Dahua Wiretapping Vulnerability

By John Honovich and John Scanlan, Published on Aug 02, 2019

IPVM has validated, with testing, and from Dahua, that many Dahua cameras have a wiretapping vulnerability. Even if the camera's audio has been disabled, an attacker can still listen in unauthenticated.

IPVM Image

Inside this report, we examine how it works, how it was originally found in an OEM partner's product, what Dahua has done and not, to date, to fix it.

Executive Summary

Here is what we have determined so far:

  • Dahua has quietly fixed this in some of their models (in a June 2019 release we tested) after a researcher reported it.
  • However, Dahua had not notified the public about this vulnerability and we can find no notice from Dahua online (e.g., the official Dahua USA cybersecurity update section has no listings for 2019 as of August 2, 2019).
  • Dahua has acknowledged one of two vulnerabilities still exists and that some models may not be fixed for either. We are awaiting further clarity about what models were affected, which have been fixed and which are not yet fixed.
  • Dahua cameras ship with audio enabled by default. Even if it is or was manually disabled, the vulnerability still worked.
  • UPDATE: Dahua has issued a security advisory today August 2, 2019 - VideoTalk function of some Dahua products have security risks, in which they say they knew about this in 2018 yet never disclosed this.

We have not determined what of the dozens of Dahua OEM partners are impacted, outside of Amcrest, where this was originally found, but given that Amcrest and Dahua branded cameras are impacted, it is likely that many others have this vulnerability as well.

Statement From Dahua

Dahua spokesperson Tim Shen provided this statement to IPVM:

Dahua Security Team and R&D Team have conducted an emergency investigation, and the preliminary results are as follows:

  1. Video talk unauthorized download vulnerability - Due to the relevant functional modules have been code refactored, this vulnerability does not exist after refactoring. Some EOL products may have security risks. We have a plan to repair the related products.
  1. Replay attack vulnerability: This vulnerability is a newly discovered and it does affect some Dahua products. We are still investigating the scope of impact.

Dahua uses the secure login authentication method “Digest” by default, but in order to be compatible with early devices, we also retain support for the login authentication method with insufficient security. This vulnerability just exploits these insecure login authentication methods.

Get Notified of Video Surveillance Breaking News
Get Notified of Video Surveillance Breaking News

Compatibility is a common problem faced by manufacturers in the industry, and we are working hard to solve this problem. [emphasis added]

Dahua Vulnerability Explained

The vulnerability was first reported to Dahua in May 2019. Research Engineer Jacob Baines of Tenable uncovered a vulnerability within an Amcrest (Dahua OEM) camera's firmware (PoC found here, CVE-2019-3948), which allows unauthenticated access to the audio stream. The endpoint, /videotalk, can be accessed unauthenticated.

Baines video embedded below demonstrates the exploit:

Based on that, IPVM began researching Dahua models and successfully gained unauthorized access to the audio stream using three separate methods.

First, we targeted a Dahua camera (specifically the 4K Starlight box camera, IPC-HF8835F tested here) with the script used to exploit the Amcrest camera. The gif below demonstrates connecting the to the endpoint and the download starts.

Dahua-Unauthorized-Audio-Connection

The output file not created due to either a flaw in the original PoC or format/protocol mismatch between Amcrest (alaw) and Dahua.

The next method was using VLC media player to open the stream, again without being prompted for credentials. It appears that VLC is not playing the audio, however using wireshark shows the data stream immediately upon the sending the VLC command. Our test workstation is 172.20.128.117, and the camera is 172.20.129.132 below.

Dahua-Audio-Stream-Shown-in-Wireshark

Then we were more simply able to hit the /videotalk endpoint in a browser and initiated the audio stream / download.

Dahua-Vulnerability-Accessed-via-Browser

Disabling Audio Does Not Resolve

IPVM originally tested the camera after factory defaulting it (audio is defaulted on) and was able to gain unauthorized access. However, even after disabling audio within the camera's web interface, we were still able to get access via all of the methods outlined above.

