ADI Hides Dahua Relabeled Capture Camera Critical Vulnerability [Now Issues Notification]
ADI's Dahua-relabeled Capture cameras are vulnerable to a critical vulnerability, IPVM has verified. However, ADI has not notified users nor posted instructions to patch them plus ADI management refused to respond to IPVM.
In this report, we examine the details of these vulnerabilities, proof of concept showing they are vulnerable, response from ADI management and tech support, and how relabeling impacts cybersecurity.
Update, more than 3 months after Dahua was informed and a month after Dahua disclosed publicly, ADI has issued a statement copied primarily from Dahua's statement:
ADI ******* ********
******* ** ***'* ****** "***** *****" of ************ *********, ******** ******* ** 2021, ********** ** ********* ***** ******* and ****, ******** ** *** ********* ******** ******** *****.
******* ** *** ********* *****'* *-*** *****, ****** **** ***** ***** **** line, ** ****.
Dahua ******** ************** ****** ***************
** ********* ** *** ****,*****'* ******** *************** (*** *** ******)*** ** *********:
...****** *** ***** *******. ********* *** bypass ****** ******** ************** ** ************ malicious **** *******.
*** *** *************** **** ******** ** how **** *** *********, *** *** conceptually *******.******' ********************* **** *******.
*** **** *** ****** **** *************** as *.*, ***** ** ******** ******** according ******** ************* ******* ****** (****) ** metrics(******-****-***********-****-*****).
ADI ******* ************* ***** ** *******
******, *** ********** *** ********** *** Dahua ******** ***************, *** ******** * proof-of-concept (************ ** ******) **** ****** ******* ******* *** vulnerable.
** *** ******* *****, ** *** the ****** ** ******* ** * Capture **-******** ****** ** *** *** network, **** *** "*******" ******* ****** indicating **** *** ****** ** **********. In **** ****, ***-****-***** ("***********" **** bypass) *** ****, ****** ******* *** similar ***** *** ******** *************.
*** ******* ****** **** ** **** example ** ******* ******** **.***.*******.*.*, ***** Date: ****-**-**.
** ********, ***-********** ******* ****** **** "Failed" **** ********** ** *** *** script, *.*., ** *** ******* **-**-**** firmware ** **** *******.
Low ********** ******** ********
******' ***** ** ******* **** *** further ******* *** *******, *** ***** this ************** ****** ** ****** ******** on *** ******, ******/****** *****, ** disable ** ******** ** *** ********** and ******** ******* *********** ****** *** even ********** ******* ******** *********.
No ************ ** ***************
***'* ******* ************ ** *********** ********* ***** ****** vulnerabilities, *** **** ** (** * purchaser ** ******* *******) ******** *** notification *** ***** ** *********. ** asked *** ** ************* **** **** or ********* ********, *** **** **** not ********* ** *** ******* *** comment.
ADI **** ******* *******
**** ** ********* *** **** *******, no ***** ** ***** ** **** aware **** ******* ******* **** ******** by ***** ***************. *******, **** ** asked ** ******* ******** *** *********, one **** ******* **** **** "***** it" *** **** **** ***** ***** the ****** ******** ** **, ***** we **** *** *** ********.
Firmware ******* *** ******
*** **** ******* **** **** **** are "******* **" ******* ******** ******, though *** *** **** * ******** for ********** ****. ** ** **********, the **** ******* *********** ********* *** Capture ** ***** ** *** ****** of*** *** ***** ****, ********** ****** ** * ******* form *** ***** ******.
No ******** **** ***
*** ********** *** *** ******* ** requests *** *******. **/**** **** *******, we **** ****** **** ******.
Trust *** ********
***** *************** *** *** ****** ** a **** ********* *** ** ***** *** *** product ***************, ***** ************ ********** ******* **** ****** ********* chips,************ ****** ********* ***** *******, *** *********"******** **" ** ***** ***** **** were ********** *** ***** ****** ******.
Relabeling ************* ****
******* *******' ************* *************** ********** *** of *** ***** ***** ** **********. Since ***'* ***** ** *** ********* in ***** ***** ***************, *** **** to ***** ***** ** **** *****, making ** **** ****** **** **** will ** ********* ** *********** ****** firmware *** ****** ***** ** ***** potential ******** *** *****.
*******, ** *** ****** **** ********** shown, ********** ***** ******* ** ********** devices ** ***** ** ***** **** them ********* ** **** ** *** public, ** *********** ******* **** **** used ** ****** **** *******,******* ********** **** ****** ******** ******* *******.
*** **** ** ***** ***********, ** should ** *******
** *** **** ********* ** ****, anymore? * ****, *** ****** **** are ********* **** **** **** ** vulnerability ******** ****'* ****** ***-**** ******** from ***, ******. *** *** ****** that ****'* ********* **** **** *** probably *** **** ************ *****-******** **** aren't ******* ****, ******, *** ******'* care **** **** ******* ****, ** they *** **** **. *** **** is **** ********** **** *** ** still ***. *'* *** *********, *** I **** **** *'* ******** ** the ********. ****** *** *** *******, though.
***, ***, * *** **** *******.
* ** ******* **** *** *** and ****** ** ****** **** ****.
*** ********* ** ****** *** **** of ********** ** *** ****"**** ** ************ ****** *** ******** security ** *** ****** ****** ** the ******** *** ****** ** ****** States *******" **** **** *.* *************** that **** **** *** *****.
*** ***** ** *** ***** ** ADI **** *** ****** *** ** held *********** *** ****?
** *** ********, * ** *** need ** ***** ****** ** *** to ******* **** ****** ** **** accountable. ** ** *****: * ***** ANYONE ********* ****** *** **** ** devices*** ** *** ****"**** ** ************ **** ** *** national ******** ** *** ****** ****** or *** ******** *** ****** ** United ****** *******" ****** ** **** accountable. ******* * ***** ****** ** them, ** ***.
** **** *****'* ******** ** **** ADI *** ******* ** **** **** of ********.
*** ******* * *** **** ** ********, ** *** ****** *** ******* responded, ****** **, **** *** ****** not *** **. ****....
******, *** *** *** ****** * notification, ******* ****** **** *****'*:
* ****** *** **** ** ** had ** ** **** **** *******.
** *** ** ********** *** *** OEM *** * ************* **** ****** be ******* ** *** *** **** through *** ***'* ******** (***, *** example, *** *** ****** *** *** OEM **), **** *** ********** *** a ************** ** *** **** ****** ASAP *** ***** *** ********.
**** *** * ******* *** ** when **** **** ****** *********. ** bought * ***** ** ***** *-*** IP ********* ***** *** **** ********* Hik ***, *** ** *** ***** uploading *** ******** *** ****** ***** just ****** ** ****** ** *** incompatible.
* ****** *** **** ** ** had ** ** **** **** *******.
** ******** ******* ** **** **'* 95% ****** ** **** ******* *** IPVM, *** ***** *% ** ** can ******** ** ****** ** ** PoC - *** ****'* **** ** main ****** *** ********* ******* ***.
** ***** *** **** ******** ** without ****** ***.
*** ****** *** ***** **** ********** updated *** ******** *** * ** think ** ******* ********* ** **** helped *** ***** (****** * ***'* see *** ****** ** *** *** did *** ****** ******** ****** ***** Dahua ******** ********* **** **** **** a ***** ***).
*** ******** ** ***** ******** *********, a ***** *****+ ** *************, *** at ** ********** ******. /*