Dahua Won't Say, But Anyone With Telnet Enabled Is At Risk

By: Brian Karas, Published on Oct 05, 2016

Dahua has decided not to provide details they have about how hackers are exploiting their products. They explained:

A public statement about what technology is in place and which models have certain security features would serve as a beacon to hackers to attempt to infiltrate older-model Dahua products. We do not wish to put our customers at risk to such hackers.

Instead, Dahua's communication focuses on Dahua models running firmware released prior to January 2015. But because of Dahua's fractured distribution / OEM model and historically poor firmware upgrade offering, many devices purchased after January 2015 still run that older firmware and are therefore also at risk.

In this note, we examine why telnet is critical to the Dahua hacks and what you should do about it.


Three Core ******

*** **** **************** ** ****** ******* like ***** *** **** propagate ****** ** *** devices *************.

** ******* ** ***** **** issues:

  • ****** ****** ** *** camera/recorder. ** ***** **** recently ***** ******* *** recorders (*** ********** **** of ***** ****) *** ****** permanently ******* *** ***** could *** ****** ****.
  • ******* ********* *** *********.
  • ********** ********* ****** ** *** camera **** **** ******* arbitrary **** ********** ** attackers.

**** *** ***** ******** gains ****** ** *** device, ** ******** *** executes ********* ****. ***** can ******* *** ***** two ******, ***** ** describe *****, *** **** no ******* **** *** Dahua ********** *** **** operating ****** ** ***** devices. ****, ****** ******* using *** *******, *** occur *** ***** ** Dahua ******** ****** ** vigilant ***** ********** ***** devices *** ********.

Three Steps ** ******** **** ********

***** *** ***** ******* ****** users *** ** ** reduce ***** **** ** infection ** **** (*** other) *******:

  • ******* ********
  • ****** ******* *********
  • ****** ****** ** ********

Upgrade ********

**** ** *** **** critical *********, ******* ****** access ***** *** ** method ** ******* ** the ******. ** **** *** ***** firmware *** ******* ****** **********, ******* older ******** *** ****** enabled *** ** ***** for *** **** ** disable **.

***** *** ********* ******** downloads ** ***** ******* ****, ***** ** ***** countries **** **** ** utilize ******* ***** ********* in ***** ******. *** **** to **** *** ***** number, ***** ****** ** printed ** *** ******, or ********* ** *** web ** ** **** device ** ***** ** find *** ****** ******** download. *** ********* ********** shows *** ****** **** for * ***** ******, available ***** *** "***********" section ** *** *** UI ** *** ******, you *** **** *** the ******** ***** **** shows ** ***** ******* that ****** ** ********:

Change ******* *********

*** ***** ******* **** a ****-***** **** ** usernames *** ********* ** try **** ********* *******. There *** ** ***** combinations, ********* ******* *****'* like "*****/*****" *** "*****/********". Strong ********* *** ***********, but *********** ******** ***** than * ****** ******* password ****** ******* ********* by *** ******* *******.

Verify ****** ** ********

****** ****** ** ******** after ******** ** ******** to * ***** *******, but ** ** **** to ****** ** ** truly ********. *** *** to ***** ***** ***** are **** ** ***** ****, ** * variant **** ******, ***** ** **** in *** ***** *****:

What ** ** ** *** *** *** ******* ********

***** ** ***** *** products, ** ***** **** are ****** ** **** a ******** ****** *** their ****** ***** **** options ** ******* **********. Changing *** ******* ********* will ******* ********* **** gaining ****** *** *****. Disabling ****** (**** **) on ****** ****-********** ***** will ******* *** ******* from ********** ** *** camera ** *** ***** place, ******** ****** **** if *** ********* *** more ******* ********/******** ******.

Dahua ************* *****

***** *** ****** ******** **** ********* guide [**** ** ****** available], ***** ********* ****** common *********** **** ******** passwords, ***** ****** *********, and **** ********** ******** ports. ** **** *** specifically ******* ****** ** disabling ****** ******, ****** by ******* ***** ** only ******* ******** ***** it **** ******* **** indirectly.

 

Comments (9)

The first core issue listed is telnet access. Isn't telnet in most cases blocked by the firewall to the internet or is this malware spreading from the LAN itself?

Also, as for changing passwords, didn't Dahua have hard coded known usernames and passwords that couldn't be changed?

They had 888888 accounts in the old firmware that couldn't be deleted, but they could only be used locally. Maybe on even older models you could?

If there are models that do allow access remotely through an unchangeable admin account, then whether telnet can be disabled is relevant.

Otherwise, it's really on whoever didn't change the password.

Yes, until recently, all Dahua cameras could be accessed via Telnet with admin/admin, even if you changed the admin password to something else. The changing of the admin password only restricted http web browser access. All other services still allowed admin/admin credentials, including ONVIF.
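The behaviour that comment describes (port 23 still accepting admin/admin after the web-UI password was changed) is exactly the condition the "verify telnet is disabled" step is meant to catch, and it is not something a port scan alone tells you. The following is an added example, not code from IPVM, Dahua or the commenter: a small probe that connects to a camera's telnet port, walks through the login dialogue and reports whether the port is reachable and whether a default credential pair is accepted. The prompt format (a "login:" prompt, a "Password:" prompt, then a BusyBox-style shell prompt on success), the credential list and the FakeTelnetCamera stand-in are all assumptions constructed for illustration; point it only at devices you are authorised to test.

```python
# Added example, not IPVM's, Dahua's or the commenter's code; assumptions are in the lead-in.
import re
from typing import Callable, Iterable, List, Tuple

# Constructed list: admin/admin and the 888888 account are discussed on this page;
# the 888888 password itself is an assumption.
DEFAULT_CREDENTIALS: List[Tuple[str, str]] = [("admin", "admin"), ("888888", "888888")]

# Telnet IAC sequences: IAC SB ... IAC SE, IAC WILL/WONT/DO/DONT <opt>, or IAC <cmd>.
_IAC_RE = re.compile(rb"\xff(?:\xfa.*?\xff\xf0|[\xfb-\xfe].|.)", re.S)
LOGIN_RE = re.compile(rb"login:\s*$", re.I)
PASSWORD_RE = re.compile(rb"password:\s*$", re.I)
SHELL_RE = re.compile(rb"[#$>]\s*$")  # a shell prompt means the login was accepted
FAIL_RE = re.compile(rb"login incorrect|access denied", re.I)


def strip_telnet_negotiation(data: bytes) -> bytes:
    """Drop option negotiation so prompt matching only sees text; an escaped
    IAC IAC is kept as a literal 0xFF data byte."""
    return _IAC_RE.sub(lambda m: b"\xff" if m.group(0) == b"\xff\xff" else b"", data)


def read_until(conn, patterns, max_reads: int = 20):
    """Read until a pattern matches the accumulated text, or the peer closes or
    times out. Returns (matched_pattern_or_None, text)."""
    buf = b""
    for _ in range(max_reads):
        try:
            chunk = conn.recv(4096)
        except OSError:  # socket.timeout is an OSError subclass
            chunk = b""
        if not chunk:
            break
        buf += strip_telnet_negotiation(chunk)
        for pat in patterns:
            if pat.search(buf):
                return pat, buf
    return None, buf


def try_login(conn, username: str, password: str) -> str:
    """Drive one login attempt; returns 'success', 'rejected' or 'no-prompt'."""
    if read_until(conn, [LOGIN_RE])[0] is None:
        return "no-prompt"
    conn.sendall(username.encode() + b"\r\n")
    if read_until(conn, [PASSWORD_RE])[0] is None:
        return "no-prompt"
    conn.sendall(password.encode() + b"\r\n")
    matched, _ = read_until(conn, [SHELL_RE, FAIL_RE, LOGIN_RE])
    return "success" if matched is SHELL_RE else "rejected"


def probe_telnet(connect: Callable[[], object],
                 credentials: Iterable[Tuple[str, str]] = DEFAULT_CREDENTIALS) -> dict:
    """connect() returns an object with recv/sendall/close, or raises OSError when
    port 23 is unreachable. One fresh connection per credential pair, because
    devices commonly drop the session after a few failed logins."""
    try:
        connect().close()
    except OSError as exc:
        return {"telnet_open": False, "weak_creds": None, "error": str(exc)}
    for user, pw in credentials:
        try:
            conn = connect()
            try:
                if try_login(conn, user, pw) == "success":
                    return {"telnet_open": True, "weak_creds": (user, pw), "error": None}
            finally:
                conn.close()
        except OSError:
            continue  # refused or dropped mid-dialogue; try the next pair
    return {"telnet_open": True, "weak_creds": None, "error": None}


class FakeTelnetCamera:
    """Constructed stand-in, not real firmware: the telnet service keeps its
    built-in credentials whatever the web-UI admin password was changed to."""
    def __init__(self, telnet_user: str = "admin", telnet_pass: str = "admin"):
        self.creds, self.state, self.user = (telnet_user, telnet_pass), "user", ""
        self.out = b"\xff\xfd\x18\xff\xfd\x20(none) login: "  # IAC DO TTYPE, IAC DO TSPEED
    def recv(self, n: int) -> bytes:
        chunk, self.out = self.out[:n], self.out[n:]
        return chunk
    def sendall(self, data: bytes) -> None:
        line = data.decode(errors="replace").strip()
        if self.state == "user":
            self.user, self.state, self.out = line, "pass", self.out + b"Password: "
        elif (self.user, line) == self.creds:
            self.state, self.out = "shell", self.out + b"\r\nBusyBox v1.01 (ash)\r\n# "
        else:
            self.state, self.out = "user", self.out + b"\r\nLogin incorrect\r\n(none) login: "
    def close(self) -> None:
        pass


if __name__ == "__main__":
    # Offline demo. For a real device on a network you are authorised to test, pass
    # a factory such as: lambda: socket.create_connection(("192.0.2.10", 23), timeout=5)
    print(probe_telnet(FakeTelnetCamera))
```

Run stand-alone it only exercises the constructed fake, which reports the admin/admin weakness the comment describes. Against a real device, `telnet_open: False` is the result the "verify telnet is disabled" step should produce; `telnet_open: True` with `weak_creds: None` means the port is still exposed and only the credentials have changed, which (as the comment notes) the web-UI password change may not have achieved on older firmware. The probe opens one connection per credential pair and is deliberately not a scanner.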

So that makes it sound like the only real fix here is to update the firmware, assuming there is firmware through all the OEM brands to upgrade to.

If you are using white label OEM products, just find files with General rather than DH in the header. SavvyTech hosts a number of firmware files themselves and if you need more help finding firmware updates, please feel free to contact me. I can assist with cross referencing your model number and ensuring your update goes smoothly. Just um...if you want the super shiny 2.6 firmware that I got John Dillabaugh...I found out that it was not supposed to be released yet >.>

They'll release it officially when IVS gets rebuilt. Oh and I think it'll have Control4 compatibility and it already has Smart H.264+!

Regardless, I'm here to help!

Isn't telnet in most cases blocked by the firewall to the internet or is this malware spreading from the LAN itself?

In most cases, yes, it should be blocked, but clearly there are hundreds of thousands of cameras that do not have it blocked.

The malware should not be able to spread via LAN at all; in fact, if you look at the Mirai source code, the part that assembles a random IP address to scan specifically excludes local IPs, and certain other networks:

Also, as for changing passwords, didn't Dahua have hard coded known usernames and passwords that couldn't be changed?

This seems to vary by product. US OEMs, DahuaUSA official product, and overseas (and imported gray market cameras) all seem to have different behaviors here.

I spoke with an integrator who had used Dahua OEM product from ~2011 onward, and those had admin/admin hard-coded and seemingly unchangeable. Dahua USA "official" products have been recent, and so their firmware has telnet disabled by default. I have some Dahua gray-market Amazon cameras where the telnet admin password changes with the web UI admin password.

All of the above is what makes it very difficult for users to know if they are affected. Part of the problem lies in exactly which variant of a Dahua camera you have. Oddly enough, people who bought through official channels (Dahua OEMs) may be at much higher risk than people who bought through rogue importers.

You cannot always blame the manufacturer. A lot of security techs are not properly trained in IP systems and create vulnerabilities. They leave default passwords and open ports in firewalls that are not required.

A lot of Security techs are not properly trained in IP systems and create vulnerabilities.

But there would be no vulnerability here if the manufacturer closed Telnet? And it is not as if Telnet is something that is commonly needed out of the box. Yes/no?

Correct, Telnet should be disabled OOB, and only enabled if and when needed.
