ADI Hides Dahua Relabeled Capture Camera Critical Vulnerability [Now Issues Notification]

Rob Kilpatrick and Ethan Ace
Published Oct 08, 2021 13:12 PM

ADI's Dahua-relabeled Capture cameras carry a critical vulnerability, IPVM has verified. However, ADI has neither notified users nor posted instructions for patching them, and ADI management refused to respond to IPVM.

IPVM Image

In this report, we examine the details of these vulnerabilities, a proof of concept showing that the cameras are vulnerable, the responses from ADI management and tech support, and how relabeling impacts cybersecurity.

Update: more than three months after Dahua was informed, and a month after Dahua disclosed publicly, ADI has issued a statement copied primarily from Dahua's statement:

IPVM Image

ADI ******* ********

******* ** ***'* ****** "***** *****" of ************ *********, ******** ******* ** 2021, ********** ** ********* ***** ******* and ****, ******** ** *** ********* ******** ******** *****.

******* ** *** ********* *****'* *-*** *****, ****** **** ***** ***** **** line, ** ****.

Dahua ******** ************** ****** ***************

** ********* ** *** ****,*****'* ******** *************** (*** *** ******)*** ** *********:

...****** *** ***** *******. ********* *** bypass ****** ******** ************** ** ************ malicious **** *******.

*** *** *************** **** ******** ** how **** *** *********, *** *** conceptually *******.******' ********************* **** *******.

*** **** *** ****** **** *************** as *.*, ***** ** ******** ******** according ******** ************* ******* ****** (****) ** metrics(******-****-***********-****-*****).

ADI ******* ************* ***** ** *******

******, *** ********** *** ********** *** Dahua ******** ***************, *** ******** * proof-of-concept (************ ** ******) **** ****** ******* ******* *** vulnerable.

** *** ******* *****, ** *** the ****** ** ******* ** * Capture **-******** ****** ** *** *** network, **** *** "*******" ******* ****** indicating **** *** ****** ** **********. In **** ****, ***-****-***** ("***********" **** bypass) *** ****, ****** ******* *** similar ***** *** ******** *************.

IPVM Image

*** ******* ****** **** ** **** example ** ******* ******** **.***.*******.*.*, ***** Date: ****-**-**.

** ********, ***-********** ******* ****** **** "Failed" **** ********** ** *** *** script, *.*., ** *** ******* **-**-**** firmware ** **** *******.

IPVM Image

Low ********** ******** ********

******' ***** ** ******* **** *** further ******* *** *******, *** ***** this ************** ****** ** ****** ******** on *** ******, ******/****** *****, ** disable ** ******** ** *** ********** and ******** ******* *********** ****** *** even ********** ******* ******** *********.

No ************ ** ***************

***'* ******* ************ ** *********** ********* ***** ****** vulnerabilities, *** **** ** (** * purchaser ** ******* *******) ******** *** notification *** ***** ** *********. ** asked *** ** ************* **** **** or ********* ********, *** **** **** not ********* ** *** ******* *** comment.

ADI **** ******* *******

**** ** ********* *** **** *******, no ***** ** ***** ** **** aware **** ******* ******* **** ******** by ***** ***************. *******, **** ** asked ** ******* ******** *** *********, one **** ******* **** **** "***** it" *** **** **** ***** ***** the ****** ******** ** **, ***** we **** *** *** ********.

Firmware ******* *** ******

*** **** ******* **** **** **** are "******* **" ******* ******** ******, though *** *** **** * ******** for ********** ****. ** ** **********, the **** ******* *********** ********* *** Capture ** ***** ** *** ****** of*** *** ***** ****, ********** ****** ** * ******* form *** ***** ******.

No ******** **** ***

*** ********** *** *** ******* ** requests *** *******. **/**** **** *******, we **** ****** **** ******.

Trust *** ********

***** *************** *** *** ****** ** a **** ********* *** ** ***** *** *** product ***************, ***** ************ ********** ******* **** ****** ********* chips,************ ****** ********* ***** *******, *** *********"******** **" ** ***** ***** **** were ********** *** ***** ****** ******.

Relabeling ************* ****

******* *******' ************* *************** ********** *** of *** ***** ***** ** **********. Since ***'* ***** ** *** ********* in ***** ***** ***************, *** **** to ***** ***** ** **** *****, making ** **** ****** **** **** will ** ********* ** *********** ****** firmware *** ****** ***** ** ***** potential ******** *** *****.

*******, ** *** ****** **** ********** shown, ********** ***** ******* ** ********** devices ** ***** ** ***** **** them ********* ** **** ** *** public, ** *********** ******* **** **** used ** ****** **** *******,******* ********** **** ****** ******** ******* *******.

Comments (11)
AM
Andrew Myers
Oct 08, 2021

IPVM Image

UD
Undisclosed Distributor #1
Oct 08, 2021

*** **** ** ***** ***********, ** should ** *******

UI
Undisclosed Integrator #2
Oct 11, 2021

** *** **** ********* ** ****, anymore? * ****, *** ****** **** are ********* **** **** **** ** vulnerability ******** ****'* ****** ***-**** ******** from ***, ******. *** *** ****** that ****'* ********* **** **** *** probably *** **** ************ *****-******** **** aren't ******* ****, ******, *** ******'* care **** **** ******* ****, ** they *** **** **. *** **** is **** ********** **** *** ** still ***. *'* *** *********, *** I **** **** *'* ******** ** the ********. ****** *** *** *******, though.

JH
John Honovich
Oct 11, 2021
IPVM

***, ***, * *** **** *******.

* ** ******* **** *** *** and ****** ** ****** **** ****.

*** ********* ** ****** *** **** of ********** ** *** ****"**** ** ************ ****** *** ******** security ** *** ****** ****** ** the ******** *** ****** ** ****** States *******" **** **** *.* *************** that **** **** *** *****.

*** ***** ** *** ***** ** ADI **** *** ****** *** ** held *********** *** ****?

UI
Undisclosed Integrator #2
Oct 11, 2021

** *** ********, * ** *** need ** ***** ****** ** *** to ******* **** ****** ** **** accountable. ** ** *****: * ***** ANYONE ********* ****** *** **** ** devices*** ** *** ****"**** ** ************ **** ** *** national ******** ** *** ****** ****** or *** ******** *** ****** ** United ****** *******" ****** ** **** accountable. ******* * ***** ****** ** them, ** ***.

** **** *****'* ******** ** **** ADI *** ******* ** **** **** of ********.

JH
John Honovich
Oct 11, 2021
IPVM

*** ******* * *** **** ** ********, ** *** ****** *** ******* responded, ****** **, **** *** ****** not *** **. ****....

IPVM Image

JH
John Honovich
Oct 13, 2021
IPVM

******, *** *** *** ****** * notification, ******* ****** **** *****'*:

IPVM Image

UI
Undisclosed Integrator #3
Oct 13, 2021

* ****** *** **** ** ** had ** ** **** **** *******.

** *** ** ********** *** *** OEM *** * ************* **** ****** be ******* ** *** *** **** through *** ***'* ******** (***, *** example, *** *** ****** *** *** OEM **), **** *** ********** *** a ************** ** *** **** ****** ASAP *** ***** *** ********.

**** *** * ******* *** ** when **** **** ****** *********. ** bought * ***** ** ***** *-*** IP ********* ***** *** **** ********* Hik ***, *** ** *** ***** uploading *** ******** *** ****** ***** just ****** ** ****** ** *** incompatible.

bm
bashis mcw
Oct 13, 2021

* ****** *** **** ** ** had ** ** **** **** *******.

** ******** ******* ** **** **'* 95% ****** ** **** ******* *** IPVM, *** ***** *% ** ** can ******** ** ****** ** ** PoC - *** ****'* **** ** main ****** *** ********* ******* ***.

JH
John Honovich
Oct 13, 2021
IPVM

** ***** *** **** ******** ** without ****** ***.

*** ****** *** ***** **** ********** updated *** ******** *** * ** think ** ******* ********* ** **** helped *** ***** (****** * ***'* see *** ****** ** *** *** did *** ****** ******** ****** ***** Dahua ******** ********* **** **** **** a ***** ***).

UD
Undisclosed Distributor #1
Oct 13, 2021

*** ******** ** ***** ******** *********, a ***** *****+ ** *************, *** at ** ********** ******. /*
