Dahua Trying, Struggling To Respond To Hacking Attacks

By: Brian Karas, Published on Oct 04, 2017

Now, 2 weeks since large-scale hacking attacks commenced against vulnerable Dahua devices, we analyze Dahua's response.

On the positive side, Dahua is clearly trying to respond, providing information and help to those impacted. However, Dahua is still struggling with a number of fundamental elements, including:

  • Unclear which vulnerabilities are being used in the hacks
  • Unable to provide a complete list of models impacted
  • Releasing more firmware fixes but not certain that all models are covered
  • No post-hacking dealer notice and a misleading public statement
  • Delayed but improving OEM response


Comments (29)

What a spectacular time to be working for Dahua.

Could they be struggling with a full and comprehensive solution because a lot of their products are fed in to them by smaller manufacturers and they simply don't know which products are or will be affected until a vulnerability is disclosed?

The fact that so many of their products are impacted implies they share some common (bad) firmware, rather than obtained through other smaller manufacturers.

As a point of reference, FLIR has released a full list of their Dahua OEMed products impacted, and that shows ~80 devices (cameras, DVRs, NVRs). Since FLIR only OEMs a subset of Dahua's portfolio, that indicates Dahua's total backdoored devices is in the hundreds of models.

The fact that, despite this, Dahua itself cannot get a clear list and takes so long to get firmware fixes out implies development organizational issues.

So, I think one of the questions now is what Dahua has been up to the last 7 months?

what Dahua has been up to the last 7 months?

Hoping the issue would have gone away is my best guess.

Guess the same

On the positive side, I do think the lessons learned from this will help them better prioritize responses to this in the future, now that they see there are actually real world issues to deal with. The cost and strain of Dahua having to deal with all these dealers and OEM partners over this has been significant.

Let's hope so; "lessons learned" usually seem to be archived into the trash can.

Dahua was talking to their big distributors in middle Europe and they recommended upgrading all the devices which were produced after March 2017. This happened a couple of months ago. Dahua knew about this "bug".

The message was not spread correctly. 

And who will upgrade if everything is ok :)

You know what would redeem Dahua in my books? If they opened up a hotline to which we can direct all of our customers to call Dahua so they can deal with the hack fixes.

Are you sure you want any manufacturer to have access to your end users? Ever?

For this time, you bet!!

If you are saying that in a concerned tone, that they may sell direct to them, I can promise you that after working a week of fixing hacked DVRs they will think twice.

Hacked is hacked. I do not know what to tell you, Dahua.


H A C K E D is H A C K E D ! ! !


Get your company together! 

Indeed confusion between CVE-2017-7253 and ICSA-17-124-02, as here Dahua refers to the incorrect report.


Indeed confusion between CVE-2017-7253 and ICSA-17-124-02, as here Dahua refers to the incorrect report.

Bashis, I believe part of the confusion / error is that Dahua's report there is from March 17th whereas ICSA-17-124-02 was not issued until May.

Do you know who reported CVE-2017-7253 or how it relates to your research? CVE-2017-7253 is short, anonymous and only claims IP cameras as vulnerable, so it is unclear.

Only thing I know is that this was Dahua's first post after my FD in March.

By Googling the CVE, you will end up on an "anonymous" Git (by following references).

This is not my Git, and I have not applied for CVE either.


Rhetorical question, but how do you know #3 is bashis?

Rhetorical question, but how do you know #3 is bashis?

John's a quick learner:

Another annoying aspect about Dahua and most Chinese companies is the amount of national holidays they have throughout the year. 

While I respect that they work hard, if the company is international (as in Dahua's case) they should work in line with their markets and not close up shop completely.

This week, for example, no one in Dahua China is working! So if you happen to have an issue, no one is there to help properly, and this is during their current hacking crisis!

So if the reactivity to their unending problems wasn’t already piss-poor, expect it to be piss-poorer.

They have to pay 300% for everyone working during the holiday and will end up with really unhappy employees.

After all, the week of national holiday is the best time to be with family since their families also have the entire week off. For 2017 it is 8 days in total.

You could say that is the cost of operating an international business.

I fully understand factories closing as they work 7-day weeks etc., but it shouldn't be the full operation. Most Dahua HQ employees in overseas operations don't work the weekend.

I don't think too many people in the west would accept if their supplier would just close up shop completely for 2 full weeks during the year. Also the way they handle the lead up to these national holidays is always rushed so the impact is much greater than the 2 weeks.

UM5, yep, super annoying. And the biggest issues always occur right at the beginning or in the middle of the Chinese New Year lol.

This isn't a localized phenomenon, it's the entire country of China that basically shuts down during these holidays. It's certainly a drastic interruption of normal business, rushing or delaying orders because of it. I've also been told that for week-long holidays like this, they will oftentimes have a large percentage of the work force go home, often in other cities or to the countryside, and just won't come back. So, after coming back from holiday, they have to hire new workers and train them, which can take quite a while and further impact production. I would say that leading up to these holidays and after them it's a month-long interruption of normal business.

Maybe they need their programmers to stay in the countryside and hire some new ones

Programmers are at a higher pay level and don't affect production; factory workers are the large workforce. They will often change to a new factory which pays more money, but this is only after the Chinese New Year because this is the time workers would have an annual bonus paid.

So with two months pay in the pocket, you have time to find another better-paid job because you get to pick and choose a better place which is desperate for factory staff.


$0.2

FYI, Dahua engineers are in the Houston warehouse with us updating our entire stock of recorders for us as we speak. They have been here for the last 2 days. So it looks like they ARE trying.

Dahua engineers are in the Houston warehouse with us updating our entire stock of recorders 

Robert, what firmware version are they updating to? What does that firmware version address or fix?

For recorders, the following:

  • General_HCVR7x04-4K_Eng_NP_V3.218.0000001.2.R.170808
  • General_HCVR7x08-4K_Eng_NP_V3.218.0000001.2.R.170808
  • General_NVR4XXX-4KS2_Eng_V3.215.0000000.1.R.170902
  • General_NVR5XXX-4K_Eng_V3.215.0000000.1.R.20170901
  • General_XVR5x04_Eng_NP_V3.218.0000001.2.R.170808
  • General_XVR5x08_Eng_NP_V3.218.0000001.2.R.170808
  • General_XVR5x16_Eng_NP_V3.218.0000001.2.R.170808
  • General_XVR7x16_Eng_NP_V3.218.0000001.2.R.170808

I do not think they are doing cameras.

These firmwares represent a new baseline enforcing much stricter security policies. I sent you an email with some release notes.
