Dahua Critical Cloud Vulnerabilities
By John Scanlan, Published May 12, 2020, 12:14pm EDT
Dahua has acknowledged a series of cloud vulnerabilities that researcher Bashis discovered. Separately, researcher Thomas Vogt found an additional, unrelated vulnerability.
Dahua has had numerous vulnerabilities over the past few years including the 2019 critical vulnerabilities that Vogt's team found and the 2017 backdoor that Bashis found. The company is moreover banned for US federal use (NDAA) based on cybersecurity risks.
Inside this report:
- A summary of the vulnerabilities
- The vulnerabilities explained
- A statement from Dahua
- OEMs Impacted
- Response from Bashis
- Analysis from Refirm Labs
- Continued cybersecurity issues
- IPVM recommendations
Long Term Vulnerabilities Now Fixed
Dahua and Bashis have confirmed that Dahua has now (generally) fixed these issues. However, they existed for a long time; indeed, Bashis first posted a warning of this on IPVM in February:
Moreover, Bashis did note to IPVM that risk still remains with the cloud keys:
Well, it’s not so easy to just change cloud keys in all devices around the world, so this will work for some time still – my PoC is still working now.
Bashis also explained other potential risks:
Notably is that devices will be connected and registered to the cloud by the default, even if nobody has registered them to their own account.
So, from my opinion,
1) Dahua has access to devices – will they change cloud keys that way?
2) Anyone with creds could take ownership of them and register on their account (remember what I wrote above about sniffing).
Key problems included:
- Dahua and 22 OEMs, including Panasonic and Stanley, using their cloud solution were vulnerable.
- Dahua hardcoded the cloud keys/passwords for all OEMs (including Panasonic and Stanley) then included the keys in an executable that was distributed to all.
- Attackers could use those cloud keys to decrypt credentials using a network listening socket or network monitoring.
- Dahua used DES/3DES with fixed keys to encrypt passwords and then sent them over older, unprotected protocols instead of a secure transport like TLS.
- There are working proofs of concepts and Dahua confirmed these issues.
- Attackers could gain full access to equipment and cloud access is enabled by default in the Dahua firmware.
Dahua Cloud Vulnerability Explained
Bashis issued a proof of concept for the vulnerabilities. Dahua's cloud solution is used for Dahua branded equipment as well as 22 OEMs and has hardcoded cloud keys stored within an executable that was distributed to users and available for download via the web.
These vulnerabilities enable attackers to gain full access to the connected equipment.
The first vulnerability is caused by credentials being leaked via the Dahua NetSDK, which allows attackers to reveal the first 8 characters of passwords. There is a second, similar vulnerability that obtains the same data by a different method.
The third vulnerability is a self-extracting file on the cloud solution site IMOU which contained cloud keys/password and other related details for Dahua and 22 OEMs.
Statement From Dahua
While Dahua issued a security advisory addressing part of the vulnerabilities, they did not answer our questions about how they plan to stop these ongoing vulnerabilities. Over the years, they have made various pledges, including back in 2017, after the backdoor, saying:
“Cybercriminals have evolved into a major source of disruption for individuals, businesses and governments world-wide,” continued Ms. Fenner, Head of Marketing, North America, Dahua Technology USA. “By investing in the development of improved cybersecurity initiatives and new systems products with higher resistance to cyber-attacks, Dahua’s efforts will help to better protect their customers against cyber attacks and help further harden protection for the entire global networked community.”
The list of 23 OEMs includes notables like Panasonic and Stanley. IPVM reached out to Panasonic for comment.
Below is a screenshot from the PoC showing the cloud keys for Panasonic, Stanley, and others:
Panasonic responded stating that they will continue to research this and advise if there is any risk to their customers.
Refirm Labs Analysis
Cybersecurity experts ReFirm Labs reviewed the vulnerabilities and commented to IPVM, including:
The way that Dahua is using it the credentials are encrypted with either DES or 3DES then sent in the CLEAR. DES hashes for Unix-like systems use the password as the KEY to generate the hash so the function cannot be (easily) reversed. Dahua is using hardcoded DES/3DES keys to encrypt the supplied password on the other side. This is bad for many reasons but primarily if an attacker knows the hardcoded key and can passively observe the network traffic she would be able to trivially decrypt the credentials on the wire. The example given uses a network listening socket to decrypt the password but network monitoring would also work.
This is the issue that takes the cake. Dahua was hardcoding all of their major OEMs' "cloud" DES/3DES keys in their executable that was being distributed. Just shameful. At least let the OEMs choose their own password and secure it themselves? I cannot think of a legitimate reason to do this.
If you can auth to the Dahua cloud then you can effectively remotely control any device connected to it.
This demonstrates a total lack of basic cyber security best practices. Credentials should always be protected by an industry accepted secure protocol (i.e. TLS), hardcoded keys should never be used to protect authentication data, and if you do use hardcoded keys don't publish them all in a binary executable that you publish to the world.
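To make ReFirm's point concrete, the following is an added illustration (not Dahua's, ReFirm Labs' or IPVM's code) of why a symmetric key compiled into a distributed executable gives no confidentiality on the wire, and of the contrast ReFirm draws with a one-way verifier where the password itself is the secret input. Python's standard library has no DES/3DES, so an HMAC-SHA256 counter-mode keystream stands in for the block cipher; the property shown does not depend on the cipher. The key, password and captured message are constructed sample values, and the one-way verifier is shown only for the contrast: it does not replace the TLS transport the comment recommends.

```python
"""Hardcoded shipped key vs. a one-way password verifier (added illustration)."""
import hashlib
import hmac
import os
import secrets

# Constructed stand-in for a key baked into a distributed executable. Every
# copy of the "binary" carries the same value, so in practice it is public.
SHIPPED_KEY = bytes.fromhex("0123456789abcdef0123456789abcdef")
NONCE_LEN = 8


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; stands in for DES/3DES, which stdlib lacks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_with_shipped_key(password: str) -> bytes:
    """Device side: 'protect' the password with the key shipped in the software.
    The result is what goes on the wire without any transport protection."""
    nonce = secrets.token_bytes(NONCE_LEN)
    pt = password.encode()
    return nonce + _xor(pt, _keystream(SHIPPED_KEY, nonce, len(pt)))


def observer_recovers(wire_bytes: bytes, key_from_binary: bytes) -> str:
    """Anyone who captured the traffic and holds the shipped key reverses it fully."""
    nonce, ct = wire_bytes[:NONCE_LEN], wire_bytes[NONCE_LEN:]
    return _xor(ct, _keystream(key_from_binary, nonce, len(ct))).decode()


# ReFirm's contrast: a one-way function keyed by the password itself (the idea
# behind Unix DES crypt), so holding the stored value does not yield the password.
def password_verifier(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(password_verifier(password, salt), stored)


def demo() -> dict:
    password = "Sample-Password-1"  # constructed
    wire = encrypt_with_shipped_key(password)
    salt = os.urandom(16)
    stored = password_verifier(password, salt)
    return {
        # With the shipped key, a passive observer gets the password back verbatim.
        "recovered_by_observer": observer_recovers(wire, SHIPPED_KEY) == password,
        # The one-way verifier still checks the right password and rejects others.
        "verifier_accepts": verify(password, salt, stored),
        "wrong_password_rejected": not verify("other", salt, stored),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is the one ReFirm makes: a hardcoded key is not a secret once the executable that contains it is published, so encrypting credentials under it is equivalent to sending them in the clear to anyone who has that executable and can observe the traffic; only a per-session key negotiated by a transport such as TLS changes that.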
Another Dahua May 2020 Vulnerability
Dahua has issued a security advisory about this here, saying:
Some Dahua products have Session ID predictable vulnerabilities. During normal user access, an attacker can use the predicted Session ID to construct a data packet to attack the device.
A variety of series and firmware is impacted, requiring upgrades to eliminate the vulnerability.
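As an added example for the session ID advisory above (not code from Dahua's advisory or from IPVM), the following audit check runs a few simple tests over session identifiers that a device under your own control issued for successive logins: whether they advance by a constant step like a counter, whether any repeat, and how much entropy per character they carry. Both sample ID lists are constructed; the threshold of 3 bits per character is an assumed cut-off, not a value from the advisory.

```python
"""Audit check for predictable session identifiers (added example)."""
import math
import secrets
from collections import Counter

ENTROPY_FLOOR_BITS = 3.0  # assumed cut-off; random hex approaches 4 bits/char


def _as_int(sid: str):
    """Parse a session ID as decimal, then hex; None if it is neither."""
    for base in (10, 16):
        try:
            return int(sid, base)
        except ValueError:
            pass
    return None


def is_counter_like(ids: list) -> bool:
    """True if consecutive IDs differ by one small constant step (e.g. +1)."""
    nums = [_as_int(s) for s in ids]
    if len(nums) < 3 or any(n is None for n in nums):
        return False
    steps = {b - a for a, b in zip(nums, nums[1:])}
    return len(steps) == 1 and 0 < abs(steps.pop()) <= 1000


def entropy_per_char(ids: list) -> float:
    """Shannon entropy of the character distribution across all IDs."""
    counts = Counter("".join(ids))
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def audit_session_ids(ids: list) -> dict:
    """Summarise findings; 'predictable' means the IDs show the advisory's weakness."""
    ent = entropy_per_char(ids)
    counter = is_counter_like(ids)
    unique = len(set(ids)) == len(ids)
    return {
        "counter_like": counter,
        "all_unique": unique,
        "entropy_bits_per_char": round(ent, 2),
        "predictable": counter or not unique or ent < ENTROPY_FLOOR_BITS,
    }


# Constructed samples: a login counter versus 128-bit values from the OS CSPRNG.
WEAK_IDS = [str(1000 + i) for i in range(10)]
STRONG_IDS = [secrets.token_hex(16) for _ in range(10)]

if __name__ == "__main__":
    print("weak  :", audit_session_ids(WEAK_IDS))
    print("strong:", audit_session_ids(STRONG_IDS))
```

Run it against session IDs collected from your own device's login responses; a counter-like or low-entropy result is a reason to apply the firmware upgrade the advisory calls for rather than to rely on the session ID as a secret.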
Continued Cybersecurity Issues
These are only the most recent vulnerabilities. Dahua has a long history of cybersecurity vulnerabilities which led to them being banned for use with the US government and US government funded contracts. Other recent vulnerabilities include but are not limited to the list below:
- Dahua Critical Vulnerabilities
- Dahua Wiretapping Vulnerability
- Dahua Hard Coded Credentials Vulnerability
- Dahua Web Interface / Stack Buffer Overflow Vulnerability
- Dahua Backdoor Uncovered
- Dahua Recorders Mass Hacked
What about Pepper?
In August 2019, Dahua and Pepper announced that IMOU would be "pepper-ed", providing comprehensive, secure, feature-based firmware and a highly secure cloud solution. The initial plan from both was to start with IMOU, the same service highlighted in the vulnerability findings and on which the proof of concept was demonstrated. IPVM contacted Dahua and Pepper for an update. Despite it being 9 months since the press release, there is no progress to speak of. Dahua has not responded to our request and Pepper responded with:
After checking internally, we do not have updates on the IMOU devices to share at this time.
IPVM Recommendations
If you are using Dahua or Dahua OEM equipment, you should check to ensure that cloud access is disabled. Dahua enables this by default, so even if you are not actively using their cloud solution, attackers can still gain access to your equipment unless you disable it. If you are actively using the cloud solution, you may consider moving to a more secure remote access method like VPN.