Dahua Critical Cloud Vulnerabilities

By John Scanlan, Published May 12, 2020, 12:14pm EDT

Dahua has acknowledged a series of cloud vulnerabilities that researcher Bashis discovered. Additionally, and separately, researcher Thomas Vogt found a separate vulnerability.

IPVM Image

Dahua has had numerous vulnerabilities over the past few years including the 2019 critical vulnerabilities that Vogt's team found and the 2017 backdoor that Bashis found. The company is moreover banned for US federal use (NDAA) based on cybersecurity risks.

Inside this report:

  • A summary of the vulnerabilities
  • The vulnerabilities explained
  • A statement from Dahua
  • OEMs Impacted
  • Response from bashis
  • Analysis from Refirm Labs
  • Continued cybersecurity issues
  • IPVM recommendations

Long **** *************** *** *****

***** *** ****** **** confirmed **** ***** *** now (*********) ***** ***** issues, *******, **** ******* for * **** ****, indeed****** ***** ****** * warning ** **** ** IPVM ** ********:

IPVM Image

********, ****** *** **** to **** **** **** still ******* **** *** cloud ****:

****, **’* *** ** easy ** **** ****** cloud **** ** *** devices ****** *** *****, so **** **** **** for **** **** ***** ** *** ***** working ***.

****** **** ********* ***** potential *****:

******* ** **** ******* will ** ********* *** registered ** *** ***** by *** *******, **** if ****** *** ********** them ** ***** *** account.

**, **** ** *******,

*) ***** *** ****** to ******* – **** they ****** ***** **** that ***?

*) ****** **** ***** could **** ********* ** them *** ******** ** their ******* (******** **** I ***** ***** ***** sniffing).

*** ******** ********:

  • ***** *** ** ****, including ********* *** *******, using ***** ***** ******** were **********.
  • ***** ********* *** ***** keys/passwords *** *** **** (including ********* *** *******) then ******** *** **** in ** ********** **** was *********** ** ***.
  • ********* ***** *** ***** cloud **** ** ******* credentials ***** * ******* listening ****** ** ******* monitoring.
  • ***** **** ***/**** ** encrypt ********* / ***** security ********* ******* ** a ****** ******** **** TLS.
  • ***** *** ******* ****** of ******** *** ***** confirmed ***** ******.
  • ********* ***** **** **** access ** ********* *** cloud ****** ** ******* by ******* ** *** Dahua ********.

Dahua ***** ************* *********

****** ****** * ***** of ******* *** *** vulnerabilities. *****'* ***** ******** is **** *** ***** branded ********* ** **** as ** **** *** has ********* ***** **** stored ****** ** ********** that *** *********** ** users *** ********* *** download *** *** ***.

***** *************** ****** ********* to **** **** ****** to *** ********* *********.

*** ***** ************* ****** by *********** ***** ****** via *** ***** ******, which ********* *** ****** the ***** * ********** of *********. ***** *** two ******* *************** ********* this ******* **** ********* methods ** ******* *** data.

*** ***** ************* ** a ****-********** **** ** the ***** ******** **** IMOU ***** ********* ***** keys/password *** ***** ******* details *** ***** *** 22 ****.

Statement **** *****

********** ****** * ******** advisory ************** ** *** ***************, they *** *** ****** our ********* ***** *** they **** ** **** these ******* ***************. **** the *****, **** **** made ******* *******, ********* back ** ****, ***** the ********,******:

“************** **** ******* **** a ***** ****** ** disruption *** ***********, ********** and *********** *****-****,” ********* Ms. ******, **** ** Marketing, ***** *******, ***** Technology ***. “** ********* in *** *********** ** improved ************* *********** *** new ******* ******** **** higher ********** ** *****-*******, Dahua’s ******* **** **** to ****** ******* ***** customers ******* ***** ******* and **** ******* ****** protection *** *** ****** global ********* *********.”

