Dahua Backdoor Uncovered

By IPVM Team, Published on Mar 06, 2017

A major cyber security vulnerability across many Dahua products has been discovered by an independent researcher, reported on IPVM, verified by IPVM and confirmed by Dahua.

Upgrade Immediately

A 'number' of Dahua HDCVI and IP cameras and recorders are impacted, says Dahua [link no longer available], so far they are listing 11 models [link no longer available] but the total will certainly be much higher as they continue to test / confirm. Current firmware Dahua products are vulnerable to this.

Firmware updates are available for the first 11 models listed [link no longer available], more should come later this week. When they are, we urge you to immediately upgrade firmware.

[UPDATE: Dahua has not listed anymore models but they are hiding / delaying because there are surely far more devices impacted and they must know that (simply because many partners have independently verified many more models impacted). Do not check that list and assume you are safe simply because your device is not listed. Eventually, hopefully, Dahua will disclose all the devices impacted.]

Severe

This backdoor allows remote unauthorized admin access via the web and is therefore extremely severe. Dahua's statement [link no longer available] does not acknowledge this at all. Moreover, our testing shows the exploit is simple to execute.

Dahua Says Error

Dahua says this was an error ('coding issue') and was not done intentionally. While only Dahua can know their intentions, such an error in production for so long and so widely would be an extreme engineering failure. Moreover, the researcher expresses skepticism of the error claim, examined further below.

Get Notified of Video Surveillance Breaking News
Get Notified of Video Surveillance Breaking News

UPDATE: DHS Advisory Released

DHS issued an advisory on this backdoor in May 2017.

Vote / Poll

Script Status

A proof of concept script has been developed by the researcher. The script was shared on Github and IPVM (see here) for a short period of time over the weekend. It was then removed after Dahua spoke with the researcher. The researcher plans to re-release it on April 5th. However, prudence dictates not waiting to upgrade given the severity and simplicity of conducting it.

UPDATE: The researcher has decided not to re-release it due to the large number of devices at risk and that third parties have already validated it. However, knowledge of how to exploit the backdoor is growing and impacted devices should certainly be upgraded / patched.

Thanks To Researcher Bashis

Thanks and credit should be given to the anonymous researcher Bashis who discovered this vulnerability. This is the 3rd one impacting video surveillance in the past year. He also discovered the Axis critical security vulnerability and QNAP critical security vulnerability. He has done it to improve his own skills, he says, but he has surely helped the industry overall by forcing major manufacturers to take cyber security seriously.

Test Results / Market Impact

Inside we share test results of the script, demonstrating how it works and the impact on Dahua and the industry.

Key Backdoor Element

The affected Dahua devices allow a configuration file containing usernames and passwords (among other info) to be downloaded without authentication. The URL is not published and not easily determined from the standard web interface, making it effectively hidden. However, once known, it is simple for anyone to do. [Note: for security reasons, we are not sharing the exact URL.]

The loop below shows the requesting the file from our Dahua test cam, and then scrolling through the contents to show the accounts/passwords:

This file is the "Backdoor", given that it contains a hashed value of the admin account password, which can be used to login to the device via a script or program.

Why Is All Of This Info In A Text File?

Usernames, passwords, and other config info are viewable/editable in the browser interface, but also need to be readable, and sometimes editable, by operating system processes. This scenario is common to embedded devices, and a simple text file is often used to store this information. The text file keeps the information in-tact if the device is rebooted, and makes it easily available to multiple programs/processes, however those files are often secured in such a way that makes them unable to be served up as webpages (even to authenticated users).

Other methods, such as a database, could be used to store these values, however, simply using a more complex storage mechanism does not inherently make the data more secure if other parts of the software allow this information to be exposed.

Downloading / Taking the User Info

Once the file is obtained, the script then proceeds to find and take the key information out (admin / name / password), as the segment below shows:

Using / Logging In

This Proof of Concept script only logs into the device, proving that it is able to gain access to the admin account. The following excerpt of the script shows the login attempt, followed immediately by a logout (the lines with a "#" symbol are comments and do not perform any actions).

Backdoor Demo

The proof-of-concept code released by Bashis automated the process of downloading the config file, extracting the admin password hash, and then using that to compute the string the device would expect from a client sending a valid password that could be used to login. To execute the code you simply specify an IP address or hostname of a Dahua product you want to attack with the "--rhost" parameter:

The "200 OK" response after the script attempts to login is the Dahua camera in our test showing that it accepted the backdoor login request.

Though this proof-of-concept code does not attempt to alter the device in any way, it could easily be modified to access any info or execute any commands available to the admin account.

Discovery of Backdoor

Similar to the researcher who cracked security of 70+ DVR brands, this backdoor was discovered by analyzing firmware files and looking for vulnerabilities or poorly implemented security methods. Once the directory/filename that stored the device configuration was discovered in the code, it was easy to test to see if that file could be accessed remotely from a browser.

Engineering Problems

Assuming this was not intentional / malicious, this is even further proof of Dahua's overall dysfunction. Unlike the Axis exploit, which was incredibly difficult, this was straightforward and should not have been missed by any company with engineering management, a Q/A organization, cyber security testers, etc. expected in a company like Dahua that claims 3,000 'engineers'. This is not simply 'one' 'engineer's' mistake since in professional software development firms, especially at the scale of Dahua, various and rigorous coding reviews, QA testing, etc. is the norm.

Error Skepticism

The researcher, Bashis, has expressed skepticism of Dahua's claim that this is an error, noting:

  • Why make a customized user database, and not protect it?
  • Why not using separate protected folder, and not store the user database in public readable folder?
  • Why encrypt the password hash in browser's Javascript in the same format as stored in the device? <username>:<realm>:<password>?

Bashis concludes that the combination of these elements points to a backdoor rather than a mistake, though Bashis notes that only Dahua truly knows what their intent / 'error' was here.

Previous Cyber Issues

Dahua has had two relatively recent major security issues, in our vulnerabilities list. The most recent being the Mirai botnet that impacted Dahua and called the integrity of their device security into question. The previous one, which impacted Dahua DVRs, was very similar to this backdoor: authentication could be bypassed for admin-level commands.

Improved Communication

On the positive side for Dahua, they have vastly improved their communication since the Mirai botnet disaster when they claimed they were victims and refused to provide any details on what happened, what models were impacted, etc. The new head of marketing Janet Fenner has been much more proactive and clear about what they plan to and how they are working on resolving

OEM Problems

This is a major problem for Dahua OEMs as (1) they try to avoid being associated with Dahua and (2) they are exposed to the same severe risks. Dahua OEMs will be forced to do the same updates, otherwise like Hikvision OEMs on the recent default device hacking, they will certainly be targeted / hit. This backdoor adds to Dahua OEMs having to fight against Dahua aggressively expanding its own sales force against the OEMs.

USA Expansion Harm

Dahua has been aggressively expanding its USA organization, planning for 200 employees by the end of the year. However, expansion will certainly become second to simply dealing with the damage of the backdoor, facilitating upgrades and convincing partners to trust them. Dahua already had poor favorability based on security / trust fears and this will only increase with this announcement. Security issues like this can also make it difficult to attract quality people, as they will rightly be wary of the additional challenges representing a company known for poor security.

Dahua Corporate Issues

Overall for Dahua, and especially outside North America and Europe, the impact could be less / limited unless the eventual exploits of Dahua deployed products become severe. Dahua is still willing to sell at very low prices and spend significantly on staff, two key desirable factors that often overweight cybersecurity concerns especially for most cost conscious buyers and verticals.

Cybersecurity Bad Milestone

However, for those concerned about cybersecurity this is a milestone and a particularly bad one. Many people argued that default or bad passwords were the big deal and once those were eliminated, the issues went away. To the contrary, this backdoor of current products, which can be so simply executed across potentially millions of devices shows that significant risks remain.

And for the industry, just days after Hikvision admitted its defaulted devices are being targeted / locked out by hackers, now Dahua's backdoor adds to the turbulence of a market that has been heavily impacted by these companies race to the bottom. And what other backdoors are out there?

