Dahua Wiretapping Vulnerability
**** *** *********, **** *******, *** from *****, **** **** ***** ******* have * *********** *************. **** ** the ******'* ***** *** **** ********, an ******** *** ***** ****** ** unauthenticated.
****** **** ******, ** ******* *** it *****, *** ** *** ********** found ** ** *** *******'* *******, what ***** *** **** *** ***, to ****, ** *** **.
Executive *******
**** ** **** ** **** ********** so ***:
- ***** *** ******* ***** **** ** some ** ***** ****** (** * June **** ******* ** ******) ***** a ********** ******** **.
- *******, ***** *** *** ******** *** public ***** **** ************* *** ** can **** ** ****** **** ***** online (*.*., *** ************* *** ************* ****** ********** ** ******** *** **** ** of ****** *, ****).
- ***** *** ************ *** ** *** vulnerabilities ***** ****** *** **** **** models *** *** ** ***** *** either. ** *** ******** ******* ******* about **** ****** **** ********, ***** have **** ***** *** ***** *** not *** *****.
- ***** ******* **** **** ***** ******* by *******. **** ** ** ** or *** ******** ********, *** ************* still ******.
- ******: ***** *** ****** * ******** advisory ***** ****** *, **** -********* ******** ** **** ***** ******** have ******** *****, ** ***** **** *** **** knew ***** **** ** **** *** never ********* ****.
** **** *** ********** **** ** the****** ** ***** *** *********** ********, ******* ** *******, ***** this *** ********** *****, *** ***** that ******* *** ***** ******* ******* are ********, ** ** ****** **** many ****** **** **** ************* ** well.
Statement **** *****
***** *************** ************ **** ********* ** ****:
***** ******** **** *** *&* **** have ********* ** ********* *************, *** the *********** ******* *** ** *******:
- ***** **** ************ ******** ************* - Due ** *** ******** ********** ******* have **** **** **********, **** ************* does *** ***** ***** ***********. Some *** ******** *** **** ******** *****. ** **** * **** to repair the related products.
- ****** ****** *************: This ************* ** * ***** ********** and it does affect some Dahua products. We are still investigating the scope of impact.
***** **** *** ****** ***** ************** method “******” ** *******, *** ** order ** ** ********** **** ***** devices, ** **** ****** ******* *** the ***** ************** ****** **** ************ security. **** ************* **** ******** ***** insecure ***** ************** *******.
************* ** * ****** ******* ***** by ************* ** *** ********, *** we *** ******* **** ** ***** this *******. [******** *****]
Dahua ************* *********
*** ************* *** ************* ** ***** ** *** ****. ******** ************* ************************ ************** ****** ** ******* (***** ***) ******'* ******** (*** ***** ****, ***-****-****), ***** ****** *************** ****** ** the ***** ******. *** ********, /*********, can ** ******** ***************.
****** ************* ***** ************ *** *******:
***** ** ****, **** ***** *********** Dahua ****** *** ************ ****** ************ access ** *** ***** ****** ***** three ******** *******.
*****, ** ******** * ***** ****** (specifically *** ** ********* *** ******, ***-******* ****** ****) **** *** ****** **** ** exploit *** ******* ******. *** *** below ************ ********** *** ** *** endpoint *** *** ******** ******.
*** ****** **** *** ******* *** to ****** * **** ** *** original *** ** ******/******** ******** ******* Amcrest (****) *** *****.
*** **** ****** *** ***** *** media ****** ** **** *** ******, again ******* ***** ******** *** ***********. It ******* **** *** ** *** playing *** *****, ******* ***** ********* shows *** **** ****** *********** **** the ******* *** *** *******. *** test *********** ** ***.**.***.***, *** *** camera ** ***.**.***.*** *****.
**** ** **** **** ****** **** to *** *** /********* ******** ** a ******* *** ********* *** ***** stream / ********.
Disabling ***** **** *** *******
**** ********** ****** *** ****** ***** factory ********** ** (***** ** ********* on) *** *** **** ** **** unauthorized ******. *******, **** ***** ********* audio ****** *** ******'* *** *********, we **** ***** **** ** *** access *** *** ** *** ******* outlined *****.
June **** ******** ***** ** ***** ******
***** ******** ** ******** *.***.*******.*.*, ***** Date: ****-**-** *** ******** ** ********* with * ******** / ******** ****** box ** ***** ***** *** *** attacks ********* ***** ******.
***** *** ** ******* ***** ********* with *** ******** ********** **** * known ************* *** *****, *** ** there *** ******** **** **** *** communicated ** *** ***** ***.
Problematic ******** **** ******* ********* *******
*******'* ******** *** **** *********** *** confusing. *** ********** ******** ** * higher ******** (*.***) **** *** ******* firmware ******* (*.***), ***** ** ********, to *** *** *****.
** *** ***** ****, ** ********* the ************* *** ********* ***** *** firmware ******* *** *** ****** ** verify **** *********** ** ********. ******* hung ** ** **. ** *** second ****, ** **** **** **** the ******** ********* ************* **** ****** and ***** ******** ************, *** *** nothing ** ** **** *****. *** release ***** ******* ***** "********** ******** enhancements." *** ** ******* ***** *** specific ************* ** ****.
Risks ****** **** *****
***** ***** *************** **** ********** ********* in ********* *** *********, ***** ** even **** ********* ** **** **** to ** ******** ***** ***** ***** recorded ******* *******. ***** ***** *************** enable ***********. ********* ** ****** ***** ** *** use *****, **** **** *** ** ********* without *** **** *** ** **** if ********** ********, ****** **** ********.
Problems **** ***** ********
** *********** ** *****'* **** ** response *** **********. ***** *** ***** about **** *** ****** * ****** (reported ** *** ***, ***** ** August ***). *** ******* ****, **** have *** ****** * ****** ************ nor ***** *** ******* ***** **** specific ****** *** ** *** *** impacted ***, ** ***** *** *********, still **** ******* ************* ** ***.
**** ** *** * *** ******* for *****. ** ****, **** **** had ************ ********, **** ************ **** ****** ** ******** *** clearly *********** *** *** **** *** vulnerable.
***** ***** ** ********** ***, ***** may ** ************** ******** ** **** attention ** *** ***************. *******, ** they ** *** *** *** ******, as **** *** ****, ** ******* decreases *****.
******
******: ***** *** ****** * ******** advisory ***** ****** *, **** - "********* ******** ** **** ***** ******** have ******** *****", ** ***** **** *** **** knew ***** **** ** **** *** never ********* ****.
*** ****** ****** ********* ***** ***** wiretapping ** * ************ ******? ** they **, **** *** ** **** have ***** ****** *** ***** **** around ***** *****. *** *** ***** listened ** *** *** **** ****** you *** ***** * ********** *** don't **** ******** ** ****. ***** me **** *** ********* ****** *** with *** ****** ****** **** ******* wiretapping **** ****** ******* *******. ** I ****** ** ******* **** ****** I ***** ****** *** ******** **** in *** ***** ** ***** ******** in * ******* **** *** ******** it * *** **** *****.
*** ***** ****** *********** *** ** not **** **** *** ***** **** MAC ************** ** *** ******* ********. Are ***** *********** *** ***'* **** what * ******* ****** **? **** are *** *******, *** *** *************. If ******* *****'* **** *** ** use *** ****** ** ***** *** is **** ****'* ***** ** **** run **** * ***** ****? ************ is *** **** ***** ** ***** security.
*** ****** ****** ********* ***** ***** wiretapping ** * ************ ******?
***, ****** *** ********** *********. *** uproar **** ****'* ****** ********** ***** this **** ** *** ***** *******, e.g. ****** **** ****’* ****** ********** *** ‘never ******** ** ** * ******’
*** *** ***** ******** ** *** the **** ****** *** *** ***** a ********** *** ***'* **** ******** at ****.
*** *** ***** **** *** **** people ** *** ****** **** ************ are ********** ***** ************* '*** *** time'. *** *** ******* ** *** uproar *****.
*** ***** *********** *** ***'* **** what * ******* ****** **? **** are *** *******, *** *** *************.
** ***** ***** * ************* **** integrators *** **** **** * **** and **'* *** **********'* *****? ** you ***** ***** ****** **** ********* this **** *****? *** ** *** not?
*** ***** ****** *********** *** ** not **** **** *** ***** **** MAC ************** ** *** ******* ********. Are ***** *********** *** ***'* **** what * ******* ****** **? **** are *** *******, *** *** *************. If ******* *****'* **** *** ** use *** ****** ** ***** *** is **** ****'* ***** ** **** run **** * ***** ****? ************ is *** **** ***** ** ***** security.
**** ** * ***** ***********. ** are *** ****** ** ******'* ******** what ****** **. **** ********* product ** **** ******* **** ** installed ** ***** ***** **** ********* IP ** ********* ** ******** ** government *****. ***** **** **** ***** be ** ***** ********* **** *** pressing *** ******, ***** *** **** covered ** *** *** **** *****'* manual. Did ***** ******** ** *** *** easily ********* ****-******* ************ ** ***** devices ** *** ******* ******?
* ** ****** **** *** ***** paragraph **** *** ***** ** ** satire *** **** ** *** ** the ****** ******** ******** *** ****** said. *** **** **** ******* ***** even ******* ** ****** ** ******* this ************* ** ********** ****-******* ** me...
**** ***'* **** *** ******, ** is ***** ****** ** ********.
**** ** **** ******* *** **** the ******* ******* ** **** *** can ** ******** ** *** **** there ** * ****** ******. ***, you ***** *** **** *** ** a ****** *** *** **** ****** would **** ** *** ** **** garage *****, *** *** ***** ****** the ***'* ******* ****** ** ** secure.
* ***** ** ********** ** *** how **** **** *** ******** ** this. ***** *** **** **** ******* names ** ***** **** ** *********** - *****, *********, ***.
*** **** **** *** ******** ** this. ***** *** **** **** ******* names ** ***** **** ** *********** - *****, *********, ***.
*** **** *** ***** *** *********...
**'* * **** ********. ******* ******** is *** **** ** ***** **** have **** **** **** ** ***** that ***** *************** *****?
*** **** *** ***** *** *********...
********* *****'* ****** **** ** ** my *****.
* ** ***** **** ** * serious ***** **** ** *** ***** covered. ** *** ******** *** *********** this *********** ** **** **** **** large, **** ******* ****** **** ***** themselves ** **** ********. ***** *** their **** **************, ********* *** ****** security, ***. *********, **** *** ****** truckloads ** *********** ******* ** **** their **** ****.
*** ****. ** *****, ********* **** ********* ******* ***** in ******* **** *** *** ********* ******* camera, **** ***** *** ***** *** their ******* ****.
**** ****, ************ *-******, *.*. *** **** *** in *** ********** ***** ****. *** ********* *** not ****** ****** *****, **** **** us **** **** **** ******** ** the **.
** ******, **** ***** *** **** was *********, ********** ******** ** ************. However ** *** ** ****, *** of ****.
*** **** '** ****', *** ** more ** ****** ** * *** to ******* **** ********* *** ********* to *** ***** ** ********* ***** of *** ***** **** **** *** even ***** *****.
** **** * **** ** *** many ****** **** ******* **. **** based ** *** *******, ** ******* to ** ***** *** *******, **************, and ***** **-** ****. ******/****** ****** a *** ** ****** ** *****'* mid-range, ***** **** **** "***-*****" ******** and "***" ** "****" ****.
******* *** ******* ***** *** **** likely ** ******* *****-** ****, ****** the ************* ********** ****** *** ***** models. *******, *** ******** ** ******** models** ********** *****-** ****, *** ******* ******* mic/line ******. ***** *** ****** ** audio ***, **'* ******** ******** ** connected ** **** ** *** *****.
************, *****'* ******** ** *** ****** North ******** **** ******* ***** **** checking *** ************* **** **** ********* for ***** ** *** ** *** Canada. **** **** *** ******** * list ** ***** ******** ****** ******** and ** *** **** * ******** available ***** *********. ** ****** ***** of **** * ****, *** ** know.
******* **** ****** ***, ******** ***** not *** *** ***** ******* ** Kali ** ******. *** ***** ** that **** ** ***** ** ** head. * **** *** *** *** undisclosed *** ***** **** **** ** save ***** *** **** ** ****** Dahua ******* ********* ** ********* ********** rooms. * **** ***** ******* * Dahua ****** ** ** **** *** if *** ****** **** ******* ** this ******* * **** *** *** just ********* *** **** *** **** the **** ********* ** ******* *****.
** *** ***'* *** *** **** repeating *** **** ****, ****** ** the ****** *** **** *******! :-) Enjoy
***'* **** *** **** *********** ***'* get ** ***** ***** ********** ****. Can *** ******* *** **** ******** issues **** ***** **** ** *** real *****?
...***** ** **** **** ********* ** laws **** ** ** ******** ***** audio ***** ******** ******* *******. ***** Dahua *************** ****** ***********.
*********** ** *** ***, ******* ******** with *****-** **** *** ***** ********* enabled ** ******* *** *************** ********* conversations ********.
******* ******** .... *************** ********* ************* everyday
** *** **** ***** *** ** least * ** * ******* ** a ***** ******, ****. **** *********** is **** **** ** **** **********. What ******** ** ****** ** *** have ****** ****?
* ** ***** **** **** ******** point **** ***** ****** ** ******** on ** *******, ** *******. *******, most *****, ** *** **********, ******* audio ********* *** ****** *** ** cameras ** *** ****** ******** ** default, ** ******* **'* ***** ******* to ************ ****** ***** ** ***** surveillance *******.
*******, **** *****, ** *** **********, disable ***** ********* *** ****** *** IP ******* ** *** ****** ******** by *******...
*** *** *** ** ** ****, I’m ******************* ***** ***. *’** **** *** other ********.
**** ** ************ ******* ***** ********* audio ** ******* ** ********* **** configured ****** * ******; * ******* our ********* ******* *****, *** ***** most ** **** ******* * ************* to ****** ***** *** *** *******/*******, I *** *** **** ** **** one **** ** ******* ******* ***** recording.
*******, * ** ********* ** "** default" ** *** "***-**-***-***" *******, ******* unless ** ************* ******* *** ****** it ** ********** ** ***.
** ** ** *******, ******* *** an ****** ** ****** "****** *****" as *** ****** ******* *******, ***** can ** ******* *** *** ******* during *** ************ ******, ** ********* in *** ****** ****, *** *** installation ******* ******* ** ***:
* *** **** **** ** ***** 6 ***** *** ****** ******* ** notes ** * *** ***** ***** tests *** ******* **** ** ** recording ***** "**" ** *** ***-**-***-*** setting.
* *** **** **** ** ***** 6 *****...
*** ****’* **********! ****** *** *** clarification.
* ******** ******* ** ********** ** audio ***** *********** ***** ******** ** any **** ** ********** *******.
*************, ******** ***** ********* ***** ******* ** ******* ** *********, **************, ***** ***** **** *** *** ** eavesdropping ** ***** ********* ** *** default ******, **** ** ********** * live **** ** *** ******.
(**#* ***)..................***** ** ***** ** **** old ***** ***** *****.....
**, *********** ******** ** * **** **?
**** ******* @ **#* /***
**, *********** ******** ** * **** **?
***** *********, *** **** ** * child **. - ****
** *** ********* ******** ********, *** need ** ******** ****** *********** *** speakers, **** *** ** ******* ******** for ***** ***** *******.
**** *** ******** ************* ****** ******* 2019 ** :
**, ***'** ***** ***** *** *** versions ?
* ******* ** **** ******* ***** the *** ****-********, ********* ****** *** Corporate, **** ***** *** **** ******** and ****** ***********.
* ******* ** **** ******* ***** the *** ****-********, ********* ****** *** Corporate...
****, *** **** ***** ***** **** you ****:
************** ******** ********, *** **** ** manually ****** *********** *** ********...
** *** *****, **** ****** **** is **** **** *** ***** ***** R1, ** ***** ******. ** **** have ******* ** ** *** **** 6 ******, **** *** ****.
* ****** ***** ******* * ******** camera ** *** ****** *** ******* it ********** **** ***** *** ******* by *******. * ******* **** *** careless ** *** ************ ***** *** audio ** ******* ** **** ***** of *** *****.
*** ** *** ***** * ******** stream ** ***** ****? *****’* *.*** allow ********* ** *****?
*** **** **** ***** *** ***** with *****?
****...********:
*** ***** **** ** **** ***** are ****** ***** ******** *** ******** think **'* * **** **** ** buy ***** ******* *** **** ** things **** ******** *** **********.... **** are *** ****** ** ******** ** that *** **'* *** **** ** counter **** ***** ** ******.
***** ***** ****** **** ******* ********. A ****** ***** **** ** ********** damage *** *** ** **** ** from ******* ** *****.
* ************ ***** ******* **** * Dahua *** **** ****, ******* ******** it *****, *** **** ****** **** ended **'* *************.
** ****** **** **** *** ** their ********* **** ******* *** **** so **** *** **** ** *****......
**** ***** ******* ***** ** ********:
*** **'* ******** ***** *** **** of ***-*** ***** *** *** ***** is *** *****'* ******-******* ******** *** aims ******** ** ** ** ********** provider, ***** ***** *** *** **********, much **** ***** **** ********.
** *** **** ** *********** **** about * *********** ********* ******* *** should ** *********** **** ********** ************ registry ** ** *** ********. **** Tenable **** * ********* - ***-****-****. Otherwise *** **** ***** ******* **** a ********* ******** *** **** ****** up ** * ******* ******** ** get ** **** ****** *** *** other ******-***'*. *** **** *** ******** here ****** **** *** ****** ******** around ** *****.
(***'** *** *** ***** **** ****. we're ***** ********* *** ******** ****** whether *** **-****** ******** *** ****** the ************* ******* *** ****** *** or *** *** ********** ** ****** job...)
********* *** **** ***** ******* **** a ********* ******** *** **** ****** up ** * ******* ******** ** get ** **** ****** *** *** other ******-***'*
** ****** ** *** ** *** multiple ********** **** *** ************, ***** is *** *** **** **** **** listing * ********* ******. *'** ***** the ********* ****** *** **'* * bit ***** ** ********* ** **** we ***** ***** ********* ** *********.
** **** *** *** *** **** to *** "*********" ********* ** **** the *********. **** *** ***** ** the ******* ******* *** ***** *** your **** ********** *** *** (***) saw **** *****. ****'* *** ***. When ** *** ***** ****** *** have ** ****** **** ***** ** new *******/****** ** **** ** **** through *** ********'* ******** ** ** that. **** ** *******. * ** giving *** *** **** ***** ** feedback * **** ** ***** ***** or *** ***** ** *** ******** since *** *** ***** ** * legitimate **** ****** ** **** **** of *****. **'* ******. ** *** known. *** ****** ** ******** ************. Of **** *** ****** ****** ** your ******* ** ******** *** *** vendor's *** ********. ******** *** ** us ******* **** **** ** ****** out ** ** *** ** **** and ****** ****.
******** *** ** ** ******* **** have ** ****** *** ** ** can ** **** *** ****** ****.
* **?
**** ** **** *********. *** **** I **** **** ****, ** ***** me ****** ***** * *** ****** I **** ******* **** ***** *******. 1. ** ** *** ******** ** set ** *****, **** *** ***** camera **** **** ** **'* ***** stream. * *** **** ** *** in *** ******, *** ** **** right **** ** ***** **. **** doesn't ****** ** * *** *** Dahua ******. *** . . . I **** **** ** ****** **** the *** *****'* **** *** ****** password, ** *** *** ***** ****** login ***********. ***** ****** ** ** number *. * **** ******* *** default **** *** ******** ** * Dahua ****** *** **** ***** **** able ** ***** ******* *** *** with *****/*****, *** **** ******* *****.
*.***** ** ********* ***** ***** ** with *** ****. * *** *** a ***** ******'* **** *** **** look **** * *** ******* ***** and ** *** *** ****** ** a ********* ****, ******** ** **** off. * **** ***** ***** *******. I **** ***** ****** ** **** servers. *** ******* *** *** **** server. * **** *** *** **** manually **** ** ** **** * few ******* ***** ** **** **** it *** *** ****** **** ** hour. **** ***** ********* ** * disconnect *** ******** ******* **** *** internet. *****. *.*. ***** ****?
** *** *** *** * ********* trace? *** *** ***** *** **'* doing *** ******* ****? ** **'* got * ********* *** ****** ** could ** ****. **** ******* ******** after ******* ** ***** *** ********* NTP ****** **** **** ****** ** helpful ** ******* **** ** **** NTP ****** **** ****. ******* ****** do **** ** ****** ** **** an *** ****** ** *****. (** they *** **** *** **'* *** reported **** ******* * *** ******...)
