Dahua Wiretapping Vulnerability

By: John Honovich and John Scanlan, Published on Aug 02, 2019

IPVM has validated, with testing, and from Dahua, that many Dahua cameras have a wiretapping vulnerability. Even if the camera's audio has been disabled, an attacker can still listen in unauthenticated.

dahua wiretapping vulnerability

Inside this report, we examine how it works, how it was originally found in an OEM partner's product, what Dahua has done and not, to date, to fix it.

Executive Summary

Here is what we have determined so far:

  • Dahua has quietly fixed this in some of their models (in a June 2019 release we tested) after a researcher reported it.
  • However, Dahua had not notified the public about this vulnerability and we can find no notice from Dahua online (e.g., the official Dahua USA cybersecurity update section has no listings for 2019 as of August 2, 2019).
  • Dahua has acknowledged one of two vulnerabilities still exists and that some models may not be fixed for either. We are awaiting further clarity about what models were affected, which have been fixed and which are not yet fixed.
  • Dahua cameras ship with audio enabled by default. Even if it is or was manually disabled, the vulnerability still worked.
  • UPDATE: Dahua has issued a security advisory today August 2, 2019 - VideoTalk function of some Dahua products have security risks, in which they say they knew about this in 2018 yet never disclosed this.

We have not determined what of the dozens of Dahua OEM partners are impacted, outside of Amcrest, where this was originally found, but given that Amcrest and Dahua branded cameras are impacted, it is likely that many others have this vulnerability as well. 

Statement From Dahua

Dahua spokesperson Tim Shen provided this statement to IPVM:

Dahua Security Team and R&D Team have conducted an emergency investigation, and the preliminary results are as follows:

  1. Video talk unauthorized download vulnerability - Due to the relevant functional modules have been code refactored, this vulnerability does not exist after refactoring. Some EOL products may have security risks. We have a plan to repair the related products.
  1. Replay attack vulnerability: This vulnerability is a newly discovered and it does affect some Dahua products. We are still investigating the scope of impact.

Dahua uses the secure login authentication method “Digest” by default, but in order to be compatible with early devices, we also retain support for the login authentication method with insufficient security. This vulnerability just exploits these insecure login authentication methods.

Get Notified of Video Surveillance Breaking News
Get Notified of Video Surveillance Breaking News

Compatibility is a common problem faced by manufacturers in the industry, and we are working hard to solve this problem. [emphasis added]

Dahua Vulnerability Explained

The vulnerability was first reported to Dahua in May 2019. Research Engineer Jacob Baines of Tenable uncovered a vulnerability within an Amcrest (Dahua OEM) camera's firmware (PoC found here, CVE-2019-3948), which allows unauthenticated access to the audio stream. The endpoint, /videotalk, can be accessed unauthenticated.

Baines video embedded below demonstrates the exploit:

Based on that, IPVM began researching Dahua models and successfully gained unauthorized access to the audio stream using three separate methods.

First, we targeted a Dahua camera (specifically the 4K Starlight box camera, IPC-HF8835F tested here) with the script used to exploit the Amcrest camera. The gif below demonstrates connecting the to the endpoint and the download starts.

Dahua-Unauthorized-Audio-Connection

The output file not created due to either a flaw in the original PoC or format/protocol mismatch between Amcrest (alaw) and Dahua.

The next method was using VLC media player to open the stream, again without being prompted for credentials. It appears that VLC is not playing the audio, however using wireshark shows the data  stream immediately upon the sending the VLC command.  Our test workstation is 172.20.128.117, and the camera is 172.20.129.132 below. 

Dahua-Audio-Stream-Shown-in-Wireshark

Then we were more simply able to hit the /videotalk endpoint in a browser and initiated the audio stream / download.

Dahua-Vulnerability-Accessed-via-Browser

Disabling Audio Does Not Resolve

IPVM originally tested the camera after factory defaulting it (audio is defaulted on) and was able to gain unauthorized access. However, even after disabling audio within the camera's web interface, we were still able to get access via all of the methods outlined above. 

June 2019 Firmware Fixes In Model Tested

After updating to firmware 2.622.0000000.7.R, Build Date: 2019-06-19 the endpoint is protected with a username / password dialog box as shown below and the attacks described above failed.

Updated Dahua Firmware Password Protected

There are no release notes available with the firmware explaining that a known vulnerability was fixed, nor is there any evidence that this was communicated in any other way.

Problematic Response From Amcrest Technical Support

Amcrest's response was also problematic and confusing. The vulnerable firmware is a higher revision (2.5xx) than the patched firmware version (2.4xx), which is atypical, to say the least.

On our first call, we explained the vulnerability and confusion about the firmware release and our desire to verify that information is accurate. Amcrest hung up on us. On our second call, we were told that the firmware addressed compatibility with chrome and email alerting improvements, but had nothing to do with audio. The release notes mention vague "Additional security enhancements." but no clarity about the specific vulnerability at risk.

Risks Higher With Audio

While video vulnerabilities have definitely increased in awareness and attention, audio is even more sensitive as laws tend to be stricter about audio being recorded without consent. These Dahua vulnerabilities enable wiretapping. While most IP camera users do not use audio, that this can be exploited without any such use or even if explicitly disabled, raises real concerns.

