FLIR Responds to Dahua Backdoor

Author: John Honovich, Published on Mar 10, 2017

FLIR is the first Dahua OEM partner to issue a statement following Dahua's backdoor disclosure:

Certain FLIR and Lorex branded products that are produced by Dahua may be affected by this vulnerability.

To limit concern, FLIR highlighted the many product lines that are not sourced from Dahua:

Please note that the following product lines are NOT affected by this vulnerability:

FC-Series ID, FC-Series S, FC-Series R
PT-Series, F-Series, D-Series
Ariel, Quasar
Meridian, Horizon, Latitude Series
TRK, IoI
FLIR FX, FLIR Secure HD

However, that still leaves a lot of Lorex products and lower-end FLIR branded devices that are Dahua OEMs.

Unlike Dahua, FLIR emphasized the benefit of their existing cloud management feature on a number of their Dahua OEMed devices:

Many of these products are already protected from this vulnerability due to the external connection being managed by FLIR’s Cloud connection service. With the device connected to the internet via the FLIR Cloud service, we have confirmed that these devices are no longer vulnerable to this issue.

Also, FLIR went further than Dahua, advising strong action for those not using their cloud service with Dahua OEMed products:

Until this issue is resolved, our recommendation is to immediately disable DDNS, disable all port forwarding and, if available, turn off UPnP.

However, FLIR acknowledges that Dahua still has not provided clarity on, or a fix for, the vulnerable devices:

We are continuing to work with Dahua to discover exactly which products are affected, and when patches will be available.
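FLIR's advice above amounts to removing any path by which the internet can reach the device directly. One way for an operator to verify this, as an added example that is not from the IPVM article or from FLIR, is to enumerate the UPnP IGD port mappings on the site router and flag any that forward WAN traffic to a camera or recorder address. It assumes a router implementing the standard WANIPConnection:1 service; the router answers (including the end-of-list SOAP Fault) are constructed samples, and the camera addresses are operator-supplied.

```python
import xml.etree.ElementTree as ET

IGD_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

def build_get_mapping_request(index):
    """Headers and SOAP body for GetGenericPortMappingEntry at `index`; POST them
    to the router's WANIPConnection control URL (found via its IGD device XML)."""
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": f'"{IGD_NS}#GetGenericPortMappingEntry"'}
    body = (f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
            f'<u:GetGenericPortMappingEntry xmlns:u="{IGD_NS}">'
            f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
            '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>')
    return headers, body

def parse_mapping(xml_text):
    """One response -> dict, or None on the SOAP Fault a router returns past its last entry."""
    fields = {el.tag.split("}")[-1]: (el.text or "").strip()
              for el in ET.fromstring(xml_text).iter()}
    if "Fault" in fields:
        return None
    return {"external_port": int(fields["NewExternalPort"]), "protocol": fields["NewProtocol"],
            "internal_client": fields["NewInternalClient"],
            "internal_port": int(fields["NewInternalPort"]),
            "enabled": fields.get("NewEnabled", "1") == "1"}

def exposed_mappings(responses, camera_hosts):
    """Walk responses in index order; return enabled mappings that expose a camera/recorder."""
    findings = []
    for xml_text in responses:
        m = parse_mapping(xml_text)
        if m is None:  # Fault = end of the mapping table
            break
        if m["enabled"] and m["internal_client"] in camera_hosts:
            findings.append(m)
    return findings

def _entry(ext, host, port):  # constructed sample response (TCP, enabled)
    return (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
            f'<u:GetGenericPortMappingEntryResponse xmlns:u="{IGD_NS}"><NewRemoteHost/>'
            f'<NewExternalPort>{ext}</NewExternalPort><NewProtocol>TCP</NewProtocol>'
            f'<NewInternalPort>{port}</NewInternalPort><NewInternalClient>{host}</NewInternalClient>'
            '<NewEnabled>1</NewEnabled></u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')

# Constructed router answers: a recorder exposed on WAN port 8000, a NAS, then the end-of-list Fault.
SAMPLE_RESPONSES = [_entry(8000, "192.168.1.50", 80), _entry(5000, "192.168.1.10", 5000),
                    f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><s:Fault><faultcode>s:Client'
                    '</faultcode></s:Fault></s:Body></s:Envelope>']
```

Any mapping returned by `exposed_mappings` should be deleted on the router, and UPnP disabled so the device cannot re-create it.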

Why Dahua?

One obvious question that comes to mind is why would FLIR, Honeywell, Tyco, etc. choose Dahua?

