Dahua ‘Duplicitous’ Says Botnet Victim

Author: Brian Karas, Published on Oct 11, 2016

The victim of the record-breaking botnet, Brian Krebs, is calling Dahua duplicitous in its statements about the Mirai botnet. He says Dahua should bear more responsibility for enabling this botnet and that they are more at fault, for making poorly secured devices, than the unsuspecting users who purchased them.

We examine the validity of Dahua's statements, and Krebs' position on IoT device security.

Krebs Background

Brian Krebs is a well-known journalist within the cybersecurity community. Ironically, he first gained an interest in cyber security after having his home PC attacked by a Chinese hacker group in 2001. 15 years later, his website, Krebs On Security was attacked by a network of Chinese cameras.

Dahua's Statements

Dahua has been attempting to deflect the blame for this botnet to their customers, issuing statements to multiple publications, with 3 key points:

The devices were using firmware dating prior to January 2015.
The devices were using the default user name and password.
The devices were exposed to the internet without the protection of an effective network firewall.

Also, Dahua has claimed:

To the best of our knowledge, the DDoS [distributed denial-of-service attacks] threats have not affected any Dahua-branded devices deployed or sold in North America.

Krebs' Analysis

Get Video Surveillance News In Your Inbox
Get Video Surveillance News In Your Inbox

Krebs calls Dahua's statements duplicitous because Dahua chide's users for not changing usernames/passwords, yet hard-codes those credentials in its products:

Dahua’s statement that devices which were enslaved as part of the DDoS botnet were likely operating under the default password is duplicitous, given that threats like Mirai spread via Telnet and because the default password can’t effectively be changed.

In addition, Krebs points to a Flashpoint statistic that shows a large number of the infected Dahua devices were in fact in North America.

Dahua's Twisted Reality

When Dahua says Dahua-branded devices were not affected they mean only those sold through Dahua's official USA entity, which has only existed since early 2015, after firmware had been updated to remove telnet capabilities. In this statement, Dahua is selectively ignoring hundreds of thousands of devices carrying the Dahua brand sold into the US through channels like Amazon or Ali-Express. That these devices were not sold through official distributors does not make their poor security excusable.

The devices with hard-coded passwords that Krebs refers to are Dahua products sold through OEM's under OEM brands. These are not "Dahua-branded", but they were sold through Dahua-authorized distributors, and they contained hard-coded passwords that these distributors may not have initially been aware of, and that users were unable to change.

Ultimate Responsibility Lies With Dahua

This botnet exists because Dahua shipped a product with horrible security by any modern standard. While owners of infected Dahua-manufactured cameras could have potentially better secured their devices, hard-coded credentials and back-door console access via telnet or SSH has been considered flawed security for over a decade. Including these weaknesses, and not disclosing them to customers, shows poor decision making on Dahua's part.

Hopefully other security manufacturers are learning from this incident and moving to eliminate these product flaws if they still exist.

Is Dahua Being Duplicitous About The Attack?

1 report cite this report:

Chinese Company Xiongmai Threatens Legal Action Against Western Accusers on Oct 24, 2016
The Chinese video surveillance manufacturer, Xiongmai, whose equipment numerous sources blame for driving massive Internet attacks over the past...
Comments (19): PRO Members only. Login. or Join.

Related Reports

Deceptive ASIS Attendance on Oct 06, 2017
ASIS is being deceptive with its conference reporting, effectively inflating the event's real actual attendance. What they try, but struggle to...
Dahua Trying, Struggling To Respond To Hacking Attacks on Oct 04, 2017
Now, 2 weeks since large-scale hacking attacks commenced against Dahua vulnerable devices, we analyze Dahua's response. On the positive side,...
Hikvision USA Misleads Dealers On Backdoor on Oct 03, 2017
Hikvision USA emailed their dealers overnight with their 5th cyber security 'special bulletin' of the year. Misleading Unfortunately, they...
FLIR Thermal Camera Multiple Vulnerabilities, Patch Released on Oct 03, 2017
Multiple cyber security vulnerabilities exist in FLIR thermal cameras, which have not been fixed, despite being reported months ago. In this note,...
Hackers Globally Attacking Dahua Recorders on Sep 25, 2017
Dahua recorders are being hacked and vandalized around the world, as confirmed by dozens of reports to IPVM since the attacks surged 5 days...
'Clowns' Allege Ubiquiti 'Completely Fraudulent' on Sep 20, 2017
A short seller has alleged Ubiquiti is 'completely fraudulent'. Ubiquiti's CEO has responded calling them 'clowns'. Here is the short...
Cloud Guy Prints Book, Misses Irony on Sep 15, 2017
On-premise security systems are dead. But $75 print books are alive and well. Such are the lessons from Brivo's CEO new book "The Five...
September IP Networking Course on Sep 14, 2017
LAST Chance - Registration is ending. Register now. This is the only networking course designed specifically for video surveillance professionals...
The 3 Most Outstanding Security Manufacturers (OSPAs) Make No Sense on Sep 08, 2017
The Outstanding Security Manufacturer finalists (US edition) are here: And if you are wondering, "How did those 3 get chosen?" then you are...
Dahua and Hikvision Entering Access Control on Sep 05, 2017
Until now, Chinese video giants Hikvision and Dahua have held back releasing access internationally. Both companies have now pulled the trigger,...

Most Recent Industry Reports

Cisco Falling - Favorite Network Switches 2017 on Oct 20, 2017
1 major manufacturer fell and 1 outsider manufacturer gained as integrator favorites for network switches from more than 140 votes / explanations...
Uniview Recorder Backdoor Examined on Oct 20, 2017
A Chinese research group has identified a vulnerability in Uniview recorders that allows backdoor access in a method similar to the Dahua...
Hikvision Access Control Tested on Oct 19, 2017
Hikvision aggressive pricing and marketing combined with generally reliable hardware and free software has made them a major player in video...
Verkada, Silicon Valley VSaaS Startup, Targets Enterprise on Oct 19, 2017
Verkada says they are building an enterprise-class VSaaS offering, calling it "The new platform for video security". This is a departure from the...
Exacq Unbreaks Avigilon Integration on Oct 18, 2017
For nearly 4 years, Exacq had broken and effectively blocked use with Avigilon cameras, as IPVM reported in January 2014. Now, Exacq has...
Search More Important Than Live Monitoring - Statistics on Oct 18, 2017
Search is overall more important than live monitoring to integrators, according to new IPVM statistics.  The key themes found in integrator...
Axis 'Sold Out' P3707-PVE Multi-Imager Tested on Oct 18, 2017
Axis faced significant product shortages over the summer. Perhaps the most notorious and significantly sold out model was the Axis P3707-PE 8MP...
Dahua Removes Auto Rebooting on Oct 17, 2017
For years, Dahua has automatically programmed its IP cameras to reboot weekly, a highly atypical and questionable practice. Following IPVM...
Deep Learning Tutorial For Video Surveillance on Oct 17, 2017
Deep learning is a growing buzzword within physical security and video surveillance. But what is 'deep learning'? In this tutorial, we explain...
Multipoint Lock Access Control Tutorial on Oct 17, 2017
Doors are notoriously weak at stopping entry, and money can be misspent on wrong locks that leave doors quite vulnerable. While closed and locked...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact