Dahua Trying, Struggling To Respond To Hacking Attacks

By Brian Karas, Published Oct 04, 2017, 12:42pm EDT

Now, 2 weeks after large-scale hacking attacks commenced against vulnerable Dahua devices, we analyze Dahua's response.

On the positive side, Dahua is clearly trying to respond, providing information and help to those impacted. However, Dahua is still struggling with a number of fundamental elements, including:

  • Unclear which vulnerabilities are being used in the hacks
  • Unable to provide a complete list of models impacted
  • Releasing more firmware fixes but not certain that all models are covered
  • No post-hacking dealer notice and misleading public statement
  • Delayed but improving OEM response

Cause ** ***** *******

***** ** ****** ** clearly ******* **** ************* is ***** **** ** *** hacks. *** *******, ***** cited ** **** ************* ***-****-****, *******, **** ****** only ***** ***** ** cameras ** ********, *** recorders *** ******* ***** hacked. Moreover, **** ****** ** anonymous, ********** *** *** filed by******, *** ********** *** Dahua ********.  ***** ***** ***** ** IPVM ***-**** ******** ****-**-***-** ***** ** *** ****** reported ********.

*** ******* ** **** Dahua *** ******** *************** that ***** ** **** here *** ***** ** not ***** ***** *** is.

  • *** ******** ******* ****** unauthenticated ******** ** * configuration **** ** *********, etc.
  • *** ****** ******* ***** has * ******* ******** of ******, *** *** admin-level ******, *** ** only ******** ** **** from *** ***** *******, not ********. *******, ****** indicated *** ****** *** easily ** ****** ** think *** ****** ***** the ****** ******* ** local **** **** *** really ******.

*** ****** ******* ** the **** ******** ***** element ** ******* ******* received, though ***** *** *** been ******** ** **** this ** *** ************* used. *******, ** *****'* only ****** *************, ***** cited ******* *********, ***** might ***** *** ****** account *** ***** ***** require * ************* ** it ***** ********* ********.

****** ***, *** **** remains **** ****** ***** does *** **** ****** or ****** ****** **** a ***** *********. *******, this *********** *** ******** of ****** ******** ******** vulnerabilities ** ***'* ********.

Impacted ******  / ******** *******

***** ***** ****** ******* a ******** **** ** models ********, ******* **** being * ******** **** of *** ********** ******* that ***** *********** **** made (*.*., ************ ********, ******* **** ******** ******** vulnerability, ***.). **** ** a ******* ******* ** makes ** **** *** users *** ******* ** understand ***** ****** *** impacted *** ***** *** not.

***** *** **** ** public **** ****** ***** *****, when * ******** ************ listed ** ******* ********** [link ** ****** *********]. Still, **** ************ **** "Part ** *** ********* product ****** *** ****** are ********", ****** ** unclear ** ***** ** a ******** ****** **** may ******* ** ******** affected ** ***:

******** ******** ** ***** for * **** **** of ******** ****** **** gone *****.

************, *****'* ******* **** not ******* ***** ******** versions ** *** ******** models *** **********. ***** need ** ***** **** a ***** ******** ******** location, **** **** ****** firmware *** ***** *****, then ********* ** **** need ** ******* ** not. ***** ******* *********** this ******* ** ****** multiple ******** ******** ********* (e.g.: *****'* ************* ******** Center [**** ** ****** available] vs.***** ***'* ****), *** ***** ***** country-specific ***-******.

**********, ***** ***** ** very *********** *** * user ** ****** ********* if ***** ******* ** impacted ** ***. ** contrast,********* ******** * ******* notification *** * ****** backdoor *************, ******* *** ******** models *** ******** ********, with ***-****** ******** ***** for *** ********.

Firmware ******* **** ***

***** ********* ***** ****** use *** ************* ******** ****** [link ** ****** *********] ** find ******* ********. ******** is ********* **** ****** to ******, *** ***** users *** ****** * specific ******* *****, **** as ***, ***, ***., there ** ** ****** / ****** ******** ** **** specific ******. 

******-********** ******** **** ***** does *** ***** ****** build *******, *.*** ******** may ** *** ****** build *** *** ******* line, ***** ****** **** be ** *.*** ** 3.21x. *** ***** **** large *********** ***/** ******** models, **** ***** ** difficult ** ********* ** units **** ** ** upgraded ******* ******** **** one ************ *** ****** firmware.

***** *** *** **** to ******* *** ******** firmware ******* **** ********** fixed *** *************. ** contrast, ********* *** **** to ******* *** **** ***** 5.4.5 *** ***** ******** fixes ** ***** ********, making ** ****** ** determine *************.

Notification ** ******* ** *******

***** *** *** ******** ******* ***** *** hacks *******, ***** ** a ******* ******* ***** dealers ******* ** **** by *** ****** **** timely ****** ** ****** update ******** ** ****** network ********, ***. ** mitigate ******* *******. ** contrast,*********, ****** **********, *** **** *** notifications.

***** ****** **** ******** dealers ** ***** ** the *************, **** ** email *** ** ***** call. ***** **** ******** notifications ******** ***** ** updated ******** (**: ***** March *, **** ******** Bulletin [**** ** ****** available]), ****** **** ******* ***** to **** ****** ********, and ** *** **** link ** * ******* firmware ********** (**: ******** ************ DHCC-201703-01 [**** ** ****** available]).

Misleading ************* ************

*****'* ***** ******* ********* ***** "Latest ************* ***********" [**** no ****** *********] ***** ** properly ******* *** *** this *************.

*** **** ***** ************ manufacturers ******** ** **** vulnerability ***** ** ***** OEMing ***** *********. **** statement ** ***** ******** to ***** **** ** a ******* ****** ** a ****** ** ********* companies, **** ** ** specific ** *****-************ ********.

*** ***-**** ******** **** Dahua ********** ***** ***** to **** ***** ** clear **** **** ** not **** *** ****** of ******* *********, ** Dahua's ************* ****** ********* to ********, *** ***, the ******** ** *** user, ******* ** ******.

*****'* ******** ** ******** this ************* ** ********* manufacturers *******, *** ***** users **** ******* *********, makes *** ******* ****** either **********, ** *********.

OEM ******

**** **** ********** ***** issues ******* ******** *****, however, **** *** **** week, ******* ******** **** Dahua *** ********, ********* more ******* *** **** older ****** ********. ******** in ********** ***** ******** ******* discussion **** ********* *** frustration **** **** ** getting ****** ********. ** **** ***** Dahua **** **** ******* up ** **** **** other, ********* ***** ** updated ******** **** ****** could *** **** **/*** it ******** **** *****.

Dahua ************ ** *************

** ******** ****** **** April **** *******, ***** has ***** ** ****-****** check, ***** ***** *** enable *** ********* ************, or ** * ****** check. **** ******** *** unit **** ******** ******.

***** *** **** ****** they **** ****** ** internal ************* ********* ** more ******** **** **** issues **** *****, *** to ***** **** ****** response ** *********, ***********, or ***** ************* ** cybersecurity ********.

*******

** *** ******** ****, Dahua *** ******* ***** that ** ** ****** to ******* *** ********** *********** and ***** ****** *** these ***************. ** *** negative ****, ***** ********** in ********** ***** ** fundamental ******** ** *** they **** ************ ********* firmware **** ***** ** hard *** **** ** rapidly *** ******* ******** issues *** ********** *****.

*** ******* **** **** signs ** ******* ******* resolving ***** ********. *******, since **** *** ****** a ******* ** ***** software *********** **********, ** could **** **** **** and *********** ******* ** resolve **** *****.

Comments (29)

What a spectacular time to be working for Dahua.

Agree
Disagree
Informative
Unhelpful
Funny: 5

Could they be struggling with a full and comprehensive solution because a lot of their products are fed in to them by smaller manufacturers and they simply don't know which products are or will be affected until a vulnerability is disclosed?

Agree
Disagree: 1
Informative
Unhelpful
Funny

The fact that so many of their products are impacted implies they share some common (bad) firmware, rather than obtained through other smaller manufacturers.

As a point of reference, FLIR has released a full list of their Dahua OEMed products impacted, and that shows ~80 devices (cameras, DVRs, NVRs). Since FLIR only OEMs a subset of Dahua's portfolio, that indicates Dahua's total backdoored devices is in the hundreds of models.

The fact that, despite this, Dahua itself cannot get a clear list and takes so long to get firmware fixes out implies development organizational issues.

Agree: 2
Disagree
Informative: 2
Unhelpful
Funny

So, I think one of the questions now is what has Dahua been up to the last 7 months?

Agree: 1
Disagree
Informative
Unhelpful
Funny: 1

what has Dahua been up to the last 7 months?

Hoping the issue would have gone away is my best guess.

Agree: 1
Disagree
Informative
Unhelpful
Funny: 1

Guess the same

Agree: 1
Disagree
Informative
Unhelpful
Funny

On the positive side, I do think the lessons learned from this will help them better prioritize responses to this in the future, now that they see there are actually real world issues to deal with. The cost and strain of Dahua having to deal with all these dealers and OEM partners over this has been significant.

Agree: 1
Disagree
Informative
Unhelpful
Funny

Let's hope so, "lessons learned" seems usually to be archived into the trash can.

Agree: 1
Disagree
Informative
Unhelpful
Funny: 1

Dahua was talking to their big distributors in middle Europe and they recommend to upgrade all the devices which were produced after March 2017. This happened a couple of months ago. Dahua knew about this "bug".

The message was not spread correctly. 

And who will upgrade if everything is ok :)

Agree
Disagree
Informative: 1
Unhelpful
Funny

You know what would redeem Dahua in my books? Is if they opened up a hotline in which we can direct all of our customers to call Dahua so they can deal with the hack fixes. 

Agree: 3
Disagree
Informative
Unhelpful
Funny: 1

Are you sure you want any manufacturer to have access to your end users? Ever?

Agree: 2
Disagree
Informative
Unhelpful
Funny

For this time, you bet!!

If you are saying that in a concerned tone that they may sell direct to them, I can promise you that after working a week of fixing hacked DVRs they will think twice.

Agree: 3
Disagree
Informative
Unhelpful
Funny: 2

Hacked is hacked. I do not know what to tell you, Dahua.

 

H A C K E D is H A C K E D ! ! !

 

Get your company together! 

Agree
Disagree
Informative
Unhelpful
Funny

Indeed confusion between CVE-2017-7253 and ICSA-17-124-02, as here Dahua refers to the incorrect report.

 

Agree
Disagree
Informative
Unhelpful
Funny

Indeed confusion between CVE-2017-7253 and ICSA-17-124-02, as here Dahua refers to the incorrect report.

Bashis, I believe part of the confusion / error is that Dahua's report there is from March 17th whereas ICSA-17-124-02 was not issued until May.

Do you know who reported CVE-2017-7253 or how it relates to your research? CVE-2017-7253 is short, anonymous and only claims IP cameras as vulnerable, so it is unclear.

Agree
Disagree
Informative
Unhelpful
Funny

Only thing I know is that this was Dahua's first post after my FD in March.

By Googling the CVE, you will end up on an "anonymous" Git (by following references).

This is not my Git, and I have not applied for CVE either.

 

Agree
Disagree
Informative
Unhelpful
Funny

Rhetorical question, but how do you know #3 is bashis?

Agree: 2
Disagree
Informative
Unhelpful
Funny: 3

Rhetorical question, but how do you know #3 is bashis?

John's a quick learner:

Agree
Disagree: 1
Informative
Unhelpful
Funny: 2

Another annoying aspect about Dahua and most Chinese companies is the amount of national holidays they have throughout the year. 

