Dahua Trying, Struggling To Respond To Hacking Attacks

By Brian Karas, Published Oct 04, 2017, 12:42pm EDT

Now, 2 weeks since large-scale hacking attacks commenced against Dahua vulnerable devices, we analyze Dahua's response.

On the positive side, Dahua is clearly trying to respond, providing information and help to those impacted. However, Dahua is still struggling with a number of fundamental elements, including:

  • Unclear of what vulnerabilities is being used in the hacks
  • Unable to provide a complete list of models impacted
  • Releasing more firmware fixes but not certain that all models are covered
  • No post hacking dealer notice and misleading public statement
  • Delayed but improving OEM response

Cause ** ***** *******

***** ** ****** ** clearly ******* **** ************* is ***** **** ** *** hacks. *** *******, ***** cited ** **** ************* ***-****-****, *******, **** ****** only ***** ***** ** cameras ** ********, *** recorders *** ******* ***** hacked. Moreover, **** ****** ** anonymous, ********** *** *** filed by******, *** ********** *** Dahua ********.  ***** ***** ***** ** IPVM ***-**** ******** ****-**-***-** ***** ** *** ****** reported ********.

*** ******* ** **** Dahua *** ******** *************** that ***** ** **** here *** ***** ** not ***** ***** *** is.

  • *** ******** ******* ****** unauthenticated ******** ** * configuration **** ** *********, etc.
  • *** ****** ******* ***** has * ******* ******** of ******, *** *** admin-level ******, *** ** only ******** ** **** from *** ***** *******, not ********. *******, ****** indicated *** ****** *** easily ** ****** ** think *** ****** ***** the ****** ******* ** local **** **** *** really ******.

*** ****** ******* ** the **** ******** ***** element ** ******* ******* received, though ***** *** *** been ******** ** **** this ** *** ************* used. *******, ** *****'* only ****** *************, ***** cited ******* *********, ***** might ***** *** ****** account *** ***** ***** require * ************* ** it ***** ********* ********.

****** ***, *** **** remains **** ****** ***** does *** **** ****** or ****** ****** **** a ***** *********. *******, this *********** *** ******** of ****** ******** ******** vulnerabilities ** ***'* ********.

Impacted ******  / ******** *******

***** ***** ****** ******* a ******** **** ** models ********, ******* **** being * ******** **** of *** ********** ******* that ***** *********** **** made (*.*., ************ ********, ******* **** ******** ******** vulnerability, ***.). **** ** a ******* ******* ** makes ** **** *** users *** ******* ** understand ***** ****** *** impacted *** ***** *** not.

***** *** **** ** public **** ****** ***** *****, when * ******** ************ listed ** ******* ********** [link ** ****** *********]. Still, **** ************ **** "Part ** *** ********* product ****** *** ****** are ********", ****** ** unclear ** ***** ** a ******** ****** **** may ******* ** ******** affected ** ***:

******** ******** ** ***** for * **** **** of ******** ****** **** gone *****.

************, *****'* ******* **** not ******* ***** ******** versions ** *** ******** models *** **********. ***** need ** ***** **** a ***** ******** ******** location, **** **** ****** firmware *** ***** *****, then ********* ** **** need ** ******* ** not. ***** ******* *********** this ******* ** ****** multiple ******** ******** ********* (e.g.: *****'* ************* ******** Center [**** ** ****** available] vs.***** ***'* ****), *** ***** ***** country-specific ***-******.

**********, ***** ***** ** very *********** *** * user ** ****** ********* if ***** ******* ** impacted ** ***. ** contrast,********* ******** * ******* notification *** * ****** backdoor *************, ******* *** ******** models *** ******** ********, with ***-****** ******** ***** for *** ********.

Firmware ******* **** ***

***** ********* ***** ****** use *** ************* ******** ****** [link ** ****** *********] ** find ******* ********. ******** is ********* **** ****** to ******, *** ***** users *** ****** * specific ******* *****, **** as ***, ***, ***., there ** ** ****** / ****** ******** ** **** specific ******. 

