Dahua ‘Duplicitous’ Says Botnet Victim

Author: Brian Karas, Published on Oct 11, 2016

The victim of the record-breaking botnet, Brian Krebs, is calling Dahua duplicitous in its statements about the Mirai botnet. He says Dahua should bear more responsibility for enabling this botnet and that they are more at fault, for making poorly secured devices, than the unsuspecting users who purchased them.

We examine the validity of Dahua's statements, and Krebs' position on IoT device security.

Krebs Background

Brian Krebs is a well-known journalist within the cybersecurity community. Ironically, he first gained an interest in cyber security after having his home PC attacked by a Chinese hacker group in 2001. 15 years later, his website, Krebs On Security was attacked by a network of Chinese cameras.

Dahua's Statements

Dahua has been attempting to deflect the blame for this botnet to their customers, issuing statements to multiple publications, with 3 key points:

The devices were using firmware dating prior to January 2015.
The devices were using the default user name and password.
The devices were exposed to the internet without the protection of an effective network firewall.

Also, Dahua has claimed:

To the best of our knowledge, the DDoS [distributed denial-of-service attacks] threats have not affected any Dahua-branded devices deployed or sold in North America.

Krebs' Analysis

Get Video Surveillance News In Your Inbox
Get Video Surveillance News In Your Inbox

Krebs calls Dahua's statements duplicitous because Dahua chide's users for not changing usernames/passwords, yet hard-codes those credentials in its products:

Dahua’s statement that devices which were enslaved as part of the DDoS botnet were likely operating under the default password is duplicitous, given that threats like Mirai spread via Telnet and because the default password can’t effectively be changed.

In addition, Krebs points to a Flashpoint statistic that shows a large number of the infected Dahua devices were in fact in North America.

Dahua's Twisted Reality

When Dahua says Dahua-branded devices were not affected they mean only those sold through Dahua's official USA entity, which has only existed since early 2015, after firmware had been updated to remove telnet capabilities. In this statement, Dahua is selectively ignoring hundreds of thousands of devices carrying the Dahua brand sold into the US through channels like Amazon or Ali-Express. That these devices were not sold through official distributors does not make their poor security excusable.

The devices with hard-coded passwords that Krebs refers to are Dahua products sold through OEM's under OEM brands. These are not "Dahua-branded", but they were sold through Dahua-authorized distributors, and they contained hard-coded passwords that these distributors may not have initially been aware of, and that users were unable to change.

Ultimate Responsibility Lies With Dahua

This botnet exists because Dahua shipped a product with horrible security by any modern standard. While owners of infected Dahua-manufactured cameras could have potentially better secured their devices, hard-coded credentials and back-door console access via telnet or SSH has been considered flawed security for over a decade. Including these weaknesses, and not disclosing them to customers, shows poor decision making on Dahua's part.

Hopefully other security manufacturers are learning from this incident and moving to eliminate these product flaws if they still exist.

Is Dahua Being Duplicitous About The Attack?

1 report cite this report:

Chinese Company Xiongmai Threatens Legal Action Against Western Accusers on Oct 24, 2016
The Chinese video surveillance manufacturer, Xiongmai, whose equipment numerous sources blame for driving massive Internet attacks over the past...
Comments (19): PRO Members only. Login. or Join.

Related Reports

Hikvision Barred From US City Housing Authority Bid on Feb 14, 2017
A US city's housing authority has barred Hikvision products from their bid, due to 'increasing security concerns.' In the past few...
Boycott Anixter, Says 82% Integrators on Feb 05, 2017
82% of 130 145 integrator respondents say integrators should boycott Anixter, in response to Anixter / Bosch Sells Direct to Amazon. This is the...
Hikvision Pledges 'Never' 'Backdoors' on Jan 27, 2017
With criticisms rising, Hikvision has gone on the record publicly declaring: Hikvision never has, does or would intentionally contribute to...
PR Firm Pleads Don't Scrap PR Spending on Jan 20, 2017
PR is not dying, warns pleads PR firm. Take 40+ year old industry PR firm LRG, who recently lamented the 'misconceptions' that: Traditional PR...
Cut in Half, Everfocus Shifts Strategies on Jan 17, 2017
The race to the bottom impact continues. Now, Everfocus, who used to be one of the larger budget providers, is shifting strategies after years of...
Amazon Sales of Hikvision China Cameras on Jan 12, 2017
Hikvision has become widely available in the US, including on popular retail outlets like Amazon, with over 2,600 results: 4MP Hikvision outdoor...
ADI Battles Manufacturer Partners on Jan 11, 2017
ADI is battling their manufacturer partners, building up their own competitive house brand W-Box, while manufacturers still fund ADI's business...
ADI "HD Cameras As Low As $29.99" on Jan 06, 2017
ADI has reached a new low - literally. [premium_content] ADI is making no attempt to sell value or quality here, with their email subject...
Distributor's #1 Challenge on Jan 04, 2017
Manufacturers and integrators are not the only ones challenged in the security market, distributors are also impacted, fighting to maintain margins...
Suffering Criticism, Hikvision Keeps Insecure Online Service Up [Now Down] on Jan 03, 2017
Hikvision suffered severe criticisms for its abrupt plan to discontinue its Hikvision Online service, with 3 core functions to be removed on Dec...

Most Recent Industry Reports

Simplisafe is 'Blowing The Doors Off' on Feb 17, 2017
The company alarm dealers love to hate, Simplisafe, is 'blowing the doors off' according to Michael Barnes, one of the top financial advisors in...
Hikvision OEM DDNS Devices To 'Lose Remote Access' on Feb 17, 2017
The fallout of Hikvision's DDNS discontinuation is expanding, this time hitting OEM partner Supercircuits, who reports that on June 30th: The...
Milestone: "Easy Money Days Are Over" on Feb 17, 2017
Contrary to IPVM's criticisms, Milestone has reaffirmed that glory days remain. But they admit that they 'easy money days are over': Are the...
Directory of Alarm Panel Manufacturers on Feb 16, 2017
Alarm panels are the central controller of intrusion systems. The following is a list of manufacturers of alarm panels. This directory only covers...
Panasonic Favorability Results on Feb 16, 2017
Panasonic is one of the largest brands in the world and a long term provider of both video surveillance imagers and cameras. But, like all...
China Huawei Gives France Free City Surveillance on Feb 16, 2017
China is using its financial resources again, this time in France, just a month after the Chinese government funded a $100 million security /...
Hikvision Silicon Valley and Canada R&D Expansion on Feb 15, 2017
After massive growth in their sales team, Hikvision is now planning to add two new R&D centers in North America. In this report we examine...
Directory Of Wholesale Central Station Monitoring Providers on Feb 15, 2017
Wholesale central stations help smaller and local dealers providing monitoring to their customers. Dozens of options exist.  Below is the first...
Bosch/Genetec Video Cybersecurity Partnership Examined (CHAVE) on Feb 15, 2017
Surveillance products have been relatively weak when it comes to cyber security. Default passwords, open ports, and weak authentication mechanisms...
Security Alarm Industry Trends - Barnes on Feb 14, 2017
This is a review of key security alarm industry trends, taken from Michael Barnes' presentation at the 2017 Barnes Buchanan conference. Key trends...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact