Dahua Won't Say, But Anyone With Telnet Enabled Is At Risk

By Brian Karas, Published on Oct 05, 2016

Dahua has decided not to provide details they have about how hackers are exploiting their products. They explained:

A public statement about what technology is in place and which models have certain security features would serve as a beacon to hackers to attempt to infiltrate older-model Dahua products. We do not wish to put our customers at risk to such hackers.

Instead, Dahua's communication focuses on Dahua models running firmware releases prior to January 2015. Because of Dahua's fractured distribution / OEM model and historically poor firmware upgrade offering, many devices purchased after January 2015 are at risk.

In this note, we examine why telnet is critical to the Dahua hacks and what you should do about it.

Three Core ******

*** **** **************** ** ****** ******* like ***** *** **** propagate ****** ** *** devices *************.

** ******* ** ***** **** issues:

  • ****** ****** ** *** camera/recorder. ** ***** **** recently ***** ******* *** recorders (*** ********** **** of ***** ****) *** ****** permanently ******* *** ***** could *** ****** ****.
  • ******* ********* *** *********.
  • ********** ********* ****** ** *** camera **** **** ******* arbitrary **** ********** ** attackers.

**** *** ***** ******** gains ****** ** *** device, ** ******** *** executes ********* ****. ***** can ******* *** ***** two ******, ***** ** describe *****, *** **** no ******* **** *** Dahua ********** *** **** operating ****** ** ***** devices. ****, ****** ******* using *** *******, *** occur *** ***** ** Dahua ******** ****** ** vigilant ***** ********** ***** devices *** ********.

Three Steps ** ******** **** ********

***** *** ***** ******* ****** users *** ** ** reduce ***** **** ** infection ** **** (*** other) *******:

  • ******* ********
  • ****** ******* *********
  • ****** ****** ** ********

Upgrade ********

**** ** *** **** critical *********, ******* ****** access ***** *** ** method ** ******* ** the ******. ** **** *** ***** firmware *** ******* ****** **********, ******* older ******** *** ****** enabled *** ** ***** for *** **** ** disable **.

***** *** ********* ******** downloads ** ***** ******* ****, ***** ** ***** countries **** **** ** utilize ******* ***** ********* in ***** ******. *** **** to **** *** ***** number, ***** ****** ** printed ** *** ******, or ********* ** *** web ** ** **** device ** ***** ** find *** ****** ******** download. *** ********* ********** shows *** ****** **** for * ***** ******, available ***** *** "***********" section ** *** *** UI ** *** ******, you *** **** *** the ******** ***** **** shows ** ***** ******* that ****** ** ********:

Change ******* *********

*** ***** ******* **** a ****-***** **** ** usernames *** ********* ** try **** ********* *******. There *** ** ***** combinations, ********* ******* *****'* like "*****/*****" *** "*****/********". Strong ********* *** ***********, but *********** ******** ***** than * ****** ******* password ****** ******* ********* by *** ******* *******.

Verify ****** ** ********

****** ****** ** ******** after ******** ** ******** to * ***** *******, but ** ** **** to ****** ** ** truly ********. *** *** to ***** ***** ***** are **** ** ***** ****, ** * variant **** ******, ***** ** **** in *** ***** *****:

What ** ** ** *** *** *** ******* ********

***** ** ***** *** products, ** ***** **** are ****** ** **** a ******** ****** *** their ****** ***** **** options ** ******* **********. Changing *** ******* ********* will ******* ********* **** gaining ****** *** *****. Disabling ****** (**** **) on ****** ****-********** ***** will ******* *** ******* from ********** ** *** camera ** *** ***** place, ******** ****** **** if *** ********* *** more ******* ********/******** ******.

Dahua ************* *****

***** *** ****** ******** **** ********* guide [**** ** ****** available], ***** ********* ****** common *********** **** ******** passwords, ***** ****** *********, and **** ********** ******** ports. ** **** *** specifically ******* ****** ** disabling ****** ******, ****** by ******* ***** ** only ******* ******** ***** it **** ******* **** indirectly.


Comments (9)

The first core issue listed is telnet access. Isn't telnet in most cases blocked by the firewall to the internet or is this malware spreading from the LAN itself?

Also, as for changing passwords, didn't Dahua have hard coded known usernames and passwords that couldn't be changed?

They had 888888 accounts in the old firmware that couldn't be deleted, but they could only be used locally. Maybe even older models you could?

If there are models that do allow access remotely through an unchangeable admin acct, then whether telnet can be disabled is relevant.

Otherwise, it's really on whoever didn't change the password.

Yes, until recently, all Dahua cameras could be accessed via Telnet with admin/admin, even if you changed the admin password to something else. The changing of the admin password only restricted http web browser access. All other services still allowed admin/admin credentials, including ONVIF.

So that makes it sound like the only real fix here is to update the firmware assuming there is firmware through all the OEM brands to upgrade to.

If you are using white label OEM products, just find files with General rather than DH in the header. SavvyTech hosts a number of firmware files themselves and if you need more help finding firmware updates, please feel free to contact me. I can assist with cross referencing your model number and ensuring your update goes smoothly. Just um...if you want the super shiny 2.6 firmware that I got John Dillabaugh...I found out that it was not supposed to be released yet >.>

They'll release it officially when IVS gets rebuilt. Oh and I think it'll have Control4 compatibility and it already has Smart H.264+!

Regardless, I'm here to help!

Isn't telnet in most cases blocked by the firewall to the internet or is this malware spreading from the LAN itself?

In most cases, yes, it should be blocked, but clearly there are hundreds of thousands of cameras that do not have it blocked.

The malware should not be able to spread via LAN at all; in fact, if you look at the Mirai source code, the part that assembles a random IP address to scan specifically excludes local IPs, and certain other networks:

Also, as for changing passwords, didn't Dahua have hard coded known usernames and passwords that couldn't be changed?

This seems to vary by product. US OEMs, DahuaUSA official product, and overseas (and imported gray market cameras) all seem to have different behaviors here.

I spoke with an integrator who had used Dahua OEM product from ~2011 onward, and those had admin/admin hard-coded and seemingly unchangeable. Dahua USA "official" products have been recent, and so their firmware has telnet disabled by default. I have some Dahua gray market Amazon cameras where the telnet admin password changes with the web UI admin password.

All of the above is what makes it very difficult for users to know if they are affected. Part of the problem lies in exactly which variant of a Dahua camera you have. Oddly enough, people who bought through official channels (Dahua OEMs) may be at much higher risk than people who bought through rogue importers.
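The exchange above turns on two questions an operator can actually answer for their own fleet: is anything listening on the telnet port of each camera or recorder, and is that device on an address that internet-wide scanning (which, as noted, skips local ranges) could reach at all? The following script is an added example, not code from the article, from IPVM or from Dahua. It only completes a TCP handshake on port 23 and never attempts a login; the device names and addresses in the sample inventory are constructed, and the list of non-public ranges is an assumption built from the standard RFC 1918, loopback, link-local and multicast ranges rather than a copy of any malware's exclusion list.

```python
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor

TELNET_PORT = 23

# Ranges a public internet scanner cannot reach. Assumption: the standard
# private / loopback / link-local / multicast ranges, not any malware's list.
NON_PUBLIC_NETS = [
    ipaddress.ip_network(n)
    for n in ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
              "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")
]


def is_public(ip: str) -> bool:
    """True if the address is routable from the internet, so an open telnet
    port there is reachable by internet-wide scanning, not only from the LAN."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_PUBLIC_NETS)


def telnet_open(host: str, port: int = TELNET_PORT, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes, i.e. something is
    listening on the telnet port. No banner is read and no login is attempted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def assess(inventory, timeout: float = 2.0):
    """Probe every device in the inventory in parallel.

    inventory: iterable of (name, host, port) tuples.
    Returns a list of dicts with the probe result and a risk label:
      'internet-exposed' : telnet listening on a public address
      'lan-exposed'      : telnet listening, but only on a non-public address
      'closed'           : nothing listening on the telnet port
    """
    def probe(entry):
        name, host, port = entry
        listening = telnet_open(host, port, timeout)
        if not listening:
            risk = "closed"
        elif is_public(host):
            risk = "internet-exposed"
        else:
            risk = "lan-exposed"
        return {"name": name, "host": host, "port": port,
                "telnet_open": listening, "risk": risk}

    with ThreadPoolExecutor(max_workers=16) as pool:
        return list(pool.map(probe, inventory))


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical names; 203.0.113.0/24 is a
    # documentation range standing in for a public address). In practice,
    # load this from the camera/recorder list in your VMS.
    SAMPLE_INVENTORY = [
        ("lobby-cam", "192.168.1.108", TELNET_PORT),
        ("nvr-main", "192.168.1.2", TELNET_PORT),
        ("dock-cam-public", "203.0.113.25", TELNET_PORT),
    ]
    for r in assess(SAMPLE_INVENTORY):
        print(f"{r['name']:16} {r['host']:16} "
              f"telnet_open={str(r['telnet_open']):5} {r['risk']}")
```

A 'lan-exposed' result is still worth fixing, since the comments above note that on older firmware the telnet login does not follow the web admin password; it just means the device is not reachable by the internet-wide scanning described, provided the firewall is not forwarding port 23 to it. Re-run the check after a firmware upgrade or after disabling telnet to confirm the port actually closed.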

You can not always blame the manufacturer. A lot of security techs are not properly trained in IP systems and create vulnerabilities. They leave default passwords and open ports in firewalls that are not required.

A lot of Security techs are not properly trained in IP systems and create vulnerabilities.

But there would be no vulnerability here if the manufacturer closed Telnet? And it is not as if Telnet is something that is commonly needed out of the box. Yes/no?

Correct, Telnet should be disabled OOB, and only enabled if and when needed.