June 2019 Firmware Fixes In Model Tested

After updating to firmware 2.622.0000000.7.R, Build Date: 2019-06-19 the endpoint is protected with a username / password dialog box as shown below and the attacks described above failed.

IPVM Image

There are no release notes available with the firmware explaining that a known vulnerability was fixed, nor is there any evidence that this was communicated in any other way.

Problematic Response From Amcrest Technical Support

Amcrest's response was also problematic and confusing. The vulnerable firmware is a higher revision (2.5xx) than the patched firmware version (2.4xx), which is atypical, to say the least.

On our first call, we explained the vulnerability and confusion about the firmware release and our desire to verify that information is accurate. Amcrest hung up on us. On our second call, we were told that the firmware addressed compatibility with chrome and email alerting improvements, but had nothing to do with audio. The release notes mention vague "Additional security enhancements." but no clarity about the specific vulnerability at risk.

Risks Higher With Audio

While video vulnerabilities have definitely increased in awareness and attention, audio is even more sensitive as laws tend to be stricter about audio being recorded without consent. These Dahua vulnerabilities enable wiretapping. While most IP camera users do not use audio, that this can be exploited without any such use or even if explicitly disabled, raises real concerns.

Problems With Dahua Response

As problematic is Dahua's lack of response and disclosure. Dahua has known about this for nearly 3 months (reported on May 8th, today is August 2nd). Yet despite that, they have not issued a public notification nor given any clarity about what specific models are or are not impacted and, by their own admission, still have another vulnerability to fix.

This is not a new problem for Dahua. In 2017, when they had their massive backdoor, they struggled for many months to properly and clearly communicate and fix what was vulnerable.

Given their US government ban, Dahua may be understandably reticent to call attention to new vulnerabilities. However, if they do not and are caught, as they are here, it further decreases trust.

UPDATE

UPDATE: Dahua has issued a security advisory today August 2, 2019 - "VideoTalk function of some Dahua products have security risks", in which they say they knew about this in 2018 yet never disclosed this.

8 reports cite this report:

Dahua Critical Cloud Vulnerabilities on May 12, 2020
Dahua has acknowledged a series of cloud vulnerabilities that researcher...
China DVR/NVR Backdoor Discovered, Huawei Refutes on Feb 07, 2020
A backdoor was found in Chinese-produced DVRs and NVRs that secretly allowed...
US DoD Comments on Huawei, Hikvision, Dahua Cyber Security Concerns on Oct 16, 2019
A senior DoD official said the US is "concerned" with the cybersecurity of...
Dahua New Critical Vulnerability 2019 on Sep 23, 2019
Dahua has quietly admitted 5 new vulnerabilities including 1 critical...
3 Weeks Later, Honeywell Still Cannot Say Whether They Are Vulnerable To Dahua Wiretapping [Now Admits] on Aug 27, 2019
The Dahua wiretapping vulnerability and Dahua's decision to delay disclosing...
Dahua OEM Directory on Aug 16, 2019
This directory includes US Government banned Dahua OEMs for dozens of...
Honeywell Speaks On NDAA Ban, New Non-Banned Cameras and Cybersecurity on Aug 06, 2019
For years, Honeywell has depended on Dahua, a company with a poor...
Directory of Video Surveillance Cybersecurity Vulnerabilities and Exploits on May 02, 2018
This list compiles reported exploits for security products, and is updated...
Comments (52) : Members only. Login. or Join.

