Dahua Wiretapping Vulnerability

By: John Honovich and John Scanlan, Published on Aug 02, 2019

IPVM has validated, with testing, and from Dahua, that many Dahua cameras have a wiretapping vulnerability. Even if the camera's audio has been disabled, an attacker can still listen in unauthenticated.

dahua wiretapping vulnerability

Inside this report, we examine how it works, how it was originally found in an OEM partner's product, what Dahua has done and not, to date, to fix it.

Executive Summary

Here is what we have determined so far:

  • Dahua has quietly fixed this in some of their models (in a June 2019 release we tested) after a researcher reported it.
  • However, Dahua had not notified the public about this vulnerability and we can find no notice from Dahua online (e.g., the official Dahua USA cybersecurity update section has no listings for 2019 as of August 2, 2019).
  • Dahua has acknowledged one of two vulnerabilities still exists and that some models may not be fixed for either. We are awaiting further clarity about what models were affected, which have been fixed and which are not yet fixed.
  • Dahua cameras ship with audio enabled by default. Even if it is or was manually disabled, the vulnerability still worked.
  • UPDATE: Dahua has issued a security advisory today August 2, 2019 - VideoTalk function of some Dahua products have security risks, in which they say they knew about this in 2018 yet never disclosed this.

We have not determined what of the dozens of Dahua OEM partners are impacted, outside of Amcrest, where this was originally found, but given that Amcrest and Dahua branded cameras are impacted, it is likely that many others have this vulnerability as well.

Statement From Dahua

Dahua spokesperson Tim Shen provided this statement to IPVM:

Dahua Security Team and R&D Team have conducted an emergency investigation, and the preliminary results are as follows:

  1. Video talk unauthorized download vulnerability - Due to the relevant functional modules have been code refactored, this vulnerability does not exist after refactoring. Some EOL products may have security risks. We have a plan to repair the related products.
  1. Replay attack vulnerability: This vulnerability is a newly discovered and it does affect some Dahua products. We are still investigating the scope of impact.

Dahua uses the secure login authentication method “Digest” by default, but in order to be compatible with early devices, we also retain support for the login authentication method with insufficient security. This vulnerability just exploits these insecure login authentication methods.

Get Notified of Video Surveillance Breaking News
Get Notified of Video Surveillance Breaking News

Compatibility is a common problem faced by manufacturers in the industry, and we are working hard to solve this problem. [emphasis added]

Dahua Vulnerability Explained

The vulnerability was first reported to Dahua in May 2019. Research Engineer Jacob Baines of Tenable uncovered a vulnerability within an Amcrest (Dahua OEM) camera's firmware (PoC found here, CVE-2019-3948), which allows unauthenticated access to the audio stream. The endpoint, /videotalk, can be accessed unauthenticated.

Baines video embedded below demonstrates the exploit:

Based on that, IPVM began researching Dahua models and successfully gained unauthorized access to the audio stream using three separate methods.

First, we targeted a Dahua camera (specifically the 4K Starlight box camera, IPC-HF8835F tested here) with the script used to exploit the Amcrest camera. The gif below demonstrates connecting the to the endpoint and the download starts.

Dahua-Unauthorized-Audio-Connection

The output file not created due to either a flaw in the original PoC or format/protocol mismatch between Amcrest (alaw) and Dahua.

The next method was using VLC media player to open the stream, again without being prompted for credentials. It appears that VLC is not playing the audio, however using wireshark shows the data stream immediately upon the sending the VLC command. Our test workstation is 172.20.128.117, and the camera is 172.20.129.132 below.

Dahua-Audio-Stream-Shown-in-Wireshark

Then we were more simply able to hit the /videotalk endpoint in a browser and initiated the audio stream / download.

Dahua-Vulnerability-Accessed-via-Browser

Disabling Audio Does Not Resolve

IPVM originally tested the camera after factory defaulting it (audio is defaulted on) and was able to gain unauthorized access. However, even after disabling audio within the camera's web interface, we were still able to get access via all of the methods outlined above.

June 2019 Firmware Fixes In Model Tested

After updating to firmware 2.622.0000000.7.R, Build Date: 2019-06-19 the endpoint is protected with a username / password dialog box as shown below and the attacks described above failed.

Updated Dahua Firmware Password Protected

There are no release notes available with the firmware explaining that a known vulnerability was fixed, nor is there any evidence that this was communicated in any other way.

Problematic Response From Amcrest Technical Support

Amcrest's response was also problematic and confusing. The vulnerable firmware is a higher revision (2.5xx) than the patched firmware version (2.4xx), which is atypical, to say the least.

On our first call, we explained the vulnerability and confusion about the firmware release and our desire to verify that information is accurate. Amcrest hung up on us. On our second call, we were told that the firmware addressed compatibility with chrome and email alerting improvements, but had nothing to do with audio. The release notes mention vague "Additional security enhancements." but no clarity about the specific vulnerability at risk.

Risks Higher With Audio

While video vulnerabilities have definitely increased in awareness and attention, audio is even more sensitive as laws tend to be stricter about audio being recorded without consent. These Dahua vulnerabilities enable wiretapping. While most IP camera users do not use audio, that this can be exploited without any such use or even if explicitly disabled, raises real concerns.

Problems With Dahua Response

As problematic is Dahua's lack of response and disclosure. Dahua has known about this for nearly 3 months (reported on May 8th, today is August 2nd). Yet despite that, they have not issued a public notification nor given any clarity about what specific models are or are not impacted and, by their own admission, still have another vulnerability to fix.

This is not a new problem for Dahua. In 2017, when they had their massive backdoor, they struggled for many months to properly and clearly communicate and fix what was vulnerable.

Given their US government ban, Dahua may be understandably reticent to call attention to new vulnerabilities. However, if they do not and are caught, as they are here, it further decreases trust.

UPDATE

UPDATE: Dahua has issued a security advisory today August 2, 2019 - "VideoTalk function of some Dahua products have security risks", in which they say they knew about this in 2018 yet never disclosed this.

6 reports cite this report:

US DoD Comments on Huawei, Hikvision, Dahua Cyber Security Concerns on Oct 16, 2019
A senior DoD official said the US is "concerned" with the cybersecurity of Hikvision, Dahua, and Huawei due to "CCP" (China Communist Party)...
Dahua New Critical Vulnerability 2019 on Sep 23, 2019
Dahua has quietly admitted 5 new vulnerabilities including 1 critical vulnerability with a 9.8 / 10.0 CVSS score and 2 high vulnerabilities (scored...
3 Weeks Later, Honeywell Still Cannot Say Whether They Are Vulnerable To Dahua Wiretapping [Now Admits] on Aug 27, 2019
The Dahua wiretapping vulnerability and Dahua's decision to delay disclosing it until IPVM inquired underscored problems with cybersecurity and...
Dahua OEM Directory on Aug 16, 2019
US Government banned Dahua OEMs for dozens of companies. The following directory includes 40+ of those companies with a graphic and links to...
Honeywell Speaks On NDAA Ban, New Non-Banned Cameras and Cybersecurity on Aug 06, 2019
For years, Honeywell has depended on Dahua, a company with a poor cybersecurity track record and now banned by the US NDAA, for the development and...
Directory of Video Surveillance Cybersecurity Vulnerabilities and Exploits on May 02, 2018
This list compiles reported exploits for security products, and is updated regularly. We have summarized exploits by date and by manufacturer,...
Comments (52) : PRO Members only. Login. or Join.

Related Reports

Hikvision DS 2nd Gen Intercom Tested on Dec 12, 2019
With its newest IP intercom, Hikvision proclaims users can 'get full control over an entrance' regardless of where it is installed, home or office...
Avigilon H4 Intercom Tested on Nov 20, 2019
Avigilon is well-known for video surveillance and access, but how well does the company's intercom work? We purchased and tested Avigilon's H4...
Last Chance - Register Now - October 2019 IP Networking Course on Oct 10, 2019
Last Chance - Register Now - Fall 2019 IP Networking Course. The course starts next week. This is the only networking course designed...
Commend ID5 Intercom Tested on Sep 12, 2019
Commend touts the new ID5 intercom as 'timelessly elegant' and the slim body, glass front touchscreen indeed looks better than common, but ugly,...
Critical Vulnerability Across 18+ Network Switch Vendors: Cisco, Netgear, More on Aug 26, 2019
Cisco, Netgear and more than a dozen other brands, including small Asian ones, have been found to share the same critical vulnerability, discovered...
Dahua OEM Directory on Aug 16, 2019
US Government banned Dahua OEMs for dozens of companies. The following directory includes 40+ of those companies with a graphic and links to...
Axis Door Station A8207-VE Tested on Aug 07, 2019
Axis newest door station, the A8207-VE, claims to deliver "video surveillance, two-way communication, and access control" in a single device. But...
"Stats Don't Lie" Says Deceptive IFSEC on Jul 30, 2019
While IFSEC has declared #statsdontlie and trumpeted seemingly skyrocketing visitor numbers, they are decieving about their show's problems. On...
HD Analog vs IP Guide on Jul 16, 2019
For years, HD resolution and single cable signal/power were IP camera advantages, with analog cameras limited to much lower resolution and...

Most Recent Industry Reports

Video Surveillance 101 Course Opened on Dec 12, 2019
IPVM is adding a Video Surveillance 101 course, designed to help those new to the industry to quickly understand the most important terms,...
Verkada Notification Outage on Dec 12, 2019
Verkada is suffering an event notification outage and analytic search failures. Inside, we examine what the issues are, what Verkada told IPVM...
Hikvision DS 2nd Gen Intercom Tested on Dec 12, 2019
With its newest IP intercom, Hikvision proclaims users can 'get full control over an entrance' regardless of where it is installed, home or office...
Honeywell 30 Series Cameras Tested Vs Dahua and Hikvision on Dec 11, 2019
Honeywell has infamously OEMed Dahua and Hikvision for years, but now they have introduced an NDAA-compliant line, the 30 Series, claiming "lower...
"Good Market, Bad Business Models" - Residential Security on Dec 11, 2019
Industry banker John Mack, at his company's annual event, took aim squarely at the problems in the residential security...
IP Camera Browser Support: Who's Broken / Who Works on Dec 10, 2019
For many years, IP cameras depended on ActiveX control, whose security flaws have been known for more than a decade. The good news is that this is...
Acquisitions - Winners and Losers on Dec 10, 2019
Most major manufacturers have been acquired over the last decade. But which have been good deals or not? In this report, we analyze the...
IP Camera Installability Shootout 2019 - Avigilon, Axis, Bosch, Dahua, Hanwha, Hikvision, Uniview, Vivotek on Dec 09, 2019
What are the best and worst cameras to install? Which manufacturers make it the hardest or easiest to install their cameras? We tested 35 total...
Viisights Raises $10 Million, Behavior Analytics Company Profile on Dec 09, 2019
Viisights, an Israeli AI analytics startup marketing "Behavioral Understanding Systems", announced $10 million Series A funding. We spoke to...
Disruptor Wyze Releases Undisruptive Smartlock on Dec 06, 2019
While Wyze has disrupted the consumer IP camera market with ~$20 cameras, its entrance into smart locks is entirely undisruptive. We have...