Dahua Wiretapping Vulnerability

By: John Honovich and John Scanlan, Published on Aug 02, 2019

IPVM has validated, with testing, and from Dahua, that many Dahua cameras have a wiretapping vulnerability. Even if the camera's audio has been disabled, an attacker can still listen in unauthenticated.

dahua wiretapping vulnerability

Inside this report, we examine how it works, how it was originally found in an OEM partner's product, what Dahua has done and not, to date, to fix it.

Executive Summary

Here is what we have determined so far:

  • Dahua has quietly fixed this in some of their models (in a June 2019 release we tested) after a researcher reported it.
  • However, Dahua had not notified the public about this vulnerability and we can find no notice from Dahua online (e.g., the official Dahua USA cybersecurity update section has no listings for 2019 as of August 2, 2019).
  • Dahua has acknowledged one of two vulnerabilities still exists and that some models may not be fixed for either. We are awaiting further clarity about what models were affected, which have been fixed and which are not yet fixed.
  • Dahua cameras ship with audio enabled by default. Even if it is or was manually disabled, the vulnerability still worked.
  • UPDATE: Dahua has issued a security advisory today August 2, 2019 - VideoTalk function of some Dahua products have security risks, in which they say they knew about this in 2018 yet never disclosed this.

We have not determined what of the dozens of Dahua OEM partners are impacted, outside of Amcrest, where this was originally found, but given that Amcrest and Dahua branded cameras are impacted, it is likely that many others have this vulnerability as well.

Statement From Dahua

Dahua spokesperson Tim Shen provided this statement to IPVM:

Dahua Security Team and R&D Team have conducted an emergency investigation, and the preliminary results are as follows:

  1. Video talk unauthorized download vulnerability - Due to the relevant functional modules have been code refactored, this vulnerability does not exist after refactoring. Some EOL products may have security risks. We have a plan to repair the related products.
  1. Replay attack vulnerability: This vulnerability is a newly discovered and it does affect some Dahua products. We are still investigating the scope of impact.

Dahua uses the secure login authentication method “Digest” by default, but in order to be compatible with early devices, we also retain support for the login authentication method with insufficient security. This vulnerability just exploits these insecure login authentication methods.

Get Notified of Video Surveillance Breaking News
Get Notified of Video Surveillance Breaking News

Compatibility is a common problem faced by manufacturers in the industry, and we are working hard to solve this problem. [emphasis added]

Dahua Vulnerability Explained

The vulnerability was first reported to Dahua in May 2019. Research Engineer Jacob Baines of Tenable uncovered a vulnerability within an Amcrest (Dahua OEM) camera's firmware (PoC found here, CVE-2019-3948), which allows unauthenticated access to the audio stream. The endpoint, /videotalk, can be accessed unauthenticated.

Baines video embedded below demonstrates the exploit:

Based on that, IPVM began researching Dahua models and successfully gained unauthorized access to the audio stream using three separate methods.

First, we targeted a Dahua camera (specifically the 4K Starlight box camera, IPC-HF8835F tested here) with the script used to exploit the Amcrest camera. The gif below demonstrates connecting the to the endpoint and the download starts.

Dahua-Unauthorized-Audio-Connection

The output file not created due to either a flaw in the original PoC or format/protocol mismatch between Amcrest (alaw) and Dahua.

The next method was using VLC media player to open the stream, again without being prompted for credentials. It appears that VLC is not playing the audio, however using wireshark shows the data stream immediately upon the sending the VLC command. Our test workstation is 172.20.128.117, and the camera is 172.20.129.132 below.

Dahua-Audio-Stream-Shown-in-Wireshark

Then we were more simply able to hit the /videotalk endpoint in a browser and initiated the audio stream / download.

Dahua-Vulnerability-Accessed-via-Browser

Disabling Audio Does Not Resolve

IPVM originally tested the camera after factory defaulting it (audio is defaulted on) and was able to gain unauthorized access. However, even after disabling audio within the camera's web interface, we were still able to get access via all of the methods outlined above.

June 2019 Firmware Fixes In Model Tested

After updating to firmware 2.622.0000000.7.R, Build Date: 2019-06-19 the endpoint is protected with a username / password dialog box as shown below and the attacks described above failed.

Updated Dahua Firmware Password Protected

There are no release notes available with the firmware explaining that a known vulnerability was fixed, nor is there any evidence that this was communicated in any other way.

Problematic Response From Amcrest Technical Support

Amcrest's response was also problematic and confusing. The vulnerable firmware is a higher revision (2.5xx) than the patched firmware version (2.4xx), which is atypical, to say the least.

On our first call, we explained the vulnerability and confusion about the firmware release and our desire to verify that information is accurate. Amcrest hung up on us. On our second call, we were told that the firmware addressed compatibility with chrome and email alerting improvements, but had nothing to do with audio. The release notes mention vague "Additional security enhancements." but no clarity about the specific vulnerability at risk.

Risks Higher With Audio

While video vulnerabilities have definitely increased in awareness and attention, audio is even more sensitive as laws tend to be stricter about audio being recorded without consent. These Dahua vulnerabilities enable wiretapping. While most IP camera users do not use audio, that this can be exploited without any such use or even if explicitly disabled, raises real concerns.

Problems With Dahua Response

As problematic is Dahua's lack of response and disclosure. Dahua has known about this for nearly 3 months (reported on May 8th, today is August 2nd). Yet despite that, they have not issued a public notification nor given any clarity about what specific models are or are not impacted and, by their own admission, still have another vulnerability to fix.

This is not a new problem for Dahua. In 2017, when they had their massive backdoor, they struggled for many months to properly and clearly communicate and fix what was vulnerable.

Given their US government ban, Dahua may be understandably reticent to call attention to new vulnerabilities. However, if they do not and are caught, as they are here, it further decreases trust.

UPDATE

UPDATE: Dahua has issued a security advisory today August 2, 2019 - "VideoTalk function of some Dahua products have security risks", in which they say they knew about this in 2018 yet never disclosed this.

8 reports cite this report:

Dahua Critical Cloud Vulnerabilities on May 12, 2020
Dahua has acknowledged a series of cloud vulnerabilities that researcher...
China DVR/NVR Backdoor Discovered, Huawei Refutes on Feb 07, 2020
A backdoor was found in Chinese-produced DVRs and NVRs that secretly allowed...
US DoD Comments on Huawei, Hikvision, Dahua Cyber Security Concerns on Oct 16, 2019
A senior DoD official said the US is "concerned" with the cybersecurity of...
Dahua New Critical Vulnerability 2019 on Sep 23, 2019
Dahua has quietly admitted 5 new vulnerabilities including 1 critical...
3 Weeks Later, Honeywell Still Cannot Say Whether They Are Vulnerable To Dahua Wiretapping [Now Admits] on Aug 27, 2019
The Dahua wiretapping vulnerability and Dahua's decision to delay disclosing...
Dahua OEM Directory on Aug 16, 2019
US Government banned Dahua OEMs for dozens of companies. The following...
Honeywell Speaks On NDAA Ban, New Non-Banned Cameras and Cybersecurity on Aug 06, 2019
For years, Honeywell has depended on Dahua, a company with a poor...
Directory of Video Surveillance Cybersecurity Vulnerabilities and Exploits on May 02, 2018
This list compiles reported exploits for security products, and is updated...
Comments (52) : Members only. Login. or Join.

Related Reports

Dahua Critical Cloud Vulnerabilities on May 12, 2020
Dahua has acknowledged a series of cloud vulnerabilities that researcher...
Use Access Control Logs To Constrain Coronavirus on Apr 09, 2020
Access control users have included capabilities that are not commonly used...
China DVR/NVR Backdoor Discovered, Huawei Refutes on Feb 07, 2020
A backdoor was found in Chinese-produced DVRs and NVRs that secretly allowed...
Dynamic vs Static IP Addresses Tutorial on Apr 16, 2020
While many cameras default to DHCP out of the box, that does not mean you...
Uniview Deep Learning Camera Tested on Jul 14, 2020
Uniview's intrusion analytics have performed poorly in our shootouts. Now,...
Dahua, Hikvision, ZKTeco Face Mask Detection Shootout on Jun 19, 2020
Temperature tablets with face mask detection are one of the hottest trends in...
Avigilon Face Mask Detection Tested on Jun 24, 2020
Face mask detection or, more specifically not wearing a face mask, is an...
Hanwha Face Mask Detection Tested on Jul 01, 2020
Face mask detection or, more specifically lack-of-face-mask detection, is an...
Surveillance Storage 101 on Mar 23, 2020
This guide teaches the fundamentals of video surveillance...
Video Analytics 101 on Mar 16, 2020
This guide teaches the fundamentals of video surveillance...
Milestone Presents XProtect On AWS on May 04, 2020
Milestone presented its XProtect on AWS offering at the April 2020 IPVM New...
30 Million Criminal Face Database Tested (Captis Intelligence) on Apr 27, 2020
30 million criminal mugshots are now available for facial recognition...
Wrong Dahua Australia Medical Device Approved on Jul 20, 2020
Dahua's body temperature system is now in Australia's medical device...
"Fever Camera" Online Show June 2020 - On-Demand Recordings on Jun 03, 2020
IPVM has successfully completed the world's first "Fever Camera" show....
Verkada Falsely Claims "First Native Cloud-based Access Control and Video Security Solution" on Jun 18, 2020
Verkada's false claims continue, this time to be the first native cloud-based...

Recent Reports

Google Invests in ADT, ADT Stock Soars on Aug 03, 2020
Google has announced a $450 million investment in the Florida-based security...
US Startup Fever Inspect Examined on Aug 03, 2020
Undoubtedly late to fever cameras, this US company, Fever Inspect, led by a...
Motorola Solutions Acquires Pelco on Aug 03, 2020
Motorola Solutions has acquired Pelco, pledging to bring blue back and make...
False: Verkada: "If You Want To Remote View Your Cameras You Need To Punch Holes In Your Firewall" on Jul 31, 2020
Verkada falsely declared to “3,000+ customers”, “300 school districts”, and...
US GSA Explains NDAA 889 Part B Blacklisting on Jul 31, 2020
With the 'Blacklist Clause' going into effect August 13 that bans the US...
Access Control Online Show July 2020 - On-Demand Recording of 45+ Manufacturers Presentations on Jul 30, 2020
The show featured 48 Access Control presentations, all now recorded and...
Face Detection Shootout - Dahua, Hanwha, Hikvision, Uniview, Vivotek on Jul 30, 2020
Face detection analytics are available from a number of manufactures...
Sunell is The First China Manufacturer to Market NDAA Compliance on Jul 30, 2020
Most China manufacturers are going to be impacted by the NDAA 'Blacklist...
Ink Labs Relabels China YCX Fever Camera And Steals Dahua's Marketing on Jul 30, 2020
A US company marketed a 'thermal temperature scanner' as its own, selling...
Genetec and Dahua-Backed Intelbras Split Examined on Jul 29, 2020
China is the cause of the breakup between Canada's and Brazil's largest video...
This YouTuber is Now Selling ThermoHealth Temperature Screening on Jul 29, 2020
An enterprising 20-year old is mass marketing medical devices on Facebook and...
Hikvision Returns To Growth Driven By Overseas Fever Cameras on Jul 29, 2020
While Hikvision's revenue fell in Q1 2020, it rebounded in Q2 attributed to...
Brazil's Biggest Domestic Surveillance Company Intelbras Profile on Jul 29, 2020
While Intelbras is not widely known outside of Latin America, Intelbras is a...
The Kiosk Market Pivots To Temperature Screening (Interviewed) on Jul 28, 2020
Video surveillance is not the only market that has pivoted to medical device...
Integrator Acquisitions 'A Good Market' During COVID-19, Says Greybeards on Jul 28, 2020
Industry broker Ron Davis of the "Greybeards" says that the integrator and...