Problems With Dahua Response

As problematic is Dahua's lack of response and disclosure. Dahua has known about this for nearly 3 months (reported on May 8th, today is August 2nd). Yet despite that, they have not issued a public notification nor given any clarity about what specific models are or are not impacted and, by their own admission, still have another vulnerability to fix.

This is not a new problem for Dahua. In 2017, when they had their massive backdoor, they struggled for many months to properly and clearly communicate and fix what was vulnerable.

Given their US government ban, Dahua may be understandably reticent to call attention to new vulnerabilities. However, if they do not and are caught, as they are here, it further decreases trust.

UPDATE

UPDATE: Dahua has issued a security advisory today August 2, 2019 - "VideoTalk function of some Dahua products have security risks", in which they say they knew about this in 2018 yet never disclosed this.

3 reports cite this report:

Dahua OEM Directory 2019 on Aug 16, 2019
US Government banned Dahua OEMs for dozens of companies. The following directory includes 40+ of those companies with a graphic and links to...
Honeywell Speaks On NDAA Ban, New Non-Banned Cameras and Cybersecurity on Aug 06, 2019
For years, Honeywell has depended on Dahua, a company with a poor cybersecurity track record and now banned by the US NDAA, for the development and...
Directory of Video Surveillance Cybersecurity Vulnerabilities and Exploits on May 02, 2018
This list compiles reported exploits for security products, and is updated regularly. We have summarized exploits by date and by manufacturer,...
Comments (52) : PRO Members only. Login. or Join.

Related Reports

Dahua OEM Directory 2019 on Aug 16, 2019
US Government banned Dahua OEMs for dozens of companies. The following directory includes 40+ of those companies with a graphic and links to...
Axis Door Station A8207-VE Tested on Aug 07, 2019
Axis newest door station, the A8207-VE, claims to deliver "video surveillance, two-way communication, and access control" in a single device. But...
"Stats Don't Lie" Says Deceptive IFSEC on Jul 30, 2019
While IFSEC has declared #statsdontlie and trumpeted seemingly skyrocketing visitor numbers, they are decieving about their show's problems. On...
LifeSafety Power NetLink Vulnerabilities And Problematic Response on May 20, 2019
'Power supplies' are not devices that many think about when considering vulnerabilities but as more and more devices go 'online', the risks for...
Inside Look Into Scam Market Research on May 17, 2019
Scam market research has exploded over the last few years becoming the most commonly cited 'statistics' for most industries, despite there clearly...
China PRC Government New National Video Surveillance Standards on May 14, 2019
The People's Republic of China (PRC) government has released a new set of overarching standards for authorities to follow when they install video...
Verkada False Allegations Against Avigilon Exposed on May 08, 2019
Verkada has leveled false allegations against Avigilon, as part of their aggressive marketing tactics against the 'dinosaurs' in the 'ancient'...
Register Now - Fall 2019 IP Networking Course on May 02, 2019
Register for the Fall 2019 IP Networking Course. For early registration save $50 off the course's normal $299 price. This is the only networking...
Verkada Salesman: IPVM "Stuck In A The Stone Age" on Apr 25, 2019
Verkada is 'tackling dinosaurs' and battling those, like IPVM, who are 'stuck in a the stone age'. Verkada's recent sales recruiting promotion...

Most Recent Industry Reports

China Dahua Replaces Their Software With US Pepper on Aug 22, 2019
What does a US government banned company do to improve its security positioning in the US? Well, Dahua is unveiling a novel solution, partnering...
Security Integrators Outlook On Remaining Integrators In 2025 on Aug 22, 2019
The industry has changed substantially in the last decade, with the rise of IP cameras and the race to the bottom. Indeed, more changes may be...
First GDPR Facial Recognition Fine For Sweden School on Aug 22, 2019
A school in Sweden has been fined $20,000 for using facial recognition to keep attendance in what is Sweden's first GDPR fine. Notably, the fine is...
Anyvision Facial Recognition Tested on Aug 21, 2019
Anyvision is aiming for $1 billion in revenue by 2022, backed by $74 million in funding. But does their performance live up to the hype they have...
Dahua 4K Camera Shootout on Aug 20, 2019
Dahua's new Pro Series 4K N85CL5Z claims to "deliver superior images in all lighting and environmental conditions", but how does this compare to...
ZK Teco Atlas Access Control Tested on Aug 20, 2019
Who needs access specialists? China-based ZKTeco claims its newest access panel 'makes it very easy for anyone to learn and install access control...
Uniview Beats Intel In Trademark Lawsuit on Aug 19, 2019
Uniview has won a long-running trademark lawsuit brought by Intel, with Beijing's highest court reversing an earlier Intel win, centered on...
Suprema Biometric Mass Leak Examined on Aug 19, 2019
While Suprema is rarely discussed even within the physical security market, the South Korean biometrics manufacturer made global news this past...
Verkada People And Face Analytics Tested on Aug 16, 2019
This week, Verkada released "People Analytics", including face analytics that they describe is a "game-changing feature" that "pushes the...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact