Dahua Forbes 'Next Web Crisis' Vulnerability Dispute

Author: Brian Karas, Published on Nov 16, 2017

The buffer overflow vulnerability in Dahua products is not in dispute; in fact, we covered it when it was first published.

What is in dispute is how significant the vulnerability is, and the risks posed to users with unpatched devices.

This was recently showcased in a Forbes article, which bluntly called it 'the next web crisis' and included a video demonstration of an 'Ocean's Eleven'-style Dahua hack.

IPVM has researched this, talking with Dahua, Forbes and the cybersecurity research firm that found the vulnerability, and found conflicting claims. Inside this report, we examine the vulnerability, the claims made by each party, and what this means for both Dahua and cyber security reporting.
