A major cyber security vulnerability across many Dahua products has been discovered by an independent researcher, reported on IPVM, verified by IPVM and confirmed by Dahua.
A 'number' of Dahua HDCVI and IP cameras and recorders are impacted, says Dahua, so far they are listing 11 models but the total will certainly be much higher as they continue to test / confirm. Current firmware Dahua products are vulnerable to this.
Firmware updates are available for the first 11 models listed, more should come later this week. When they are, we urge you to immediately upgrade firmware.
[UPDATE: Dahua has not listed anymore models but they are hiding / delaying because there are surely far more devices impacted and they must know that (simply because many partners have independently verified many more models impacted). Do not check that list and assume you are safe simply because your device is not listed. Eventually, hopefully, Dahua will disclose all the devices impacted.]
This backdoor allows remote unauthorized admin access via the web and is therefore extremely severe. Dahua's statement does not acknowledge this at all. Moreover, our testing shows the exploit is simple to execute.
Dahua Says Error
Dahua says this was an error ('coding issue') and was not done intentionally. While only Dahua can know their intentions, such an error in production for so long and so widely would be an extreme engineering failure. Moreover, the researcher expresses skepticism of the error claim, examined further below.
UPDATE: DHS Advisory Released
DHS issued an advisory on this backdoor in May 2017.
Vote / Poll
A proof of concept script has been developed by the researcher. The script was shared on Github and IPVM (see here) for a short period of time over the weekend. It was then removed after Dahua spoke with the researcher. The researcher plans to re-release it on April 5th. However, prudence dictates not waiting to upgrade given the severity and simplicity of conducting it.
UPDATE: The researcher has decided not to re-release it due to the large number of devices at risk and that third parties have already validated it. However, knowledge of how to exploit the backdoor is growing and impacted devices should certainly be upgraded / patched.
Thanks To Researcher Bashis
Thanks and credit should be given to the anonymous researcher Bashis who discovered this vulnerability. This is the 3rd one impacting video surveillance in the past year. He also discovered the Axis critical security vulnerability and QNAP critical security vulnerability. He has done it to improve his own skills, he says, but he has surely helped the industry overall by forcing major manufacturers to take cyber security seriously.
Test Results / Market Impact
Inside we share test results of the script, demonstrating how it works and the impact on Dahua and the industry.