*********
***** ********* ******* *********:
********* * ********* *******, ** ******** to ***** ** **** ******, ********:
** ** * ************* ** * vulnerability ** * ***** ******.
Simplicity *** ******** ** ***** ********
*****'* ******** ** *** **** ****** and ******* ** ******* **** *** ************* seen ****** ** ********** ***** ************ products. **** ** *** ******, *** researcher *** ********** **,*********:
**** ** **** * **** ********* hack, ***** ** *** ****** *** you *** **...
*****, ***** *************** *** **** ** execute. *** *******, ********* ********** **** ********************* * *********** ** **** **** steps ** *** ** ********. ** ********, the ***** *** ***** ****** *** board ** ****** *********** *********** *********** from *** ****** *** *********** ******* them ** *** ***** ******.
Implication - *** ***** **** ********
** ********* ******* ** **** ******* is **** ** ******** *********** *** 'back **** *******' **** ** *** should **** ********** ********* ***** *** has *********. ********* *** *********** * commodity - ******** '******' ****. *** focus ****** **** **** ** *** ** offering ***** **** ******** - **** ***** and *********.
**** **** **** *****. **** ** effectively *** ******** ** ***** *******, i.e., **** ***** *** *********'* ***** quality ** ********* *** **** ** Axis ** ********, ** **** *** the ******* ***. *** *** ******* manufacturers **** **** **** ******* ** that *****. ** **** *** ******** turn *** ************* ***** **** * general *****, **** ***** ****** *** lower **** ******* ***** *****.
Dahua *** ********* ****** *** ** ** *** **** ** *************
******* ** *********** *** ****** ** normalize *********, ***** *** ********* ***** do ****** ** ***** ** ***** *** 'best' ** *************. **** ***, ** far, *** *** ******* **** ****** video ************ ********* ***** ******* *** most ****** ** **** ** '***********' on *** ****** ********. *** *******, the* ******* ***** ******* ******* ** the ********. ******* ** ****, *** ************* discovered **** *** **** *** ******* because ** *** ***** ** *** devices **** *** **** ** ***********. Indeed, ******* *** **** ****** ** target ***** *** ********* *** *** same ****** **** **** ************ ******** Microsoft, ***** ***** ********* **** *** more ******* **** *** ** ******** than ***** **** ***** ******.
Comments (16)
Undisclosed Distributor #1
Interesting, this doesn't even broach the topic of these devices utilizing decade or more utilities (Telnet and FTP) which broadcast usernames and passwords in plain text format. It's okay, everyone's doing it.
Create New Topic
Undisclosed End User #2
There is big difference between vulnerability and backdoor.
I'll try to make it short;
Statement:
True vulnerability over a wide range products and firmware versions have always some unexpected anomalies, which is expected, and should therefore not be treated as backdoor, unless there is distinct pattern.
Conclusion:
Dahua backdoor lacking all above, except distinct pattern, even with different hashing techniques for more than three times, and besides - it's undocumented.
Create New Topic
Jack Sink
Perhaps I can put this in perspective: China has a well deserved reputation for state sponsored cyber efforts to gather competitive technology advantage or to conduct espionage against Western nations. They are also the majority owner of the world's largest video manufacturer. Phone Home and other potential exploitable means to penetrate video systems worldwide do not seem uncalculated. In a country where the State has express and final say upon manufacturers it just seems prudent to be concerned about vulnerabilities and also what appear to be intentional backdoors.
As to unintentional vulnerabilities to exploit, my iPhone, my Android, my operating systems and my web browsers seem to release security upgrades and patches weekly to speedily address vulnerabilities when discovered. That seems in sharp contrast to the "Everybody has vulnerabilities, don't worry" response.
In the legal setting ask 'what actions would a reasonable & prudent individual make?'
Create New Topic
Undisclosed End User #2
Side note:
I agree with Dahua Manager, there is backdoors implemented in all products, some are local and some are remote, but they are there for sure.
Example between Vulnerability and Backdoor:
Axis Communications Remote Format String, shows very distinct pattern over wide range of products and firmware versions, but there is to many unexpected anomalies for it could be categorised as backdoor.
I would love to categorise the Axis as backdoor, since in my opinion it would be genius one, but I can't due to the anomalies while exploiting.
However, it is fully possible to use Format String as technique for backdoors, but with this comes also very distinct patterns.
Create New Topic
Undisclosed End User #2
I was looking for the post made by "Dahua Manager", but it seems to be gone?
Create New Topic
Undisclosed Manufacturer #4
In most Chinese IP products there exists a password backdoor, or a means which to recover the password with little effort.
The domestic market products are so keen on low prices, even the existence of a reset button on the device adds to the cost.
So now the simple choice is using a software one. It's common and the security consideration is no relevance.
Only thanks to IPVM to highlight the true picture can we really see how such a poor job has been done on what is meant to be a security product.
A million+ devices having some basic issues is a sad thing to see.
Create New Topic
Undisclosed Integrator #5
Someone commented to me that the Backdoor issue isn't a problem on the dahau cameras if they are connected to an NVR rather than directly to the internet as the NVR will "handle the security" of a remote connection.
Is this correct?
Create New Topic