58 reports cite this report:

Dahua Sues Ex-North American President, Says Legal Typo on Jun 03, 2020
Dahua's former North American President Frank Zhang claims he is owed almost...
Dahua Critical Cloud Vulnerabilities on May 12, 2020
Dahua has acknowledged a series of cloud vulnerabilities that researcher...
Video Surveillance History on May 06, 2020
The video surveillance market has changed significantly since 2000, going...
US DoD Comments on Huawei, Hikvision, Dahua Cyber Security Concerns on Oct 16, 2019
A senior DoD official said the US is "concerned" with the cybersecurity of...
Dahua New Critical Vulnerability 2019 on Sep 23, 2019
Dahua has quietly admitted 5 new vulnerabilities including 1 critical...
Dahua OEM Directory on Aug 16, 2019
This directory includes US Government banned Dahua OEMs for dozens of...
Ranking Manufacturer Favorability 2019 on May 06, 2019
24 manufacturer's favorability was ranked based on 170+ integrators feedback....
Dahua Favorability Results 2019 on Apr 01, 2019
Dahua favorability declined, in IPVM's 2019 integrator favorability series,...
Dahua Car Startup Raises $290 Million But Questions Abound on Dec 03, 2018
Dahua’s electronic car startup LeapMotor raised $290 million in funding this...
Chinese Government Blocks IPVM on Oct 22, 2018
IPVM has been blocked by the Chinese government without any notice or...
Honeywell Hides Selling US Gov Banned Chinese Video Surveillance on Oct 10, 2018
Honeywell hides selling US government banned Chinese video surveillance as...
Ban of Dahua and Hikvision Is Now US Gov Law on Aug 13, 2018
The US President has signed the 2019 NDAA into law, banning the use of Dahua...
IPVM Vulnerability Scanner Released / Deprecated on Jun 18, 2018
IPVM is proud to announce video surveillance's first and only cybersecurity...
Dahua's Terrible Cybersecurity, Buys Credibility From PSA And SIA on Jun 04, 2018
Dahua has a terrible cybersecurity track record. But American organizations,...
Canon Responds To IP Camera Hacks on May 30, 2018
Canon cameras made international news earlier this month, with reports of...
Dahua Products Are Not GDPR Compliant, No Products Can Be on May 29, 2018
Dahua products are neither GDPR-compliant nor certified, contrary to their...
US House Passes Bill Banning Gov Use of Dahua and Hikvision on May 24, 2018
UPDATE August 2018: The bill has now been signed into law. The US House of...
Directory of Video Surveillance Cybersecurity Vulnerabilities and Exploits on May 02, 2018
This list compiles reported exploits for security products, and is updated...
TVT Backdoor Disclosed on Apr 09, 2018
Security researcher Bashis has disclosed a backdoor in TVT video...
Worst Camera Manufacturers 2018 on Feb 26, 2018
Who is the camera manufacturer integrators have had the worst experience...
Geovision Unprecedented Security Vulnerabilities And Backdoor on Feb 06, 2018
Cybersecurity vulnerabilities have plagued the video...
Chinese Government Backdoor Spies on African Union Revealed on Jan 29, 2018
For 5 years, a Chinese government backdoor was used to spy on the African...
The 2018 Surveillance Industry Guide on Jan 16, 2018
The 300 page, 2018 Video Surveillance Industry Guide, covering the key events...
Axis 5 Vulnerabilities Examined on Dec 01, 2017
A group of vulnerabilities, including a new discovery from bashis (who...
The Race To The Bottom Is Over on Nov 28, 2017
The race to the bottom in video surveillance is over. After 3 years of...
Dahua Hard-Coded Credentials Vulnerability on Nov 20, 2017
A newly discovered Dahua backdoor is described by the researcher discovering...
Vivotek Remote Stack Overflow Vulnerability on Nov 14, 2017
A stack overflow vulnerability in Vivotek cameras has been discovered by...
Top 2017 Trends - Cyber and Analytics on Nov 09, 2017
The 2 clear top 2017 trends, according to IPVM integrator statistics...
Bubble: Dahua Doubles Market Capitalization on Nov 07, 2017
Dahua's stock is in a bubble. Those of you in the industry know how bad of a...
Uniview Recorder Backdoor Examined on Oct 20, 2017
A Chinese research group has identified a vulnerability in Uniview recorders...
Dahua Access Control Tested on Oct 10, 2017
Can Dahua become a major force in access control? We bought Dahua's ASC1202B...
Bosch Divar NVR Tested vs Dahua on Oct 05, 2017
Bosch has a partnership with Dahua. But what type of partnership is it? How...
Dahua Trying, Struggling To Respond To Hacking Attacks on Oct 04, 2017
Now, 2 weeks since large-scale hacking attacks commenced against Dahua...
Hikvision Europe Warns Of "A Wave of Cyberattacks" on Sep 28, 2017
Hikvision Europe has issued a "Hikvision Security Advisory" press release...
Dahua Recorders Mass Hacked on Sep 25, 2017
Dahua recorders are being hacked and vandalized around the world, as...
The 3 Most Outstanding Security Manufacturers (OSPAs) Make No Sense on Sep 08, 2017
The Outstanding Security Manufacturer finalists (US edition) are here: And...
Fortune 500 Company Bars Dahua and Hikvision on Aug 30, 2017
A Fortune 500 company has barred Dahua and Hikvision cameras from a large RFP...
Dahua Suffers Second Major Vulnerability, Silent [Finally Acknowledges] on Jul 25, 2017
Less than 3 months ago, Dahua received DHS ICS-CERT's worst score of 10.0 for...
Dahua Demotes USA CEO on Jun 19, 2017
Dahua has demoted their USA CEO Tim Wang. Inside this note, we examine the...
Mirai-like Botnet Persirai Attacks IP Cameras - Impact Analyzed on Jun 14, 2017
Mirai made headlines in 2016, exploiting weaknesses in cameras, including...
Milestone Entry Level Mobile Password Vulnerability Disclosed on May 24, 2017
While many manufacturers have only addressed cybersecurity vulnerabilities...
Axis Criticizes OEMs: "When You Buy An Axis Camera, An Axis Camera Is What You Get!" on May 19, 2017
When you buy a Honeywell camera, you likely get a Hikvision, Dahua or some...
Hikvision Backdoor Confirmed on May 08, 2017
The US Department of Homeland Security's Industrial Control Systems Cyber...
Panasonic OEM Dahua Camera Tested on May 03, 2017
Panasonic is now OEMing a series of cameras from Dahua, known for...
Chinese 'Attacking Us From Every Direction', Says US FBI on Apr 25, 2017
"Chinese eating our lunch. Attacking us from every direction" said the US...
Manufacturers Cheer ISC West 2017 Performance on Apr 11, 2017
ISC West 2017 showed strong satisfaction results from manufacturers, similar...
Q1 2017 Video Surveillance Market Review on Mar 30, 2017
These are the most notable moves and events for January - March 2017 in the...
Remote Access (DDNS vs P2P vs VPN) Usage Statistics 2017 on Mar 30, 2017
Cyber security concerns are escalating, even in the video surveillance...
Dahua Manager: Lots of Backdoors Beyond Dahua or Hikvision on Mar 29, 2017
A Dahua technical manager has fired back at criticisms of Dahua's backdoor,...
Everbridge Mass Notification Service Profile on Mar 24, 2017
Everbridge is expanding in the security space. In January 2017 Everbridge...
Axis Camera Vulnerabilities From Google Researcher Analyzed on Mar 23, 2017
A Google security researcher has reported 6 vulnerabilities for Axis cameras,...
1 Million Dahua Devices Exposed To Backdoor on Mar 22, 2017
Statistics show that 1 million Dahua devices are publicly exposed and...
Honeywell Dahua Backdoor Statement on Mar 14, 2017
Honeywell OEMs Dahua video surveillance products and has been affected by...
Uniview Weak Local / Strong Remote Password Policy Tested on Mar 14, 2017
With the continuing onslaught of cyber-security breaches (see Dahua backdoor...
FLIR Responds to Dahua Backdoor on Mar 10, 2017
FLIR is the first Dahua OEM partner to issue a statement following Dahua's...
Hikvision Firmware Decrypted on Mar 09, 2017
A developer has decrypted Hikvision's firmware, allowing examination of...
OEMs, Dump Dahua on Mar 08, 2017
OEMs, get smart and dump Dahua. Dahua OEMs to many companies including some...
Dahua $550 Million West China Gov Project on Mar 08, 2017
How does Dahua continue to invest in global expansion despite its many...
Comments (169) : Members only. Login. or Join.

Related Reports

Dahua Critical Cloud Vulnerabilities on May 12, 2020
Dahua has acknowledged a series of cloud vulnerabilities that researcher...
Dahua, Hikvision, ZKTeco Face Mask Detection Shootout on Jun 19, 2020
Temperature tablets with face mask detection are one of the hottest trends in...
Temperature Tablet Shootout - Dahua, Hikvision, ZKTeco, TVT + 5 More on Sep 30, 2020
Temperature tablets, aka terminal or stations, have emerged as a 'low-cost...
WDR Cheat Sheet and Camera Tracking - 30 Manufacturers on Aug 26, 2020
Manufacturers are regularly cryptic about what WDR support they actually...
Integrators Rising Against Coronavirus on May 27, 2020
IPVM integrator statistics make it clear - Coronavirus's impact on business...
Dahua Temperature Measurement Station Tested on Jun 17, 2020
Dahua hit the market hard with its original 'fever' camera (tested here)....
Face Masks Increase Face Recognition Errors Says NIST on Aug 04, 2020
COVID-19 has led to widespread facemask use, which as IPVM testing has shown...
Intel Presents Edge-to-Cloud Ecosystem for Video Analytics on Oct 16, 2020
Intel presented its processors and software toolkit for computer vision at...
False: Verkada: "If You Want To Remote View Your Cameras You Need To Punch Holes In Your Firewall" on Jul 31, 2020
Verkada falsely declared to “3,000+ customers”, “300 school districts”, and...
Axis Compares Fever Camera Sellers to 9/11 on Sep 18, 2020
Axis Communications, the West's largest surveillance camera manufacturer, has...
Ubiquiti Access Control Tested on Oct 21, 2020
Ubiquiti has become one of the most widely used wireless and switch providers...
Uniview Deep Learning Camera Tested on Jul 14, 2020
Uniview's intrusion analytics have performed poorly in our shootouts. Now,...
Wrong Dahua Australia Medical Device Approved on Jul 20, 2020
Dahua's body temperature system is now in Australia's medical device...
Dahua USA Admits Thermal Solutions "Qualify As Medical Devices" on Jul 02, 2020
Dahua USA has issued a press release admitting a controversial point in the...
Milestone Presents XProtect On AWS on May 04, 2020
Milestone presented its XProtect on AWS offering at the April 2020 IPVM New...

Recent Reports

ISC Brasil Digital Experience 2020 Report on Oct 23, 2020
ISC Brasil 2020 rebranded itself to ISC Digital Experience and, like its...
Top Video Surveillance Service Call Problems 2020 on Oct 23, 2020
3 primary and 4 secondary issues stood out as causing the most problems when...
GDPR Impact On Temperature / Fever Screening Explained on Oct 22, 2020
What impact does GDPR have on temperature screening? Do you risk a GDPR fine...
Security And Safety Things (S&ST) Tested on Oct 22, 2020
S&amp;ST, a Bosch spinout, is spending tens of millions of dollars aiming to...
Nokia Fever Screening Claims To "Advance Fight Against COVID-19" on Oct 22, 2020
First IBM, then briefly Clorox, and now Nokia becomes the latest Fortune 500...
Deceptive Meridian Temperature Tablets Endanger Public Safety on Oct 21, 2020
IPVM's testing of and investigation into Meridian Kiosk's temperature...
Honeywell 30 Series and Vivotek NVRs Tested on Oct 21, 2020
The NDAA ban has driven many users to look for low-cost NVRs not made by...
Ubiquiti Access Control Tested on Oct 21, 2020
Ubiquiti has become one of the most widely used wireless and switch providers...
Avigilon Aggressive Trade-In Program Takes Aim At Competitors on Oct 20, 2020
Avigilon has launched one of the most aggressive trade-in programs the video...
Mexico Video Surveillance Market Overview 2020 on Oct 20, 2020
Despite being neighbors, there are key differences between the U.S. and...
Dahua Revenue Grows But Profits Down, Cause Unclear on Oct 20, 2020
While Dahua's overall revenue was up more than 12% in Q3 2020, a significant...
Illegal Hikvision Fever Screening Touted In Australia, Government Investigating, Temperature References Deleted on Oct 20, 2020
The Australian government told IPVM that they are investigating a Hikvision...
Panasonic Presents i-PRO Cameras and Video Analytics on Oct 19, 2020
Panasonic i-PRO presented its X-Series cameras and AI video analytics at the...
Augmented Reality (AR) Cameras From Hikvision and Dahua Examined on Oct 19, 2020
Hikvision, Dahua, and other China companies are marketing augmented reality...
18 TB Video Surveillance Drives (WD and Seagate) on Oct 19, 2020
Both Seagate and Western Digital recently announced 18TB hard drives...