1 Million Dahua Devices Exposed To Backdoor

By: Brian Karas, Published on Mar 22, 2017

Statistics show that 1 million Dahua devices are publicly exposed and vulnerable to the Dahua backdoor.

Despite this, Dahua has downplayed the severity and obstructed public access to firmware for most affected devices.

In this report, we highlight how these devices were discovered, and which countries have the most Dahua product exposed to remote attack.


[The remainder of the report is behind the IPVM paywall and is obscured in this copy. Its visible section headings begin "Locations …", "HTTPS, …", "Majority …", "Dahua …", "Danger …" and "No …", followed by a recommendations section. The legible fragments indicate that the exposure counts were drawn from an IoT search engine (Shodan), that the backdoor disclosure is credited to Bashis, and that the majority of exposed devices were found unpatched.]

Comments (21)

hrmmmmmmm.

1080p @ 30 fps using H.264 ≈ 2 Mbps

2 Mbps × 1,000,000 = 2,000,000 Mbps = 2 Tbps

~2Tbps can really mess up some major services in the internet sphere including Netflix.

Right now there's a black hat in a basement with a really big smile thinking about this.

Uh, but these cameras may already be streaming on to the Internet without impact, no? And they are likely limited by their upstream speed in any event.

Who are the clients requesting the new streams, other bots?

IMHO, the most damaging use is DDNS. It doesn't try to saturate the bandwidth of the internet, it just overwhelms DNS server capacity.

Yes right now (Hopefully) they are streaming to multiple points as intended.

But if you had total control over all of them, you could route them through specific routers (like home routers, business routers and ISP routers) going to other places, effectively blocking all other traffic trying to pass through those points.

How many routers have you seen that could handle 2 Tbps passing through them?

I doubt many ISP routers could handle it; even one for a small city could cause Internet traffic to come to a crawl.

Of course I am talking about a worst-case scenario, but possible nonetheless.

Any idea how many of these devices using port forwarding? Certainly quite a lot.

Does this help anyone to change their mind on the wisdom / danger of using port forwarding? Related: Should You Use Port Forwarding?

It is my understanding that devices connected by P2P only are safe from this exploit since there is no way they can be directly connected to.  Would that assumption be correct?

I wouldn't assume anything; better to try to verify that they are not. And also turn off UPnP on routers and Dahua devices.

Are you sure those http and https numbers are not mostly the same hosts?  The numbers of 80/443 hosts are suspiciously close.

Some of the hosts had only HTTP, some had HTTPS only, and some had both.

There may be some overlap there, but I think they are primarily distinct. 

Wow John. Thanks for making my point for me. You are making a lot of claims here about 'too slow', hundreds of products, blah blah blah. Cite your sources.

Could someone please explain what is the difference between any other vendor's exposure and vulnerability to these kinds of attempts? All of the vendors allow external remote access, using Apple and Android apps and of course PC remote client access platforms, using HTTP and HTTPS to their devices.

So what is the so-called backdoor issue? Everyone within his organization/home should protect his own network by changing port numbers, default credentials (user and pass), firewall rules, and maybe use other remote access methods than port forwarding, such as VPN: IPsec, GRE, SSL …

Is there actually any difference between Hikvision and Dahua and other vendors in the aspect of the remote access methods given to the end users?

I understand the backdoor as a cyber attempt in the first place related to these companies (Hik and Dah - sounds nice (: ), but what is the special attempt from the aspect of the network that is a general "network issue" for any other IP device in the world using HTTP and HTTPS... all IP devices around the world in this case have the same vulnerability.

So why mention these two all the time when speaking of general network issues?

Thanks,

Koby, the Dahua backdoor is so significant because:

  • It allows getting admin access regardless of how strong the device's admin password is. You mentioned changing default credentials. With this backdoor, even if you do change the defaults, an attacker can still get admin access to the device.
  • It is simple for an attacker to execute.
  • It works across numerous Dahua devices, both current and older.

A VPN would certainly be beneficial but the point of this 1 million figure is that the devices showing up on Shodan are not using a VPN and are publicly accessible.

More details in our original post / test results here - Dahua Backdoor Uncovered

I'm not clear on something.  Upon setup, if the admin logs into a camera and changes the ports (80 to 1080 for example), then sets up port forwarding, could the vulnerability be used via the Internet to expose the camera's credentials?

I understand that cameras set to the default ports are vulnerable, as well as port forwarding schemes involving a custom port being forwarded to a default port (WAN port 1080 to LAN port 80 for example), but am not certain if the backdoor can be reached if the ports are changed on the actual camera.

To test a theory, we found that the new Dahua wifi NVR could not automatically detect a Dahua wifi camera via LAN or wifi after changing the camera's ports.  Was the backdoor vulnerability restricted to cameras set to port 80 as well?

Thanks in advance.

If your Dahua camera or NVR's web interface is remotely accessible on ANY port, and it is not running patched firmware it is vulnerable.

Using non-standard ports may make the camera harder for a random IP scanner to find, but it does not remove the vulnerability from being there.

Am I correct in my understanding that Tyco cameras are OEM from Dahua?

If so, are they infected?

Yes, Tyco does OEM at least some cameras from Dahua. Those cameras are likely vulnerable as well (infected implies they have non-manufacturer code installed, which is not the case with this backdoor, the code is Dahua's).

Still, after more than two years, there are more than 1 million devices vulnerable....

More than 1 million according to Shodan

https://www.shodan.io/search?query=P3P%3A+CP%3DCAO+PSA+OUR

More than 4 million according to ZoomEye

https://www.zoomeye.org/searchResult?q=%22P3P%3A%20CP%3DCAO%20PSA%20OUR%22

[sigh]
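The Shodan and ZoomEye queries in the comment above both key on one HTTP response header, `P3P: CP=CAO PSA OUR`. The added example below (not code from the IPVM report or from any commenter) turns that same fingerprint into an inventory check a defender can run over their own address list, so Dahua web interfaces can be patched or taken off the public Internet; it also illustrates the earlier reply that a non-standard port does not remove the exposure, and the question of how much the HTTP and HTTPS counts overlap, by reporting distinct hosts as well as endpoints. All responses are constructed sample data in the 192.0.2.0/24 documentation range so it runs offline; `fetch_head` is a hypothetical live hook and the host addresses, ports and header layouts are assumptions.

```python
"""Inventory check for Dahua web interfaces by their P3P response header.

Added example, not from the IPVM report or its commenters.  The fingerprint
value is the one the Shodan/ZoomEye queries on the page search for; the sample
responses are constructed and the hosts are documentation addresses.
"""
from http.client import HTTPConnection, HTTPSConnection

# Header value from the Shodan/ZoomEye queries quoted on the page.
DAHUA_P3P_VALUE = "CP=CAO PSA OUR"

# Constructed sample responses keyed by (host, port); none are real hosts.
SAMPLE_RESPONSES = {
    # Standard HTTP port, fingerprint present.
    ("192.0.2.10", 80): (
        "HTTP/1.1 200 OK\r\n"
        "P3P: CP=CAO PSA OUR\r\n"
        "Content-Type: text/html\r\n\r\n"
    ),
    # Same host also answers on 443: one host, two endpoints.
    ("192.0.2.10", 443): (
        "HTTP/1.1 200 OK\r\n"
        "P3P: CP=CAO PSA OUR\r\n"
        "Content-Type: text/html\r\n\r\n"
    ),
    # Web interface moved to port 1080; header name sent in lower case.
    ("192.0.2.11", 1080): (
        "HTTP/1.1 200 OK\r\n"
        "p3p: CP=CAO PSA OUR\r\n"
        "Content-Type: text/html\r\n\r\n"
    ),
    # Ordinary web server, not a Dahua interface.
    ("192.0.2.12", 80): (
        "HTTP/1.1 200 OK\r\n"
        "Server: nginx\r\n"
        "Content-Type: text/html\r\n\r\n"
    ),
    # Login required, but the fingerprint header is still returned.
    ("192.0.2.13", 443): (
        "HTTP/1.1 401 Unauthorized\r\n"
        'WWW-Authenticate: Digest realm="Login"\r\n'
        "P3P: CP=CAO PSA OUR\r\n\r\n"
    ),
}


def parse_headers(raw: str) -> dict:
    """Parse the status line and header block of a raw HTTP response.

    Returns a dict keyed by lower-cased header name; HTTP header names are
    case-insensitive, so `P3P` and `p3p` collapse to one key.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def has_dahua_fingerprint(raw: str) -> bool:
    """True if the response carries the P3P value the Shodan query keys on.

    A substring test is used so optional quoting around the value is not a miss.
    """
    return DAHUA_P3P_VALUE in parse_headers(raw).get("p3p", "").upper()


def flag_exposed(responses: dict) -> list:
    """Sorted (host, port) endpoints whose response carries the fingerprint."""
    return sorted(hp for hp, raw in responses.items() if has_dahua_fingerprint(raw))


def summarize(responses: dict) -> tuple:
    """(flagged endpoints, distinct flagged hosts): endpoints over-count hosts."""
    flagged = flag_exposed(responses)
    return len(flagged), len({host for host, _ in flagged})


def fetch_head(host: str, port: int, tls: bool = False, timeout: float = 3.0) -> str:
    """Hypothetical live hook: status line and headers from one of your own hosts.

    Not exercised offline; a real inventory run builds the responses dict as
    {(host, port): fetch_head(host, port, tls)} over the organisation's own list.
    """
    conn_cls = HTTPSConnection if tls else HTTPConnection
    conn = conn_cls(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        lines = [f"HTTP/1.1 {resp.status} {resp.reason}"]
        lines += [f"{name}: {value}" for name, value in resp.getheaders()]
        return "\r\n".join(lines) + "\r\n\r\n"
    finally:
        conn.close()


if __name__ == "__main__":
    for host, port in flag_exposed(SAMPLE_RESPONSES):
        print(f"{host}:{port}  Dahua web interface: patch or remove from public access")
    endpoints, hosts = summarize(SAMPLE_RESPONSES)
    print(f"{endpoints} flagged endpoints on {hosts} distinct hosts")
```

On the sample data this flags four endpoints on three hosts: the interface on port 1080 is caught just like the ones on 80 and 443, and the device that answers 401 before login still identifies itself. When `fetch_head` is used against real devices over TLS, the self-signed certificates most cameras ship with will fail default certificate verification, so the caller has to supply an appropriate SSL context; that choice is left out here deliberately.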

It's a slippery slope, but wouldn't it be nice if we could legally "vaccinate" the Internet and push out patches to fix insecure devices like this without the risk of imprisonment? Maybe some ISPs could identify broadly known vulnerabilities and, if present on their subscribers' networks, block ports or at least notify the subscriber?

I'm reminded of the recent story where the government of Japan is planning to scan networks for vulnerabilities and notify owners of problems found.

I do not really agree to "vaccinate" the Internet, since then we would invade private property without permission.

This is more the result of a lack of proper information to the public from the manufacturer...

I agree that to actually patch publicly accessible devices without notice/permission is crossing a line. But I can also see how having an infected, or easily infected device publicly accessible is making it easier for those devices to be used in nefarious ways which can potentially have negative effects on broad ranges of Internet users.

ISPs could help by having policies outlining the responsibility of the subscriber to maintain the security/integrity of the devices they expose to the Internet through their service, and then blocking specific traffic to/from those customers identified as suffering a known vulnerability after first notifying them of the issue.

Just a thought - it's irritating that there can be such an incredible number of vulnerable devices out there (not just in our industry of course) and there's nothing to be done about it.

Totally agree with you...