OEM's ********

***** *** ** **** listed ******* ******** **** Panasonic *** *******. **** reached *** ** ********* for *******.

***** ** * ********** from *** *** ******* the ***** **** *** Panasonic, *******, *** ******:

IPVM Image

********* ********* ******* **** they **** ******** ** research **** *** ****** if ***** *** **** to ***** *********.

Refirm **** ********

************* ******* ****** ************ *** *************** *** comments ** **** *********:

*** *** **** ***** is ***** ** *** credentials *** ********* **** either *** ** **** then **** ** *** CLEAR. *** ****** *** Unix-like ******* *** *** password ** *** *** to ******** *** **** so *** ******** ****** be (******) ********. ***** is ***** ********* ***/**** keys ** ******* *** supplied ******** ** *** other ****. **** ** bad *** **** ******* but ********* ** ** attacker ***** *** ********* key *** *** ********* observe *** ******* ******* she ***** ** **** to ********* ******* *** credentials ** *** ****. The ******* ***** **** a ******* ********* ****** to ******* *** ******** but ******* ********** ***** also ****.

**** ** *** ***** that ***** *** ****. Dahua *** ********** *** of ***** ***** **** "cloud" ***/**** **** ** their ********** **** *** being ***********. **** ********. At ***** *** *** OEMs ****** ***** *** password *** ****** ** themselves? * ****** ***** of * ********* ****** to ** ****.

** *** *** **** to *** ***** ***** then *** *** *********** remotely ******* *** ****** connected ** **.

**** ************ ***** **** of ***** ***** ******** best *********. *********** ****** always ** ********* ** an ******** ******** ****** protocol (*.*. ***), ********* keys ****** ***** ** used ** ******* ************** data, *** ** *** do *** ******** **** don't ******* **** *** in * ****** ********** that *** ******* ** the *****.

Another ***** *** **** *************

***** *********** *** *************** above ** ************ ** *** ******* Dahua ************************* ****** ****:

IPVM Image

***** *** ****** ********* ******** ***** **** here, ******:

**** ***** ******** **** Session ** *********** ***************. During ****** **** ******, an ******** *** *** the ********* ******* ** to ********* * **** packet ** ****** *** device.

* ******* ** ****** and ******** ** ********, requiring ******** ** ********* the *************.

Continued ************* ******

***** *** **** *** most ****** ***************. ***** has * **** ******* of ************* *************** ***** led ** **** *********** *** *** **** the ** ********** *** US ********** ****** *********. ***** ****** *************** include *** *** *** limited ** *** **** below:

What ***** ******?

** ****** ****,***** *** ****** ********* that **** ***** ** "pepper-ed", ********* * *************, secure, *** ******** ***** firmware *** ****** ****** cloud ********. *** ******* plan **** **** *** to ***** **** **** which ** *********** ** the ************* ******** ** a ***** ** ******* and *** ************ ** IMOU. **** ********* ***** and ****** *** ** update. ******* ** ***** 9 ****** ***** *** press ******* ***** ** no ******** ** ***** of. ***** *** *** responded ** *** ******* and ****** ********* ****:

***** ******** **********, ** do *** **** ******* on *** **** ******* to ***** ** **** time.

IPVM ***************

** *** *** ***** Dahua ** ***** *** equipment *** ****** ***** to ****** **** ***** access ** ********. ***** enables **** ** *******, so **** ** *** are *** ******** ***** their ***** ******** ********* can ***** **** ****** to **** ********* ****** you ******* **. ** you *** ******** ***** the ***** ******** *** may ******** ****** ** a **** ************ ****** ****** **** VPN.

Poll / ****

Comments (10)

Undisclosed Integrator #1

05/12/20 08:52pm

** ******* *** *** issue ******** ** ***** before ****** **********? * don't ********** *** *** cloud ***** ** ******* by ******* !?

John Honovich

IPVM | In reply to Undisclosed Integrator #1 | 05/12/20 08:59pm

**, ****** ****** * months ***** ** *** a **** ** *****. And **** *** ** top ** *** ***** it **** ** *** a ******** **** *****.

Undisclosed Integrator #1

In reply to John Honovich | 05/12/20 09:01pm

** ****... **** ** a **** **** **** from ***** :(

Undisclosed Manufacturer #2

05/12/20 09:35pm

***** *** ********** *** of ***** ***** **** "cloud" ***/**** **** ** their ********** **** *** being ***********. **** ********. At ***** *** *** OEMs ****** ***** *** password *** ****** ** themselves? * ****** ***** of * ********* ****** to ** ****.

**** ** *** **** insane ***** ** **. It's *** ***** ** their ***** **** *** prioritized ***** ****** **** updating *** ******* *** and **** ******* ********** which ** *** *** understandable, *** ********** *** encryption **** ** *** executable *** *** ***** customers *** ***** **** and ***** **** ** acceptable ** ***** ** security.

*****'* ***** ******** ** used *** ***** ******* equipment ** **** ** 22 **** *** *** hardcoded ***** **** ****** within ** ********** **** was *********** ** ***** and ********* *** ******** via *** ***.

** ***** ** *** if **** **** *********** the ********** **** *** keys ********** ** *****, but **'* * *********** that ***** *********** **** been *** ** *** public **** *** ********** keys.

****:** **** ********* ** that **** ** *** OEMs *** *** * requirement **** **** **** to *** * ********** key **** **** **** generated ********** ****** **** one **** *** ******** to ****. *'* ****** that ******* *** *** up *** ****** *** the **** ***** **** realized **** **** *** kind ** *******, ** maybe ***** *** ** the ***** ******** *** them?

Undisclosed Manufacturer #4

In reply to Undisclosed Manufacturer #2 | 05/13/20 05:28pm

* ***** ****** ** you *******, **** ***** simply *** ** *** cloud *** *** ****. Or ***** **** ***'* even *** ** *** it ** ******* ** the ******** *** **** they *********** **.

*** ****** *** *** lack ** ******** ** that ** ** ****. That ** *** *** of ***** ********* ** to ** ***.

bashis mcw

In reply to Undisclosed Manufacturer #4 | 05/13/20 09:47pm

*** ******, *** *** their *** ***** **** and ***** **/**** ** their *****. (** *** has **** ******* *****/**** IP/FQDN, * ***** ***'* IP/FQDN ** **** ********** too, *** ****'* **** it ********* ** ****** them ** *** *** description, *** ***** **** where ******)

**** ** ***** ** 3DES ********** ***** *** DVRIP *** *****, *** - **** ***** **** PSK.

****:

**** *** ********* *** are ****** *** ******, so ******** ******** **** the ***** ****** (*******/*******) share **** ***, ****** natural ***** *** **** needs ** ******* *** other **** **** ** decrypt - *** *** thing ** **** ***** credentials *** **** ** remote *** ********** *****/****** for *****/*****, *** *** only ***** ***** **** 3DES.

* *** ** ****** on ******* ***** ******* ********** **** ***** ** well, (******* */* ********** leaks), *** ** ***** you *** *** **** out ** *** ****.

Undisclosed Integrator #3

05/13/20 03:40pm

*****'* **** *** **** and ****. ** *** nice ****** ***** ****** cameras **** ****, *** now **** ** *** them ** *** ******** it ** ***** ****** to *** ****. ** one **** *** ***** for *** ***** *****.

**** ** *******, *** please ***** **** *** vendor ********** *** ******** before *** ******. **** a ******* ******** ************ review *** ************** ****** you ** *******.

**** ******** *** ******** reasons. *** *** ***** Hik?

Avatar

John Scanlan

IPVM | IPVMU Certified | 05/13/20 07:35pm

******: **** ****** *** been ******* ** ******* that,despite ** ***** * months ***** *** ***** release, ***** ** ** progress ** ***** ** with ******* ** *** Dahua / ****** ************. Dahua *** *** ********* to *** ******* *** Pepper ********* *******:

***** ******** **********, ** do *** **** ******* on *** **** ******* to ***** ** **** time.

Avatar

Jon Dillabaugh

Pro Focus LLC
05/15/20 06:22pm

*** **** ****** ****** STRONG ** *** **** above *** ***** ***** guys. **** ***** ***** would **** ****. *** honest ***** **** **** AVERAGE. 🤣

Undisclosed Distributor #5

In reply to Jon Dillabaugh | 05/18/20 01:36am

***, *** ******** ***** true.

Read this IPVM report for free.

This article is part of IPVM's 6,728 reports, 907 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.

Already a member? Login here | Join now
Loading Related Reports