1 Million Dahua Devices Exposed To Backdoor

By: Brian Karas, Published on Mar 22, 2017

Statistics show that 1 million Dahua devices are publicly exposed and vulnerable to the Dahua backdoor.

Despite this, Dahua has downplayed the severity and obstructed public access to firmware for most affected devices.

In this report, we highlight how these devices were discovered, and which countries have the most Dahua product exposed to remote attack.


Comments (21)

hrmmmmmmm.

1080p @ 30fps using h264 =~2Mbps

2Mbps * 1,000,000 = 2,000,000Mbps = 2Tbps

~2Tbps can really mess up some major services in the internet sphere including Netflix.

Right now there's a black hat in a basement with a really big smile thinking about this.

Uh, but these cameras may be already streaming on to the Internet without impact, no? And are likely limited by their upstream speed in any event.

Who are the clients requesting the new streams, other bots?

IMHO, the most damaging use is DDNS. It doesn't try to saturate the bandwidth of the internet, it just overwhelms DNS server capacity.

Yes right now (Hopefully) they are streaming to multiple points as intended.

But if you had total control over all of them you could route them through specific routers (like home routers, business routers and ISP routers) going to other places, effectively blocking all other traffic trying to pass through those points.

How many routers have you seen that could handle 2Tbps passing through them?

I doubt many ISP routers could handle it; even one for small cities could cause internet traffic to come to a crawl.

Of course I am talking about a worst-case scenario, but possible nonetheless.

Any idea how many of these devices using port forwarding? Certainly quite a lot.

Does this help anyone to change their mind on the wisdom / danger of using port forwarding? Related: Should You Use Port Forwarding?

It is my understanding that devices connected by P2P only are safe from this exploit since there is no way they can be directly connected to. Would that assumption be correct?

I wouldn't assume anything; better to try to verify that they are not. And also turn off UPnP on routers and Dahua devices.

Are you sure those HTTP and HTTPS numbers are not mostly the same hosts? The numbers of 80/443 hosts are suspiciously close.

Some of the hosts had only HTTP, some had HTTPS only, and some had both.

There may be some overlap there, but I think they are primarily distinct. 

Wow John. Thanks for making my point for me. You are making a lot of claims here about 'too slow', hundreds of products, blah blah blah. Cite your sources.

Could someone please explain what the difference is between any other vendor's exposure and vulnerability to these kinds of attempts? All of the vendors allow external access remotely, using Apple and Android apps and of course PC remote client access platforms using HTTP and HTTPS to their devices.

So what is the so-called Backdoor issue? Everyone within his organization/home should protect his own network by changing port numbers, default credentials (user and pass), firewall rules, and maybe use other remote access methods than port forwarding, using VPN: IPsec, GRE, SSL…

Is there actually any difference between Hikvision and Dahua and other vendors in the aspect of the remote access methods given to the end users?

I understand the Backdoor as a cyber attempt from the first place related to these companies (Hik and Dah - sounds nice (: ), but what is the special attempt from the aspect of the network that is a general "network issue" for any other IP device in the world using HTTP and HTTPS... All IP devices around the world in this case have the same vulnerability.

So why mention these two all the time when speaking of general network issues?

Thanks,


Koby, the Dahua backdoor is so significant because:

  • It allows getting admin access regardless of how strong the device's admin password is. You mentioned changing default credentials. With this backdoor, even if you do change the defaults, an attacker can still get admin access to the device.
  • It is simple for an attacker to execute.
  • It works across numerous Dahua devices, both current and older.

A VPN would certainly be beneficial but the point of this 1 million figure is that the devices showing up on Shodan are not using a VPN and are publicly accessible.

More details in our original post / test results here - Dahua Backdoor Uncovered

I'm not clear on something. Upon setup, if the admin logs into a camera and changes the ports (80 to 1080 for example), then sets up port forwarding, could the vulnerability be used via the Internet to expose the camera's credentials?

I understand that cameras set to the default ports are vulnerable, as well as port forwarding schemes involving a custom port being forwarded to a default port (WAN port 1080 to LAN port 80 for example), but am not certain if the backdoor can be reached if the ports are changed on the actual camera.

To test a theory, we found that the new Dahua wifi NVR could not automatically detect a Dahua wifi camera via LAN or wifi after changing the camera's ports. Was the backdoor vulnerability restricted to cameras set to port 80 as well?

Thanks in advance.

If your Dahua camera or NVR's web interface is remotely accessible on ANY port, and it is not running patched firmware, it is vulnerable.

Using non-standard ports may make the camera harder for a random IP scanner to find, but it does not remove the vulnerability from being there.

Am I correct in my understanding that Tyco cameras are OEM from Dahua?

If so, are they infected?

Yes, Tyco does OEM at least some cameras from Dahua. Those cameras are likely vulnerable as well (infected implies they have non-manufacturer code installed, which is not the case with this backdoor, the code is Dahua's).

Still, after more than two years, there are more than 1 million devices vulnerable....

More than 1 million according to Shodan

https://www.shodan.io/search?query=P3P%3A+CP%3DCAO+PSA+OUR

More than 4 million according to ZoomEye

https://www.zoomeye.org/searchResult?q=%22P3P%3A%20CP%3DCAO%20PSA%20OUR%22

[sigh]
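The Shodan and ZoomEye queries quoted above key on a single HTTP response header, `P3P: CP=CAO PSA OUR`, which the web server on many Dahua-based devices emits. A defender can use the same header to inventory their own network and find Dahua-based web interfaces that need patching or firewalling, and, as the earlier reply about non-standard ports notes, the fingerprint is in the response body, not the port number, so moving the web interface to port 1080 does not hide it. The following is an added example, not code from IPVM, Dahua, Shodan or ZoomEye; it assumes you have already collected raw HTTP response headers from hosts you administer (the three sample responses and the 192.0.2.x addresses are constructed for illustration), and the function names are the example's own.

```python
from typing import Dict, List, Tuple

# Header value used by the Shodan/ZoomEye searches quoted in the thread.
DAHUA_P3P_FINGERPRINT = "CP=CAO PSA OUR"


def parse_response_headers(raw: str) -> Dict[str, str]:
    """Parse the status line and header section of a raw HTTP response.

    Returns a dict keyed by lower-cased header name. Parsing stops at the
    first blank line (end of headers); malformed lines are skipped rather
    than raising, because devices in the field send odd headers.
    """
    headers: Dict[str, str] = {}
    lines = raw.splitlines()          # tolerate CRLF or bare LF
    for line in lines[1:]:            # lines[0] is the status line
        if line.strip() == "":
            break                     # blank line terminates the header block
        name, sep, value = line.partition(":")
        if not sep:
            continue                  # no colon: not a header, ignore
        headers[name.strip().lower()] = value.strip()
    return headers


def looks_like_dahua(headers: Dict[str, str]) -> bool:
    """True when the P3P header carries the Dahua-style policy string."""
    return DAHUA_P3P_FINGERPRINT in headers.get("p3p", "")


def inventory(
    responses: List[Tuple[str, int, str]]
) -> List[Tuple[str, int]]:
    """Given (host, port, raw_response) tuples you collected from your own
    address space, return the (host, port) pairs whose response matches the
    fingerprint. The port is reported but never used for the decision, which
    is the point: a web interface moved off port 80 still identifies itself.
    """
    found = []
    for host, port, raw in responses:
        if looks_like_dahua(parse_response_headers(raw)):
            found.append((host, port))
    return sorted(found)


# --- constructed sample responses (not captured from real devices) ---------
SAMPLE_DAHUA_PORT_80 = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "P3P: CP=CAO PSA OUR\r\n"
    "\r\n"
    "<html>...</html>"
)

# Same device type, web interface moved to a non-standard port.
SAMPLE_DAHUA_PORT_1080 = (
    "HTTP/1.1 200 OK\n"
    "p3p: CP=CAO PSA OUR\n"          # lower-case header name, bare LF
    "Content-Type: text/html\n"
    "\n"
)

# A generic web server that should not be flagged.
SAMPLE_OTHER = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "P3P: CP=\"NOI DSP\"\r\n"
    "\r\n"
)

SAMPLE_RESPONSES = [
    ("192.0.2.10", 80, SAMPLE_DAHUA_PORT_80),
    ("192.0.2.11", 1080, SAMPLE_DAHUA_PORT_1080),
    ("192.0.2.12", 443, SAMPLE_OTHER),
]

if __name__ == "__main__":
    for host, port in inventory(SAMPLE_RESPONSES):
        print(f"Dahua-style web interface at {host}:{port} - check firmware / restrict access")
```

Run it against headers you have fetched from your own hosts; a hit is a device to patch, to pull behind a VPN, or to restrict to whitelisted source addresses, as the thread recommends.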

It's a slippery slope, but wouldn't it be nice if we could legally "vaccinate" the internet and push out patches to fix insecure devices like this without the risk of imprisonment? Maybe some ISPs could identify broadly known vulnerabilities and, if present on their subscribers' networks, block ports or at least notify the subscriber?

I'm reminded of the recent story where the government of Japan is planning to scan networks for vulnerabilities and notify owners of problems found.

I do not really agree to "vaccinate" the Internet, since then we would invade private property without permission.

This is more the result of a lack of proper information to the public from the manufacturer...

I agree that to actually patch publicly accessible devices without notice/permission is crossing a line. But I can also see how having an infected, or easily infected, device publicly accessible is making it easier for those devices to be used in nefarious ways which can potentially have negative effects on broad ranges of Internet users.

ISPs could help by having policies outlining the responsibility of the subscriber to maintain the security/integrity of the devices they expose to the internet through their service, and then blocking specific traffic to/from those customers identified as suffering a known vulnerability after first notifying them of the issue.

Just a thought - it's irritating that there can be such an incredible number of vulnerable devices out there (not just in our industry of course) and there's nothing to be done about it.

Totally agree with you...
