1 Million Dahua Devices Exposed To Backdoor

Published Mar 22, 2017 11:59 AM

Statistics show that 1 million Dahua devices are publicly exposed and vulnerable to the Dahua backdoor.

Despite this, Dahua has downplayed the severity and obstructed public access to firmware for most affected devices.

In this report, we highlight how these devices were discovered, and which countries have the most Dahua product exposed to remote attack.

Locations ** ********** *******

**** * ******* ***** ******* ****** the ***** *** ********** **** *** public ********, ******** **** ** ******* potential, ********* ** * ***** *** a ******** **** ****** **** ** ***** products ** "*** ****** ******" ******

****** ***** **** ***,*** ******* ** both ***** *** *** **, ** well ** ***** ******* ** *******, Brazil, ***** *** ***** *********:

**** ****** *** ***** ******** *********' ********* ******** ** *** ***** Vulnerability*** *** ********* ** ******.

HTTPS, ****** ********* ** ****

* ***** ****** ** *** ******* are **** ********** *** *****, ********* ** shodan, ***** ********* ****** ** ********** of ***** ******* *** **** ********* to **** ***** ******** ***********:

*******, *** ** *** ****** ** this ********, ***** *****, ***-******** *****, or ****** ********* **** *** **** the ******* *** **** **********. *** device ******** ********** ** **** ** be ********* ** ** *** *** had * ******** *******.

Majority ** ******* **********

**** ******** * ****** ** ******* from *** ******* **** ** ****** and ****** **** **** ******' *****-**-******* tool. *** ******** ** ******* ****** all ********* **** **** ********* *** vulnerable ** *******. 

Dahua ******* ******

** ** **** ******, *****'* **** update ** ***** ** ************* **** [**** no ****** *********] *** ***** ***, **** [**** no ****** *********], ***** **** **** a ***** ** ** ******** ******. One ** *****'* ************* ***** [**** ** longer *********] ***** ** ******** ********. ** reality, ***** *** ******, ** *** hundreds, ** ***** ******** (*** ****) vulnerable ** **** ********.

*****'* ******** *** ***** ********* *** number ** ******** ********, **** ******** updates ***** ******** ** * ********** slow ****. ************, ***** ********, **** as ****, ** *** *** **** updated ******** *** ***** *** ********. The ****** ** * ***** ****** of ********* ***** ** ****, **** minimal ******* ** ******* **********.

Danger ** * ******* **********

**** * ******* ******* **********, **** is * **** ***** ****** *** a ****** ******** ** ***** ********* actor **** ***** ** ******* ******* or ****** *******. *** *******, *** Mirai ******, ***** ************* ********* *** ******** ** Fall **** **** * ******* ****** of *******. 

No *** ** ** **-******** *** ********* *** *****

****** *** ******* *** ** **-******* the ***** ** ******* ********** ********* for ***** *, ****, ****** *** risk ** ** **** ******* **********. However, ******* ****** ****** ****** *** already ******* *** ** ******* ***** ******* based ** **** ************* ** ** is ****** **** * ****** ** time ****** ***** ***** ******* **** up. 

***************

** **** ****** ** ** *** relatively ***** **** ** ******** **** updated ********, ** ********* ** ********* upgrade *** ***** *******.

*** ***** **** **** *** ******** an ****** **** *****, ** *** of ***** ****, *** **** ****** for *** ** ** ******* ****** access ** *** ****, ** ******** remote ****** **** ** *** ***** or ****** *** ** *********** ** addresses *** ***** ********* ******.

Comments (21)
EP
Eddie Perry
Mar 22, 2017

hrmmmmmmm.

1080p @ 30fps using H.264 ≈ 2 Mbps

2 Mbps × 1,000,000 = 2,000,000 Mbps = 2 Tbps

~2Tbps can really mess up some major services in the internet sphere including Netflix.

Right now there's a black hat in a basement with a really big smile thinking about this.

(4)
(2)
U
Undisclosed #3
Mar 22, 2017
IPVMU Certified

Uh, but these cameras may be already streaming on to the Internet without impact, no? And are likely limited by their upstream speed in any event.

Who are the clients requesting the new streams, other bots?

IMHO, the most damaging use is DDNS. It doesn't try to saturate the bandwidth of the internet, it just overwhelms DNS server capacity.

EP
Eddie Perry
Mar 22, 2017

Yes right now (Hopefully) they are streaming to multiple points as intended.

But if you had total control over all of them you could route them through specific routers (like home routers, business routers and ISP routers) going to other places, effectively blocking all other traffic trying to pass through those points.

How many routers have you seen that could handle 2 Tbps passing through them?

I doubt many ISP routers could handle it; even one for small cities could cause internet traffic to come to a crawl.

Of course I am talking about a worst-case scenario, but possible nonetheless.

JH
John Honovich
Mar 22, 2017
IPVM

Any idea how many of these devices using port forwarding? Certainly quite a lot.

Does this help anyone to change their mind on the wisdom / danger of using port forwarding? Related: Should You Use Port Forwarding?

(2)
UI
Undisclosed Integrator #1
Mar 22, 2017

It is my understanding that devices connected by P2P only are safe from this exploit since there is no way they can be directly connected to. Would that assumption be correct?

UE
Undisclosed End User #2
Mar 22, 2017

I wouldn't assume anything; better to try to verify that they are not. And also turn off UPnP on routers and Dahua devices.
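The advice above to turn UPnP off is easier to act on once you can see what UPnP has already opened. The following is an added example, not code from IPVM or from any commenter in this thread: it reads the standard UPnP IGD "WANIPConnection:1" service of a home or SOHO router and walks its port-mapping table with GetGenericPortMappingEntry, so a forward to a camera or NVR that nobody set up by hand shows up. It assumes the router implements that service and that you supply the router's device description URL (the example path `http://192.168.1.1:5000/rootDesc.xml` is illustrative; SSDP discovery of that URL is left out). The sample XML responses at the bottom are constructed for offline checking, not captured from a real router.

```python
"""List the port forwards a UPnP-enabled router has opened, so a camera or NVR
reachable from the Internet without anyone having set that up shows up.

Added example, not from IPVM or any commenter. Assumes a SOHO router with the
standard UPnP IGD "WANIPConnection:1" service; the description URL is an input.
"""
import re
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional
from urllib.parse import urljoin

WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
FIELDS = ["NewRemoteHost", "NewExternalPort", "NewProtocol", "NewInternalPort",
          "NewInternalClient", "NewEnabled", "NewPortMappingDescription"]


def control_url(description_xml: str, base_url: str) -> Optional[str]:
    """Find the controlURL of the WANIPConnection service in a device description."""
    for block in re.findall(r"<service>(.*?)</service>", description_xml, re.S):
        if WANIP in block:
            m = re.search(r"<controlURL>(.*?)</controlURL>", block, re.S)
            if m:
                return urljoin(base_url, m.group(1).strip())
    return None


def soap_get_mapping(control: str, index: int) -> str:
    """Call GetGenericPortMappingEntry for one table index; raises HTTPError past the end."""
    body = ('<?xml version="1.0"?><s:Envelope '
            'xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            f'<u:GetGenericPortMappingEntry xmlns:u="{WANIP}">'
            f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
            '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>')
    req = urllib.request.Request(control, data=body.encode(), headers={
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPAction": f'"{WANIP}#GetGenericPortMappingEntry"'})
    with urllib.request.urlopen(req, timeout=3) as resp:
        return resp.read().decode("utf-8", errors="replace")


def parse_mapping(soap_xml: str) -> Dict[str, str]:
    """Extract the mapping fields from a GetGenericPortMappingEntry response."""
    out: Dict[str, str] = {}
    for field in FIELDS:
        m = re.search(rf"<{field}>(.*?)</{field}>", soap_xml, re.S)
        out[field] = m.group(1).strip() if m else ""
    return out


def list_mappings(control: str,
                  fetch: Callable[[str, int], str] = soap_get_mapping) -> List[Dict[str, str]]:
    """Walk the table by index until the router rejects the index; `fetch` is injectable for offline use."""
    mappings: List[Dict[str, str]] = []
    index = 0
    while True:
        try:
            entry = parse_mapping(fetch(control, index))
        except urllib.error.HTTPError:  # SpecifiedArrayIndexInvalid arrives as HTTP 500
            break
        if not entry["NewExternalPort"]:  # a SOAP fault body carries no mapping fields
            break
        mappings.append(entry)
        index += 1
    return mappings


def describe(entry: Dict[str, str]) -> str:
    """One-line summary such as 'TCP 1080 -> 192.168.1.64:80 (IPC)'."""
    return (f"{entry['NewProtocol']} {entry['NewExternalPort']} -> "
            f"{entry['NewInternalClient']}:{entry['NewInternalPort']} "
            f"({entry['NewPortMappingDescription']})")


# Constructed sample responses (not captured from a real router) for offline checks.
SAMPLE_DESCRIPTION = (
    "<root><device><serviceList><service>"
    f"<serviceType>{WANIP}</serviceType>"
    "<controlURL>/ctl/IPConn</controlURL></service></serviceList></device></root>")
SAMPLE_MAPPING = (
    "<s:Envelope><s:Body><u:GetGenericPortMappingEntryResponse>"
    "<NewRemoteHost></NewRemoteHost><NewExternalPort>1080</NewExternalPort>"
    "<NewProtocol>TCP</NewProtocol><NewInternalPort>80</NewInternalPort>"
    "<NewInternalClient>192.168.1.64</NewInternalClient><NewEnabled>1</NewEnabled>"
    "<NewPortMappingDescription>IPC</NewPortMappingDescription>"
    "</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>")


if __name__ == "__main__":
    desc_url = sys.argv[1]  # e.g. http://192.168.1.1:5000/rootDesc.xml (path varies per router)
    with urllib.request.urlopen(desc_url, timeout=3) as resp:
        ctl = control_url(resp.read().decode("utf-8", errors="replace"), desc_url)
    if ctl is None:
        sys.exit("no WANIPConnection service found in " + desc_url)
    for entry in list_mappings(ctl):
        print(describe(entry))
```

Run it with the router's description URL as the only argument. Any entry whose internal client is a camera or NVR is an Internet-facing path to that device's web interface, whether or not anyone remembers creating it; Dahua's own UPnP client is one way such entries appear, which is why the comment above suggests disabling UPnP on both the router and the device.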

U
Undisclosed #3
Mar 22, 2017
IPVMU Certified

Are you sure those http and https numbers are not mostly the same hosts?  The numbers of 80/443 hosts are suspiciously close.

(1)
Brian Karas
Mar 22, 2017
IPVM

Some of the hosts had only HTTP, some had HTTPS only, and some had both.

There may be some overlap there, but I think they are primarily distinct. 

(1)
(2)
AH
Andrew Hogendijk
Mar 23, 2017

Wow John. Thanks for making my point for me. You are making a lot of claims here about 'too slow', hundreds of products, blah blah blah. Cite your sources.

(2)
km
koby mishal
Mar 23, 2017

Could someone please explain what the difference is between any other vendor's exposure and vulnerability to these kinds of attempts? All of the vendors allow external remote access, using Apple and Android apps and of course PC remote client access platforms, using HTTP and HTTPS to their devices.

So what is the so-called backdoor issue? Everyone within his organization/home should protect his own network by changing port numbers, default credentials (user and pass), firewall rules, and maybe use other remote access methods than port forwarding, using VPN: IPsec, GRE, SSL…

Is there actually any difference between Hikvision and Dahua and other vendors in the aspect of the remote access methods given to the end users?

I understand the backdoor as a cyber attempt in the first place related to these companies (Hik and Dah - sounds nice (: ), but what is the special attempt from the aspect of the network that is a general "network issue" for any other IP device in the world using HTTP and HTTPS... All IP devices around the world in this case have the same vulnerability.

So why mention these two all the time when speaking of general network issues?

Thanks,


JH
John Honovich
Mar 23, 2017
IPVM

Koby, the Dahua backdoor is so significant because:

  • It allows getting admin access regardless of how strong the device's admin password is. You mentioned changing default credentials. With this backdoor, even if you do change the defaults, an attacker can still get admin access to the device.
  • It is simple for an attacker to execute.
  • It works across numerous Dahua devices, both current and older.

A VPN would certainly be beneficial but the point of this 1 million figure is that the devices showing up on Shodan are not using a VPN and are publicly accessible.

More details in our original post / test results here - Dahua Backdoor Uncovered

(2)
U
Undisclosed #4
Mar 23, 2017

I'm not clear on something.  Upon setup, if the admin logs into a camera and changes the ports (80 to 1080 for example), then sets up port forwarding, could the vulnerability be used via the Internet to expose the camera's credentials?

I understand that cameras set to the default ports are vulnerable, as well as port forwarding schemes involving a custom port being forwarded to a default port (WAN port 1080 to LAN port 80 for example), but am not certain if the backdoor can be reached if the ports are changed on the actual camera.

To test a theory, we found that the new Dahua wifi NVR could not automatically detect a Dahua wifi camera via LAN or wifi after changing the camera's ports.  Was the backdoor vulnerability restricted to cameras set to port 80 as well?

Thanks in advance.

Brian Karas
Mar 23, 2017
IPVM

If your Dahua camera or NVR's web interface is remotely accessible on ANY port, and it is not running patched firmware, it is vulnerable.

Using non-standard ports may make the camera harder for a random IP scanner to find, but it does not remove the vulnerability from being there.


Kevin White
Mar 23, 2017
IPVMU Certified

Am I correct in my understanding that Tyco cameras are OEM from Dahua?

If so, are they infected?

Brian Karas
Mar 23, 2017
IPVM

Yes, Tyco does OEM at least some cameras from Dahua. Those cameras are likely vulnerable as well (infected implies they have non-manufacturer code installed, which is not the case with this backdoor, the code is Dahua's).


bm
bashis mcw
Mar 15, 2019

Still, after more than two years, there are more than 1 million devices vulnerable....

More than 1 million according to Shodan

https://www.shodan.io/search?query=P3P%3A+CP%3DCAO+PSA+OUR

More than 4 million according to ZoomEye

https://www.zoomeye.org/searchResult?q=%22P3P%3A%20CP%3DCAO%20PSA%20OUR%22

[sigh]


(3)
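The Shodan and ZoomEye queries above count devices by one response header, `P3P: CP=CAO PSA OUR`, which is how the 1 million figure in the article was reached. What follows is an added example, not code from IPVM, from bashis or from any other commenter: a small checker that runs the same fingerprint against an address you own, on a list of ports rather than just 80 and 443, since, as Brian Karas notes above, moving the web interface to a non-standard port hides it from casual scanners but does not remove the exposure. The port list and the 192.0.2.10 placeholder address are assumptions for the example; the two sample HTTP responses at the bottom are constructed, not captured from real devices. A hit means "Dahua web interface reachable here, check its firmware", not proof that the backdoor itself is still present.

```python
"""Check whether a host exposes a Dahua-style web interface on any port.

Added example, not code from IPVM or any commenter on this page. It uses the
same fingerprint as the Shodan/ZoomEye queries in the thread, a response
header "P3P: CP=CAO PSA OUR". That header identifies the Dahua web server;
it does not by itself prove the device still runs pre-patch firmware.
"""
import socket
import ssl
import sys
from typing import Callable, Dict, List, Tuple

# Header value the Shodan/ZoomEye queries on this page search for.
DAHUA_P3P = "CP=CAO PSA OUR"

# Ports to try: the defaults plus a few often used for port forwarding.
# The list is an assumption for this example; add whatever your site uses.
DEFAULT_PORTS: List[Tuple[int, bool]] = [
    (80, False), (8080, False), (8000, False), (443, True), (8443, True),
]


def parse_headers(raw: bytes) -> Dict[str, str]:
    """Split the header block of a raw HTTP response into a lower-cased dict."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:  # [1:] skips the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def looks_like_dahua(raw: bytes) -> bool:
    """True if the response carries the P3P value Shodan uses to count Dahua devices."""
    return DAHUA_P3P in parse_headers(raw).get("p3p", "")


def fetch_head(host: str, port: int, use_tls: bool, timeout: float = 3.0) -> bytes:
    """Send a minimal GET / and return the start of the raw response, headers included."""
    request = f"GET / HTTP/1.0\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        if use_tls:
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE  # cameras ship self-signed certs; we only want the banner
            sock = ctx.wrap_socket(sock, server_hostname=host)
        sock.sendall(request)
        buf = b""
        while b"\r\n\r\n" not in buf and len(buf) < 8192:
            chunk = sock.recv(2048)
            if not chunk:
                break
            buf += chunk
        return buf
    finally:
        sock.close()


def check_host(host: str,
               ports: List[Tuple[int, bool]] = DEFAULT_PORTS,
               fetch: Callable[[str, int, bool], bytes] = fetch_head,
               ) -> List[Tuple[int, bool, bool]]:
    """Probe each (port, tls) pair; return (port, tls, fingerprint_seen) per pair.

    Ports that refuse, time out or fail the TLS handshake count as not seen.
    `fetch` is injectable so the logic can be exercised without a network.
    """
    results: List[Tuple[int, bool, bool]] = []
    for port, use_tls in ports:
        try:
            hit = looks_like_dahua(fetch(host, port, use_tls))
        except (OSError, ssl.SSLError):
            hit = False
        results.append((port, use_tls, hit))
    return results


# Constructed sample responses (not captured from real devices) for offline checks.
SAMPLE_DAHUA = (b"HTTP/1.1 200 OK\r\n"
                b"Content-Type: text/html\r\n"
                b"P3P: CP=CAO PSA OUR\r\n"
                b"\r\n<html></html>")
SAMPLE_OTHER = b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # RFC 5737 documentation address
    for port, tls, hit in check_host(target):
        scheme = "https" if tls else "http"
        print(f"{scheme}://{target}:{port} -> {'Dahua web UI exposed' if hit else 'no fingerprint'}")
```

Point it at your own public address (or the WAN side of each site's router) and extend `DEFAULT_PORTS` with whatever forwards you actually configured; the check is only as complete as that list, which is exactly why the "changed the port" question earlier in the thread does not change the answer.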
U
Undisclosed #5
Mar 15, 2019

It's a slippery slope but wouldn't it be nice if we could legally "vaccinate" the internet and push out patches to fix insecure devices like this without the risk of imprisonment? Maybe some ISPs could identify broadly known vulnerabilities and if present on their subscribers' networks, block ports or at least notify the subscriber?

I'm reminded of the recent story where the government of Japan is planning to scan networks for vulnerabilities and notify owners of problems found.

bm
bashis mcw
Mar 15, 2019

I do not really agree with "vaccinating" the Internet, since then we would invade private property without permission.

This is more the result of a lack of proper information to the public from the manufacturer...

(1)
U
Undisclosed #5
Mar 15, 2019

I agree that to actually patch publicly accessible devices without notice/permission is crossing a line. But I can also see how having an infected, or easily infected device publicly accessible is making it easier for those devices to be used in nefarious ways which can potentially have negative effects on broad ranges of Internet users.

ISPs could help by having policies outlining the responsibility of the subscriber to maintain the security/integrity of the devices they expose to the internet through their service, and then blocking specific traffic to/from those customers identified as suffering a known vulnerability after first notifying them of the issue.

Just a thought - it's irritating that there can be such an incredible number of vulnerable devices out there (not just in our industry of course) and there's nothing to be done about it.

(1)
bm
bashis mcw
Mar 15, 2019

Totally agree with you...

U
Undisclosed #3
Mar 16, 2019
IPVMU Certified