FLIR Responds to Dahua Backdoor

By: John Honovich, Published on Mar 10, 2017

FLIR is the first Dahua OEM partner to issue a statement following Dahua's backdoor disclosure:

Certain FLIR and Lorex branded products that are produced by Dahua may be affected by this vulnerability.

To reduce concern / problems, they highlighted many product lines that are not from Dahua:

Please note that the following product lines are NOT affected by this vulnerability:

FC-Series ID, FC-Series S, FC-Series R
PT-Series, F-Series, D-Series
Ariel, Quasar
Meridian, Horizon, Latitude Series
TRK, IoI
FLIR FX, FLIR Secure HD

However, that still leaves a lot of Lorex products and lower end FLIR branded devices that are Dahua OEMs.

Unlike Dahua, FLIR emphasized the benefit of their existing cloud management feature on a number of their Dahua OEMed devices:

Many of these products are already protected from this vulnerability due to the external connection being managed by FLIR’s Cloud connection service. With the device connected to the internet via the FLIR Cloud service, we have confirmed that these devices are no longer vulnerable to this issue.

Also, FLIR went further than Dahua, advising strong action for those not using their cloud service with Dahua OEMed products:

Until this issue is resolved, our recommendation is to immediately disable DDNS, disable all port forwarding and, if available, turn off UPnP.

However, FLIR acknowledges that Dahua still has not provided clarity and a solution to the vulnerable devices:

We are continuing to work with Dahua to discover exactly which products are affected, and when patches will be available.

Why Dahua?

One obvious question that comes to mind is why would FLIR, Honeywell, Tyco, etc. choose Dahua?

**** ** *** ***** Dahua *** ********* ***** * ***********************'* ******************:

******* **** *** ***** branded ******** **** *** produced ** ***** *** be ******** ** **** vulnerability.

** ****** ******* / ********, they *********** **** ******* lines **** *** *** from *****:

****** **** **** *** following ******* ***** ************** ** **** *************:
**-****** **, **-****** *, FC-Series *
**-******, *-******, *-******
*****, ******
********, *******, ******** ******
***, ***
**** **, **** ****** HD

*******, **** ***** ****** a *** ** ***** products *** ***** *** FLIR ******* ******* **** are ***** ****.

****** *****, **** ********** the ******* ** ***** existing ***** ********** ******* on * ****** ** their ***** ***** *******:

**** ** ***** ******** are ******* ********* **** this ************* *** ** the ******** ********** ***** managed ** ****’* ***** connection *******. **** *** device ********* ** *** internet *** *** **** Cloud *******, ** **** confirmed **** ***** ******* are ** ****** ********** to **** *****.

****, **** **** ******* **** Dahua, ******** ****** ****** for ***** *** ***** their ***** ******* **** Dahua ***** ********:

***** **** ***** ** resolved, *** ************** ** to *********** ******* ****, disable *** **** ********** and, ** *********, **** off ****.

*******, **** ************ **** Dahua ***** *** *** provided ******* *** * solution ** *** ********** devices:

** *** ********** ** work **** ***** ** discover ******* ***** ******** are ********, *** **** patches **** ** *********.

Why *****?

*** ******* ******** **** comes ** **** ** why ***** ****, *********, Tyco, ***. ****** *****?

[***************]

****** *** ** *** major *** ***** **** Dahua **** ****** ***** ago **** ***** *** virtually ******* ** *** West *** ***** *** not ******** ******* ************* sales.

***, ** ******, **** before *** ********, *********'* **** **********,******** **** *****, ********* *********** **** ***** partners, ***** ** * baffling ******.

*** **** **** ** Dahua, **** ***** *** when **** ***** *****, was **** ***** *** one ** *** ****** factories *** ********* **** to **** *** ****** / ******** ******* ******* of ***** ****** ******* companies. *** ***** ******** emerged **** ****.

Hit *** ****

**** ** ******* * negative *** ****, **** simply ******** ************* *** Dahua ************ ** ***********. Worse, ** * ******* government ********** (**** ** these ******** ***** ***** products **** ********* **** to ********* *** ****), the ******* **** **** has *** ******** ****** its ******** *** ***** security **** ********** ******* some ****** ******. ********, while ***** * ******* based ******* **** ******* US ******** *** ** an ************ ***********, ******** US ***** **** *** be **** ********.

Dahua ****** **** ****?

**** *****, ***** **** Dahua's ********** ********* *********** with ****, **** ****** put ******* ** ******** the ************ **** *****. On *** ***** ****, switching **** ** *** easy ** ** *******, given *** ********* ******** of ******* ** **** cameras. *** ********* **** may **** ******'* **** *********** ** ISD, * **** ** which **** *** ***** was ** ******** ***** internal ** ****** ***********.

Credit *** **********

**** ********* ******** ****** for ********** ******* *** informing ***** *********, ********** given **** *** **** are ***** ******* ** the **** ***** **** and **** ***** **** actually ** ** ***** this.

***** ** ******** ************ with ********* *** ****, we *** ********* **** they **** ** *******, though ** ********* **** publicize **** ** **** do ***.

Comments (6)

Chris Lanier

03/10/17 04:27pm

Thanks IPVM for including this important topic in your blog series. Industry awareness had definitely increased and clearer information is appreciated. OEM partnerships cut both ways- On one side, a trusted brand can get products to market quickly. On the other hand, it is evident a couple of high profile OEMs have emboldened themselves to poach their own customers.

To FLIR's customer care credit, they have included a hotline number and email enrollment for those needing immediate help or want to be first in the development loop: 877-757-6981 and www.flir.com/securityinfo

Undisclosed Distributor #2

03/13/17 06:58pm

I want to know what the customer response is... When we first released a statement last time Dahua was involved in a hack and a major world-record-breaking DDOS attack NO ONE CARED.

Do we really think anyone will care now? I talked to some people who run businesses in our city's chamber of commerce meeting and no one cares about it. If they can see video on their phone they're pleased...

Until someone gets properly sued and there's a precedent for responsibility... no one will care.

John Honovich

IPVM | In reply to Undisclosed Distributor #2 | 03/13/17 07:08pm

I talked to some people who run businesses in our city's chamber of commerce meeting and no one cares about it.

I believe that and have seen similar. However, the larger the end user gets, the more likely they are to consider poor security vulnerabilities / recent backdoors to be a disqualification / deal breaker.

Brian Karas

IPVM | In reply to Undisclosed Distributor #2 | 03/13/17 07:36pm

I talked to some people who run businesses in our city's chamber of commerce meeting and no one cares about it. If they can see video on their phone they're pleased.

That does not surprise me. My personal feeling is that in many cases there is still a mentality of "well, *my* system is so small/inconsequential/boring that I won't be a target". Or similarly "what are the odds that *I* get attacked?".

I do not know the exact number, but I believe it will take 10 or 20 (or more) widespread cases like this before people realize that ALL unprotected internet-connected devices are at risk. The hackers don't care if your system is big or small, boring or exciting, they just know you as an IP address, found by scanning endless across all possibilities.

This is probably not the straw that will break the camel's back, but it is still a straw.

Undisclosed #1

In reply to Brian Karas | 03/13/17 08:07pm

Greg Cortina

10/04/17 04:53am

Our page has been updated.

http://www.flir.com/securityinfo/

FLIR has been pushing updates to Cloud Connected models and users or dealers can accept these updates locally at the machine or through the CMS software and App.

Please read the instructions carefully.

Login to read this IPVM report.

Related Reports

Industry Study: 83% of US Temperature Screening Sellers Falsely Say Not Medical Devices on Jun 29, 2020

83% of US companies selling temperature screening devices, aka 'fever'...

FDA "Does Not Intend to Object" To Unapproved Fever Detection Cameras If No 'Undue Risk' on Apr 17, 2020

The US FDA has declared it will not go after the many companies marketing...

Fever Cameras Are Medical Devices, Per The FDA, Dahua, Feevr, Hikvision, InVid Contrary Claims Are False on May 28, 2020

Fever cameras are medical devices, despite what euphemisms various sellers...

UK ICO Approves Unconsented Facial Recognition At Security Conferences on Feb 05, 2020

The UK's data protection agency has declined IPVM's GDPR complaint against...

The Insecure Verkada Access Control System on Jun 25, 2020

While Verkada touts the security of its system and that how their new door...

