FLIR is the first Dahua OEM partner to issue a statement following Dahua's backdoor disclosure:
Certain FLIR and Lorex branded products that are produced by Dahua may be affected by this vulnerability.
To reduce concern / problems, they highlighted many product lines that are not from Dahua:
Please note that the following product lines are NOT affected by this vulnerability:
FC-Series ID, FC-Series S, FC-Series R
PT-Series, F-Series, D-Series
Ariel, Quasar
Meridian, Horizon, Latitude Series
TRK, IoI
FLIR FX, FLIR Secure HD
However, that still leaves a lot of Lorex products and lower end FLIR branded devices that are Dahua OEMs.
Unlike Dahua, FLIR emphasized the benefit of their existing cloud management feature on a number of their Dahua OEMed devices:
Many of these products are already protected from this vulnerability due to the external connection being managed by FLIR’s Cloud connection service. With the device connected to the internet via the FLIR Cloud service, we have confirmed that these devices are no longer vulnerable to this issue.
Also, FLIR went further than Dahua, advising strong action for those not using their cloud service with Dahua OEMed products:
Until this issue is resolved, our recommendation is to immediately disable DDNS, disable all port forwarding and, if available, turn off UPnP.
However, FLIR acknowledges that Dahua still has not provided clarity and a solution to the vulnerable devices:
We are continuing to work with Dahua to discover exactly which products are affected, and when patches will be available.
Why Dahua?
One obvious question that comes to mind is why would FLIR, Honeywell, Tyco, etc. choose Dahua?
****** *** ** *** major *** ***** **** Dahua **** ****** ***** ago **** ***** *** virtually ******* ** *** West *** ***** *** not ******** ******* ************* sales.
***, ** ******, **** before *** ********, *********'* **** **********,******** **** *****, ********* *********** **** ***** partners, ***** ** * baffling ******.
*** **** **** ** Dahua, **** ***** *** when **** ***** *****, was **** ***** *** one ** *** ****** factories *** ********* **** to **** *** ****** / ******** ******* ******* of ***** ****** ******* companies. *** ***** ******** emerged **** ****.
Hit *** ****
**** ** ******* * negative *** ****, **** simply ******** ************* *** Dahua ************ ** ***********. Worse, ** * ******* government ********** (**** ** these ******** ***** ***** products **** ********* **** to ********* *** ****), the ******* **** **** has *** ******** ****** its ******** *** ***** security **** ********** ******* some ****** ******. ********, while ***** * ******* based ******* **** ******* US ******** *** ** an ************ ***********, ******** US ***** **** *** be **** ********.
Dahua ****** **** ****?
**** *****, ***** **** Dahua's ********** ********* *********** with ****, **** ****** put ******* ** ******** the ************ **** *****. On *** ***** ****, switching **** ** *** easy ** ** *******, given *** ********* ******** of ******* ** **** cameras. *** ********* **** may **** ******'* **** *********** ** ISD, * **** ** which **** *** ***** was ** ******** ***** internal ** ****** ***********.
Credit *** **********
**** ********* ******** ****** for ********** ******* *** informing ***** *********, ********** given **** *** **** are ***** ******* ** the **** ***** **** and **** ***** **** actually ** ** ***** this.
***** ** ******** ************ with ********* *** ****, we *** ********* **** they **** ** *******, though ** ********* **** publicize **** ** **** do ***.
Read this IPVM report for free.
This article is part of IPVM's 6,807 reports, 913 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.
Comments (6)
Chris Lanier
Thanks IPVM for including this important topic in your blog series. Industry awareness had definitely increased and clearer information is appreciated. OEM partnerships cut both ways- On one side, a trusted brand can get products to market quickly. On the other hand, it is evident a couple of high profile OEMs have emboldened themselves to poach their own customers.
To FLIR's customer care credit, they have included a hotline number and email enrollment for those needing immediate help or want to be first in the development loop: 877-757-6981 and www.flir.com/securityinfo
Create New Topic
Undisclosed Distributor #2
I want to know what the customer response is... When we first released a statement last time Dahua was involved in a hack and a major world-record-breaking DDOS attack NO ONE CARED.
Do we really think anyone will care now? I talked to some people who run businesses in our city's chamber of commerce meeting and no one cares about it. If they can see video on their phone they're pleased...
Until someone gets properly sued and there's a precedent for responsibility... no one will care.
Create New Topic
Greg Cortina
Our page has been updated.
http://www.flir.com/securityinfo/
FLIR has been pushing updates to Cloud Connected models and users or dealers can accept these updates locally at the machine or through the CMS software and App.
Please read the instructions carefully.
Create New Topic