Dahua Critical Cloud Vulnerabilities

By John Scanlan, Published May 12, 2020, 12:14pm EDT

Dahua has acknowledged a series of cloud vulnerabilities discovered by researcher Bashis. Separately, researcher Thomas Vogt found another vulnerability, covered later in this report.


Dahua has had numerous vulnerabilities over the past few years, including the 2019 critical vulnerabilities found by Vogt's team and the 2017 backdoor found by Bashis. The company is also banned from US federal use (NDAA) based on cybersecurity risks.

Inside this report:

  • A summary of the vulnerabilities
  • The vulnerabilities explained
  • A statement from Dahua
  • OEMs Impacted
  • Response from bashis
  • Analysis from ReFirm Labs
  • Continued cybersecurity issues
  • IPVM recommendations

Long Term Vulnerabilities Now Fixed

Dahua and Bashis have confirmed that Dahua has now (generally) fixed these issues. However, they existed for a long time; Bashis first posted a warning about them on IPVM in February.

Moreover, Bashis did note to IPVM that risk still remains with the cloud keys:

Well, it’s not so easy to just change cloud keys in all devices around the world, so this will work for some time still – my PoC still working now.

Bashis also explained other potential risks:

Notable is that devices will be connected and registered to the cloud by default, even if nobody has registered them to their own account.

So, from my opinion,

1) Dahua has access to devices – will they change cloud keys that way?

2) Anyone with creds could take ownership of them and register on their account (remember what I wrote above about sniffing).

Key problems included:

  • Dahua and 22 OEMs using its cloud solution, including Panasonic and Stanley, were vulnerable.
  • Dahua hardcoded the cloud keys/passwords for all OEMs (including Panasonic and Stanley) and shipped those keys inside an executable that was distributed to everyone.
  • Attackers holding those cloud keys could decrypt credentials captured via a network listening socket or ordinary network monitoring.
  • Dahua encrypted passwords with DES/3DES under those static keys instead of protecting the session with a secure transport such as TLS.
  • Working proofs of concept exist and Dahua confirmed the issues.
  • Attackers could gain full access to equipment, and cloud access is enabled by default in Dahua firmware.

Dahua Cloud Vulnerability Explained

Bashis issued a proof of concept for the vulnerabilities. Dahua's cloud solution is used for Dahua-branded equipment as well as 22 OEMs, and the cloud keys were hardcoded inside an executable that was distributed to users and available for download on the web.

These vulnerabilities enable attackers to gain full access to the connected equipment.

The first vulnerability is a credential leak via the Dahua NetSDK, from which an attacker can recover the first 8 characters of a password (8 bytes is the size of a single DES block). A second, similar vulnerability exposes the same data through a different method. (In the comments below, Bashis identifies the two leak channels as DVRIP and DHP2P.)

The third vulnerability is a self-extracting file on the IMOU cloud solution site which contained the cloud keys/passwords and related details for Dahua and the 22 OEMs.

Statement From Dahua

While Dahua issued a security advisory addressing some of the vulnerabilities, it did not answer our questions about how it plans to stop these recurring vulnerabilities. Over the years the company has made various pledges, including this one from 2017, after the backdoor:

“Cybercriminals have evolved into a major source of disruption for individuals, businesses and governments world-wide,” continued Ms. Fenner, Head of Marketing, North America, Dahua Technology USA. “By investing in the development of improved cybersecurity initiatives and new systems products with higher resistance to cyber-attacks, Dahua’s efforts will help to better protect their customers against cyber attacks and help further harden protection for the entire global networked community.”

OEMs Impacted

There are 23 OEMs listed, including notables like Panasonic and Stanley. IPVM reached out to Panasonic for comment.

The PoC includes a screenshot showing the cloud keys for Panasonic, Stanley, and others.

Panasonic responded stating that it will continue to research this and advise if there is any risk to its customers.

ReFirm Labs Analysis

Cybersecurity experts ReFirm Labs reviewed the vulnerabilities and commented to IPVM, including:

The way that Dahua is using it, the credentials are encrypted with either DES or 3DES then sent in the CLEAR. DES hashes for Unix-like systems use the password as the KEY to generate the hash so the function cannot be (easily) reversed. Dahua is using hardcoded DES/3DES keys to encrypt the supplied password on the other side. This is bad for many reasons but primarily if an attacker knows the hardcoded key and can passively observe the network traffic she would be able to trivially decrypt the credentials on the wire. The example given uses a network listening socket to decrypt the password but network monitoring would also work.

This is the issue that takes the cake. Dahua was hardcoding all of their major OEMs' "cloud" DES/3DES keys in their executable that was being distributed. Just shameful. At least let the OEMs choose their own password and secure it themselves? I cannot think of a legitimate reason to do this.

If you can auth to the Dahua cloud then you can effectively remotely control any device connected to it.

This demonstrates total lack of basic cyber security best practices. Credentials should always be protected by an industry accepted secure protocol (i.e. TLS), hardcoded keys should never be used to protect authentication data, and if you do use hardcoded keys don't publish them all in a binary executable that you publish to the world.
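The mechanism ReFirm Labs describes above, and the NetSDK credential leak in the "Dahua Cloud Vulnerability Explained" section, reduce to one property: the password crosses the network encrypted under a key that every client and device already holds, so anyone who has pulled that key out of the distributed executable can decrypt it from a passive capture. The Go program below is an added illustration written for this page; it is not Bashis's PoC, not Dahua NetSDK code, and not any vendor's real protocol. Go is used because its standard library ships DES/3DES. The 24-byte key, the sample password, the single-block zero-padding, and the challenge-response contrast at the end are all constructed assumptions. Forcing the password into one 8-byte block is what makes a "first 8 characters" leak visible here; the page does not say that this is how the real SDK truncates.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// hardcodedKey stands in for the static 3DES key that the article says was
// baked into the NetSDK and the distributed executable. This value is made up
// for the example; it is NOT any vendor's real key.
var hardcodedKey = []byte("0123456789abcdef01234567") // 24 bytes = 3DES key

// legacyEncryptPassword mimics the weak scheme the article describes: the
// password is forced into one 8-byte DES block (so only the first 8
// characters survive) and encrypted under a key every client and device share.
// There is no IV, so the same password always yields the same ciphertext.
func legacyEncryptPassword(password string, key []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	buf := make([]byte, des.BlockSize) // truncate to 8 bytes, zero-pad if shorter
	copy(buf, password)
	out := make([]byte, des.BlockSize)
	block.Encrypt(out, buf)
	return out, nil
}

// passiveObserverDecrypt is what an attacker on the network path can do once
// the shared key has been recovered from the public executable: decrypt the
// captured block and read the (first 8 characters of the) password.
func passiveObserverDecrypt(captured []byte, extractedKey []byte) (string, error) {
	block, err := des.NewTripleDESCipher(extractedKey)
	if err != nil {
		return "", err
	}
	if len(captured) != des.BlockSize {
		return "", fmt.Errorf("expected one %d-byte block, got %d bytes", des.BlockSize, len(captured))
	}
	plain := make([]byte, des.BlockSize)
	block.Decrypt(plain, captured)
	return string(bytes.TrimRight(plain, "\x00")), nil
}

// challengeResponse shows the property the weak scheme lacks: the value on the
// wire is a one-way function of the password and a fresh server nonce, so a
// passive observer holding every static key in the binary cannot reverse it.
// This illustrates the principle only (assumed, not any vendor's protocol);
// it would still need to run inside TLS and use a proper salted verifier.
func challengeResponse(password string, nonce []byte) []byte {
	mac := hmac.New(sha256.New, []byte(password))
	mac.Write(nonce)
	return mac.Sum(nil)
}

// newNonce returns 16 random bytes for the server side of the challenge.
func newNonce() ([]byte, error) {
	n := make([]byte, 16)
	_, err := rand.Read(n)
	return n, err
}

func main() {
	const password = "Sup3rSecretPassw0rd!" // constructed sample credential

	wire, _ := legacyEncryptPassword(password, hardcodedKey)
	fmt.Printf("on the wire:            %s\n", hex.EncodeToString(wire))

	// The attacker's copy of the key came from the distributed executable.
	attackerKey := append([]byte(nil), hardcodedKey...)
	leaked, _ := passiveObserverDecrypt(wire, attackerKey)
	fmt.Printf("observer recovers:      %q (first 8 chars only)\n", leaked)

	nonce, _ := newNonce()
	tag := challengeResponse(password, nonce)
	fmt.Printf("challenge-response tag: %s (not reversible)\n", hex.EncodeToString(tag))
}
```

Run it with `go run` and the observer recovers `Sup3rSec` from a single captured block, with no interaction and no brute force, which is the whole point ReFirm makes about hardcoded keys. The challenge-response contrast is deliberately minimal: a captured tag still allows an offline guessing attack against weak passwords, which is why the recommendation on this page is a real transport such as TLS rather than a cleverer encoding of the password.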

Another Dahua May 2020 Vulnerability

While researching the vulnerabilities above, we were notified of yet another Dahua vulnerability by researcher Thomas Vogt.

Dahua has issued a security advisory about this, saying:

Some Dahua products have Session ID predictable vulnerabilities. During normal user access, an attacker can use the predicted Session ID to construct a data packet to attack the device.

A variety of series and firmware versions are impacted, and a firmware upgrade is required to eliminate the vulnerability.

Continued Cybersecurity Issues

These are only the most recent vulnerabilities. Dahua has a long history of cybersecurity vulnerabilities, which led to it being banned from use by the US government and in US government funded contracts. Other recent vulnerabilities include but are not limited to the list below:

What about Pepper?

In August 2019, Dahua and Pepper announced that IMOU would be "pepper-ed", providing comprehensive, secure, feature-based firmware and a highly secure cloud solution. The stated plan was to start with IMOU, the same service on which Bashis's proof of concept was demonstrated. IPVM contacted Dahua and Pepper for an update. Despite it being 9 months since the press release, there is no progress to speak of. Dahua has not responded to our request and Pepper responded with:

After checking internally, we do not have updates on the IMOU devices to share at this time.

IPVM Recommendations

If you are using Dahua or Dahua OEM equipment, check to ensure that cloud access is disabled. Dahua enables it by default, so even if you are not actively using the cloud solution, attackers can still reach your equipment through it unless you disable it. If you are actively using the cloud solution, consider moving to a more secure remote access method such as a VPN.


Comments (10)


To confirm, was the issue reported to Dahua before public disclosure? I don't understand why the cloud would be enabled by default !?


No, Bashis waited 3 months after he got a hold of Dahua. And that was on top of the weeks it took to get a response from Dahua.


Oh dear... That is a very poor show from Dahua :(


Dahua was hardcoding all of their major OEMs' "cloud" DES/3DES keys in their executable that was being distributed. Just shameful. At least let the OEMs choose their own password and secure it themselves? I cannot think of a legitimate reason to do this.

This is the most insane thing to me. It's one thing if their cloud team has prioritized other things than updating the retired DES and 3DES hashing algorithms which is bad but understandable, but hardcoding the encryption keys in the executable for all their customers has never been and never will be acceptable in terms of security.

Dahua's cloud solution is used for Dahua branded equipment as well as 22 OEMs and has hardcoded cloud keys stored within an executable that was distributed to users and available for download via the web.

It would be bad if they only distributed the executable with the keys internally at Dahua, but it's a catastrophe that these executables have been out in the public with the encryption keys.

EDIT: It also surprises me that none of the OEMs has had a requirement that they want to use an encryption key that they have generated themselves rather than one that was supplied to them. I'd assume that someone who set up the system for the OEMs would have realized that this was kind of strange, or maybe Dahua set up the cloud instance for them?


I would assume as you mention, that Dahua simply set up the cloud for the OEMs. Or maybe they don't even use it but it is enabled in the firmware and thus they provisioned it.

The reason for the lack of security is that it is easy. That is why all of these companies go to an OEM.


Not really, OEMs have their own Cloud keys and entry IP/FQDN to their Cloud. (My PoC has only exposed Dahua/IMOU IP/FQDN, I found OEMs' IP/FQDN in the same executable too, but didn't find it necessary to expose them in the PoC description, OEM cloud keys were enough)

When it comes to 3DES credential leaks via DVRIP and DHP2P, yes - they share same PSK.

Edit:

3DES and hardcoded PSK are within the NetSDK, so anything compiled with the Dahua NetSDK (clients/devices) shares the same PSK, pretty natural since one side needs to encrypt and the other side needs to decrypt - but the thing is that these credentials are sent to remote for requesting REALM/Random for DVRIP/DHP2P, and not only while logging in with 3DES.

I did an update on my Dahua Debug Console script with 3DES login as well, (however w/o credential leaks), but at least you can try that out if you want.


Dahua's time has come and gone. It was nice having cheap analog cameras back then, but now that we put them on our networks it is plain stupid to use them. No one ever got fired for NOT using Dahua.

Time to upgrade, and please check your new vendor thoroughly for security before you switch. Have a network security professional review the implementation before you go forward.

Name withheld for security reasons. Now how about Hik?


Update: This report has been updated to reflect that, despite it being 9 months since the press release, there is no progress to speak of with regards to the Dahua / Pepper relationship. Dahua has not responded to our request and Pepper responded stating:

After checking internally, we do not have updates on the IMOU devices to share at this time.


The only people voting STRONG in the poll above are Dahua sales guys. Even their techs would vote WEAK. The honest sales guys said AVERAGE. 🤣


Sad, but probably quite true.