Related Reports

Dahua Critical Cloud Vulnerabilities on May 12, 2020
Dahua has acknowledged a series of cloud vulnerabilities that researcher...
Dahua Taunts Australian Government, Continues To Sell Illegal Fever Cameras on Aug 10, 2020
Dahua is effectively taunting the Australian government by continuing to sell...
Wrong Dahua Australia Medical Device Approved on Jul 20, 2020
Dahua's body temperature system is now in Australia's medical device...
Uniview Deep Learning Camera Tested on Jul 14, 2020
Uniview's intrusion analytics have performed poorly in our shootouts. Now,...
Dahua, Hikvision, ZKTeco Face Mask Detection Shootout on Jun 19, 2020
Temperature tablets with face mask detection are one of the hottest trends in...
Avigilon Face Mask Detection Tested on Jun 24, 2020
Face mask detection or, more specifically not wearing a face mask, is an...
Hanwha Face Mask Detection Tested on Jul 01, 2020
Face mask detection or, more specifically lack-of-face-mask detection, is an...
US GSA Explains NDAA 889 Part B Blacklisting on Jul 31, 2020
With the 'Blacklist Clause' going into effect August 13 that bans the US...
Face Masks Increase Face Recognition Errors Says NIST on Aug 04, 2020
COVID-19 has led to widespread facemask use, which as IPVM testing has shown...
WDR Cheat Sheet and Camera Tracking - 30 Manufacturers on Aug 26, 2020
Manufacturers are regularly cryptic about what WDR support they actually...
NDAA Compliant Video Surveillance Whitelist on Aug 10, 2020
This report aggregates video surveillance products that manufacturers have...
Dahua USA Admits Thermal Solutions "Qualify As Medical Devices" on Jul 02, 2020
Dahua USA has issued a press release admitting a controversial point in the...
Camect Presents Residential Market Smart NVR with AI Analytics on Aug 19, 2020
Camect presented its AI video analytics enhanced NVR at the May 2020 IPVM...
Avigilon Social Distancing Analytics Tested on Aug 26, 2020
Avigilon released its social distancing analytics in response to the...
Temperature Tablet Shootout - Dahua, Hikvision, ZKTeco, TVT + 5 More on Sep 30, 2020
Temperature tablets, aka terminal or stations, have emerged as a 'low-cost...

Recent Reports

GDPR Impact On Temperature / Fever Screening Explained on Oct 22, 2020
What impact does GDPR have on temperature screening? Do you risk a GDPR fine...
Security And Safety Things (S&ST) Tested on Oct 22, 2020
S&ST, a Bosch spinout, is spending tens of millions of dollars aiming to...
Nokia Fever Screening Claims To "Advance Fight Against COVID-19" on Oct 22, 2020
First IBM, then briefly Clorox, and now Nokia becomes the latest Fortune 500...
Deceptive Meridian Temperature Tablets Endanger Public Safety on Oct 21, 2020
IPVM's testing of and investigation into Meridian Kiosk's temperature...
Honeywell 30 Series and Vivotek NVRs Tested on Oct 21, 2020
The NDAA ban has driven many users to look for low-cost NVRs not made by...
Avigilon Aggressive Trade-In Program Takes Aim At Competitors on Oct 20, 2020
Avigilon has launched one of the most aggressive trade-in programs the video...
Mexico Video Surveillance Market Overview 2020 on Oct 20, 2020
Despite being neighbors, there are key differences between the U.S. and...
Dahua Revenue Grows But Profits Down, Cause Unclear on Oct 20, 2020
While Dahua's overall revenue was up more than 12% in Q3 2020, a significant...
Illegal Hikvision Fever Screening Touted In Australia, Government Investigating, Temperature References Deleted on Oct 20, 2020
The Australian government told IPVM that they are investigating a Hikvision...
Panasonic Presents i-PRO Cameras and Video Analytics on Oct 19, 2020
Panasonic i-PRO presented its X-Series cameras and AI video analytics at the...
Augmented Reality (AR) Cameras From Hikvision and Dahua Examined on Oct 19, 2020
Hikvision, Dahua, and other China companies are marketing augmented reality...
18 TB Video Surveillance Drives (WD and Seagate) on Oct 19, 2020
Both Seagate and Western Digital recently announced 18TB hard drives...
Watrix Gait Recognition Profile on Oct 16, 2020
Watrix is the world's only gait recognition surveillance provider IPVM has...
Intel Presents Edge-to-Cloud Ecosystem for Video Analytics on Oct 16, 2020
Intel presented its processors and software toolkit for computer vision at...