Dahua ‘Duplicitous’ Says Botnet Victim

Author: Brian Karas, Published on Oct 11, 2016

The victim of the record-breaking botnet, Brian Krebs, is calling Dahua duplicitous in its statements about the Mirai botnet. He says Dahua should bear more responsibility for enabling this botnet and that they are more at fault, for making poorly secured devices, than the unsuspecting users who purchased them.

We examine the validity of Dahua's statements, and Krebs' position on IoT device security.

Krebs Background

Brian Krebs is a well-known journalist within the cybersecurity community. Ironically, he first gained an interest in cyber security after having his home PC attacked by a Chinese hacker group in 2001. 15 years later, his website, Krebs On Security was attacked by a network of Chinese cameras.

Dahua's Statements

Dahua has been attempting to deflect the blame for this botnet to their customers, issuing statements to multiple publications, with 3 key points:

The devices were using firmware dating prior to January 2015.
The devices were using the default user name and password.
The devices were exposed to the internet without the protection of an effective network firewall.

Also, Dahua has claimed:

To the best of our knowledge, the DDoS [distributed denial-of-service attacks] threats have not affected any Dahua-branded devices deployed or sold in North America.

Krebs' Analysis

Get Video Surveillance News In Your Inbox
Get Video Surveillance News In Your Inbox

Krebs calls Dahua's statements duplicitous because Dahua chide's users for not changing usernames/passwords, yet hard-codes those credentials in its products:

Dahua’s statement that devices which were enslaved as part of the DDoS botnet were likely operating under the default password is duplicitous, given that threats like Mirai spread via Telnet and because the default password can’t effectively be changed.

In addition, Krebs points to a Flashpoint statistic that shows a large number of the infected Dahua devices were in fact in North America.

Dahua's Twisted Reality

When Dahua says Dahua-branded devices were not affected they mean only those sold through Dahua's official USA entity, which has only existed since early 2015, after firmware had been updated to remove telnet capabilities. In this statement, Dahua is selectively ignoring hundreds of thousands of devices carrying the Dahua brand sold into the US through channels like Amazon or Ali-Express. That these devices were not sold through official distributors does not make their poor security excusable.

The devices with hard-coded passwords that Krebs refers to are Dahua products sold through OEM's under OEM brands. These are not "Dahua-branded", but they were sold through Dahua-authorized distributors, and they contained hard-coded passwords that these distributors may not have initially been aware of, and that users were unable to change.

Ultimate Responsibility Lies With Dahua

This botnet exists because Dahua shipped a product with horrible security by any modern standard. While owners of infected Dahua-manufactured cameras could have potentially better secured their devices, hard-coded credentials and back-door console access via telnet or SSH has been considered flawed security for over a decade. Including these weaknesses, and not disclosing them to customers, shows poor decision making on Dahua's part.

Hopefully other security manufacturers are learning from this incident and moving to eliminate these product flaws if they still exist.

Is Dahua Being Duplicitous About The Attack?

Comments (19): PRO Members only. Login. or Join.

Related Reports

XiongMai Master Password List Emailed By Chinese Spammer on Dec 05, 2016
XiongMai created an international uproar as their devices drove massive botnet attacks of major Internet sites. After pledging to recall cameras...
Hikvision Cloud Security Vulnerability Uncovered on Dec 05, 2016
A security researcher uncovered a critical vulnerability in Hikvision's global cloud servers. This vulnerability allowed an attacker to remotely...
Distributor Offers Local Job Site Delivery on Nov 30, 2016
Local distribution branches are a big differentiator for many integrators, as they facilitate quickly picking up supplies locally without having to...
Hikvision 'Phone Home' Raises Security Fears on Nov 10, 2016
The escalating attention towards Hikvision's China government ownership and Genetec's removal of Hikvision due to cyber security concerns has...
Genetec Expels Hikvision on Nov 08, 2016
Genetec has removed support for Hikvision devices, deeming them 'untrustworthy', citing customer concerns about Chinese government ownership /...
Now Knocking A Country Offline - The Video Surveillance Driven Botnet Wreaks Havok on Nov 03, 2016
The video surveillance driven botnet is now attacking an entire country. The Mirai malware that took advantage of poor security in Xiongmai, Dahua...
Anixter Sales People Selling To End Users on Nov 03, 2016
Anixter's most frequently heard defense of selling to end users is that they used to do it, but not anymore. However, this was undermined by...
Shakeup of Milestone NA Distribution Team on Nov 03, 2016
Milestone built up their NA distribution sales team in the past year, following building up their manufacturer rep network and then terminating...
Dahua Says They Are Botnet Attack 'Victims' on Oct 26, 2016
'Victim' or 'accomplice'? Dahua has issued a new press release, referring to their products as 'victims' of the massive botnet attacks hitting the...
The Xiongmai Botnet 'Recall' Will Not Work on Oct 25, 2016
The Xiongmai 'recall' has been the topic of global news, following the unprecedented bot net attacks that use their equipment, among...

Most Recent Industry Reports

Sony IP Camera Backdoor Uncovered on Dec 06, 2016
A backdoor has been uncovered in ~80 Sony IP camera models, attackers can remotely enable telnet on the camera, and then potentially login as root,...
Milestone Favorability Results on Dec 06, 2016
In our second installment of manufacturer favorability results (first was Pelco), we turn to Milestone. 100+ integrators rated and explained what...
XiongMai Master Password List Emailed By Chinese Spammer on Dec 05, 2016
XiongMai created an international uproar as their devices drove massive botnet attacks of major Internet sites. After pledging to recall cameras...
Hikvision Cloud Security Vulnerability Uncovered on Dec 05, 2016
A security researcher uncovered a critical vulnerability in Hikvision's global cloud servers. This vulnerability allowed an attacker to remotely...
Door Operators Access Control Tutorial on Dec 05, 2016
Doors equipped with door operators, specialty devices that automate opening and closing, tend to be quite complex. The mechanisms needed to...
Pelco Favorability Results on Dec 02, 2016
This is the first in a series of studies of manufacturer favorability. 100+ integrators rated and explained their views of each manufacturer. We...
Hikvision CEO Declares 'We Do Not Cut Rates" on Dec 02, 2016
Hikvision has led another press trip to China, and this time Hikvision's CEO is sharing insights into their competitive strategy, including...
Network Security Audit App (March Networks) Examined on Dec 01, 2016
Verifying one's video surveillance devices are locked down against common cybersecurity vulnerabilities is increasing important, as hacks using...
FLIR Acquires Drone Manufacturer For $134M on Dec 01, 2016
FLIR has acquired Prox Dynamics, a Norwegian maker of small military-grade drones, for $134M.  FLIR president Andy Teich provided additional...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact