Dahua Wiretapping Vulnerability

IPVM has validated, with testing, and from Dahua, that many Dahua cameras have a wiretapping vulnerability. Even if the camera's audio has been disabled, an attacker can still listen in unauthenticated.

Inside this report, we examine how it works, how it was originally found in an OEM partner's product, what Dahua has done and not, to date, to fix it.

Executive Summary

Here is what we have determined so far:

• Dahua has quietly fixed this in some of their models (in a June 2019 release we tested) after a researcher reported it.
• However, Dahua had not notified the public about this vulnerability and we can find no notice from Dahua online (e.g., the official Dahua USA cybersecurity update section has no listings for 2019 as of August 2, 2019).
• Dahua has acknowledged one of two vulnerabilities still exists and that some models may not be fixed for either. We are awaiting further clarity about what models were affected, which have been fixed and which are not yet fixed.
• Dahua cameras ship with audio enabled by default. Even if it is or was manually disabled, the vulnerability still worked.
• UPDATE: Dahua has issued a security advisory today August 2, 2019 - VideoTalk function of some Dahua products have security risks, in which they say they knew about this in 2018 yet never disclosed this.

We have not determined what of the dozens of Dahua OEM partners are impacted, outside of Amcrest, where this was originally found, but given that Amcrest and Dahua branded cameras are impacted, it is likely that many others have this vulnerability as well.

Statement From Dahua

Dahua spokesperson Tim Shen provided this statement to IPVM:

Dahua Security Team and R&D Team have conducted an emergency investigation, and the preliminary results are as follows:

1. Video talk unauthorized download vulnerability - Due to the relevant functional modules have been code refactored, this vulnerability does not exist after refactoring. Some EOL products may have security risks. We have a plan to repair the related products.

2. Replay attack vulnerability: This vulnerability is a newly discovered and it does affect some Dahua products. We are still investigating the scope of impact.

Dahua uses the secure login authentication method “Digest” by default, but in order to be compatible with early devices, we also retain support for the login authentication method with insufficient security. This vulnerability just exploits these insecure login authentication methods.

Compatibility is a common problem faced by manufacturers in the industry, and we are working hard to solve this problem. [emphasis added]

Dahua Vulnerability Explained

The vulnerability was first reported to Dahua in May 2019. Research Engineer Jacob Baines of Tenable uncovered a vulnerability within an Amcrest (Dahua OEM) camera's firmware (PoC found here, CVE-2019-3948), which allows unauthenticated access to the audio stream. The endpoint, /videotalk, can be accessed unauthenticated.

Baines video embedded below demonstrates the exploit:

Based on that, IPVM began researching Dahua models and successfully gained unauthorized access to the audio stream using three separate methods.

First, we targeted a Dahua camera (specifically the 4K Starlight box camera, IPC-HF8835F tested here) with the script used to exploit the Amcrest camera. The gif below demonstrates connecting the to the endpoint and the download starts.

The output file not created due to either a flaw in the original PoC or format/protocol mismatch between Amcrest (alaw) and Dahua.

The next method was using VLC media player to open the stream, again without being prompted for credentials. It appears that VLC is not playing the audio, however using wireshark shows the data stream immediately upon the sending the VLC command. Our test workstation is 172.20.128.117, and the camera is 172.20.129.132 below.

Then we were more simply able to hit the /videotalk endpoint in a browser and initiated the audio stream / download.

Disabling Audio Does Not Resolve

IPVM originally tested the camera after factory defaulting it (audio is defaulted on) and was able to gain unauthorized access. However, even after disabling audio within the camera's web interface, we were still able to get access via all of the methods outlined above.

June 2019 Firmware Fixes In Model Tested

After updating to firmware 2.622.0000000.7.R, Build Date: 2019-06-19 the endpoint is protected with a username / password dialog box as shown below and the attacks described above failed.

There are no release notes available with the firmware explaining that a known vulnerability was fixed, nor is there any evidence that this was communicated in any other way.

Problematic Response From Amcrest Technical Support

Amcrest's response was also problematic and confusing. The vulnerable firmware is a higher revision (2.5xx) than the patched firmware version (2.4xx), which is atypical, to say the least.

On our first call, we explained the vulnerability and confusion about the firmware release and our desire to verify that information is accurate. Amcrest hung up on us. On our second call, we were told that the firmware addressed compatibility with chrome and email alerting improvements, but had nothing to do with audio. The release notes mention vague "Additional security enhancements." but no clarity about the specific vulnerability at risk.

Risks Higher With Audio

While video vulnerabilities have definitely increased in awareness and attention, audio is even more sensitive as laws tend to be stricter about audio being recorded without consent. These Dahua vulnerabilities enable wiretapping. While most IP camera users do not use audio, that this can be exploited without any such use or even if explicitly disabled, raises real concerns.

Problems With Dahua Response

As problematic is Dahua's lack of response and disclosure. Dahua has known about this for nearly 3 months (reported on May 8th, today is August 2nd). Yet despite that, they have not issued a public notification nor given any clarity about what specific models are or are not impacted and, by their own admission, still have another vulnerability to fix.

This is not a new problem for Dahua. In 2017, when they had their massive backdoor, they struggled for many months to properly and clearly communicate and fix what was vulnerable.

Given their US government ban, Dahua may be understandably reticent to call attention to new vulnerabilities. However, if they do not and are caught, as they are here, it further decreases trust.

UPDATE

UPDATE: Dahua has issued a security advisory today August 2, 2019 - "VideoTalk function of some Dahua products have security risks", in which they say they knew about this in 2018 yet never disclosed this.