Dahua Backdoor Uncovered

By: IPVM Team, Published on Mar 06, 2017

A major cyber security vulnerability across many Dahua products has been discovered by an independent researcher, reported on IPVM, verified by IPVM and confirmed by Dahua.

Upgrade Immediately

A 'number' of Dahua HDCVI and IP cameras and recorders are impacted, says Dahua. So far they are listing 11 models, but the total will certainly be much higher as they continue to test / confirm. Dahua products running current firmware are vulnerable to this.

Firmware updates are available for the first 11 models listed, and more should come later this week. When they are, we urge you to immediately upgrade firmware.

[UPDATE: Dahua has not listed any more models, but they are hiding / delaying, because there are surely far more devices impacted and they must know that (many partners have independently verified many more impacted models). Do not check that list and assume you are safe simply because your device is not listed. Eventually, hopefully, Dahua will disclose all the devices impacted.]

Severe

This backdoor allows remote unauthorized admin access via the web and is therefore extremely severe. Dahua's statement does not acknowledge this at all. Moreover, our testing shows the exploit is simple to execute.

Dahua Says Error

Dahua says this was an error ('coding issue') and was not done intentionally. While only Dahua can know their intentions, such an error in production for so long and so widely would be an extreme engineering failure. Moreover, the researcher expresses skepticism of the error claim, examined further below.

UPDATE: DHS Advisory Released

DHS issued an advisory on this backdoor in May 2017.

Script Status

A proof of concept script has been developed by the researcher. The script was shared on Github and IPVM for a short period of time over the weekend. It was then removed after Dahua spoke with the researcher. The researcher plans to re-release it on April 5th. However, prudence dictates not waiting to upgrade, given the severity of the backdoor and the simplicity of exploiting it.

UPDATE: The researcher has decided not to re-release it because of the large number of devices at risk and because third parties have already validated it. However, knowledge of how to exploit the backdoor is growing and impacted devices should certainly be upgraded / patched.

Thanks To Researcher Bashis

Thanks and credit should be given to the anonymous researcher Bashis who discovered this vulnerability. This is the 3rd one impacting video surveillance in the past year. He also discovered the Axis critical security vulnerability and QNAP critical security vulnerability. He has done it to improve his own skills, he says, but he has surely helped the industry overall by forcing major manufacturers to take cyber security seriously.

Test Results / Market Impact

Inside we share test results of the script, demonstrating how it works and the impact on Dahua and the industry.

Key Backdoor Element

The affected Dahua devices allow a configuration file containing usernames and passwords (among other info) to be downloaded without authentication. The URL is not published and not easily determined from the standard web interface, making it effectively hidden. However, once the URL is known, downloading the file is simple for anyone. [Note: for security reasons, we are not sharing the exact URL.]

The loop below shows the file being requested from our Dahua test cam, and then scrolls through the contents to show the accounts/passwords:

This file is the "Backdoor", given that it contains a hashed value of the admin account password, which can be used to log in to the device via a script or program.

Why Is All Of This Info In A Text File?

Usernames, passwords, and other config info are viewable/editable in the browser interface, but also need to be readable, and sometimes editable, by operating system processes. This scenario is common to embedded devices, and a simple text file is often used to store this information. The text file keeps the information intact if the device is rebooted, and makes it easily available to multiple programs/processes. However, those files are usually secured so that they cannot be served up as webpages (even to authenticated users).

Other methods, such as a database, could be used to store these values. However, simply using a more complex storage mechanism does not inherently make the data more secure if other parts of the software allow this information to be exposed.

Downloading / Taking the User Info

Once the file is obtained, the script then proceeds to find and take the key information out (admin / name / password), as the segment below shows:

Using / Logging In

This Proof of Concept script only logs into the device, proving that it is able to gain access to the admin account. The following excerpt of the script shows the login attempt, followed immediately by a logout (the lines with a "#" symbol are comments and do not perform any actions).

Backdoor Demo

The proof-of-concept code released by Bashis automated the process of downloading the config file, extracting the admin password hash, and then using that hash to compute the string the device would expect from a client sending a valid password, which could then be used to log in. To execute the code you simply specify an IP address or hostname of a Dahua product you want to attack with the "--rhost" parameter:

The "200 OK" response after the script attempts to login is the Dahua camera in our test showing that it accepted the backdoor login request.

Though this proof-of-concept code does not attempt to alter the device in any way, it could easily be modified to access any info or execute any commands available to the admin account.
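
Why a leaked hash is as good as the password can be shown with a toy model, added here as an illustration; it is not the researcher's script and not Dahua's protocol. The realm, credentials, SHA-256/HMAC challenge-response and class names are all constructed assumptions. The weak device accepts a login answer that is keyed only by the stored hash, while the hardened one stores a salted verifier that cannot be replayed as a credential.

```python
import hashlib
import hmac
import os

REALM = "Example Realm"  # constructed value, not taken from any real device


def record(user: str, password: str) -> str:
    """Stored credential, hashed over <username>:<realm>:<password>."""
    return hashlib.sha256(f"{user}:{REALM}:{password}".encode()).hexdigest()


def respond(stored: str, nonce: str) -> str:
    """Client's answer to a login challenge: keyed only by the stored hash."""
    return hmac.new(bytes.fromhex(stored), nonce.encode(), hashlib.sha256).hexdigest()


class WeakDevice:
    """Toy model: the client hashes the password into the stored format,
    so the stored hash is all that is needed to answer a challenge."""

    def __init__(self):
        self.users = {}

    def add_user(self, user, password):
        self.users[user] = record(user, password)

    def challenge(self):
        return os.urandom(16).hex()

    def verify(self, user, nonce, response):
        stored = self.users.get(user)
        return stored is not None and hmac.compare_digest(response, respond(stored, nonce))


class HardenedDevice:
    """Stores a salted, slow verifier. The client must present the password
    itself (assumed to travel over TLS), so the stored record is not a credential."""

    ITERATIONS = 100_000

    def __init__(self):
        self.users = {}

    def _derive(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)

    def add_user(self, user, password):
        salt = os.urandom(16)
        self.users[user] = (salt, self._derive(password, salt))

    def verify(self, user, password):
        entry = self.users.get(user)
        if entry is None:
            return False
        salt, verifier = entry
        return hmac.compare_digest(verifier, self._derive(password, salt))


def login_with_record_only():
    """Return (weak_ok, hardened_ok) when only the stored record is known."""
    weak, hard = WeakDevice(), HardenedDevice()
    weak.add_user("admin", "correct horse")  # constructed credentials
    hard.add_user("admin", "correct horse")

    leaked = weak.users["admin"]  # what an exposed config file would reveal
    nonce = weak.challenge()
    weak_ok = weak.verify("admin", nonce, respond(leaked, nonce))

    _salt, verifier = hard.users["admin"]
    hard_ok = hard.verify("admin", verifier.hex())  # stored record replayed as the password
    return weak_ok, hard_ok


if __name__ == "__main__":
    print(login_with_record_only())
```

The hardened design only helps if the credential store is also kept out of the web root; it limits the damage of a leak, it does not excuse one.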

Discovery of Backdoor

Similar to the researcher who cracked security of 70+ DVR brands, this backdoor was discovered by analyzing firmware files and looking for vulnerabilities or poorly implemented security methods. Once the directory/filename that stored the device configuration was discovered in the code, it was easy to test to see if that file could be accessed remotely from a browser.

Engineering Problems

Assuming this was not intentional / malicious, this is even further proof of Dahua's overall dysfunction. Unlike the Axis exploit, which was incredibly difficult, this was straightforward and should not have been missed by any company with the engineering management, Q/A organization, cyber security testers, etc. expected in a company like Dahua that claims 3,000 'engineers'. This is not simply 'one' 'engineer's' mistake, since in professional software development firms, especially at the scale of Dahua, various and rigorous coding reviews, QA testing, etc. are the norm.

Error Skepticism

The researcher, Bashis, has expressed skepticism of Dahua's claim that this is an error, noting:

  • Why make a customized user database, and not protect it?
  • Why not use a separate protected folder, and not store the user database in a publicly readable folder?
  • Why encrypt the password hash in the browser's JavaScript in the same format as stored in the device? <username>:<realm>:<password>?

Bashis concludes that the combination of these elements points to a backdoor rather than a mistake, though Bashis notes that only Dahua truly knows what their intent / 'error' was here.

Previous Cyber Issues

Dahua has had two relatively recent major security issues, both in our vulnerabilities list. The most recent was the Mirai botnet, which impacted Dahua and called the integrity of their device security into question. The previous one, which impacted Dahua DVRs, was very similar to this backdoor: authentication could be bypassed for admin-level commands.

Improved Communication

On the positive side for Dahua, they have vastly improved their communication since the Mirai botnet disaster when they claimed they were victims and refused to provide any details on what happened, what models were impacted, etc. The new head of marketing Janet Fenner has been much more proactive and clear about what they plan to and how they are working on resolving

OEM Problems

This is a major problem for Dahua OEMs as (1) they try to avoid being associated with Dahua and (2) they are exposed to the same severe risks. Dahua OEMs will be forced to do the same updates; otherwise, like Hikvision OEMs in the recent hacking of defaulted devices, they will certainly be targeted / hit. This backdoor adds to Dahua OEMs having to fight against Dahua aggressively expanding its own sales force against the OEMs.

USA Expansion Harm

Dahua has been aggressively expanding its USA organization, planning for 200 employees by the end of the year. However, expansion will certainly become second to simply dealing with the damage of the backdoor, facilitating upgrades and convincing partners to trust them. Dahua already had poor favorability based on security / trust fears and this will only increase with this announcement. Security issues like this can also make it difficult to attract quality people, as they will rightly be wary of the additional challenges of representing a company known for poor security.

Dahua Corporate Issues

Overall for Dahua, and especially outside North America and Europe, the impact could be less / limited unless the eventual exploits of Dahua deployed products become severe. Dahua is still willing to sell at very low prices and spend significantly on staff, two key desirable factors that often outweigh cybersecurity concerns, especially for the most cost-conscious buyers and verticals.

Cybersecurity Bad Milestone

However, for those concerned about cybersecurity this is a milestone and a particularly bad one. Many people argued that default or bad passwords were the big deal and once those were eliminated, the issues went away. To the contrary, this backdoor in current products, which can be so simply executed across potentially millions of devices, shows that significant risks remain.

And for the industry, just days after Hikvision admitted its defaulted devices are being targeted / locked out by hackers, now Dahua's backdoor adds to the turbulence of a market that has been heavily impacted by these companies' race to the bottom. And what other backdoors are out there?
