Dahua Hard-Coded Credentials Vulnerability

By: IPVM Team, Published on Nov 20, 2017

A newly discovered Dahua backdoor is described by the researcher who discovered it as:

"not the result of an accidental logic error or poor programming practice, but rather an intentional backdoor placed into the product by the vendor"

This comes after other recent cyber security issues involving Dahua, including:

A group of ex-NSA researchers found these hard-coded credentials in Dahua products. The finding was picked up by The Washington Post and Fortune, but those publications failed to analyze the true extent of Dahua's most recent vulnerability.

IPVM spoke with Terry Dunlap, the CEO of ReFirm, the research company that discovered the vulnerability, as well as representatives from Dahua, to analyze its potential for impact. Will it be the next Mirai? Details are in this note.


*******

* ****-***** ******** *** password *** ** **** to ****** ***** ******** to ******** *******, ********* standard ************** ******* **** control ******** ********. **** allows ** ******** ** embed ***** *** **** (e.g., *****-***** ****** ****) into ********** ******** *** load ** ******** **** Dahua *******. *** ************* is **** **** ** exploit, ****** ** ****** on * ******** **** being ******** ********** (**** 3800), ***** *** **** limit ******* ******.

***** *** ******** ******* firmware, ****** *** *** is ******** ** *** research *******.

Vulnerability ********

****-***** *********** (********/******** ** dahua/dahua) **** ***** ** a ******* ****** "********", which ******* ** **** 3800 *** ** **** to ******** ****** ******** updates. *** ************* *** found ** ***** ******** version *.***.****, ****** ** is *** ******* ** only **** *******. **** details ** *** ************* are ******** ** ******'* ******** **** ************* Report, ******** ** **** 40.

*** ***** ***** ** a ********** ****** ******** from ***** ******** ***** shows ***** *** ****-***** credentials ****** ** *** code:

********* ** *****, *** vulnerability *** **** ** used *** ******** ******* processes, *** *** *** be **** ** **** remote ****** ** ******** devices ** ******** *** user ****.

Exploit ********* ****

****** ****** ** **** developed * ***** ** concept *******, ***** **** were **** ** ****** a ***** ******** ***** that ******* ** *************** telnet *******, ******** **** access **** * ***** shell ** *** ******. From **** ***** ** attacker ***** **** **** reign ** *** ******, allowing **** ** ****** a *** *****-***** ******, access ** ***** ***** data ** *** ******, or ********* **** *** operation. ********* ***** **** upload ******** ******** **** already *** ****** ********** installed, ****** * ****** that ********* ****** *******, something *** ******** ***** lacked.

Affected *******

***** ****** * ******** Notification [**** ** ****** available], ***** **** ***** 2 ******** ********, ********* 1 ** ****** (***-********) and * *** (*******, which ***** **** **** in *****). ***** ** updated ******** *** **** contained ** *** ******** notification.

****** *** ****: ***** has ******* ***** ******** notification [**** ** ****** available], ****** * ** cameras *** * **** NVR.

****** **** ****** ** have ***** *** ************* in * ***** ***** of ********,  ******* "******** of ******* ***** ******** images **** ******** ***** camera ****** ******** **** many ***** ****** ******** contain **** ***** **** upgraded *******, ********* *** “dahua” ****-***** ******** ***********."

***** ****** "*** ******** shipped ***** **** **** are *** ********", *** also ********* **** *** still ********* ******** **** older ********. ***** ** this, ** ***** ********** the **** ** ******** products ***** ******* ** Dahua ********* ** *********** affected *******.

Overall **** ******

***** *** ****** ******* of **** ******* ** port ****, ******* ** would ** ******** ** have ****-********** ***** ***** for ****** ****** (****** users ****** *** ****** in * ***), ******** attacks ********* ** ***** LAN ****. *****, **** presents * **** ** insider *******, ** ********* gaining ****** ** *** LAN ******* ***** ***** (open ****, ***** *********** devices, ***.), *** **** vulnerability ****** *** ** considered ****** ****** ******* it ***** ********* ** used *******. 

Fix ********

****** ****** **** ********** and ****** ******** **** the **** ***** ********, and ***** *** ****-***** dahua/dahua *********** ***** *******, as **** **** **** to ****** * ******** upgrade ** * ****** running *** ********** ******* firmware. ***** ****** **** **** been ****** ** ********* ReFirm's ********, *** **** the ****-***** **** **** has **** ******* **** latest ********. ** ** the **** ** **** publication, ***** ** ********** to ******* ****** ** get **** ******* ** their ***** ** *** vulnerability ***** ******** ** the ********* ***** ********.

Dahua ******** *********

*****'* ******** ** **** vulnerability ****** *** **** handled ****** **** ******* vulnerabilities ** *** ****. They **** **** ********** to ********* **** **** for *******, *** **** updated ***** ******** ************ as **** **** ********** through ********** *** *************. To ***** ******, **** also ******** ****** ******* after *** ************* *** published, ** ****** **** notified ***** * **** in ******* ** ***** release, ****** **** *********** where ******* *** ***** 30-45 **** ******* ****** of *********** ** ******* a ********.

ReFirm **** ******** *******

****** ** * *********, MD ***** ******** ******** company ******* ** **-*** security ********. *** ******* recently******** $*.** ** ******* funding, *** **** *********** from **** ** ******* their ***** ******** ****** to ******* ***** *******, such ** ******* *** The ********** ****.

*** ******* *** ********* a ******* ****** "**********", which **** ***** *** evaluate ******** *** ******* IoT ******* ************* ** detect *************** **** ** back *****. ****** **** license *** ********** ******** in * **** ***** to ********** ** ***-***** who **** ** *** it *** ********* ************* analysis.

****** **** ******* *** to **** ******** *** coverage ** ******* ** the *******, ***** ** delayed ***** ** ***** get ******** **** *****.

Comments (16)

I would love to hear Dahua's explanation for the 'intentional backdoor placed into the product by the vendor' conclusion...

It is in their security notice linked in the report:

Summary:

Firmware upgrade authentication bypass vulnerability was found in Dahua IPC-HDW4300S and some IP products. The vulnerability was caused by internal Debug function. This particular function was used for problem analysis and performance tuning during product development phase. It allowed the device to receive only specific data (one direction, no transmit) and therefore it was not involved in any instance of collecting user privacy data or allowing remote code execution.

 

Credible sources from Dahua claim this is all a guise by ReFirm in order to garner free press, and that no Dahua North America products are affected.  So that’s their REAL take on this matter.

In communicating with Dahua on this, they confirmed the vulnerability found by ReFirm, so I do not think it is fair to call it a "guise" when Dahua did not dispute the vulnerability.

While Dahua did say the vulnerable NVR that they found was a China-only model, they did not state that the IPC-HDW4300S camera was limited only to specific markets. They also do not state this on their security notice. If it is true, Dahua should provide that information as part of their release, not through a second-hand comment on IPVM.

ReFirm listed several vulnerable devices in their report where this Dahua vulnerability was published. The report certainly seemed to call attention to their company, and the media contacts they were doing were, at least in part, a desire to get publicity. Still, that does not detract from the fact that they found a vulnerability that Dahua admitted to. 

 

Had to give the "funny" upvote just for the "Credible sources from Dahua" part.  Almost did a spit take from that.  Go ahead and give an "Unhelpful" to this if you must.

“Credible sources from Dahua”

Maybe he meant “Incredible”.

"It allowed the device to receive only specific data (one direction, no transmit) and therefore it was not involved in any instance of collecting user privacy data or allowing remote code execution."

+1 pts for Dahua for at least admitting that they put this backdoor in themselves - unlike Hikvision (EDIT: who continue to deny the obvious.)

-1 pts for Dahua for focusing on their own 'non-responsibility' by defending their inclusion of the back door as 'innocent'. (ignoring, of course, that the existence of the back door itself is what makes their device potentially dangerous - and vulnerable to exploits from 3rd party bad actors)

Have checked and seen this in some of my "laying around" FW, but not as many as I could expect.

Edit: Still, I think this is serious, as it actually allows you to upload new tampered FW as 'anonymous', so the PoC they are saying they have done is real.

Something bothers me about the date of the "fix" and the date range they claim is affected.

Wouldn't they brag a little bit about the firmware having already been available and that this problem didn't affect models that had the most recent firmware from 2 years ago?

Don't bother, Dahua always releases a fix from 2015 for a vulnerability from 2016 and reported in 2017.

They have an awesome time-travel program!

 

Except we've had that exact same firmware since that date. So why is this vulnerability reported now?

Did they recompile the same firmware with the fix without changing the date? Am I going to have to request them again?

Questions should be redirected to Dahua and not me, as I don't get the "logic" either...

Update: Dahua has updated their security notification, adding 7 IP cameras and 1 more NVR, excerpt:

Dahua says they will "provide update information if additional affected products are identified."

Kudos to Dahua for publishing more information and proactively sharing it with us. However, it is somewhat worrisome that they cannot more easily, systematically and quickly detect what is in the firmware for various products. Anyone particularly agree or disagree on that?

Well, it seems that they squashed this way before the press release cause we've had this firmware and we didn't particularly get told why.

The version numbers they claim are affected are merely from older baselines. The Adreia one still bothers me though.

In reality this feels more like a case of, "we got caught for an old vulnerability again, but at least this time we already had it taken care of, otherwise we would have never had to say anything about it to anyone."

Basically, their fix seems to have been to close port 3800 altogether (which actually has been closed on new firmware from late 2016-2017 onward). However, I see no real mention of the removal of the backdoor account/credentials, so how good is this "fix"?

Port 3800 was the upgrade daemon and is certainly applicable and necessary for a lot of units that refuse to upgrade or got stalled midway through a firmware upgrade and can still be pinged. I think sometimes the port still works under non-full boot conditions, but I haven't soft-bricked enough units recently to test.

However, I see no real mention of the removal of the backdoor account/credentials...

It would seem that “dahua”,“dahua” are not credentials but rather conditional code.

 
