1 Million Dahua Devices Exposed To Backdoor

By: Brian Karas, Published on Mar 22, 2017

Statistics show that 1 million Dahua devices are publicly exposed and vulnerable to the Dahua backdoor.

Despite this, Dahua has downplayed the severity and obstructed public access to firmware for most affected devices.

In this report, we highlight how these devices were discovered, and which countries have the most Dahua product exposed to remote attack.

Locations ** ********** *******

**** * ******* ***** devices ****** *** ***** are ********** **** *** public ********, ******** **** to ******* *********, ********* to * ***** *** a ******** **** ****** used ** ***** ******** ** "IoT ****** ******" ******

****** ***** **** ***,*** devices ** **** ***** and *** **, ** well ** ***** ******* in *******, ******, ***** and ***** *********:

**** ****** *** ***** reported *********' ********* ******** ** the ***** **************** *** ********* ** Bashis.

HTTPS, ****** ********* ** ****

* ***** ****** ** the ******* *** **** accessible via *****, ********* ** shodan, ***** ********* ****** or ********** ** ***** devices *** **** ********* to **** ***** ******** precautions:

*******, *** ** *** nature ** **** ********, using *****, ***-******** *****, or ****** ********* **** not **** *** ******* any **** **********. *** device ******** ********** ** able ** ** ********* if ** *** *** had * ******** *******.

Majority ** ******* **********

**** ******** * ****** of ******* **** *** overall **** ** ****** and ****** **** **** Bashis' *****-**-******* ****. *** majority ** ******* ****** all ********* **** **** unpatched *** ********** ** exploit. 

Dahua ******* ******

** ** **** ******, Dahua's **** ****** ** their ** ************* **** [**** no ****** *********] *** ***** ***, 2017 [**** ** ****** available], ***** **** **** a ***** ** ** affected ******. *** ** Dahua's international ***** [**** ** longer *********] ***** ** ******** products. ** *******, ***** are ******, ** *** hundreds, ** ***** ******** (and ****) ********** ** this ********.

*****'* ******** *** ***** reporting *** ****** ** affected ********, **** ******** updates ***** ******** ** a ********** **** ****. Additionally, ***** ********, **** as ****, ** *** yet **** ******* ******** for ***** *** ********. The ****** ** * large ****** ** ********* still ** ****, **** minimal ******* ** ******* themselves.

Danger ** * ******* **********

**** * ******* ******* vulnerable, **** ** * very ***** ****** *** a ****** ******** ** other ********* ***** **** wants ** ******* ******* or ****** *******. *** example, *** ***** ******, ***** significantly ********* *** ******** ** Fall **** **** * similar ****** ** *******. 

No *** ** ** **-******** *** ********* *** *****

****** *** ******* *** to **-******* *** ***** of ******* ********** ********* for ***** *, ****, citing *** **** ** so **** ******* **********. However, ******* ****** ****** online *** ******* ******* *** to ******* ***** ******* based ** **** ************* so ** ** ****** only * ****** ** time ****** ***** ***** attacks **** **. 

***************

** **** ****** ** on *** ********** ***** list ** ******** **** updated ********, ** ********* an ********* ******* *** those *******.

*** ***** **** **** not ******** ** ****** from *****, ** *** of ***** ****, *** best ****** *** *** is ** ******* ****** access ** *** ****, or ******** ****** ****** only ** *** ***** or ****** *** ** whitelisted ** ********* *** those ********* ******.

Comments (21)

hrmmmmmmm.

1080p @ 30fps using h264 =~2Mbps

2Mbps * 1,000,000 = 2,000,000Mbps = 2Tbps

~2Tbps can really mess up some major services in the internet sphere including Netflix.

Right now there's a black hat in a basement with a really big smile thinking about this.

Uh, but these cameras may be already streaming on to the Internet without impact, no? And are likely limited by their upstream speed in any event.

Who are the clients requesting the new streams, other bots?

IMHO, the most damaging use is DDNS. It doesn't try to saturate the bandwidth of the internet, it just overwhelms DNS server capacity.

Yes right now (Hopefully) they are streaming to multiple points as intended.

But if you had total control over all of them you could route them through specific routers (like home routers, business routers and ISP routers) going to other places, effectively blocking all other traffic trying to pass through those points.

How many routers have you seen that could handle 2Tbps passing through it?

I doubt many ISP routers could handle it; even one for small cities could cause internet traffic to come to a crawl.

Of course I am talking about a worst case scenario, but possible nonetheless.

Any idea how many of these devices using port forwarding? Certainly quite a lot.

Does this help anyone to change their mind on the wisdom / danger of using port forwarding? Related: Should You Use Port Forwarding?

It is my understanding that devices connected by P2P only are safe from this exploit since there is no way they can be directly connected to. Would that assumption be correct?

I wouldn't assume anything; better to try to verify that they are not. And also turn off UPnP on routers and Dahua devices.

Are you sure those HTTP and HTTPS numbers are not mostly the same hosts? The numbers of 80/443 hosts are suspiciously close.

Some of the hosts had only HTTP, some had HTTPS only, and some had both.

There may be some overlap there, but I think they are primarily distinct. 

Wow John. Thanks for making my point for me. You are making a lot of claims here about 'too slow', hundreds of products, blah blah blah. Cite your sources.

Could someone please explain what is the difference between any other vendor's exposure and vulnerability to these kinds of attempts? All of the vendors allow external access by remote, using Apple and Android apps and of course PC remote client access platforms using HTTP, HTTPS to their devices.

So what is the so-called Backdoor issue? Everyone within his organization/home should protect his own network by changing port numbers, default credentials (user and pass), firewall rules and maybe use other remote access methods than port forwarding, using VPN: IPsec, GRE, SSL …

Is there actually any difference between Hikvision and Dahua to other vendors in the aspect of the remote access methods given to the end users?

I understand the Backdoor as a cyber attempt from the first place related to these companies (Hik and Dah - sounds nice (: ), but what is the special attempt from the aspect of the network that is a general "network issue" for any other IP device in the world using HTTP and HTTPS... all IP devices around the world in this case have the same vulnerability.

So why mention these two all the time when speaking of general network issues?

Thanks,

Koby, the Dahua backdoor is so significant because:

  • It allows getting admin access regardless of how strong the device's admin password is. You mentioned changing default credentials. With this backdoor, even if you do change the defaults, an attacker can still get admin access to the device.
  • It is simple for an attacker to execute.
  • It works across numerous Dahua devices, both current and older.

A VPN would certainly be beneficial but the point of this 1 million figure is that the devices showing up on Shodan are not using a VPN and are publicly accessible.

More details in our original post / test results here - Dahua Backdoor Uncovered

I'm not clear on something. Upon setup, if the admin logs into a camera and changes the ports (80 to 1080 for example), then sets up port forwarding, could the vulnerability be used via the Internet to expose the camera's credentials?

I understand that cameras set to the default ports are vulnerable, as well as port forwarding schemes involving a custom port being forwarded to a default port (WAN port 1080 to LAN port 80 for example), but am not certain if the backdoor can be reached if the ports are changed on the actual camera.

To test a theory, we found that the new Dahua wifi NVR could not automatically detect a Dahua wifi camera via LAN or wifi after changing the camera's ports. Was the backdoor vulnerability restricted to cameras set to port 80 as well?

Thanks in advance.

If your Dahua camera or NVR's web interface is remotely accessible on ANY port, and it is not running patched firmware it is vulnerable.

Using non-standard ports may make the camera harder for a random IP scanner to find, but it does not remove the vulnerability from being there.

Am I correct in my understanding that Tyco cameras are OEM from Dahua?

If so - are they infected?

Yes, Tyco does OEM at least some cameras from Dahua. Those cameras are likely vulnerable as well (infected implies they have non-manufacturer code installed, which is not the case with this backdoor, the code is Dahua's).

Still, after more than two years, there are more than 1 million devices vulnerable...

More than 1 million according to Shodan

https://www.shodan.io/search?query=P3P%3A+CP%3DCAO+PSA+OUR

More than 4 million according to ZoomEye

https://www.zoomeye.org/searchResult?q=%22P3P%3A%20CP%3DCAO%20PSA%20OUR%22

[sigh]
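
The Shodan and ZoomEye queries above key on the P3P response header. As an added example (not from the article, IPVM, or Dahua), this Python script applies that same header fingerprint to HTTP banners so an operator can inventory Dahua web interfaces on their own network, on any port, which is the point made earlier that moving a camera off port 80 does not remove the exposure. The host addresses and banners are constructed, and the assumption is that the P3P value alone marks a Dahua web UI, not its patch level.

```python
import re
from email.parser import Parser

# Fingerprint used by the Shodan / ZoomEye queries in the thread. Assumption:
# this header value identifies a Dahua web UI; it says nothing about firmware.
DAHUA_P3P = "CP=CAO PSA OUR"


def parse_http_response(raw: str):
    """Split a raw HTTP response into (status_code, headers) with
    case-insensitive header names. Returns (None, {}) if it is not HTTP."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, _, header_block = head.partition("\r\n")
    m = re.match(r"HTTP/\d\.\d (\d{3})", status_line)
    if not m:
        return None, {}
    msg = Parser().parsestr(header_block, headersonly=True)
    return int(m.group(1)), {k.lower(): v.strip() for k, v in msg.items()}


def is_dahua_web_ui(raw: str) -> bool:
    """True when the response carries the Dahua P3P fingerprint."""
    code, headers = parse_http_response(raw)
    return code is not None and headers.get("p3p", "") == DAHUA_P3P


def find_exposed(responses):
    """responses: {(host, port): raw_banner}. Returns a sorted list of
    (host, port) presenting the Dahua web UI, whatever the port number."""
    return sorted(hp for hp, raw in responses.items() if is_dahua_web_ui(raw))


# Constructed sample banners (not real captures): a Dahua UI on the default
# port, one moved to a non-standard port, a generic web host, a non-HTTP port.
SAMPLE = {
    ("192.0.2.10", 80): "HTTP/1.1 200 OK\r\nServer: Webs\r\nP3P: CP=CAO PSA OUR\r\n"
                        "Content-Type: text/html\r\n\r\n<html>",
    ("192.0.2.11", 1080): "HTTP/1.0 200 OK\r\nP3P: CP=CAO PSA OUR\r\nConnection: close\r\n\r\n",
    ("192.0.2.12", 443): "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n",
    ("192.0.2.13", 9000): "\x00\x00\x00\x00not http",
}

if __name__ == "__main__":
    for host, port in find_exposed(SAMPLE):
        print(f"Dahua web UI exposed at {host}:{port}")
```

Hosts found this way should be checked against the vendor's patched-firmware list or placed behind a VPN; a hit on a non-standard port is still a hit.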

It's a slippery slope but wouldn't it be nice if we could legally "vaccinate" the internet and push out patches to fix insecure devices like this without the risk of imprisonment? Maybe some ISPs could identify broadly known vulnerabilities and if present on their subscriber's networks, block ports or at least notify the subscriber?

I'm reminded of the recent story where the government of Japan is planning to scan networks for vulnerabilities and notify owners of problems found.

I do not really agree to "vaccinate" the Internet, since then we would invade private property without permission.

This is more the result of a lack of proper information to the public from the manufacturer...

I agree that to actually patch publicly accessible devices without notice/permission is crossing a line. But I can also see how having an infected, or easily infected device publicly accessible is making it easier for those devices to be used in nefarious ways which can potentially have negative effects on broad ranges of Internet users.

ISPs could help by having policies outlining the responsibility of the subscriber to maintain the security/integrity of the devices they expose to the internet through their service, and then blocking specific traffic to/from those customers identified as suffering a known vulnerability after first notifying them of the issue.

Just a thought - it's irritating that there can be such an incredible number of vulnerable devices out there (not just in our industry of course) and there's nothing to be done about it.

Totally agree with you...
