Dahua Critical Cloud Vulnerabilities

By John Scanlan, Published May 12, 2020, 12:14pm EDT

Dahua has acknowledged a series of cloud vulnerabilities discovered by the researcher Bashis. Separately, researcher Thomas Vogt found a further vulnerability.


Dahua has had numerous vulnerabilities over the past few years, including the 2019 critical vulnerabilities found by Vogt's team and the 2017 backdoor found by Bashis. The company is also banned from US federal use (NDAA) on cybersecurity grounds.

Inside this report:

  • A summary of the vulnerabilities
  • The vulnerabilities explained
  • A statement from Dahua
  • OEMs Impacted
  • Response from bashis
  • Analysis from Refirm Labs
  • Continued cybersecurity issues
  • IPVM recommendations


Comments (10)

To confirm, was the issue reported to Dahua before public disclosure? I don't understand why the cloud would be enabled by default!?


No, Bashis waited 3 months after he got a hold of Dahua. And that was on top of the weeks it took to get a response from Dahua.


Oh dear... That is a very poor show from Dahua :(


Dahua was hardcoding all of their major OEMs' "cloud" DES/3DES keys in their executable that was being distributed. Just shameful. At least let the OEMs choose their own password and secure it themselves? I cannot think of a legitimate reason to do this.

This is the most insane thing to me. It's one thing if their cloud team has prioritized other things than updating the retired DES and 3DES hashing algorithms which is bad but understandable, but hardcoding the encryption keys in the executable for all their customers has never been and never will be acceptable in terms of security.

Dahua's cloud solution is used for Dahua branded equipment as well as 22 OEMs and has hardcoded cloud keys stored within an executable that was distributed to users and available for download via the web.

It would be bad if they only distributed the executable with the keys internally at Dahua, but it's a catastrophe that these executables have been out in the public with the encryption keys.

EDIT: It also surprises me that none of the OEMs has had a requirement that they want to use an encryption key that they have generated themselves rather than one that was supplied to them. I'd assume that someone who set up the system for the OEMs would have realized that this was kind of strange, or maybe Dahua set up the cloud instance for them?


I would assume as you mention, that Dahua simply set up the cloud for the OEMs. Or maybe they don't even use it but it is enabled in the firmware and thus they provisioned it.

The reason for the lack of security is that it is easy. That is why all of these companies go to an OEM.


Not really, OEMs have their own Cloud keys and entry IP/FQDN to their Cloud. (My PoC has only exposed Dahua/IMOU IP/FQDN; I found OEMs' IP/FQDN in the same executable too, but didn't find it necessary to expose them in the PoC description, OEM cloud keys were enough.)

When it comes to 3DES credential leaks via DVRIP and DHP2P, yes - they share the same PSK.

Edit:

3DES and the hardcoded PSK are within the NetSDK, so anything compiled with the Dahua NetSDK (clients/devices) shares the same PSK, which is natural since one side needs to encrypt and the other side needs to decrypt - but the thing is that these credentials are sent to the remote end when requesting REALM/Random for DVRIP/DHP2P, and not only while logging in with 3DES.

I did an update on my Dahua Debug Console script with 3DES login as well (however without credential leaks), but at least you can try that out if you want.

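The failure mode the two comments above describe is key material compiled into an artifact that is then shipped to every customer. A release-pipeline check that catches this before distribution, as an added example that is not code from IPVM, Dahua or bashis: it takes the organisation's key inventory (kept in the key-management system, not in source) and fails if any inventoried secret appears in the build output in raw, hex or base64 form. The inventory, key bytes and fake artifact below are all constructed.

```python
import base64
import binascii
from typing import Dict, List, Tuple

def _encodings(secret: bytes) -> Dict[str, bytes]:
    """Byte patterns a key takes once pasted into source: raw bytes,
    lower/upper hex, and base64 with and without '=' padding."""
    hexs = binascii.hexlify(secret)
    b64 = base64.b64encode(secret)
    return {
        "raw": secret,
        "hex-lower": hexs,
        "hex-upper": hexs.upper(),
        "base64": b64,
        "base64-unpadded": b64.rstrip(b"="),
    }

def find_embedded_secrets(artifact: bytes,
                          inventory: Dict[str, bytes]) -> List[Tuple[str, str, int]]:
    """Return (secret_name, encoding, offset) for each place an inventoried
    key occurs in the artifact, sorted by offset. An empty list means clean."""
    hits = []
    for name, secret in inventory.items():
        for enc, pattern in _encodings(secret).items():
            if len(pattern) < 8:
                continue  # too short to match without noise
            start = 0
            while (idx := artifact.find(pattern, start)) != -1:
                hits.append((name, enc, idx))
                start = idx + 1
    return sorted(hits, key=lambda h: h[2])

# Constructed inventory: a 24-byte 3DES key and a 22-byte API secret.
INVENTORY = {
    "oem-cloud-3des-psk": bytes(range(0x10, 0x28)),
    "p2p-api-secret": b"constructed-p2p-secret",
}

def build_sample_artifact() -> bytes:
    """Constructed fake binary: header, padding, a hex-encoded copy of the
    3DES key behind a config tag, more padding, then the raw API secret."""
    key_hex = binascii.hexlify(INVENTORY["oem-cloud-3des-psk"])
    return (b"\x7fELF" + b"\x00" * 64 + b"DH_CLOUD_KEY=" + key_hex
            + b"\x00" * 32 + INVENTORY["p2p-api-secret"] + b"\x00" * 16)

if __name__ == "__main__":
    for name, enc, off in find_embedded_secrets(build_sample_artifact(), INVENTORY):
        print(f"FAIL: {name} embedded as {enc} at offset {off:#x}")
```

In a real pipeline the inventory is fetched from the KMS at build time and a non-empty result blocks the release.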

Dahua's time has come and gone. It was nice having cheap analog cameras back then, but now that we put them on our networks it is plain stupid to use them. No one ever got fired for NOT using Dahua.

Time to upgrade, and please check your new vendor thoroughly for security before you switch. Have a network security professional review the implementation before you go forward.

Name withheld for security reasons. Now how about Hik?


Update: This report has been updated to reflect that, despite it being 9 months since the press release, there is no progress to speak of with regards to the Dahua / Pepper relationship. Dahua has not responded to our request and Pepper responded stating:

After checking internally, we do not have updates on the IMOU devices to share at this time.


The only people voting STRONG in the poll above are Dahua sales guys. Even their techs would vote WEAK. The honest sales guys said AVERAGE. 🤣


Sad, but probably quite true.
