FLIR Responds to Dahua Backdoor

Author: John Honovich, Published on Mar 10, 2017

FLIR is the first Dahua OEM partner to issue a statement following Dahua's backdoor disclosure:

Certain FLIR and Lorex branded products that are produced by Dahua may be affected by this vulnerability.

To reduce concern / problems, they highlighted many product lines that are not from Dahua:

Please note that the following product lines are NOT affected by this vulnerability:

FC-Series ID, FC-Series S, FC-Series R
PT-Series, F-Series, D-Series
Ariel, Quasar
Meridian, Horizon, Latitude Series
TRK, IoI
FLIR FX, FLIR Secure HD

However, that still leaves a lot of Lorex products and lower end FLIR branded devices that are Dahua OEMs.

Unlike Dahua, FLIR emphasized the benefit of their existing cloud management feature on a number of their Dahua OEMed devices:

Many of these products are already protected from this vulnerability due to the external connection being managed by FLIR’s Cloud connection service. With the device connected to the internet via the FLIR Cloud service, we have confirmed that these devices are no longer vulnerable to this issue.

Also, FLIR went further than Dahua, advising strong action for those not using their cloud service with Dahua OEMed products:

Until this issue is resolved, our recommendation is to immediately disable DDNS, disable all port forwarding and, if available, turn off UPnP.

However, FLIR acknowledges that Dahua still has not provided clarity and a solution to the vulnerable devices:

We are continuing to work with Dahua to discover exactly which products are affected, and when patches will be available.

Why Dahua?

One obvious question that comes to mind is why would FLIR, Honeywell, Tyco, etc. choose Dahua?

**** ** *** ***** ***** *** ********* ***** * ***********************'* ******************:

******* **** *** ***** ******* ******** **** *** ******** ** Dahua *** ** ******** ** **** *************.

** ****** ******* / ********, **** *********** **** ******* ***** that *** *** **** *****:

****** **** **** *** ********* ******* ***** ************** ** **** *************:

**-****** **, **-****** *, **-****** *
**-******, *-******, *-******
*****, ******
********, *******, ******** ******
***, ***
**** **, **** ****** **

*******, **** ***** ****** * *** ** ***** ******** *** lower *** **** ******* ******* **** *** ***** ****.

****** *****, **** ********** *** ******* ** ***** ******** ***** management ******* ** * ****** ** ***** ***** ***** *******:

**** ** ***** ******** *** ******* ********* **** **** ************* due ** *** ******** ********** ***** ******* ** ****’* ***** connection *******. **** *** ****** ********* ** *** ******** *** the **** ***** *******, ** **** ********* **** ***** ******* are ** ****** ********** ** **** *****.

****, **** **** ******* **** *****, ******** ****** ****** *** those *** ***** ***** ***** ******* **** ***** ***** ********:

***** **** ***** ** ********, *** ************** ** ** *********** disable ****, ******* *** **** ********** ***, ** *********, **** off ****.

*******, **** ************ **** ***** ***** *** *** ******** ******* and * ******** ** *** ********** *******:

** *** ********** ** **** **** ***** ** ******** ******* which ******** *** ********, *** **** ******* **** ** *********.

Why *****?

*** ******* ******** **** ***** ** **** ** *** ***** FLIR, *********, ****, ***. ****** *****?

[***************]

****** *** ** *** ***** *** ***** **** ***** **** formed ***** *** **** ***** *** ********* ******* ** *** West *** ***** *** *** ******** ******* ************* *****.

***, ** ******, **** ****** *** ********, *********'* **** **********,******** **** *****, ********* *********** **** ***** ********, ***** ** * ******** ******.

*** **** **** ** *****, **** ***** *** **** **** deals *****, *** **** ***** *** *** ** *** ****** factories *** ********* **** ** **** *** ****** / ******** quality ******* ** ***** ****** ******* *********. *** ***** ******** emerged **** ****.

Hit *** ****

**** ** ******* * ******** *** ****, **** ****** ******** acknowledging *** ***** ************ ** ***********. *****, ** * ******* government ********** (**** ** ***** ******** ***** ***** ******** **** typically **** ** ********* *** ****), *** ******* **** **** has *** ******** ****** *** ******** *** ***** ******** **** rightfully ******* **** ****** ******. ********, ***** ***** * ******* based ******* **** ******* ** ******** *** ** ** ************ proposition, ******** ** ***** **** *** ** **** ********.

Dahua ****** **** ****?

**** *****, ***** **** *****'* ********** ********* *********** **** ****, will ****** *** ******* ** ******** *** ************ **** *****. On *** ***** ****, ********* **** ** *** **** ** do *******, ***** *** ********* ******** ** ******* ** **** cameras. *** ********* **** *** **** ******'* **** *********** ** ***, * **** ** ***** **** *** ***** *** ** increase ***** ******** ** ****** ***********.

Credit *** **********

**** ********* ******** ****** *** ********** ******* *** ********* ***** customers, ********** ***** **** *** **** *** ***** ******* ** the **** ***** **** *** **** ***** **** ******** ** to ***** ****.

***** ** ******** ************ **** ********* *** ****, ** *** skeptical **** **** **** ** *******, ****** ** ********* **** publicize **** ** **** ** ***.

Comments (5)

Thumbnail lrg button

Chris Lanier

03/11/17 12:27am

****** **** *** ********* **** ********* ***** ** **** **** series. ******** ********* *** ********** ********* *** ******* *********** ** appreciated. *** ************ *** **** ****- ** *** ****, * trusted ***** *** *** ******** ** ****** *******. ** *** other ****, ** ** ******* * ****** ** **** ******* OEMs **** ********** ********** ** ***** ***** *** *********.

** ****'* ******** **** ******, **** **** ******** * ******* number *** ***** ********** *** ***** ******* ********* **** ** want ** ** ***** ** *** *********** ****: ***-***-**** ******.****.***/************

Zachary Spradlin

03/14/17 02:58am

* **** ** **** **** *** ******** ******** **... **** we ***** ******** * ********* **** **** ***** *** ******** in * **** *** * ***** *****-******-******** **** ******** *** *****.

** ** ****** ***** ****** **** **** ***? * ****** to **** ****** *** *** ********** ** *** ****'* ******* of ******** ******* *** ** *** ***** ***** **. ** they *** *** ***** ** ***** ***** ****'** *******...

***** ******* **** ******** **** *** *****'* * ********* *** responsibility... ** *** **** ****.

John Honovich

IPVM | In reply to Zachary Spradlin | 03/14/17 03:08am

* ****** ** **** ****** *** *** ********** ** *** city's ******* ** ******** ******* *** ** *** ***** ***** it.

* ******* **** *** **** **** *******. *******, *** ****** the *** **** ****, *** **** ****** **** *** ** consider **** ******** *************** / ****** ********* ** ** * disqualification / **** *******.

Thumbnail brk1

Brian Karas

IPVM | In reply to Zachary Spradlin | 03/14/17 03:36am

* ****** ** **** ****** *** *** ********** ** *** city's ******* ** ******** ******* *** ** *** ***** ***** it. ** **** *** *** ***** ** ***** ***** ****'** pleased.

**** **** *** ******** **. ** ******** ******* ** **** in **** ***** ***** ** ***** * ********* ** "****, *my* ****** ** ** *****/***************/****** **** * ***'* ** * target". ** ********* "**** *** *** **** **** *** *** attacked?".

* ** *** **** *** ***** ******, *** * ******* it **** **** ** ** ** (** ****) ********** ***** like **** ****** ****** ******* **** *** *********** ********-********* ******* are ** ****. *** ******* ***'* **** ** **** ****** is *** ** *****, ****** ** ********, **** **** **** you ** ** ** *******, ***** ** ******** ******* ****** all *************.

