Dahua ‘Duplicitous’ Says Botnet Victim
The victim of the record-breaking botnet, Brian Krebs, is calling Dahua duplicitous in its statements about the Mirai botnet. He says Dahua should bear more responsibility for enabling this botnet and that they are more at fault, for making poorly secured devices, than the unsuspecting users who purchased them.
We examine the validity of Dahua's statements, and Krebs' position on IoT device security.
Brian Krebs is a well-known journalist within the cybersecurity community. Ironically, he first gained an interest in cyber security after having his home PC attacked by a Chinese hacker group in 2001. 15 years later, his website, Krebs On Security was attacked by a network of Chinese cameras.
Dahua has been attempting to deflect the blame for this botnet to their customers, issuing statements to multiple publications, with 3 key points:
The devices were using firmware dating prior to January 2015.
The devices were using the default user name and password.
The devices were exposed to the internet without the protection of an effective network firewall.
Also, Dahua has claimed:
To the best of our knowledge, the DDoS [distributed denial-of-service attacks] threats have not affected any Dahua-branded devices deployed or sold in North America.
Krebs calls Dahua's statements duplicitous because Dahua chide's users for not changing usernames/passwords, yet hard-codes those credentials in its products:
Dahua’s statement that devices which were enslaved as part of the DDoS botnet were likely operating under the default password is duplicitous, given that threats like Mirai spread via Telnet and because the default password can’t effectively be changed.
In addition, Krebs points to a Flashpoint [link no longer available] statistic that shows a large number of the infected Dahua devices were in fact in North America.
Dahua's Twisted Reality
When Dahua says Dahua-branded devices were not affected they mean only those sold through Dahua's official USA entity, which has only existed since early 2015, after firmware had been updated to remove telnet capabilities. In this statement, Dahua is selectively ignoring hundreds of thousands of devices carrying the Dahua brand sold into the US through channels like Amazon or Ali-Express. That these devices were not sold through official distributors does not make their poor security excusable.
The devices with hard-coded passwords that Krebs refers to are Dahua products sold through OEM's under OEM brands. These are not "Dahua-branded", but they were sold through Dahua-authorized distributors, and they contained hard-coded passwords that these distributors may not have initially been aware of, and that users were unable to change.
Ultimate Responsibility Lies With Dahua
This botnet exists because Dahua shipped a product with horrible security by any modern standard. While owners of infected Dahua-manufactured cameras could have potentially better secured their devices, hard-coded credentials and back-door console access via telnet or SSH has been considered flawed security for over a decade. Including these weaknesses, and not disclosing them to customers, shows poor decision making on Dahua's part.
Hopefully other security manufacturers are learning from this incident and moving to eliminate these product flaws if they still exist.
Is Dahua Being Duplicitous About The Attack?