Dahua has quietly admitted 5 new vulnerabilities, including 1 critical vulnerability with a 9.8 / 10.0 CVSS score and 2 high-severity vulnerabilities (scored 7.0 - 8.9), found by researchers from the University of Applied Sciences Offenburg who are setting up a startup, IoT Security Systems.
Inside this note, we examine the severity of these vulnerabilities, Dahua's response, and the impact on Dahua dealers and OEMs.
That video is cringe-inducing. I know it doesn't say this specifically, but it gives you the impression that a big part of Dahua's cyber security involves homeopathy and eating organic produce while focusing on their chi.
John, you're a bit behind the timeline on this one... :)
There has been advice circulating for at least a couple of weeks on mitigating these vulnerabilities. I believe that most of the firmware patches have been released, so it's just a matter of time for SIs to update the deployed devices.
I'm not standing up for Dahua with regards to Cybersecurity, but they do (generally, quickly) fix things that are raised.
So to be clear, the device needs to be fully accessible from the internet... air-gapped, firewalled, P2P connected and VPN accessible sites should all be reasonably safe. Please update firmware and secure the networks properly of course!
Whilst it's a reasonably bad vulnerability, it's not particularly easy to leverage, and an (at least) half-decent deployment mitigates this.
If you look at comparables, Microsoft has patched around 70 CVEs in Windows Update in the last month alone. There are not even 70 CVEs combined for Dahua, Hik and Huawei. Cisco has found something like 13 hard-coded backdoors in their products.
Microsoft has patched around 70 CVEs in Windows Update in the last month alone. There are not even 70 CVEs combined for Dahua, Hik and Huawei.
Assessing cybersecurity based on CVE total counts is silly. But since you made a specific claim about Huawei, CVE Details shows 516:
To be clear, the bigger issue with such comparisons is that company software output and review are not equal. Microsoft releases many orders of magnitude more software than Dahua and is under far more scrutiny than Dahua.
We can certainly reasonably disagree about whether these vulnerabilities matter or who should be responsible (i.e., integrator vs manufacturer, etc.) but using simplistic CVE count for 'ranking' or judging cybersecurity is groundless.
You 'called me out' for not validating my sources on another post, so I qualified all of the data before posting... (sorry it's taken me some time to address your reply)
If you go to CVE - Home (MITRE is THE place for recording vulnerabilities)
My statement of "Microsoft has patched around 70 CVEs in Windows Update in the last month alone. There are not even 70 CVEs combined for Dahua, Hik and Huawei." is very correct.
For the last 3 years, here are the results by manufacturer:
Hikvision: 2019 = 0, 2018 = 2, 2017 = 4
Dahua: 2019 = 7, 2018 = 0, 2017 = 12
Huawei: 2019 = 30, 2018 = 53, 2017 = 237
Total: 2019 = 37, 2018 = 55, 2017 = 253
Microsoft: 2019 = 294, 2018 = 479, 2017 = 628
H+D+H as % of Microsoft = 2019 = 12.6%, 2018 = 11.5%, 2017 = 40%
My reference to Microsoft was to put it in popular context. (It would be interesting to see if Microsoft wrote security system firmware and software if they could do a better job!)
To be clear: all vulnerabilities ARE important and need to be addressed. In the security industry, we place a much higher emphasis on having secure products. I did not mean to give any impression to the contrary!!!
Regardless of the origin of the product, route to market or validation by any body or organisation, we, as responsible installers/designers/maintainers, must place a higher focus on deploying equipment in such a way that any future vulnerability is mitigated by the environment we created for it.
A great example of this was the London Underground, where various news outlets falsely told the populace of the world that the Chinese government can see everything on the TfL cameras. This cannot be true, as the Tube network cameras were not all Hikvision and all of the CCTV networks are physically isolated from each other and do not go anywhere near communications service providers (the Tube network owns the land the railway lines are on, so if they need connectivity between two sites, they pull in a fibre).
My point being that IF there was a vulnerability that affected ANY CCTV VENDOR's equipment, it could not have gained outside access, nor could it have been affected by (forgive my use of the most overused phrase in mainstream cyber journalism) 'back doors'.
Any manufacturer who has self-respect and respects their customers will file their CVEs, no matter whether the vulnerability was found in-house or reported externally.
Most manufacturers do not file any CVEs at all; the exceptions to my notifications are actually Cisco and Microsoft. That might explain your results.
Most manufacturers do not file any CVEs at all; the exceptions to my notifications are actually Cisco and Microsoft
Bashis, good point. I'd add that when a company starts basing its cybersecurity performance on CVE count, they have a massive disincentive to file CVEs.
My statement of "Microsoft has patched around 70 CVEs in Windows Update in the last month alone. There are not even 70 CVEs combined for Dahua, Hik and Huawei." is very correct.
Are you joking?
You then say:
Huawei: 2019 = 30, 2018 = 53, 2017 = 237
So if by your own calculation Huawei has 237 in the last 3 years, how can you conclude you are 'very correct' to say "There are not even 70 CVEs combined for Dahua, Hik and Huawei"??
Again, to be clear, ranking or evaluating vendors based on CVE count is fallacious but even by your own claim, you are wrong. I just want you to be less sloppy and do simple fact-checking.
It would be interesting to see if Microsoft wrote security system firmware and software if they could do a better job!
My point is you should not conclude Microsoft is doing a 'worse' or 'better' job than Dahua based on CVE counts. Microsoft develops 100x or 1000x the amount of code Dahua does and is under 10x or 100x, etc., the amount of scrutiny Dahua is.
Maybe Microsoft is worse at software development than Dahua but basing this on CVE counts is foolish since you can't fairly compare the metric across companies.
If you look at comparables, Microsoft has patched around 70 CVEs in Windows Update in the last month alone. There are not even 70 CVEs combined for Dahua, Hik and Huawei.
Again, why do you keep focusing on CVE counts? Do you really think you can meaningfully and legitimately compare Dahua to Microsoft based on CVE counts? Do any of our points about the companies being vastly different in terms of development and scrutiny make any sense to you?
You are a guy essentially comparing the number of issues found in an aircraft carrier to a car.
"Maybe Microsoft is worse at software development than Dahua but basing this on CVE counts is foolish since you can't fairly compare the metric across companies"
My statement of "Microsoft has patched around 70 CVEs in Windows Update in the last month alone. There are not even 70 CVEs combined for Dahua, Hik and Huawei." is very correct.
Except that Microsoft is primarily a software company, and the others are primarily hardware companies.
The breadth of Microsoft software is immense: everything from multiple operating systems and internet browsers to office productivity, ERP, gaming, developer tools, remote access and so on...
Hikua software is VMSes, embedded firmware, tools, AI...?
How many more lines of code does Microsoft produce than H+D+H?
Factor that into your equation:
H+D+H as % of Microsoft = 2019 = 12.6%, 2018 = 11.5%, 2017 = 40%
As an all star dealer for Dahua, this is the first time I've heard of these vulnerabilities. Dahua has a history of poor communication and I'm growing tired of it. This combined with the choice to ignore past vulnerabilities with attitude of "it's no big deal" is sad. Their arrogance will eventually lead to their downfall. Shame as they make a solid product, but just can't figure out the software side.
Brian, we have asked Dahua a few times and I know they are checking. It is possible that Dahua USA models are not impacted though it is hard to tell given Dahua's various firmware and model naming conventions. Either way, Dahua USA should clearly inform their partners. If we get any feedback, we will update here.
[1] doesn't work on my "IPC-HDBW1320E-W, Build: 2017-08-31 09:30:50, Version: 2.400.0000000.16.R" as it uses Digest and not Basic.
[2] Seems not to be working on the above device either.
I must say that [4] & [5] are a bit interesting, as they are reporting others' findings... (Ok, they link my PoC, but I think Dahua is already subscribed w/ an obfuscated account and knew about it)
Moreover, I totally agree that the Debug shell/functions should be disabled!
[6], [7] and [8] are widely known, nothing new.
[3] No comments, as I didn't spend time on it, but looks interesting.
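The comment above reports that the first PoC fails on a camera that answers with Digest rather than Basic authentication. As an added example (not code from the page, IPVM, Dahua or the researchers), here is a small Python check that parses the WWW-Authenticate challenge(s) in a device's 401 response and reports which schemes the device actually advertises, so that a Basic-auth-based test is only run where it can apply. The sample 401 responses, realm and nonce values are constructed for this example and were not captured from any real device.

```python
"""Determine which HTTP auth schemes a device's web interface advertises.

Added example; not code from the page, IPVM, Dahua or the researchers.
The sample 401 responses below are constructed for this example, with
placeholder realm/nonce values, not captured from any real device.
"""
import re

# RFC 7230 token characters; an auth-scheme is a token followed by whitespace
# and (optionally) auth-params, while an auth-param looks like key=value.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_SCHEME_RE = re.compile(r"^(" + _TOKEN + r")(?:\s+(.*))?$")

# Constructed samples (not real device output).
SAMPLE_DIGEST_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    'WWW-Authenticate: Digest realm="device", qop="auth", '
    'nonce="0123456789abcdef", opaque=""\r\n'
    "Content-Length: 0\r\n\r\n"
)
SAMPLE_BASIC_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    'WWW-Authenticate: Basic realm="device"\r\n'
    "Content-Length: 0\r\n\r\n"
)
# Several challenges may be spread over several headers (or listed in one).
SAMPLE_BOTH_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    'WWW-Authenticate: Basic realm="device"\r\n'
    'WWW-Authenticate: Digest realm="device", nonce="0123456789abcdef"\r\n'
    "Content-Length: 0\r\n\r\n"
)


def _split_on_commas(value):
    """Split a header value on commas that are outside quoted strings."""
    items, buf, in_quotes, escaped = [], [], False, False
    for ch in value:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\" and in_quotes:
            buf.append(ch)
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
            buf.append(ch)
        elif ch == "," and not in_quotes:
            items.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    items.append("".join(buf).strip())
    return [item for item in items if item]


def _parse_param(item):
    """Turn key="value" (or key=value) into a (lowercase key, value) pair."""
    key, _, raw = item.partition("=")
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        raw = raw[1:-1].replace('\\"', '"')
    return key.strip().lower(), raw


def parse_www_authenticate(header_values):
    """Return [{'scheme': ..., 'params': {...}}, ...] for one or more
    WWW-Authenticate values; handles several challenges per header."""
    challenges = []
    for value in header_values:
        for item in _split_on_commas(value):
            m = _SCHEME_RE.match(item)
            if m and not (m.group(2) or "").lstrip().startswith("="):
                # A token followed by whitespace starts a new challenge.
                challenges.append({"scheme": m.group(1).lower(), "params": {}})
                rest = m.group(2)
                if rest and "=" in rest:
                    k, v = _parse_param(rest)
                    challenges[-1]["params"][k] = v
            elif challenges and "=" in item:
                # key=value continues the current challenge.
                k, v = _parse_param(item)
                challenges[-1]["params"][k] = v
    return challenges


def www_authenticate_values(raw_response):
    """Pull every WWW-Authenticate value out of a raw HTTP response."""
    if isinstance(raw_response, bytes):
        raw_response = raw_response.decode("iso-8859-1")
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate":
            values.append(value.strip())
    return values


def advertised_schemes(header_values):
    return {c["scheme"] for c in parse_www_authenticate(header_values)}


def basic_auth_reachable(raw_response):
    """True only if the device accepts credentials via a Basic challenge,
    which is what a Basic-auth-based test needs before it can apply."""
    return "basic" in advertised_schemes(www_authenticate_values(raw_response))


if __name__ == "__main__":
    for label, raw in (("digest-only", SAMPLE_DIGEST_401),
                       ("basic-only", SAMPLE_BASIC_401),
                       ("both", SAMPLE_BOTH_401)):
        print(label, sorted(advertised_schemes(www_authenticate_values(raw))),
              "basic-auth test applicable:", basic_auth_reachable(raw))
```

Against a live device the same parser can be fed the output of `curl -sI http://<device>/`; the point of parsing rather than grepping for the word "Basic" is that a device may list several challenges in one header or across several WWW-Authenticate headers, and only the scheme named at the start of a challenge counts.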
Thomas Vogt and Daniel Nussko don't say anything about IoT Security Systems on their LinkedIn profiles. Dennis Barnekow doesn't have a LinkedIn profile.
The domain registration will expire next September.
The site gives a 404 when using HTTP, but sends FIN-ACK in response to client hello to abort TLS connections. If they closed their hosting account, I'm not sure why the server would respond that way, unless the hosting company is trying to preserve things in the background in case the account is reopened.
It's very possible this was a speculative venture, they tried it for a few weeks or months, and then decided it wouldn't work.
I emailed our contact at the group to clarify. The email to that domain name did not bounce, fyi. If or when they respond, I'll update accordingly.
Comments (29)
Undisclosed Manufacturer #2
I can easily see this transitioning into the perfect CCTV-themed porno...
”Hey baby, I like your chassis.”
”Mmm, yeah, is your FIRMware HARDened, big boy?”
”Yeah, baby... I’m about to do a data dump, I want you to parse my packets.”
Next thing you know, we find out he’s her stepbrother, Hikvision.
Let’s hope for her sake that he’s wearing a firewall!
Undisclosed Integrator #3
1. patch early, patch often
2. design the system correctly
3. deploy systems securely
Undisclosed #4
That kid is out of his league, she's a solid 9! She needs a more experienced partner:
Though some caution is in order, as he is definitely a player, and has been known to swap out recorders on a whim...
And she, despite her outward bluster, is still quite vulnerable :)
bashis mcw
Looks like the 'start-up' has been 'closed-down', or did I miss something?