Dahua ‘Duplicitous’ Says Botnet Victim

Author: Brian Karas, Published on Oct 11, 2016

The victim of the record-breaking botnet, Brian Krebs, is calling Dahua duplicitous in its statements about the Mirai botnet. He says Dahua should bear more responsibility for enabling this botnet and that they are more at fault, for making poorly secured devices, than the unsuspecting users who purchased them.

We examine the validity of Dahua's statements, and Krebs' position on IoT device security.

Krebs Background

Brian Krebs is a well-known journalist within the cybersecurity community. Ironically, he first gained an interest in cyber security after having his home PC attacked by a Chinese hacker group in 2001. 15 years later, his website, Krebs On Security was attacked by a network of Chinese cameras.

Dahua's Statements

Dahua has been attempting to deflect the blame for this botnet to their customers, issuing statements to multiple publications, with 3 key points:

The devices were using firmware dating prior to January 2015.
The devices were using the default user name and password.
The devices were exposed to the internet without the protection of an effective network firewall.

Also, Dahua has claimed:

To the best of our knowledge, the DDoS [distributed denial-of-service attacks] threats have not affected any Dahua-branded devices deployed or sold in North America.

Krebs' Analysis

Get Video Surveillance News In Your Inbox
Get Video Surveillance News In Your Inbox

Krebs calls Dahua's statements duplicitous because Dahua chide's users for not changing usernames/passwords, yet hard-codes those credentials in its products:

Dahua’s statement that devices which were enslaved as part of the DDoS botnet were likely operating under the default password is duplicitous, given that threats like Mirai spread via Telnet and because the default password can’t effectively be changed.

In addition, Krebs points to a Flashpoint statistic that shows a large number of the infected Dahua devices were in fact in North America.

Dahua's Twisted Reality

When Dahua says Dahua-branded devices were not affected they mean only those sold through Dahua's official USA entity, which has only existed since early 2015, after firmware had been updated to remove telnet capabilities. In this statement, Dahua is selectively ignoring hundreds of thousands of devices carrying the Dahua brand sold into the US through channels like Amazon or Ali-Express. That these devices were not sold through official distributors does not make their poor security excusable.

The devices with hard-coded passwords that Krebs refers to are Dahua products sold through OEM's under OEM brands. These are not "Dahua-branded", but they were sold through Dahua-authorized distributors, and they contained hard-coded passwords that these distributors may not have initially been aware of, and that users were unable to change.

Ultimate Responsibility Lies With Dahua

This botnet exists because Dahua shipped a product with horrible security by any modern standard. While owners of infected Dahua-manufactured cameras could have potentially better secured their devices, hard-coded credentials and back-door console access via telnet or SSH has been considered flawed security for over a decade. Including these weaknesses, and not disclosing them to customers, shows poor decision making on Dahua's part.

Hopefully other security manufacturers are learning from this incident and moving to eliminate these product flaws if they still exist.

Is Dahua Being Duplicitous About The Attack?

1 report cite this report:

Chinese Company Xiongmai Threatens Legal Action Against Western Accusers on Oct 24, 2016
The Chinese video surveillance manufacturer, Xiongmai, whose equipment numerous sources blame for driving massive Internet attacks over the past...
Comments (19): PRO Members only. Login. or Join.

Related Reports

No Hack, Still Liable, Court Finds ADT on Jun 20, 2017
Recently, ADT has been in the news for a $16 million settlement for a cyber security vulnerability class action suit. One of the most important...
Hikvision: IPVM Is "Destined To Fail" on Jun 14, 2017
Hikvision has accused IPVM of 'cyberbullying' them, declaring IPVM 'destined to fail.' This is the 3rd anti-IPVM Hikvision post in 2 weeks,...
Morten Tor Nielsen Defends Hikvision on Jun 12, 2017
Morten Tor Nielsen, veteran software developer for Prescienta working for OnSSI, has posted "In Defence of Hikvision". As Nielsen explains...
China Direct / Aliexpress Favorability on Jun 02, 2017
A source for incredible deals, or too good to be true? In our Distributor Favorability Survey integrated shared their experiences and opinions on...
How To Hack Your Company's Hikvision Recorder on May 29, 2017
Here's how easy it is to hack your company's Hikvision recorder: It does not matter how hard or secret the admin password is. Hikvision will...
Anti-Hack Access Card Shields Tested on May 26, 2017
Keeping your access control card information secure is becoming a big priority, especially since cheaper copiers can hack details easily. Multiple...
Most Respected Manufacturer Competitors on May 25, 2017
Manufacturers told IPVM what competitor they most respected. In terms of total revenue, Hikvision, Dahua and Axis are certainly tops but would...
Hikvision Marketer Caught Spamming, Fails at Coverup, Fired on May 23, 2017
A Hikvision marketing employee was caught by IPCamTalk trying to surreptitiously disparage IPVM and IPCamTalk. This is an outgrowth of Hikvision's...
Axis Criticizes OEMs: "When You Buy An Axis Camera, An Axis Camera Is What You Get!" on May 19, 2017
When you buy a Honeywell camera, you likely get a Hikvision, Dahua or some other company's product. The same goes for easily 100 different...
Hackable 125kHz Access Control Migration Guide on May 19, 2017
Despite being one of the most popular credentials, 125 kHz credentials are easily copied and insecure as we showed in our test results, video...

Most Recent Industry Reports

Importance of Sales To Integrators - Statistics on Jun 23, 2017
One of the top trends in the industry over the past few years has been the rise of across-the-board sales (e.g.: Hikvision Sales, Dahua Sale,...
Deep Learning Surveillance Startups Deep Problem on Jun 23, 2017
The undeniably good news for the video surveillance market is that we are seeing the rise of more startups than in many years. The cause of this...
Avigilon Announces RADAR-Based Presence Detector on Jun 22, 2017
RADAR is gaining momentum within physical security. Two months after Axis announced a network radar detector, Avigilon has announced a RADAR-Based...
Covert Cloud Camera Service Launching (KJB) on Jun 22, 2017
Cloud IP cameras, for consumers, has become increasingly commonplace. However, covert cameras, lag there, with few options. Now, North America's...
Manufacturers Shipping Unlicensed H.265 Products on Jun 22, 2017
While H.265 support in video surveillance is growing, IPVM's research shows that most surveillance manufacturers are shipping H.265 products with...
Uniview Low-Cost Bullet PTZ Tested on Jun 21, 2017
Uniview is offering a HD zoom bullet camera, the IPC742SR9-PZ30-32G, with an integrated pan / tilt positioner, for the price of a low-cost...
QSR Video Surveillance Best Practices on Jun 21, 2017
Fast food restaurants or QSRs (quick service restaurants), are frequent victims of crime and fraud. Because they are open late, deal with cash, and...
45 Drives 'Lowest Cost' Enterprise Storage Company Profile on Jun 21, 2017
45 Drives claims the "lowest cost per Hard Drive Slot in the industry." But who or what is '45 Drives'? What started as a product design to...
No Hack, Still Liable, Court Finds ADT on Jun 20, 2017
Recently, ADT has been in the news for a $16 million settlement for a cyber security vulnerability class action suit. One of the most important...
Resolver / PPM 2000 Incident Management Platform Profile on Jun 20, 2017
You might have seen the company whose employees wear hockey jerseys at trade shows and wondered "what do they do?" PPM 2000 has been active in...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact