Dahua was hardcoding all of their major OEMs "cloud" DES/3DES keys in their executable that was being distributed. Just shameful. At least let the OEMs choose their own password and secure it themselves? I cannot think of a legitmate reason to do this.
This is the most insane thing to me. It's one thing if their cloud team has prioritized other things than updating the retired DES and 3DES hashing algorithms which is bad but understandable, but hardcoding the encryption keys in the executable for all their customers has never been and never will be acceptable in terms of security.
Dahua's cloud solution is used for Dahua branded equipment as well as 22 OEMs and has hardcoded cloud keys stored within an executable that was distributed to users and available for download via the web.
It would be bad if they only distributed the executable with the keys internally at Dahua, but it's a catastrophe that these executables have been out in the public with the encryption keys.
EDIT: It also surprises me that none of the OEMs has had a requirement that they want to use a encryption key that they have generated themselves rather than one that was supplied to them. I'd assume that someone who set up the system for the OEMs would have realized that this was kind of strange, or maybe Dahua set up the cloud instance for them?
Not really, OEM has their own Cloud keys and entry IP/FQDN to their Cloud. (My PoC has only exposed Dahua/IMOU IP/FQDN, I found OEM's IP/FQDN in same executable too, but didn't find it necessary to expose them in the PoC description, OEM cloud keys where enough)
When it comes to 3DES credential leaks via DVRIP and DHP2P, yes - they share same PSK.
3DES and hardcoded PSK are within the NetSDK, so anything compiled with the Dahua NetSDK (clients/devices) share same PSK, pretty natural since one side needs to encrypt and other side need to decrypt - but the thing is that these credentials are sent to remote for requesting REALM/Random for DVRIP/DHP2P, and not only while login with 3DES.
I did an update on my Dahua Debug Console script with 3DES login as well, (however w/o credential leaks), but at least you can try that out if you want.
Update: This report has been updated to reflect that,despite it being 9 months since the press release, there is no progress to speak of with regards to the Dahua / Pepper relationship. Dahua has not responded to our request and Pepper responded stating:
After checking internally, we do not have updates on the IMOU devices to share at this time.