Uniview Heat-Tracker Temperature Screening Series Examined on Apr 22, 2020

Uniview is marketing #UNVagainstCOVID19 with their Heat-Tracker series,...

Temperature Screening From The Protection Bureau and ZKTeco Violate IEC Standards and FDA Correct Operation on Jun 22, 2020

ZKTeco and integrator The Protection Bureau are marketing an installation...

Avigilon Face Mask Detection Tested on Jun 24, 2020

Face mask detection or, more specifically not wearing a face mask, is an...

ISC News Fakes Fever Screening, Falsely Quotes FDA on Jun 18, 2020

ISC News, the Reed publication behind the ISC East and West trade shows, has...

IPVM Rejects Feevr's Improper Threats And Demands on May 04, 2020

IPVM categorically rejects Feevr's improper threats and demands submitted...

"ONVIF Has Chosen Not To Enforce Their Copyright." on Mar 11, 2020

ONVIF has taken a bold and highly unconventional approach, telling IPVM,...

Dahua Critical Cloud Vulnerabilities on May 12, 2020

Dahua has acknowledged a series of cloud vulnerabilities that researcher...

Hanwha Face Mask Detection Tested on Jul 01, 2020

Face mask detection or, more specifically lack-of-face-mask detection, is an...

Hikvision USA Refuses [Now In], Dahua USA Drives Forward With "Coronavirus Cameras" on Apr 07, 2020

Both have been federally banned, both sanctioned for human rights abuses but...

China DVR/NVR Backdoor Discovered, Huawei Refutes on Feb 07, 2020

A backdoor was found in Chinese-produced DVRs and NVRs that secretly allowed...

Recent Reports

False: Verkada: "If You Want To Remote View Your Cameras You Need To Punch Holes In Your Firewall" on Jul 31, 2020

Verkada falsely declared to “3,000+ customers”, “300 school districts”, and...

US GSA Explains NDAA 889 Part B Blacklisting on Jul 31, 2020

With the 'Blacklist Clause' going into effect August 13 that bans the US...

Access Control Online Show July 2020 - On-Demand Recording of 45+ Manufacturers Presentations on Jul 30, 2020

The show featured 48 Access Control presentations, all now recorded and...

Face Detection Shootout - Dahua, Hanwha, Hikvision, Uniview, Vivotek on Jul 30, 2020

Face detection analytics are available from a number of manufactures...

Sunell is The First China Manufacturer to Market NDAA Compliance on Jul 30, 2020

Most China manufacturers are going to be impacted by the NDAA 'Blacklist...

Ink Labs Relabels China YCX Fever Camera And Steals Dahua's Marketing on Jul 30, 2020

A US company marketed a 'thermal temperature scanner' as its own, selling...

Genetec and Dahua-Backed Intelbras Split Examined on Jul 29, 2020

China is the cause of the breakup between Canada's and Brazil's largest video...

This YouTuber is Now Selling ThermoHealth Temperature Screening on Jul 29, 2020

An enterprising 20-year old is mass marketing medical devices on Facebook and...

Hikvision Returns To Growth Driven By Overseas Fever Cameras on Jul 29, 2020

While Hikvision's revenue fell in Q1 2020, it rebounded in Q2 attributed to...

Brazil's Biggest Domestic Surveillance Company Intelbras Profile on Jul 29, 2020

While Intelbras is not widely known outside of Latin America, Intelbras is a...

The Kiosk Market Pivots To Temperature Screening (Interviewed) on Jul 28, 2020

Video surveillance is not the only market that has pivoted to medical device...

Integrator Acquisitions 'A Good Market' During COVID-19, Says Greybeards on Jul 28, 2020

Industry broker Ron Davis of the "Greybeards" says that the integrator and...

Keypads For Access Control Tutorial on Jul 28, 2020

Keypad readers present huge risks to even the best access systems. If...

US Surgeon General Unwittingly Showcases Sanctioned Dahua Temperature System on Jul 28, 2020

The US' top public health spokesperson, the Surgeon General, posted a photo...

Remote Network Access for Video Surveillance Guide on Jul 27, 2020

Remotely accessing surveillance systems is key in 2020, with more and more...