**** ** ******** *** *** ***** **** **** ***** *** camel's ****, *** ** ** ***** * *****.

Undisclosed #1

In reply to Brian Karas | 03/14/17 04:07am

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports on Hacking

Final Day Save $50 - IP Networking Course September 2017 on Aug 17, 2017
Today, Thursday, August 17th is the last day to save $50 on the September IP Networking Course. This is the only networking course designed...
Hikvision Responds To Cracked Security Codes on Aug 15, 2017
Hikvision has responded to IPVM's report on Hikvision's security code being cracked, both with a 2 page update to dealers and communication...
Vulnerability Directory For Access Control Cards on Aug 14, 2017
Knowing which access credentials are insecure can be unclear, especially because most look and feel the same. Even the most insecure 125 kHz types...
Hikvision Security Code Cracked on Aug 08, 2017
Hikvision's 'security code' feature has been cracked and a program generating security codes is being distributed online. IPVM has obtained and...
US Army Bans Chinese DJI Drones on Aug 08, 2017
The US Army has issued a ban on Chinese-made DJI drones. A US Army memo obtained by sUAS News references a classified document from the Army...
Dahua Suffers Second Major Vulnerability, Silent [Finally Acknowledges] on Jul 25, 2017
Less than 3 months ago, Dahua received DHS ICS-CERT's worst score of 10.0 for their backdoor. Now, Dahua has received another 10.0 score for a new...
Wireless Burglar Alarm Sensors Guide on Jul 21, 2017
Wireless sensors for burglar alarm sensors are an increasingly common option for the historical labor intensive wired alarm systems. However,...
PR Campaign Exploiting Manufacturer Cybersecurity on Jul 20, 2017
Manufacturers increasingly have a bulls-eye on their back. As cyber security solutions providers grow, they realize a great way to get publicity...
Hikvision USA Head of Cybersecurity Exits on Jul 18, 2017
Hikvision USA's Head of Cybersecurity has exited the company. In this note, we review the move, share Hikvision's feedback and examine the...
Wrongly Accused Critical Vulnerability for Vivotek on Jul 13, 2017
Vulnerabilities are an increasing branding and business problem for video surveillance manufacturers. However, sometimes vulnerabilities reported...

Most Recent Industry Reports

Final Day Save $50 - IP Networking Course September 2017 on Aug 17, 2017
Today, Thursday, August 17th is the last day to save $50 on the September IP Networking Course. This is the only networking course designed...
Directory Of Consumer Security Cameras on Aug 16, 2017
The consumer camera segment continues to grow, with new startups and models from existing players released seemingly every month. In this report we...
Cat 5e vs Cat 6 vs Cat 6a Network Cable Usage Statistics on Aug 16, 2017
Cat 5e? Cat 6? Cat 6a? What do integrators use in practice, today? 140+ integrators told IPVM. Here are the results: For those who want to...
Hikvision Responds To Cracked Security Codes on Aug 15, 2017
Hikvision has responded to IPVM's report on Hikvision's security code being cracked, both with a 2 page update to dealers and communication...
Stolen Video NVR / DVR Statistics on Aug 15, 2017
"But what happens if someone steals my recorder?" Anyone who has done more than a handful of jobs has probably heard this question several times....
Hikvision Europe Cutting Out Unauthorized End User Sales on Aug 15, 2017
The days of anyone buying Hikvision from anywhere off the Internet are numbered, at least in Europe, if Hikvision's plan comes to fruition. In...
Axis Laser Focus PTZ Tested on Aug 14, 2017
Axis has been touting its new Q6155-E laser focus PTZ as 'always in focus' and 'always in color'. Does it really deliver? We bought and tested...
Vulnerability Directory For Access Control Cards on Aug 14, 2017
Knowing which access credentials are insecure can be unclear, especially because most look and feel the same. Even the most insecure 125 kHz types...
IP Camera Specification / RFP Guide 2017 on Aug 14, 2017
RFPs are hard. Do them 'right' and it takes a lot of knowledge and time. Do them 'wrong' and you can be (a) unwittingly locked into a specific...
Cellphone Usage Issues For Integrators (Statistics) on Aug 11, 2017
Cellphones clearly offer significant advantages in communication and problem solving. But they can also be a major pain point if employees...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact