims the hacks are using the default passwords, but it is not clear if that distributor is even aware of the Dahua backdoor, which allows taking over the recorder even with a strong password.

Undisclosed Distributor #2
Sep 21, 2017

While I appreciate the huge security event occurring here, I am seeing that this is happening because they are still set to the default ports and login credentials.  Having worked in IT for 30 years, if someone breaches your system because you left everything involved with accessing it at its default value, the system is not at fault - YOU ARE.  This is not a "hack" this is exploiting unprofessional installers/end users who have not changed their login credentials.

If this is not the case and these systems are being accessed through non-standard means then I retract my accusation of fault, but not the definition of what it is to be "hacked".  It's like shouting "fire" in a crowded theater, it immediately inspires panic, but shout "flood" and nothing happens.

 

John Honovich
Sep 21, 2017
IPVM

I am seeing that this is happening because they are still set to the default ports and login credentials. 

There are easily hundreds of thousands of Dahua devices vulnerable to the backdoor.

So could some of these be a victim of default passwords? Sure. But the Dahua backdoor is a real security issue and to the extent that this is being exploited I think Dahua users should be somewhat panicked.

Undisclosed Distributor #2
Sep 21, 2017

Exactly why I appended the retraction if it was not the case of unchanged login credentials.

Undisclosed End User #3
Sep 22, 2017
John Honovich
Sep 22, 2017
IPVM

Good find #3! Thanks.

Quote from that:

There is a group of people hacking into Dahua DVRs all over the world, we are experiencing a lot here in Gujarat, what you need to do is disconnect your DVR from the network, do a complete factory default, add two new users and passwords, delete the admin user, change ports and upgrade your firmware before connecting it back to the internet.

Note: Gujarat is in India.

Undisclosed End User #3
Sep 22, 2017

More and more showing up in Google searches..

Visiotech: How to secure your Dahua recorders against Online Attacks

http://vlab.su/viewtopic.php?f=270&t=64841

CCTVForum: Hacked DVR--Dahua

John Honovich
Sep 23, 2017
IPVM

Update: we communicated with a number of Dahua customers whose recorders have been hacked and repeatedly they mention their camera labels being changed to 'Hacked 1', 'Hacked 2', etc. like so:

Undisclosed End User #3
Sep 23, 2017

https://blog.setik.biz/dahua-hacked-apparati-di-videosorveglianza-a-rischio/

/*

In the last few days, news of a huge hacker attack on the Italian network has blocked nearly 6,000 Dahua recording apps, only from our channel, over 800 calls between September 19 and 21, regarding Dahua Hackerati recorders.

*/

Mick Brown
Sep 23, 2017

There is a difference in firmware between OEM and Dahua brand.

OEM is a cut-down version, so an OEM Dahua DVR/NVR can't be fixed with updated Dahua firmware; Dahua themselves have to give the OEM updated firmware.

Rather than risk a costly return to site and then no fix,

take a new DVR/NVR along,

take out the old

unit's hard drive, put it in the new one,

and at least be sure

of a working product. Bare-bones DVR/NVR are inexpensive,

less than return visits.

Justin Gant
Sep 23, 2017
7PiXL

I stopped by one of our old customers today to look at his DVR, looks like the local only account 888888 was accessed via the internet. I’ve got the logs and will upload them when I get home. 

Undisclosed End User #3
Sep 23, 2017

From: https://github.com/mcw0/PoC/blob/master/dahua-backdoor-PoC.py

# 6) The admin account '888888' is claimed by Dahua to be limited for local login with 'monitor and mouse' only, and not from remote
# - However, that validation is done locally in users browser by 'loginEx.js', and has therefore no practical effect

 

Brian Karas
Sep 23, 2017
IPVM

So they are doing *client side* validation of determining if the user attempting to use the 8888888 account is local or not??

Undisclosed End User #3
Sep 23, 2017

Correct.

[....]

function loginWeb(a,b,c,d)
{
if(a=="888888")return-8;

[....]

Undisclosed #1
Sep 23, 2017
IPVMU Certified

function loginWeb(a,b,c,d)

Redundant front-end code, to provide a better error response, I'm hoping.

But I wouldn't be surprised if that was all that was guarding the store :(

Undisclosed End User #3
Sep 23, 2017

Not redundant code, that's the only piece of code to "prevent" user '888888' for logging in at older firmware versions.

Can easily be verified by looking into;

/js/login.js: function login()

/js/loginEx.js: function loginWeb()

 

 

Undisclosed #1
Sep 23, 2017
IPVMU Certified

Not redundant code, that's the only piece of code to "prevent" user '888888' for logging in at older firmware versions.

I just clicked on the github link.  Until then I didn't realize this was a bashis claim.  Then it must be so :)
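
Added example (not part of any post in this thread, and not Dahua firmware code): a browser-side gate shaped like the `loginWeb()` check quoted above, next to a login handler that trusts it and one that enforces the local-only rule on the device itself. Every function name, the `channel` values and the account store are hypothetical and constructed for illustration.

```javascript
// Added example: all names below are hypothetical, not taken from any firmware.
const LOCAL_ONLY = new Set(["888888"]);   // account the thread says is meant for local login
const ACCOUNTS = new Map([                // constructed stand-in for the device's user store
  ["888888", "constructed-local-pw"],
  ["operator", "constructed-remote-pw"],
]);

// Browser-side gate, same shape as the loginWeb() check quoted in the thread.
// It only runs in clients that load and execute this script.
function browserGate(user) {
  return LOCAL_ONLY.has(user) ? -8 : 0;
}

function credentialsOk(user, password) {
  return ACCOUNTS.has(user) && ACCOUNTS.get(user) === password;
}

// "Before": the device assumes the browser gate already ran.
function serverLoginTrustingClient(req) {
  return credentialsOk(req.user, req.password)
    ? { ok: true }
    : { ok: false, reason: "bad-credentials" };
}

// "After": the device decides from the channel it accepted the session on.
// `channel` is set by the server's own listener code, never read from the request.
// The local-only rule is checked first so a remote caller learns nothing about the password.
function serverLoginEnforced(req, channel) {
  if (LOCAL_ONLY.has(req.user) && channel !== "console") {
    return { ok: false, reason: "local-only-account" };
  }
  return credentialsOk(req.user, req.password)
    ? { ok: true }
    : { ok: false, reason: "bad-credentials" };
}

// A login that reaches the device over the network without the browser script in the path.
function compare() {
  const req = { user: "888888", password: "constructed-local-pw" };
  const operator = { user: "operator", password: "constructed-remote-pw" };
  return {
    browser: browserGate(req.user),
    trusting: serverLoginTrustingClient(req),
    enforcedNetwork: serverLoginEnforced(req, "network"),
    enforcedConsole: serverLoginEnforced(req, "console"),
    operatorNetwork: serverLoginEnforced(operator, "network"),
  };
}

console.log(compare());
```

The client-side return code and the server-side decision are independent: only the second handler still refuses the local-only account when the browser script is not involved.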

Mick Brown
Sep 24, 2017

Buy a shovel, dig a big hole, throw that toxic DVR in it.

Mick Brown
Sep 24, 2017

http://discovermagazine.com/~/media/Images/Issues/2015/jan-feb/ebola_waste.jpg

Michael Miller
Sep 25, 2017

A lot more chatter about this on some Facebook groups. This was in the last 4 hours. Some are mentioning Honeywell, GEN IV and ICRealtime systems further down the post.

Mick Brown
Sep 25, 2017

Dahua brand and OEM have different firmware.

All waiting on new firmware on OEM

from Dahua.

Our update, after severe pressure on Dahua, we may get Wednesday.

This has dragged on too long.

Dahua disowned all their old partners,

so best of luck getting Gen IV or IC Realtime firmware updates;

both were Dahua OEM.

Buy a shovel, bury that toxic DVR/NVR.

You can't keep going back to site.

Buy a new one.

Justin Gant
Sep 25, 2017
7PiXL

Here are the logs from one compromised NVR:

https://pastebin.com/pKEMdQJZ

 

 