******-********** ******** **** ***** does *** ***** ****** build *******, *.*** ******** may ** *** ****** build *** *** ******* line, ***** ****** **** be ** *.*** ** 3.21x. *** ***** **** large *********** ***/** ******** models, **** ***** ** difficult ** ********* ** units **** ** ** upgraded ******* ******** **** one ************ *** ****** firmware.

***** *** *** **** to ******* *** ******** firmware ******* **** ********** fixed *** *************. ** contrast, ********* *** **** to ******* *** **** ***** 5.4.5 *** ***** ******** fixes ** ***** ********, making ** ****** ** determine *************.

Notification ** ******* ** *******

***** *** *** ******** ******* ***** *** hacks *******, ***** ** a ******* ******* ***** dealers ******* ** **** by *** ****** **** timely ****** ** ****** update ******** ** ****** network ********, ***. ** mitigate ******* *******. ** contrast,*********, ****** **********, *** **** *** notifications.

***** ****** **** ******** dealers ** ***** ** the *************, **** ** email *** ** ***** call. ***** **** ******** notifications ******** ***** ** updated ******** (**: ***** March *, **** ******** Bulletin [**** ** ****** available]), ****** **** ******* ***** to **** ****** ********, and ** *** **** link ** * ******* firmware ********** (**: ******** ************ DHCC-201703-01 [**** ** ****** available]).

Misleading ************* ************

*****'* ***** ******* ********* ***** "Latest ************* ***********" [**** no ****** *********] ***** ** properly ******* *** *** this *************.

*** **** ***** ************ manufacturers ******** ** **** vulnerability ***** ** ***** OEMing ***** *********. **** statement ** ***** ******** to ***** **** ** a ******* ****** ** a ****** ** ********* companies, **** ** ** specific ** *****-************ ********.

*** ***-**** ******** **** Dahua ********** ***** ***** to **** ***** ** clear **** **** ** not **** *** ****** of ******* *********, ** Dahua's ************* ****** ********* to ********, *** ***, the ******** ** *** user, ******* ** ******.

*****'* ******** ** ******** this ************* ** ********* manufacturers *******, *** ***** users **** ******* *********, makes *** ******* ****** either **********, ** *********.

OEM ******

**** **** ********** ***** issues ******* ******** *****, however, **** *** **** week, ******* ******** **** Dahua *** ********, ********* more ******* *** **** older ****** ********. ******** in ********** ***** ******** ******* discussion **** ********* *** frustration **** **** ** getting ****** ********. ** **** ***** Dahua **** **** ******* up ** **** **** other, ********* ***** ** updated ******** **** ****** could *** **** **/*** it ******** **** *****.

Dahua ************ ** *************

** ******** ****** **** April **** *******, ***** has ***** ** ****-****** check, ***** ***** *** enable *** ********* ************, or ** * ****** check. **** ******** *** unit **** ******** ******.

***** *** **** ****** they **** ****** ** internal ************* ********* ** more ******** **** **** issues **** *****, *** to ***** **** ****** response ** *********, ***********, or ***** ************* ** cybersecurity ********.

*******

** *** ******** ****, Dahua *** ******* ***** that ** ** ****** to ******* *** ********** *********** and ***** ****** *** these ***************. ** *** negative ****, ***** ********** in ********** ***** ** fundamental ******** ** *** they **** ************ ********* firmware **** ***** ** hard *** **** ** rapidly *** ******* ******** issues *** ********** *****.

*** ******* **** **** signs ** ******* ******* resolving ***** ********. *******, since **** *** ****** a ******* ** ***** software *********** **********, ** could **** **** **** and *********** ******* ** resolve **** *****.

Comments (29)

Undisclosed Manufacturer #1

10/04/17 05:39pm

What a spectacular time to be working for Dahua.

Undisclosed Manufacturer #2

10/04/17 07:13pm

Could they be struggling with a full an comprehensive solution because a lot of their products are fed in to them by smaller manufacturers and they simply don't know which products are or will be affected until a vulnerability is disclosed? 

John Honovich

IPVM | In reply to Undisclosed Manufacturer #2 | 10/04/17 07:52pm

The fact that so many of their products are impacted implies they share some common (bad) firmware, rather than obtained through other smaller manufacturers.

As a point of reference, FLIR has released a full list of their Dahua OEMed products impacted, and that shows ~80 devices (cameras, DVRs, NVRs). Since FLIR only OEMs a subset of Dahua's portfolio, that indicates Dahua's total backdoored devices is in the hundreds of models.

The fact that, despite this, Dahua itself cannot get a clear list and take so long to get firmware fixes out implies development organizational issues.

Undisclosed End User #3

10/04/17 07:58pm

So, I think one of the questions now is what Dahua been up to the last 7 months?

John Honovich

IPVM | In reply to Undisclosed End User #3 | 10/04/17 08:08pm

what Dahua been up to the last 7 months?

Hoping the issue would have gone away is my best guess.

Undisclosed End User #3

In reply to John Honovich | 10/04/17 08:20pm

Guess the same

John Honovich

IPVM | In reply to Undisclosed End User #3 | 10/04/17 08:23pm

On the positive side, I do think the lessons learned from this will help them better prioritize responses to this in the future, now that they see there are actually real world issues to deal with. The cost and strain of Dahua having to deal with all these dealers and OEM partners over this has been significant.

Undisclosed End User #3

In reply to John Honovich | 10/04/17 08:29pm

Let's hope so, "lessons learned" seems usually to be archived into the trash can.

Undisclosed Manufacturer #6

In reply to Undisclosed End User #3 | 10/05/17 12:18pm

Dahua was talking to their big distributors in middle Europe and they recomend to upgrade all the devices which were produced after march 2017. This happen couple of months ago. Dahua new about this "bug"

The message was not spread correctly. 

And who will upgrade if everything is ok :)

Avatar

Sean Nelson

Nelly's Security
10/04/17 09:33pm

You know what would redeem Dahua in my books? Is if they opened up a hotline in which we can direct all of our customers to call Dahua so they can deal with the hack fixes. 

Robert Shih

Independent
In reply to Sean Nelson | 10/04/17 10:22pm

Are you sure you want any manufacturer to have access to your end users? Ever?

Avatar

Sean Nelson

Nelly's Security
In reply to Robert Shih | 10/04/17 10:24pm

For this time, you bet!!

If you are saying that in a concerned tone that they may sell direct to them. I can promise you that after working a week of fixing hacked DVR's that they will think twice.

Undisclosed #4

10/05/17 03:34am

Hacked is hacked. I do not know what to tell you dahua.

 

H A C K E D is H A C K E D ! ! !

 

Get your company together! 

Undisclosed End User #3

10/05/17 09:33am

Indeed confusion between CVE-2017-7253 and ICSA-17-124-02, as here Dahua refers to the incorrect report.

 

John Honovich

IPVM | In reply to Undisclosed End User #3 | 10/05/17 12:11pm

Indeed confusion between CVE-2017-7253 and ICSA-17-124-02, as here Dahua refers to the incorrect report.

Bashis, I believe part of the confusion / error is that Dahua's report there is from March 17th whereas ICSA-17-124-02 was not issued until May.

Do you know who reported CVE-2017-7253 or how it relates to your research? CVE-2017-7253 is short, anonymous and only claims IP cameras as vulnerable, so it is unclear.

Undisclosed End User #3

In reply to John Honovich | 10/05/17 01:00pm

Only thing I know, is that this was Dahua first post after my FD in March.

By Google the CVE, you will end up on "anonymous" Git (by following references).

This is not my Git, and I have not applied for CVE either.

 

Undisclosed #8

In reply to John Honovich | 10/05/17 02:44pm

Rhetorical question, but how do you know #3 is bashis?

Undisclosed #11

IPVMU Certified | In reply to Undisclosed #8 | 10/11/17 12:32am

Rhetorical question, but how do you know #3 is bashis?

John's a quick learner:

Undisclosed Manufacturer #5

10/05/17 12:03pm

Another annoying aspect about Dahua and most Chinese companies is the amount of national holidays they have throughout the year. 

While I respect they work hard but if the company is international (in Dahua's case) they should work in line with there markets and not close up shop completely. 

This week for example no-one in Dahua China is working! so if you happen to have a issue no-one is there to help properly and this is through there current hacking crisis!

Undisclosed Manufacturer #1

In reply to Undisclosed Manufacturer #5 | 10/05/17 12:11pm

So if the reactivity to their unending problems wasn’t already piss-poor, expect it to be piss-poorer.

Undisclosed Manufacturer #7

In reply to Undisclosed Manufacturer #5 | 10/05/17 02:38pm

They have to pay 300% for everyone working during the holiday and will end up with really unhappy employees.

After all the week of national holiday is the best time to be with family since their families also have the entire week off. For 2017 it is 8 days in total.

Undisclosed Manufacturer #5

In reply to Undisclosed Manufacturer #7 | 10/05/17 02:53pm

You could say that is the cost of operating a international business. 

I fully understand factories closing as they work 7 day weeks etc. but it shouldn't be the full operation. Most Dahua HQ employees in overseas operation don't work the weekend.

I don't think too many people in the west would accept if their supplier would just close up shop completely for 2 full weeks during the year. Also the way they handle the lead up to these national holidays is always rushed so the impact is much greater than the 2 weeks.

Undisclosed Manufacturer #10

In reply to Undisclosed Manufacturer #5 | 10/10/17 11:17pm

UM5 Yep super annoying. And the biggest issues always occur right at the beginning or in the middle of the Chinese New Year lol.

Undisclosed Distributor #9

10/05/17 03:56pm

This isn't a localized phenomenon, it's the entire country of china that basically shuts down during these holidays.  It's certainly a drastic interruption of normal business, rushing or delaying orders because of it.  I've also been told that for week long holidays like this, they will often times have a large percentage of the work force go home, often in other cities or to the countryside, and just won't come back.  So, after coming back from holiday, they have to hire new workers and train them which can take quite a while and further impact production.  I would say that leading up to these holidays and after them that it's a month long interruption of normal business.

Jay Hobdy

IPVMU Certified | In reply to Undisclosed Distributor #9 | 10/11/17 11:09am

Maybe they need their programmers to stay in the countryside and hire some new ones

Undisclosed Manufacturer #12

In reply to Jay Hobdy | 10/20/17 03:12am

Programmers are at a higher level pay and don't affect production, factory workers are the large workforce. They will often change to a new factory which pays more money, but this is only after the chinese new year because this is the time workers would have an annual bonus paid.

So with two months pay in the pocket, you have time to find another better-paid job because you get to pick and choose a better place which is desperate for factory staff.

 

$0.2

Robert Shih

Independent
10/27/17 02:32pm

FYI, Dahua engineers are in the Houston warehouse with us updating our entire stock of recorders for us as we speak. They have been here for the last 2 days. So it looks like they ARE trying.

John Honovich

IPVM | In reply to Robert Shih | 10/27/17 09:34pm

Dahua engineers are in the Houston warehouse with us updating our entire stock of recorders 

Robert, what firmware version are they updating to? What does that firmware version address or fix?

Robert Shih

Independent
In reply to John Honovich | 10/30/17 01:47pm

For recorders, the following:

  • General_HCVR7x04-4K_Eng_NP_V3.218.0000001.2.R.170808
  • General_HCVR7x08-4K_Eng_NP_V3.218.0000001.2.R.170808
  • General_NVR4XXX-4KS2_Eng_V3.215.0000000.1.R.170902
  • General_NVR5XXX-4K_Eng_V3.215.0000000.1.R.20170901
  • General_XVR5x04_Eng_NP_V3.218.0000001.2.R.170808
  • General_XVR5x08_Eng_NP_V3.218.0000001.2.R.170808
  • General_XVR5x16_Eng_NP_V3.218.0000001.2.R.170808
  • General_XVR7x16_Eng_NP_V3.218.0000001.2.R.170808

I do not think they are doing cameras.

These firmwares represent a new baseline enforcing much stricter security policies. I sent you an email with some release notes.

Read this IPVM report for free.

This article is part of IPVM's 6,738 reports, 909 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.

Already a member? Login here | Join now
Loading Related Reports