Dahua Hard-Coded Credentials Vulnerability

By IPVM Team, Published on Nov 20, 2017

A newly discovered Dahua backdoor is described by the researcher who discovered it as:

"not the result of an accidental logic error or poor programming practice, but rather an intentional backdoor placed into the product by the vendor"

This comes after other recent cyber security issues involving Dahua, including:

A group of ex-NSA researchers found these hard-coded credentials in Dahua products. The finding was picked up by The Washington Post and Fortune, but those publications failed to analyze the true extent of Dahua's most recent vulnerability.

IPVM spoke with Terry Dunlap, the CEO of ReFirm, the research company that discovered the vulnerability, as well as representatives from Dahua, to analyze its potential for impact. Will it be the next Mirai? Details are in this note.

*******

* ****-***** ******** *** password *** ** **** to ****** ***** ******** to ******** *******, ********* standard ************** ******* **** control ******** ********. **** allows ** ******** ** embed ***** *** **** (e.g., *****-***** ****** ****) into ********** ******** *** load ** ******** **** Dahua *******. *** ************* is **** **** ** exploit, ****** ** ****** on * ******** **** being ******** ********** (**** 3800), ***** *** **** limit ******* ******.

***** *** ******** ******* firmware, ****** *** *** is ******** ** *** research *******.

Vulnerability ********

****-***** *********** (********/******** ** dahua/dahua) **** ***** ** a ******* ****** "********", which ******* ** **** 3800 *** ** **** to ******** ****** ******** updates. *** ************* *** found ** ***** ******** version *.***.****, ****** ** is *** ******* ** only **** *******. **** details ** *** ************* are ******** ** ******'* ******** **** ************* Report, ******** ** **** 40.

*** ***** ***** ** a ********** ****** ******** from ***** ******** ***** shows ***** *** ****-***** credentials ****** ** *** code:

********* ** *****, *** vulnerability *** **** ** used *** ******** ******* processes, *** *** *** be **** ** **** remote ****** ** ******** devices ** ******** *** user ****.

Exploit ********* ****

****** ****** ** **** developed * ***** ** concept *******, ***** **** were **** ** ****** a ***** ******** ***** that ******* ** *************** telnet *******, ******** **** access **** * ***** shell ** *** ******. From **** ***** ** attacker ***** **** **** reign ** *** ******, allowing **** ** ****** a *** *****-***** ******, access ** ***** ***** data ** *** ******, or ********* **** *** operation. ********* ***** **** upload ******** ******** **** already *** ****** ********** installed, ****** * ****** that ********* ****** *******, something *** ******** ***** lacked.

Affected *******

***** ****** * ******** Notification [**** ** ****** available], ***** **** ***** 2 ******** ********, ********* 1 ** ****** (***-********) and * *** (*******, which ***** **** **** in *****). ***** ** updated ******** *** **** contained ** *** ******** notification.

****** *** ****: ***** has ******* ***** ******** notification [**** ** ****** available], ****** * ** cameras *** * **** NVR.

****** **** ****** ** have ***** *** ************* in * ***** ***** of ********,  ******* "******** of ******* ***** ******** images **** ******** ***** camera ****** ******** **** many ***** ****** ******** contain **** ***** **** upgraded *******, ********* *** “dahua” ****-***** ******** ***********."

***** ****** "*** ******** shipped ***** **** **** are *** ********", *** also ********* **** *** still ********* ******** **** older ********. ***** ** this, ** ***** ********** the **** ** ******** products ***** ******* ** Dahua ********* ** *********** affected *******.

Overall **** ******

***** *** ****** ******* of **** ******* ** port ****, ******* ** would ** ******** ** have ****-********** ***** ***** for ****** ****** (****** users ****** *** ****** in * ***), ******** attacks ********* ** ***** LAN ****. *****, **** presents * **** ** insider *******, ** ********* gaining ****** ** *** LAN ******* ***** ***** (open ****, ***** *********** devices, ***.), *** **** vulnerability ****** *** ** considered ****** ****** ******* it ***** ********* ** used *******. 

Fix ********

****** ****** **** ********** and ****** ******** **** the **** ***** ********, and ***** *** ****-***** dahua/dahua *********** ***** *******, as **** **** **** to ****** * ******** upgrade ** * ****** running *** ********** ******* firmware. ***** ****** **** **** been ****** ** ********* ReFirm's ********, *** **** the ****-***** **** **** has **** ******* **** latest ********. ** ** the **** ** **** publication, ***** ** ********** to ******* ****** ** get **** ******* ** their ***** ** *** vulnerability ***** ******** ** the ********* ***** ********.

Dahua ******** *********

*****'* ******** ** **** vulnerability ****** *** **** handled ****** **** ******* vulnerabilities ** *** ****. They **** **** ********** to ********* **** **** for *******, *** **** updated ***** ******** ************ as **** **** ********** through ********** *** *************. To ***** ******, **** also ******** ****** ******* after *** ************* *** published, ** ****** **** notified ***** * **** in ******* ** ***** release, ****** **** *********** where ******* *** ***** 30-45 **** ******* ****** of *********** ** ******* a ********.

ReFirm **** ******** *******

****** ** * *********, MD ***** ******** ******** company ******* ** **-*** security ********. *** ******* recently******** $*.** ** ******* funding, *** **** *********** from **** ** ******* their ***** ******** ****** to ******* ***** *******, such ** ******* *** The ********** ****.

*** ******* *** ********* a ******* ****** "**********", which **** ***** *** evaluate ******** *** ******* IoT ******* ************* ** detect *************** **** ** back *****. ****** **** license *** ********** ******** in * **** ***** to ********** ** ***-***** who **** ** *** it *** ********* ************* analysis.

****** **** ******* *** to **** ******** *** coverage ** ******* ** the *******, ***** ** delayed ***** ** ***** get ******** **** *****.

Comments (16)

I would love to hear Dahua's explanation for the 'intentional backdoor placed in to the product by the vendor' conclusion...

It is in their security notice linked in the report:

Summary:

Firmware upgrade authentication bypass vulnerability was found in Dahua IPC-HDW4300S and some IP products. The vulnerability was caused by internal Debug function. This particular function was used for problem analysis and performance tuning during product development phase. It allowed the device to receive only specific data (one direction, no transmit) and therefore it was not involved in any instance of collecting user privacy data or allowing remote code execution.

 

Credible sources from Dahua claim this is all a guise by ReFirm in order to garner free press, and that no Dahua North America products are affected.  So that’s their REAL take on this matter.

In communicating with Dahua on this, they confirmed the vulnerability found by ReFirm, so I do not think it is fair to call it a "guise" when Dahua did not dispute the vulnerability.

While Dahua did say the vulnerable NVR that they found was a China-only model, they did not state that the IPC-HDW4300S camera was limited only to specific markets. They also do not state this on their security notice. If it is true, Dahua should provide that information as part of their release, not through a second-hand comment on IPVM.

ReFirm listed several vulnerable devices in their report where this Dahua vulnerability was published. The report certainly seemed to call attention to their company, and the media contacts they were doing were, at least in part, a desire to get publicity. Still, that does not detract from the fact that they found a vulnerability that Dahua admitted to. 

 

Had to give the "funny" upvote just for the "Credible sources from Dahua" part.  Almost did a spit take from that.  Go ahead and give an "Unhelpful" to this if you must.

“Credible sources from Dahua”

Maybe he meant “Incredible”.

"It allowed the device to receive only specific data (one direction, no transmit) and therefore it was not involved in any instance of collecting user privacy data or allowing remote code execution."

+1 pts for Dahua for at least admitting that they put this backdoor in themselves - unlike Hikvision (EDIT: who continue to deny the obvious.)

-1 pts for Dahua for focusing on their own 'non-responsibility' by defending their inclusion of the back door as 'innocent'. (ignoring, of course, that the existence of the back door itself is what makes their device potentially dangerous - and vulnerable to exploits from 3rd party bad actors)

Have checked and seen this in some of my "laying around" FW, but not as many as I would expect.

Edit: Still, I think this is serious, as it actually allows you to upload new tampered FW as 'anonymous', so the PoC they say they have done is real.

Something bothers me about the date of the "fix" and the date range they claim is affected.

Wouldn't they brag a little bit about the firmware having already been available and that this problem didn't affect models that had the most recent firmware from 2 years ago?

Don't bother, Dahua always release a fix from 2015 for a vulnerability from 2016 and reported in 2017.

They have awesome time-travel program!

 

Except we've had that exact same firmware since that date. So why is this vulnerability reported now?

Did they recompile the same firmware with the fix without changing the date? Am I going to have to request them again?

Questions should be redirected to Dahua and not me, as I don't get the "logic" either...

Update: Dahua has updated their security notification, adding 7 IP cameras and 1 more NVR, excerpt:

Dahua says they will "provide update information if additional affected products are identified."

Kudos to Dahua for publishing more information and proactively sharing it with us. However, it is somewhat worrisome that they cannot more easily, systematically and quickly detect what is in the firmware for various products. Anyone particularly agree or disagree on that?

Well, it seems that they squashed this way before the press release cause we've had this firmware and we didn't particularly get told why.

The version numbers they claim are affected are merely from older baselines. The Adreia one still bothers me though.

In reality this feels more like a case of, "we got caught for an old vulnerability again, but at least this time we already had it taken care of, otherwise we would have never had to say anything about it to anyone."

Basically, their fix seems to have been to close port 3800 altogether (which actually has been closed on new firmware from late 2016-2017 onward). However, I see no real mention of the removal of the backdoor account/credentials, so how good is this "fix"?

Port 3800 was the upgrade daemon and is certainly applicable and necessary for a lot of units that refuse to upgrade or got stalled midway through a firmware upgrade and can still be pinged. I think sometimes the port still works under non-full boot conditions, but I haven't soft-bricked enough units recently to test.

However, I see no real mention of the removal of the backdoor account/credentials...

It would seem that “dahua”,“dahua” are not credentials but rather conditional code.

 
