Dahua Trying, Struggling To Respond To Hacking Attacks

Published Oct 04, 2017 16:42 PM

Now, 2 weeks since large-scale hacking attacks commenced against vulnerable Dahua devices, we analyze Dahua's response.

On the positive side, Dahua is clearly trying to respond, providing information and help to those impacted. However, Dahua is still struggling with a number of fundamental elements, including:

  • Unclear which vulnerabilities are being used in the hacks
  • Unable to provide a complete list of models impacted
  • Releasing more firmware fixes but not certain that all models are covered
  • No post-hacking dealer notice and a misleading public statement
  • Delayed but improving OEM response

Cause ** ***** *******

***** ** ****** ** ******* ******* what ************* ** ***** **** ** *** hacks. *** *******, ***** ***** ** IPVM vulnerability ***-****-****, *******, **** ****** **** ***** Dahua ** ******* ** ********, *** recorders *** ******* ***** ******. ********, **** report ** *********, ********** *** *** filed by******, *** ********** *** ***** ********.  ***** ***** ***** ** **** ***-**** ******** ****-**-***-** ***** ** *** ****** ******** ********.

*** ******* ** **** ***** *** multiple *************** **** ***** ** **** here *** ***** ** *** ***** which *** **.

  • *** ******** ******* ****** *************** ******** of * ************* **** ** *********, etc.
  • *** ****** ******* ***** *** * default ******** ** ******, *** *** admin-level ******, *** ** **** ******** to **** **** *** ***** *******, not ********. *******, ****** ********* *** device *** ****** ** ****** ** think *** ****** ***** *** ****** account ** ***** **** **** *** really ******.

*** ****** ******* ** *** **** commonly ***** ******* ** ******* ******* received, though ***** *** *** **** ******** to **** **** ** *** ************* used. *******, ** *****'* **** ****** communication, ***** ***** ******* *********, ***** might ***** *** ****** ******* *** still ***** ******* * ************* ** it ***** ********* ********.

****** ***, *** **** ******* **** either ***** **** *** **** ****** or ****** ****** **** * ***** statement. *******, **** *********** *** ******** of ****** ******** ******** *************** ** one's ********.

Impacted ******  / ******** *******

***** ***** ****** ******* * ******** list ** ****** ********, ******* **** being * ******** **** ** *** disclosure ******* **** ***** *********** **** made (*.*., ************ ********, ******* **** ******** ******** *************, ***.). **** ** * ******* because ** ***** ** **** *** users *** ******* ** ********** ***** models *** ******** *** ***** *** not.

***** *** **** ** ****** **** ****** since *****, **** * ******** ************ listed ** ******* ********** [**** ** longer *********]. *****, **** ************ **** "Part ** *** ********* ******* ****** and ****** *** ********", ****** ** unclear ** ***** ** * ******** device **** *** ******* ** ******** affected ** ***:

******** ******** ** ***** *** * full **** ** ******** ****** **** gone *****.

************, *****'* ******* **** *** ******* which ******** ******** ** *** ******** models *** **********. ***** **** ** first **** * ***** ******** ******** location, **** **** ****** ******** *** their *****, **** ********* ** **** need ** ******* ** ***. ***** further *********** **** ******* ** ****** multiple ******** ******** ********* (*.*.: *****'* International ******** ****** [**** ** ****** available] vs.***** ***'* ****), *** ***** ***** *******-******** ***-******.

**********, ***** ***** ** **** *********** for * **** ** ****** ********* if ***** ******* ** ******** ** not. ** ********,********* ******** * ******* ************ *** a ****** ******** *************, ******* *** ******** ****** *** firmware ********, **** ***-****** ******** ***** for *** ********.

Firmware ******* **** ***

***** ********* ***** ****** *** *** ************* download ****** [**** ** ****** *********] ** find ******* ********. ******** ** ********* from ****** ** ******, *** ***** users *** ****** * ******** ******* group, **** ** ***, ***, ***., there ** ** ****** / ****** provided to **** ******** ******. 

******-********** ******** **** ***** **** *** share ****** ***** *******, *.*** ******** may ** *** ****** ***** *** one ******* ****, ***** ****** **** be ** *.*** ** *.***. *** users **** ***** *********** ***/** ******** models, **** ***** ** ********* ** determine ** ***** **** ** ** upgraded ******* ******** **** *** ************ for ****** ********.

***** *** *** **** ** ******* any ******** ******** ******* **** ********** fixed *** *************. ** ********, ********* was **** ** ******* *** **** ***** 5.4.5 *** ***** ******** ***** ** their ********, ****** ** ****** ** determine *************.

Notification ** ******* ** *******

***** *** *** ******** ******* ***** *** ***** *******, which ** * ******* ******* ***** dealers ******* ** **** ** *** giving **** ****** ****** ** ****** update ******** ** ****** ******* ********, etc. ** ******** ******* *******. ** contrast,*********, ****** **********, *** **** *** *************.

***** ****** **** ******** ******* ** March ** *** *************, **** ** email *** ** ***** ****. ***** some ******** ************* ******** ***** ** updated ******** (**: ***** ***** *, 2017 ******** ******** [**** ** ****** available]), ****** **** ******* ***** ** **** latest ********, *** ** *** **** link ** * ******* ******** ********** (ex: Security ************ ****-******-** [**** ** ****** available]).

Misleading ************* ************

*****'* ***** ******* ********* ***** "****** ************* Initiatives" [**** ** ****** *********] ***** ** properly ******* *** *** **** *************.

*** **** ***** ************ ************* ******** by **** ************* ***** ** ***** OEMing ***** *********. **** ********* ** Dahua ******** ** ***** **** ** a ******* ****** ** * ****** of ********* *********, **** ** ** specific ** *****-************ ********.

*** ***-**** ******** **** ***** ********** these ***** ** **** ***** ** clear **** **** ** *** **** the ****** ** ******* *********, ** Dahua's ************* ****** ********* ** ********, and ***, *** ******** ** *** user, ******* ** ******.

*****'* ******** ** ******** **** ************* as ********* ************* *******, *** ***** users **** ******* *********, ***** *** company ****** ****** **********, ** *********.

OEM ******

**** **** ********** ***** ****** ******* firmware *****, *******, **** *** **** week, ******* ******** **** ***** *** improved, ********* **** ******* *** **** older ****** ********. ******** ** ********** ***** ******** ******* ********** **** confusion *** *********** **** **** ** getting ****** ********. ** **** ***** ***** **** have ******* ** ** **** **** other, ********* ***** ** ******* ******** when ****** ***** *** **** **/*** it ******** **** *****.

Dahua ************ ** *************

** ******** ****** **** ***** **** forward, ***** *** ***** ** ****-****** check, ***** ***** *** ****** *** automatic ************, ** ** * ****** check. **** ******** *** **** **** internet ******.

***** *** **** ****** **** **** formed ** ******** ************* ********* ** more ******** **** **** ****** **** arise, *** ** ***** **** ****** response ** *********, ***********, ** ***** organizations ** ************* ********.

*******

** *** ******** ****, ***** *** clearly ***** **** ** ** ****** to ******* *** ********** *********** *** ***** needed *** ***** ***************. ** *** negative ****, ***** ********** ** ********** point ** *********** ******** ** *** they **** ************ ********* ******** **** makes ** **** *** **** ** rapidly *** ******* ******** ****** *** distribute *****.

*** ******* **** **** ***** ** working ******* ********* ***** ********. *******, since **** *** ****** * ******* of ***** ******** *********** **********, ** could **** **** **** *** *********** efforts ** ******* **** *****.

Comments (29)
Undisclosed #1
Oct 04, 2017

What a spectacular time to be working for Dahua.

(5)
Undisclosed Manufacturer #2
Oct 04, 2017

Could they be struggling with a full and comprehensive solution because a lot of their products are fed into them by smaller manufacturers and they simply don't know which products are or will be affected until a vulnerability is disclosed?

(1)
John Honovich
Oct 04, 2017
IPVM

The fact that so many of their products are impacted implies they share some common (bad) firmware, rather than obtained through other smaller manufacturers.

As a point of reference, FLIR has released a full list of their Dahua OEMed products impacted, and that shows ~80 devices (cameras, DVRs, NVRs). Since FLIR only OEMs a subset of Dahua's portfolio, that indicates Dahua's total backdoored devices is in the hundreds of models.

The fact that, despite this, Dahua itself cannot get a clear list and takes so long to get firmware fixes out implies development organizational issues.

(2)
(2)
Undisclosed End User #3
Oct 04, 2017

So, I think one of the questions now is what Dahua has been up to the last 7 months?

(1)
(1)
John Honovich
Oct 04, 2017
IPVM

what Dahua has been up to the last 7 months?

Hoping the issue would have gone away is my best guess.

(1)
(1)
Undisclosed End User #3
Oct 04, 2017

Guess the same

(1)
John Honovich
Oct 04, 2017
IPVM

On the positive side, I do think the lessons learned from this will help them better prioritize responses to this in the future, now that they see there are actually real world issues to deal with. The cost and strain of Dahua having to deal with all these dealers and OEM partners over this has been significant.

(1)
Undisclosed End User #3
Oct 04, 2017

Let's hope so, "lessons learned" seems usually to be archived into the trash can.

(1)
(1)
Undisclosed Manufacturer #6
Oct 05, 2017

Dahua was talking to their big distributors in middle Europe and they recommended upgrading all the devices which were produced after March 2017. This happened a couple of months ago. Dahua knew about this "bug".

The message was not spread correctly. 

And who will upgrade if everything is ok :)

(1)
Sean Nelson
Oct 04, 2017
Nelly's Security

You know what would redeem Dahua in my books? Is if they opened up a hotline in which we can direct all of our customers to call Dahua so they can deal with the hack fixes. 

(3)
(1)
Robert Shih
Oct 04, 2017
Independent

Are you sure you want any manufacturer to have access to your end users? Ever?

(2)
Sean Nelson
Oct 04, 2017
Nelly's Security

For this time, you bet!!

If you are saying that in a concerned tone, that they may sell direct to them, I can promise you that after working a week of fixing hacked DVRs, they will think twice.

(3)
(2)
Undisclosed #4
Oct 05, 2017

Hacked is hacked. I do not know what to tell you dahua.

 

H A C K E D is H A C K E D ! ! !

 

Get your company together! 

Undisclosed End User #3
Oct 05, 2017

Indeed confusion between CVE-2017-7253 and ICSA-17-124-02, as here Dahua refers to the incorrect report.

 

John Honovich
Oct 05, 2017
IPVM

Indeed confusion between CVE-2017-7253 and ICSA-17-124-02, as here Dahua refers to the incorrect report.

Bashis, I believe part of the confusion / error is that Dahua's report there is from March 17th whereas ICSA-17-124-02 was not issued until May.

Do you know who reported CVE-2017-7253 or how it relates to your research? CVE-2017-7253 is short, anonymous and only claims IP cameras as vulnerable, so it is unclear.

Undisclosed End User #3
Oct 05, 2017

Only thing I know, is that this was Dahua first post after my FD in March.

By Googling the CVE, you will end up on an "anonymous" Git (by following references).

This is not my Git, and I have not applied for CVE either.

 

Undisclosed #8
Oct 05, 2017

Rhetorical question, but how do you know #3 is bashis?

(2)
(3)
Undisclosed #11
Oct 11, 2017
IPVMU Certified

Rhetorical question, but how do you know #3 is bashis?

John's a quick learner:

(1)
(2)
Undisclosed Manufacturer #5
Oct 05, 2017

Another annoying aspect about Dahua and most Chinese companies is the amount of national holidays they have throughout the year. 

While I respect that they work hard, if the company is international (in Dahua's case) they should work in line with their markets and not close up shop completely.

This week for example no-one in Dahua China is working, so if you happen to have an issue no-one is there to help properly, and this is through their current hacking crisis!

(2)
(1)
(1)
Undisclosed #1
Oct 05, 2017

So if the reactivity to their unending problems wasn’t already piss-poor, expect it to be piss-poorer.

Undisclosed Manufacturer #7
Oct 05, 2017

They have to pay 300% for everyone working during the holiday and will end up with really unhappy employees.

After all, the week of national holiday is the best time to be with family since their families also have the entire week off. For 2017 it is 8 days in total.

(1)
Undisclosed Manufacturer #5
Oct 05, 2017

You could say that is the cost of operating an international business.

I fully understand factories closing as they work 7-day weeks etc., but it shouldn't be the full operation. Most Dahua HQ employees in overseas operations don't work the weekend.

I don't think too many people in the west would accept it if their supplier would just close up shop completely for 2 full weeks during the year. Also, the way they handle the lead-up to these national holidays is always rushed, so the impact is much greater than the 2 weeks.

(1)
(1)
Undisclosed Manufacturer #10
Oct 10, 2017

UM5 Yep super annoying. And the biggest issues always occur right at the beginning or in the middle of the Chinese New Year lol.

(1)
Undisclosed Distributor #9
Oct 05, 2017

This isn't a localized phenomenon, it's the entire country of China that basically shuts down during these holidays. It's certainly a drastic interruption of normal business, rushing or delaying orders because of it. I've also been told that for week-long holidays like this, they will oftentimes have a large percentage of the work force go home, often to other cities or to the countryside, and just won't come back. So, after coming back from holiday, they have to hire new workers and train them, which can take quite a while and further impact production. I would say that leading up to these holidays and after them it's a month-long interruption of normal business.

(1)
Jay Hobdy
Oct 11, 2017
IPVMU Certified

Maybe they need their programmers to stay in the countryside and hire some new ones

(1)
Undisclosed Manufacturer #12
Oct 20, 2017

Programmers are at a higher pay level and don't affect production; factory workers are the large workforce. They will often change to a new factory which pays more money, but this is only after the Chinese New Year because this is the time workers would have an annual bonus paid.

So with two months pay in the pocket, you have time to find another better-paid job because you get to pick and choose a better place which is desperate for factory staff.

 

$0.2

Robert Shih
Oct 27, 2017
Independent

FYI, Dahua engineers are in the Houston warehouse with us updating our entire stock of recorders for us as we speak. They have been here for the last 2 days. So it looks like they ARE trying.

(3)
(1)
John Honovich
Oct 27, 2017
IPVM

Dahua engineers are in the Houston warehouse with us updating our entire stock of recorders 

Robert, what firmware version are they updating to? What does that firmware version address or fix?

Robert Shih
Oct 30, 2017
Independent

For recorders, the following:

  • General_HCVR7x04-4K_Eng_NP_V3.218.0000001.2.R.170808
  • General_HCVR7x08-4K_Eng_NP_V3.218.0000001.2.R.170808
  • General_NVR4XXX-4KS2_Eng_V3.215.0000000.1.R.170902
  • General_NVR5XXX-4K_Eng_V3.215.0000000.1.R.20170901
  • General_XVR5x04_Eng_NP_V3.218.0000001.2.R.170808
  • General_XVR5x08_Eng_NP_V3.218.0000001.2.R.170808
  • General_XVR5x16_Eng_NP_V3.218.0000001.2.R.170808
  • General_XVR7x16_Eng_NP_V3.218.0000001.2.R.170808

I do not think they are doing cameras.

These firmwares represent a new baseline enforcing much stricter security policies. I sent you an email with some release notes.
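As an added example (not code from the article, from Dahua, or from the commenter), a small Python check that compares a recorder inventory against the eight baseline firmware names listed above. The file-name layout, the reading of an 'x'/'X' after a digit as a model-number wildcard, and the expansion of six-digit build dates to 20YY are assumptions inferred only from those names; the sample inventory used in the usage note is constructed.

```python
import re

# Baseline recorder firmware names as listed in the comment above (page data, not mine).
BASELINE_FIRMWARE = [
    "General_HCVR7x04-4K_Eng_NP_V3.218.0000001.2.R.170808",
    "General_HCVR7x08-4K_Eng_NP_V3.218.0000001.2.R.170808",
    "General_NVR4XXX-4KS2_Eng_V3.215.0000000.1.R.170902",
    "General_NVR5XXX-4K_Eng_V3.215.0000000.1.R.20170901",
    "General_XVR5x04_Eng_NP_V3.218.0000001.2.R.170808",
    "General_XVR5x08_Eng_NP_V3.218.0000001.2.R.170808",
    "General_XVR5x16_Eng_NP_V3.218.0000001.2.R.170808",
    "General_XVR7x16_Eng_NP_V3.218.0000001.2.R.170808",
]

# Assumed layout, inferred only from the eight names above: General_<family>_Eng[_NP]_V<version>.R.<build date>
# The build date is written as either YYMMDD or YYYYMMDD in that list, so both forms are accepted.
_NAME_RE = re.compile(r"^General_(?P<family>[^_]+)_Eng(?:_NP)?_V(?P<version>[\d.]+)\.R\.(?P<date>\d{6}|\d{8})$")

def parse_firmware_name(name):
    """Return (family, version tuple, ISO build date), or None if the name does not fit the assumed layout."""
    m = _NAME_RE.match(name)
    if not m:
        return None
    version = tuple(int(part) for part in m.group("version").split("."))
    date = m.group("date")
    if len(date) == 6:  # assumption: a six-digit build date is YYMMDD in the 2000s
        date = "20" + date
    return m.group("family"), version, f"{date[:4]}-{date[4:6]}-{date[6:]}"

def family_matches(family, model):
    """Assumption: an 'x'/'X' that follows a digit stands for one digit of the concrete model number."""
    regex, prev, prev_wild = "", "", False
    for ch in family:
        wild = ch in "xX" and (prev.isdigit() or prev_wild)
        regex += r"\d" if wild else re.escape(ch)
        prev, prev_wild = ch, wild
    return re.fullmatch(regex, model) is not None

def check_inventory(devices, baseline=BASELINE_FIRMWARE):
    """Classify each (model, running version) pair as 'ok', 'needs_update' or 'no_baseline'."""
    parsed = [p for p in map(parse_firmware_name, baseline) if p]
    status = {}
    for model, running in devices:
        running_v = tuple(int(part) for part in running.split("."))
        required = [p[1] for p in parsed if family_matches(p[0], model)]
        if not required:
            status[model] = "no_baseline"  # e.g. cameras, which the comment says are not being done
        else:
            status[model] = "ok" if running_v >= max(required) else "needs_update"
    return status
```

Running `check_inventory([("NVR4216-4KS2", "3.210.0000000.0")])` on that constructed model and version returns `needs_update`, because the NVR4XXX-4KS2 baseline requires 3.215.0000000.1.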