Dahua Backdoor UncoveredBy IPVM Team, Published on Mar 06, 2017
A major cyber security vulnerability across many Dahua products has been discovered by an independent researcher, reported on IPVM, verified by IPVM and confirmed by Dahua.
A 'number' of Dahua HDCVI and IP cameras and recorders are impacted, says Dahua [link no longer available], so far they are listing 11 models [link no longer available] but the total will certainly be much higher as they continue to test / confirm. Current firmware Dahua products are vulnerable to this.
Firmware updates are available for the first 11 models listed [link no longer available], more should come later this week. When they are, we urge you to immediately upgrade firmware.
[UPDATE: Dahua has not listed anymore models but they are hiding / delaying because there are surely far more devices impacted and they must know that (simply because many partners have independently verified many more models impacted). Do not check that list and assume you are safe simply because your device is not listed. Eventually, hopefully, Dahua will disclose all the devices impacted.]
This backdoor allows remote unauthorized admin access via the web and is therefore extremely severe. Dahua's statement [link no longer available] does not acknowledge this at all. Moreover, our testing shows the exploit is simple to execute.
Dahua Says Error
Dahua says this was an error ('coding issue') and was not done intentionally. While only Dahua can know their intentions, such an error in production for so long and so widely would be an extreme engineering failure. Moreover, the researcher expresses skepticism of the error claim, examined further below.
UPDATE: DHS Advisory Released
Vote / Poll
A proof of concept script has been developed by the researcher. The script was shared on Github and IPVM (see here) for a short period of time over the weekend. It was then removed after Dahua spoke with the researcher. The researcher plans to re-release it on April 5th. However, prudence dictates not waiting to upgrade given the severity and simplicity of conducting it.
UPDATE: The researcher has decided not to re-release it due to the large number of devices at risk and that third parties have already validated it. However, knowledge of how to exploit the backdoor is growing and impacted devices should certainly be upgraded / patched.
Thanks To Researcher Bashis
Thanks and credit should be given to the anonymous researcher Bashis who discovered this vulnerability. This is the 3rd one impacting video surveillance in the past year. He also discovered the Axis critical security vulnerability and QNAP critical security vulnerability. He has done it to improve his own skills, he says, but he has surely helped the industry overall by forcing major manufacturers to take cyber security seriously.
Test Results / Market Impact
Inside we share test results of the script, demonstrating how it works and the impact on Dahua and the industry.
Key Backdoor Element
The affected Dahua devices allow a configuration file containing usernames and passwords (among other info) to be downloaded without authentication. The URL is not published and not easily determined from the standard web interface, making it effectively hidden. However, once known, it is simple for anyone to do. [Note: for security reasons, we are not sharing the exact URL.]
The loop below shows the requesting the file from our Dahua test cam, and then scrolling through the contents to show the accounts/passwords:
This file is the "Backdoor", given that it contains a hashed value of the admin account password, which can be used to login to the device via a script or program.
Why Is All Of This Info In A Text File?
Usernames, passwords, and other config info are viewable/editable in the browser interface, but also need to be readable, and sometimes editable, by operating system processes. This scenario is common to embedded devices, and a simple text file is often used to store this information. The text file keeps the information in-tact if the device is rebooted, and makes it easily available to multiple programs/processes, however those files are often secured in such a way that makes them unable to be served up as webpages (even to authenticated users).
Other methods, such as a database, could be used to store these values, however, simply using a more complex storage mechanism does not inherently make the data more secure if other parts of the software allow this information to be exposed.
Downloading / Taking the User Info
Once the file is obtained, the script then proceeds to find and take the key information out (admin / name / password), as the segment below shows:
Using / Logging In
This Proof of Concept script only logs into the device, proving that it is able to gain access to the admin account. The following excerpt of the script shows the login attempt, followed immediately by a logout (the lines with a "#" symbol are comments and do not perform any actions).
The proof-of-concept code released by Bashis automated the process of downloading the config file, extracting the admin password hash, and then using that to compute the string the device would expect from a client sending a valid password that could be used to login. To execute the code you simply specify an IP address or hostname of a Dahua product you want to attack with the "--rhost" parameter:
The "200 OK" response after the script attempts to login is the Dahua camera in our test showing that it accepted the backdoor login request.
Though this proof-of-concept code does not attempt to alter the device in any way, it could easily be modified to access any info or execute any commands available to the admin account.
Discovery of Backdoor
Similar to the researcher who cracked security of 70+ DVR brands, this backdoor was discovered by analyzing firmware files and looking for vulnerabilities or poorly implemented security methods. Once the directory/filename that stored the device configuration was discovered in the code, it was easy to test to see if that file could be accessed remotely from a browser.
Assuming this was not intentional / malicious, this is even further proof of Dahua's overall dysfunction. Unlike the Axis exploit, which was incredibly difficult, this was straightforward and should not have been missed by any company with engineering management, a Q/A organization, cyber security testers, etc. expected in a company like Dahua that claims 3,000 'engineers'. This is not simply 'one' 'engineer's' mistake since in professional software development firms, especially at the scale of Dahua, various and rigorous coding reviews, QA testing, etc. is the norm.
The researcher, Bashis, has expressed skepticism of Dahua's claim that this is an error, noting:
- Why make a customized user database, and not protect it?
- Why not using separate protected folder, and not store the user database in public readable folder?
Bashis concludes that the combination of these elements points to a backdoor rather than a mistake, though Bashis notes that only Dahua truly knows what their intent / 'error' was here.
Previous Cyber Issues
Dahua has had two relatively recent major security issues, in our vulnerabilities list. The most recent being the Mirai botnet that impacted Dahua and called the integrity of their device security into question. The previous one, which impacted Dahua DVRs, was very similar to this backdoor: authentication could be bypassed for admin-level commands.
On the positive side for Dahua, they have vastly improved their communication since the Mirai botnet disaster when they claimed they were victims and refused to provide any details on what happened, what models were impacted, etc. The new head of marketing Janet Fenner has been much more proactive and clear about what they plan to and how they are working on resolving
This is a major problem for Dahua OEMs as (1) they try to avoid being associated with Dahua and (2) they are exposed to the same severe risks. Dahua OEMs will be forced to do the same updates, otherwise like Hikvision OEMs on the recent default device hacking, they will certainly be targeted / hit. This backdoor adds to Dahua OEMs having to fight against Dahua aggressively expanding its own sales force against the OEMs.
USA Expansion Harm
Dahua has been aggressively expanding its USA organization, planning for 200 employees by the end of the year. However, expansion will certainly become second to simply dealing with the damage of the backdoor, facilitating upgrades and convincing partners to trust them. Dahua already had poor favorability based on security / trust fears and this will only increase with this announcement. Security issues like this can also make it difficult to attract quality people, as they will rightly be wary of the additional challenges representing a company known for poor security.
Dahua Corporate Issues
Overall for Dahua, and especially outside North America and Europe, the impact could be less / limited unless the eventual exploits of Dahua deployed products become severe. Dahua is still willing to sell at very low prices and spend significantly on staff, two key desirable factors that often overweight cybersecurity concerns especially for most cost conscious buyers and verticals.
Cybersecurity Bad Milestone
However, for those concerned about cybersecurity this is a milestone and a particularly bad one. Many people argued that default or bad passwords were the big deal and once those were eliminated, the issues went away. To the contrary, this backdoor of current products, which can be so simply executed across potentially millions of devices shows that significant risks remain.
And for the industry, just days after Hikvision admitted its defaulted devices are being targeted / locked out by hackers, now Dahua's backdoor adds to the turbulence of a market that has been heavily impacted by these companies race to the bottom. And what other backdoors are out there?