Dahua Manager: Lots of Backdoors Beyond Dahua or Hikvision

By: John Honovich, Published on Mar 29, 2017

A Dahua technical manager has fired back at criticisms of Dahua's backdoor, posting publicly what many at Dahua have privately been saying for the past few weeks that their backdoor is no big deal because lots of companies have backdoors and that Dahua and Hikvision get unfairly criticized for their problems.

* ***** ********* ******* has ***** **** ** criticisms *******'* ********, ******* ******** **** many ** ***** **** privately **** ****** *** the **** *** ***** that ***** ******** ** no *** **** ******* lots ** ********* **** ********* and **** ***** *** Hikvision get unfairly ********** *** ***** problems.

[***************]

*********

***** ********* ******* *********:

********* * ********* *******, in ******** ** ***** vs **** ******, ********:

** ** * ************* is * ************* ** a ***** ******.

Simplicity *** ******** ** ***** ********

*****'* ******** ** *** more ****** *** ******* to ******* **** *** ************* seen ****** ** ********** video ************ ********. **** is *** ******, *** researcher *** ********** **,*********:

**** ** **** * damn ********* ****, ***** on *** ****** *** you *** **...

*****, ***** *************** *** hard ** *******. *** example, ********* ********** **** ********************* * *********** ** very **** ***** ** all ** ********. ** ********, the ***** *** ***** across *** ***** ** simply *********** *********** *********** from *** ****** *** immediately ******* **** ** get ***** ******.

Implication - *** ***** **** ********

** ********* ******* ** this ******* ** **** if ******** *********** *** 'back **** *******' **** no *** ****** **** purchasing ********* ***** *** has *********. ********* *** effectively * ********* - everyone '******' ****. *** focus ****** **** **** to *** ** ******** ***** cost products - **** ***** and *********.

**** **** **** *****. That ** *********** *** argument ** ***** *******, i.e., **** ***** *** Hikvision's ***** ******* ** basically *** **** ** Axis ** ********, ** just *** *** ******* one. *** *** ******* manufacturers **** **** **** selling ** **** *****. If **** *** ******** turn *** ************* ***** into * ******* *****, than ***** ****** *** lower **** ******* ***** *****.

Dahua *** ********* ****** *** ** ** *** **** ** *************

******* ** *********** *** trying ** ********* *********, Dahua *** ********* ***** do ****** ** ***** ** being *** '****' ** cybersecurity. **** ***, ** far, *** *** ******* mass ****** ***** ************ providers ***** ******* *** most ****** ** **** up '***********' ** *** public ********. *** *******, the* ******* ***** ******* exposed ** *** ********. ******* ** ****, any ************* ********** **** hit **** *** ******* because ** *** ***** of *** ******* **** can **** ** ***********. Indeed, ******* *** **** likely ** ****** ***** and ********* *** *** same ****** **** **** historically ******** *********, ***** these ********* **** *** more ******* **** *** be ******** **** ***** more ***** ******.

Comments (16)

Undisclosed Distributor #1

03/29/17 05:29pm

Interesting, this doesn't even broach the topic of these devices utilizing decade or more utilities (Telnet and FTP) which broadcast usernames and passwords in plain text format.  It's okay, everyone's doing it.

Undisclosed End User #2

03/29/17 06:00pm

There is big difference between vulnerability and backdoor.

I'll try to make it short;

Statement:
True vulnerability over a wide range products and firmware versions have always some unexpected anomalies, which is expected, and should therefore not be treated as backdoor, unless there is distinct pattern.

Conclusion:
Dahua backdoor lacking all above, except distinct pattern, even with different hashing techniques for more than three times, and besides - it's undocumented.

 

Undisclosed Distributor #1

In reply to Undisclosed End User #2 | 03/29/17 06:04pm

It's undocumented for us, but for whom is it documented???

Undisclosed End User #2

In reply to Undisclosed Distributor #1 | 03/29/17 06:07pm

Their intended users, would that make sense?

Jack Sink

IPVMU Certified | 03/29/17 06:41pm

Perhaps I can put this in perspective: China has a well deserved reputation for state sponsored cyber efforts to gather competitive technology advantage or to conduct espionage against Western nations. They are also the majority owner of the world's largest video manufacturer. Phone Home and other potential exploitable means to penetrate video systems worldwide do not seem uncalculated. In a country where the State has express and final say upon manufacturers it just seems prudent to be concerned about vulnerabilities and also what appear to be intentional backdoors.

As to unintentional vulnerabilities to exploit, my iPhone, my Android, my operating systems and my web browsers seem to release security upgrades and patches weekly to speedily address vulnerabilities when discovered. That seems in sharp contrast to the "Everybody has vulnerabilities, don't worry" response. 

In the legal setting ask 'what actions would a reasonable & prudent individual make?'

Undisclosed End User #2

In reply to Jack Sink | 03/29/17 08:46pm

Good points, and with P2P, these kind of backdoor implementations will then not be needed, since with P2P you practically giving away your credentials and addresses to your devices! and the connection to P2P, your devices initiates and keeps open. For me, it is similar to reverse shell

Do anyone trust them? thats the question.

 

 

Undisclosed End User #2

03/29/17 06:55pm

Side note:
I agree with Dahua Manager, there is backdoors implemented in all products, some are local and some are remote, but they are there for sure.

Example between Vulnerability and Backdoor:
Axis Communications Remote Format String, shows very distinct pattern over wide range of products and firmware versions, but there is to many unexpected anomalies for it could be categorised as backdoor.

I would love to categorise the Axis as backdoor, since in my opinion it would be genius one, but I can't due to the anomalies while exploiting.

However, it is fully possible to use Format String as technique for backdoors, but with this comes also very distinct patterns. 

Undisclosed Integrator #3

In reply to Undisclosed End User #2 | 03/29/17 09:15pm

UE#2 this isn't directed at you but a direct observation based on your comment.  This may be your first post on IPVM and you make have just joined yesterday from what I can tell.

What keeps being missed by people looking to debunk the Hikvision and Dahua vulnerabilities, whether those vulnerabilities are via willful intent or negligence, is the scale of those vulnerabilities.  IPVM emphasizes this in nearly every article.  A simple search of Axis, Hikvision, and Dahua shows the following quantity of easily identified devices primed to probe for exploits.

Those results are not even looking for any OEMs that change the identifiers of product or having someone more competent than I using the search engine.  Axis could make their cameras listed on Shodan.io require no password or user account at all and still present a less viable target than Hik/Dahua.

Metaphorically, if you went hunting for sustenance purposes would you aim for the gigantic deer or the tiny squirrel?  From the perspective of a hacker their return on time investment is much greater targeting the big unprotected target.

Undisclosed End User #2

In reply to Undisclosed Integrator #3 | 03/29/17 09:25pm

whatever

Not joined yesterday.

Listen, who care if it's giant as Dahua/Hikvision or Axis, I surely don't.

 

/bashis

Undisclosed End User #2

03/29/17 08:38pm

I was looking for the post made by "Dahua Manager", but it seems to be gone?

John Honovich

IPVM | In reply to Undisclosed End User #2 | 03/29/17 11:53pm

I was looking for the post made by "Dahua Manager", but it seems to be gone?

Yes, I believe it has been removed. I do not see it on the LinkedIn thread it was posted in.

Dahua and Hikvision both have a problem with their employees posting on social media. For example, Hikvision Director Mocks Dahua.

Undisclosed Manufacturer #4

03/31/17 03:45am

In most Chinese IP products there exists a password backdoor, or a means which to recover the password with little effort.

The domestic market products are so keen on low prices, even the existence of a reset button on the device adds to the cost.

So now the simple choice is using a software one. It's common and the security consideration is no relevance.

Only thanks to IPVM to highlight the true picture can we really see how such a poor job has been done on what is meant to be a security product.

A million+ devices having some basic issues is a sad thing to see.

 

Undisclosed Distributor #1

In reply to Undisclosed Manufacturer #4 | 03/31/17 02:36pm

I would not characterize the ability to generate a date based master password (which is what most do these days) as a "backdoor".  To me, a backdoor is a means to obtain access to a device that has not been published as part of the product documentation.  Using a master password will allow you to get into a device, but through the normal means of access.  A backdoor is a way of bypassing the normal routes to access a device and gaining access to it in a non-standard manner (such as the telnet console port).

I totally, 100% agree with you that these products have no business being referred to as "security" devices.

Undisclosed Integrator #5

03/31/17 09:07am

Someone commented to me that the Backdoor issue isn't a problem on the dahau cameras if they are connected to an NVR rather than directly to the internet as the NVR will "handle the security" of a remote connection.

Is this correct? 

Undisclosed End User #2

In reply to Undisclosed Integrator #5 | 03/31/17 10:01am

The NVR devices suffer of same stuff...

Robert Shih

IPVM | In reply to Undisclosed End User #2 | 03/31/17 12:46pm

Actually, no. The most recent backdoor/bug/whatever that got patched actually didn't work on most NVRs except the 5xxx series devices. This includes all of the 4xxx (vanilla, 4K, or 4KS2) and the 6xx (intel based, same deal).

Whatever is going on, they don't have a universal code base or true modularity with their APIs and interface protocols.

This was discovered by testing and patching internally and for customers.

In the process though, I have some news about some new NVR firmware features from the latest March release.

Vanilla and 4KS2 4xxx models now can access the web interfaces of individual cameras from inside built in PoE switches! Yay for properly playing catch up, right?

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports

Security Fail: ASISNYC Auto Emails Passwords In Plain Text on May 14, 2019
ASIS NYC automatically emails a user with the password the user just entered, in plain text, when one registers for the site / event, as the...
Honeywell Speaks On NDAA Ban, New Non-Banned Cameras and Cybersecurity on Aug 06, 2019
For years, Honeywell has depended on Dahua, a company with a poor cybersecurity track record and now banned by the US NDAA, for the development and...
Hikvision OEM Directory on Aug 13, 2019
The Chinese government-owned and US-government banned Hikvision has become the world's largest video surveillance manufacturer and generally hidden...
Dahua OEM Directory on Aug 16, 2019
US Government banned Dahua OEMs for dozens of companies. The following directory includes 40+ of those companies with a graphic and links to...
Axis Suffers Outage, Provides Postmortem on Aug 15, 2019
This week, Axis suffered an outage impacting their website and cloud services. Inside this note, we examined what happened, what was impacted...
Uniview OEM Directory on Sep 11, 2019
This directory lists 20+ companies that OEM products from Uniview, with a graphic and links to company websites below. It does not cover all...
Warning: Windows 7 Update Crashing NVRs on Aug 26, 2019
Windows 7 updates are causing VMS servers to fail to boot. After running the update, impacted systems do not boot as normal, instead display this...
3 Weeks Later, Honeywell Still Cannot Say Whether They Are Vulnerable To Dahua Wiretapping [Now Admits] on Aug 27, 2019
The Dahua wiretapping vulnerability and Dahua's decision to delay disclosing it until IPVM inquired underscored problems with cybersecurity and...
US Army Base To Buy Banned Honeywell Surveillance on Sep 17, 2019
The U.S. Army's Fort Gordon, home to their Cyber Center of Excellence, has issued a solicitation to purchase Honeywell products that are US...
Dahua New Critical Vulnerability 2019 on Sep 23, 2019
Dahua has quietly admitted 5 new vulnerabilities including 1 critical vulnerability with a 9.8 / 10.0 CVSS score and 2 high vulnerabilities (scored...

Most Recent Industry Reports

"Hikvision Football Arena" Lithuania Causes Controversy on Jan 24, 2020
Controversy has arisen in Lithuania over Hikvision becoming a soccer team's top sponsor and gaining naming rights to their arena, with one local MP...
Axis and Genetec Drop IFSEC 2020 on Jan 23, 2020
Two of the best-known video surveillance manufacturers are dropping IFSEC International 2020, joining Milestone who dropped IFSEC in 2019. The...
Multipoint Door Lock Tutorial on Jan 23, 2020
Despite widespread use, locked doors are notoriously weak at stopping entry, and thousands can be misspent on locks that leave doors quite...
Avigilon Shifts Cloud Strategy - Merges Blue and ACC on Jan 23, 2020
Avigilon is shifting its cloud strategy, phasing out its Blue web-managed surveillance platform as a stand-alone brand and merging it with its ACC...
Verkada Paying $100 For Referrals Just To Demo on Jan 22, 2020
Some companies pay for referrals when the referral becomes a customer. Verkada is taking it to the next level - paying $100 referrals fees simply...
Camera Analytics Shootout 2020 - Avigilon, Axis, Bosch, Dahua, Hanwha, Hikvision, Uniview, Vivotek on Jan 22, 2020
Analytics are hot again, thanks to a slew of AI-powered cameras, but whose analytics really work? And how do these new smart cameras compare to top...
Intersec 2020 Final Show Report on Jan 21, 2020
IPVM spent all 3 days at the Intersec 2020 show interviewing various companies and finding key trends. We cover: Middle East Enterprise...
Vehicle & Long Range Access Reader Tutorial on Jan 21, 2020
One of the classic challenges for access control are parking lots and garages, where the user's credential is far from the reader. With modern...
Clearview AI Alarm - NY Times Report Says "Might End Privacy" on Jan 20, 2020
Over the weekend, the NY Times released a report titled "The Secretive Company That Might End Privacy as We Know It" about a company named...
Favorite Camera Manufacturers 2020 on Jan 20, 2020
The past 2 years of US bans and sanctions have shaken the video surveillance industry but what impact would this have on integrators' favorite...

What IPVM Is

The world's leading authority on video surveillance, with 200,000+ visits monthly.

  • Articles on cameras, video analytics, VMS, and trends
  • Tests showing actual performance and problems
  • Courses in surveillance, access control, etc
  • Camera Calculator for designing systems

Dedicated To Independence

We're dedicated to staying independent and objective. We're the only industry source to refuse any and all advertisements, sponsorship, and consulting from manufacturers. Why?