Dahua Critical Cloud Vulnerabilities
Dahua has acknowledged a series of cloud vulnerabilities discovered by researcher Bashis. Separately, researcher Thomas Vogt found an additional vulnerability.
Dahua has had numerous vulnerabilities over the past few years, including the 2019 critical vulnerabilities that Vogt's team found and the 2017 backdoor that Bashis found. The company is also banned from US federal use under the NDAA on cybersecurity grounds.
Inside this report:
- A summary of the vulnerabilities
- The vulnerabilities explained
- A statement from Dahua
- OEMs Impacted
- Response from bashis
- Analysis from Refirm Labs
- Continued cybersecurity issues
- IPVM recommendations