While I respect that they work hard, if the company is international (in Dahua's case) they should work in line with their markets and not close up shop completely.

This week, for example, no-one in Dahua China is working! So if you happen to have an issue, no-one is there to help properly, and this is through their current hacking crisis!

Agree: 2
Disagree: 1
Informative: 1
Unhelpful
Funny

So if the reactivity to their unending problems wasn’t already piss-poor, expect it to be piss-poorer.

Agree
Disagree
Informative
Unhelpful
Funny

They have to pay 300% for everyone working during the holiday and will end up with really unhappy employees.

After all the week of national holiday is the best time to be with family since their families also have the entire week off. For 2017 it is 8 days in total.

Agree
Disagree
Informative: 1
Unhelpful
Funny

You could say that is the cost of operating an international business.

I fully understand factories closing as they work 7 day weeks etc. but it shouldn't be the full operation. Most Dahua HQ employees in overseas operation don't work the weekend.

I don't think too many people in the west would accept if their supplier would just close up shop completely for 2 full weeks during the year. Also the way they handle the lead up to these national holidays is always rushed so the impact is much greater than the 2 weeks.

Agree: 1
Disagree
Informative: 1
Unhelpful
Funny

UM5 Yep super annoying. And the biggest issues always occur right at the beginning or in the middle of the Chinese New Year lol.

Agree: 1
Disagree
Informative
Unhelpful
Funny

This isn't a localized phenomenon, it's the entire country of China that basically shuts down during these holidays.  It's certainly a drastic interruption of normal business, rushing or delaying orders because of it.  I've also been told that for week long holidays like this, they will often times have a large percentage of the work force go home, often in other cities or to the countryside, and just won't come back.  So, after coming back from holiday, they have to hire new workers and train them which can take quite a while and further impact production.  I would say that leading up to these holidays and after them that it's a month long interruption of normal business.

Agree
Disagree
Informative: 1
Unhelpful
Funny

Maybe they need their programmers to stay in the countryside and hire some new ones

Agree
Disagree: 1
Informative
Unhelpful
Funny

Programmers are at a higher level pay and don't affect production, factory workers are the large workforce. They will often change to a new factory which pays more money, but this is only after the Chinese New Year because this is the time workers would have an annual bonus paid.

So with two months pay in the pocket, you have time to find another better-paid job because you get to pick and choose a better place which is desperate for factory staff.

 

$0.2

Agree
Disagree
Informative
Unhelpful
Funny

FYI, Dahua engineers are in the Houston warehouse with us updating our entire stock of recorders for us as we speak. They have been here for the last 2 days. So it looks like they ARE trying.

Agree
Disagree
Informative: 3
Unhelpful
Funny: 1

Dahua engineers are in the Houston warehouse with us updating our entire stock of recorders 

Robert, what firmware version are they updating to? What does that firmware version address or fix?

Agree
Disagree
Informative
Unhelpful
Funny

For recorders, the following:

  • General_HCVR7x04-4K_Eng_NP_V3.218.0000001.2.R.170808
  • General_HCVR7x08-4K_Eng_NP_V3.218.0000001.2.R.170808
  • General_NVR4XXX-4KS2_Eng_V3.215.0000000.1.R.170902
  • General_NVR5XXX-4K_Eng_V3.215.0000000.1.R.20170901
  • General_XVR5x04_Eng_NP_V3.218.0000001.2.R.170808
  • General_XVR5x08_Eng_NP_V3.218.0000001.2.R.170808
  • General_XVR5x16_Eng_NP_V3.218.0000001.2.R.170808
  • General_XVR7x16_Eng_NP_V3.218.0000001.2.R.170808

I do not think they are doing cameras.

These firmwares represent a new baseline enforcing much stricter security policies. I sent you an email with some release notes.

Agree
Disagree
Informative
Unhelpful
Funny