*** *** **** **** *** **** phoning **** ** *** ***** ****** or ********. **** ****** **** ******* the *****.
***** ******* - * ** ************ interested ** **** ** *** ********* branded ******* (*** *******) *** ******** by ****....
******* **** *** *** ********* ***** today. * ****** ** **** ** to ******* *** ***** *************.
**** ****** ********,
** **** ******** * *** ********* security *** ******* *********** ******** ****** for *** ********* ******* ****** ******:
WiFi ******:
****-****
****-****
****-*****
*** ****** *** *** ********.
*. *** *** ******* *** ********* that *** ****** ** *** *** file ********* ** *** ** ***
****** ** ****** ** ********, ***** to ******** ********, ** *** *** structure **** ** **** ** ********* them. Otherwise *** ******* ******** ** *** or *** **** ** *******.
*******.***/*****************
*********,
******* ****
* **** ***** ** "******* ** default ********" **** ** ******** ** delete *** *** ****** **** *** enable *** *** ********.
****, ****** *** *******. **** ** super ********. *** ***** **** * manufacturer ******* ********** * ******* ** upgrade **? **'** ***** ***** **** is ***** ** **** *** **** update ** **** *******.
**** *** *'* *** *********** *** significance ** **** *****, *** ***'* it **** **** *** ***** ** be ** *** ***** ******* ** order ** ******** **** *****? ****** the ****** ****** ** ****-********* ** the ******* *****, ***** ** *** smart *** *** ***** ****.
** ****** ** ***** **** ******* is * *** **** *** ** old *******, ****** **. ********** *** they **** *****.
*** ************, ****** *** * ******* of ***** *******, ****** ** *****, if *********, **** ** ***** **** a ******* *************, ******** ********* *** ****** ****** ** ****.
**** *****, *** ******* ** ****** Foscam’s ****** ** **** ******* *****:
**** ** *** **** **** ** their **** *******, *********** ****’* **** ***** of **** *** **** **** ** the ***** *****. *****!
***** ******** ********** **** **** ******* of *** ************* **** ***** ** 2018:
**** ******* ******** ** *** **** determined **** ****** ******* ***** ** 2018 ********* ** ***** ************* **** Dahua *** ********** ******* **. **** vulnerability *** ***** ** **** ** code ************ ** *** *******. ******* Dahua *** ******* *** ************* *******, the ********* *** ** ** *** also ******* ** *** ****. ** a ****** ** **** ****’* ******** issue ***** *** *** ********** **** all ****** ******** ***** *** **** optimization ** ****** ******* *** *************, and ***** ** ******* ** ******* all ***** ****** ***** ********.
** ******** ** ****** *** **** did *** ******** ** **** ** July ***** **** *** ******** ** them.
***** ******** ********** **** **** ******* of *** ************* **** ***** ** 2018:
** **** ************ ***** **? ****** like ***** ** **...
***** *** **** *** **** ******** to ***** *******:
**** ** **********. **** ** **** did *** **** ***** ** ** 2018, **** ********* **** ***** ** by *** **** ******* *** ********** Jacob ****** ******** ** ****. ***** is ***** *** ********** *** **** waited ***** ****.
Code ************ *******: How’s it coming?
Code *********: So, this week I finished converting a ***** **** ** *** *****, *** *** ********** ***** ***** before *** *********** ****, ** **’** saving * *** ***** ****** ***** time *** **** ***** ** (!), and ** ************* ***** ****** **’** ever ****. *** ***** *** *******, worldwide, ****** **** **!
Code ************ *******: Good, but what about that new audio stream code fragment that had you perplexed?
Code *********: No luck, so far. I’m not sure I can do anything with it, the thing is already optimized to the max - there’s no user authentication or policy check or endpoint verification, it doesn’t even write to the logs! It’s just pure data on demand on a fat pipe... The guy who wrote it must have been a genius!
******: ***** *** ****** * ******** advisory ***** ****** *, **** -********* ******** ** **** ***** ******** have ******** *****, * ******* ********* ** ** show ****** ******** *****:
***** ** ********* **** **** ***** this *** **** **** * ****, fixed **, ********* ** **** ** 2018, *** ***** ********* ** ***** today: