FLIR Responds to Dahua Backdoor

By: John Honovich, Published on Mar 10, 2017

FLIR is the first Dahua OEM partner to issue a statement following Dahua's backdoor disclosure:

Certain FLIR and Lorex branded products that are produced by Dahua may be affected by this vulnerability.

To reduce concern / problems, they highlighted many product lines that are not from Dahua:

Please note that the following product lines are NOT affected by this vulnerability:

FC-Series ID, FC-Series S, FC-Series R
PT-Series, F-Series, D-Series
Ariel, Quasar
Meridian, Horizon, Latitude Series
TRK, IoI
FLIR FX, FLIR Secure HD

However, that still leaves a lot of Lorex products and lower end FLIR branded devices that are Dahua OEMs.

Unlike Dahua, FLIR emphasized the benefit of their existing cloud management feature on a number of their Dahua OEMed devices:

Many of these products are already protected from this vulnerability due to the external connection being managed by FLIR’s Cloud connection service. With the device connected to the internet via the FLIR Cloud service, we have confirmed that these devices are no longer vulnerable to this issue.

Also, FLIR went further than Dahua, advising strong action for those not using their cloud service with Dahua OEMed products:

Until this issue is resolved, our recommendation is to immediately disable DDNS, disable all port forwarding and, if available, turn off UPnP.

However, FLIR acknowledges that Dahua still has not provided clarity and a solution to the vulnerable devices:

We are continuing to work with Dahua to discover exactly which products are affected, and when patches will be available.

Why Dahua?

One obvious question that comes to mind is why would FLIR, Honeywell, Tyco, etc. choose Dahua?

**** ** *** ***** Dahua *** ********* ***** * ***********************'* ******************:

******* **** *** ***** branded ******** **** *** produced ** ***** *** be ******** ** **** vulnerability.

** ****** ******* / ********, they *********** **** ******* lines **** *** *** from *****:

****** **** **** *** following ******* ***** ************** ** **** *************:
**-****** **, **-****** *, FC-Series *
**-******, *-******, *-******
*****, ******
********, *******, ******** ******
***, ***
**** **, **** ****** HD

*******, **** ***** ****** a *** ** ***** products *** ***** *** FLIR ******* ******* **** are ***** ****.

****** *****, **** ********** the ******* ** ***** existing ***** ********** ******* on * ****** ** their ***** ***** *******:

**** ** ***** ******** are ******* ********* **** this ************* *** ** the ******** ********** ***** managed ** ****’* ***** connection *******. **** *** device ********* ** *** internet *** *** **** Cloud *******, ** **** confirmed **** ***** ******* are ** ****** ********** to **** *****.

****, **** **** ******* **** Dahua, ******** ****** ****** for ***** *** ***** their ***** ******* **** Dahua ***** ********:

***** **** ***** ** resolved, *** ************** ** to *********** ******* ****, disable *** **** ********** and, ** *********, **** off ****.

*******, **** ************ **** Dahua ***** *** *** provided ******* *** * solution ** *** ********** devices:

** *** ********** ** work **** ***** ** discover ******* ***** ******** are ********, *** **** patches **** ** *********.

Why *****?

*** ******* ******** **** comes ** **** ** why ***** ****, *********, Tyco, ***. ****** *****?

[***************]

****** *** ** *** major *** ***** **** Dahua **** ****** ***** ago **** ***** *** virtually ******* ** *** West *** ***** *** not ******** ******* ************* sales.

***, ** ******, **** before *** ********, *********'* **** **********,******** **** *****, ********* *********** **** ***** partners, ***** ** * baffling ******.

*** **** **** ** Dahua, **** ***** *** when **** ***** *****, was **** ***** *** one ** *** ****** factories *** ********* **** to **** *** ****** / ******** ******* ******* of ***** ****** ******* companies. *** ***** ******** emerged **** ****.

Hit *** ****

**** ** ******* * negative *** ****, **** simply ******** ************* *** Dahua ************ ** ***********. Worse, ** * ******* government ********** (**** ** these ******** ***** ***** products **** ********* **** to ********* *** ****), the ******* **** **** has *** ******** ****** its ******** *** ***** security **** ********** ******* some ****** ******. ********, while ***** * ******* based ******* **** ******* US ******** *** ** an ************ ***********, ******** US ***** **** *** be **** ********.

Dahua ****** **** ****?

**** *****, ***** **** Dahua's ********** ********* *********** with ****, **** ****** put ******* ** ******** the ************ **** *****. On *** ***** ****, switching **** ** *** easy ** ** *******, given *** ********* ******** of ******* ** **** cameras. *** ********* **** may **** ******'* **** *********** ** ISD, * **** ** which **** *** ***** was ** ******** ***** internal ** ****** ***********.

Credit *** **********

**** ********* ******** ****** for ********** ******* *** informing ***** *********, ********** given **** *** **** are ***** ******* ** the **** ***** **** and **** ***** **** actually ** ** ***** this.

***** ** ******** ************ with ********* *** ****, we *** ********* **** they **** ** *******, though ** ********* **** publicize **** ** **** do ***.

Comments (6)

Chris Lanier

03/10/17 04:27pm

Thanks IPVM for including this important topic in your blog series. Industry awareness had definitely increased and clearer information is appreciated. OEM partnerships cut both ways- On one side, a trusted brand can get products to market quickly. On the other hand, it is evident a couple of high profile OEMs have emboldened themselves to poach their own customers.

To FLIR's customer care credit, they have included a hotline number and email enrollment for those needing immediate help or want to be first in the development loop: 877-757-6981 and www.flir.com/securityinfo

Undisclosed Distributor #2

03/13/17 06:58pm

I want to know what the customer response is... When we first released a statement last time Dahua was involved in a hack and a major world-record-breaking DDOS attack NO ONE CARED.

Do we really think anyone will care now? I talked to some people who run businesses in our city's chamber of commerce meeting and no one cares about it. If they can see video on their phone they're pleased...

Until someone gets properly sued and there's a precedent for responsibility... no one will care.

John Honovich

IPVM | In reply to Undisclosed Distributor #2 | 03/13/17 07:08pm

I talked to some people who run businesses in our city's chamber of commerce meeting and no one cares about it.

I believe that and have seen similar. However, the larger the end user gets, the more likely they are to consider poor security vulnerabilities / recent backdoors to be a disqualification / deal breaker.

Brian Karas

IPVM | In reply to Undisclosed Distributor #2 | 03/13/17 07:36pm

I talked to some people who run businesses in our city's chamber of commerce meeting and no one cares about it. If they can see video on their phone they're pleased.

That does not surprise me. My personal feeling is that in many cases there is still a mentality of "well, *my* system is so small/inconsequential/boring that I won't be a target". Or similarly "what are the odds that *I* get attacked?".

I do not know the exact number, but I believe it will take 10 or 20 (or more) widespread cases like this before people realize that ALL unprotected internet-connected devices are at risk. The hackers don't care if your system is big or small, boring or exciting, they just know you as an IP address, found by scanning endless across all possibilities.

This is probably not the straw that will break the camel's back, but it is still a straw.

Undisclosed #1

In reply to Brian Karas | 03/13/17 08:07pm

Greg Cortina

10/04/17 04:53am

Our page has been updated.

http://www.flir.com/securityinfo/

FLIR has been pushing updates to Cloud Connected models and users or dealers can accept these updates locally at the machine or through the CMS software and App.

Please read the instructions carefully.

Login to read this IPVM report.

Why do I need to log in?

IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports

Bosch Dropping Dahua on Feb 13, 2020

Bosch has confirmed to IPVM that it is in the process of dropping Dahua, over the next year, as both IP camera contract manufacturer and recorder...

Dahua New Critical Vulnerability 2019 on Sep 23, 2019

Dahua has quietly admitted 5 new vulnerabilities including 1 critical vulnerability with a 9.8 / 10.0 CVSS score and 2 high vulnerabilities (scored...

US Army Base To Buy Banned Honeywell Surveillance on Sep 17, 2019

The U.S. Army's Fort Gordon, home to their Cyber Center of Excellence, has issued a solicitation to purchase Honeywell products that are US...

Uniview OEM Directory on Sep 11, 2019

This directory lists 20+ companies that OEM products from Uniview, with a graphic and links to company websites below. It does not cover all...

3 Weeks Later, Honeywell Still Cannot Say Whether They Are Vulnerable To Dahua Wiretapping [Now Admits] on Aug 27, 2019

The Dahua wiretapping vulnerability and Dahua's decision to delay disclosing it until IPVM inquired underscored problems with cybersecurity and...

Dahua OEM Directory on Aug 16, 2019

US Government banned Dahua OEMs for dozens of companies. The following directory includes 40+ of those companies with a graphic and links to...

Hikvision OEM Directory on Aug 13, 2019

The Chinese government-owned and US-government banned Hikvision has become the world's largest video surveillance manufacturer and generally hidden...

Honeywell Speaks On NDAA Ban, New Non-Banned Cameras and Cybersecurity on Aug 06, 2019

For years, Honeywell has depended on Dahua, a company with a poor cybersecurity track record and now banned by the US NDAA, for the development and...

Vivotek Revenue Soars on Aug 05, 2019

Vivotek's revenue has soared so far in 2019, growing 45%. Inside this note, we examine import records and see who is driving Vivotek's growth...

Top Hikvision Proponent Nelly's "GoSwift" Elsewhere on May 03, 2019

Sean Nelson [link no longer available] of Nelly's Security has made a name for himself and his company as a proponent of Hikvision, such as this...

Most Recent Industry Reports

Viakoo Presents Cyber Hygiene for Cameras on May 28, 2020

Viakoo presented its 'Cyber Hygiene' and 'Service Assurance' products at the April 2020 IPVM New Products show. Inside this report: A...

Seek Scan Thermal Temperature Screening System ReTested on May 28, 2020

Now that IPVM has tested Dahua, Hikvision, and Sunell, we are returning to Seek, the first blackbody system we tested and retested it with our...

Directory of 106 "Fever" Camera Suppliers on May 28, 2020

This directory provides a list of "Fever" scanning thermal camera providers to help you see and research what options are available. There are...

Fever Cameras Are Medical Devices, Per The FDA, Dahua, Feevr, Hikvision, InVid Contrary Claims Are False on May 28, 2020

Fever cameras are medical devices, despite what euphemisms various sellers use. The US FDA clearly categorizes them as medical devices and...

Wyze Raises $10 Million And Seeks Services Expansion on May 27, 2020

Wyze has raised $10 million, the company's first disclosed raise since the $20 million announced at the beginning of 2019. Inside this note,...

Startup Videoloft Presents Cloud Storage on May 27, 2020

Videoloft presented offsite cloud storage at the May 2020 IPVM Startups show. A 30-minute video from Videoloft including IPVM...

Directory of 300+ Fever Camera News Reports Globally on May 27, 2020

This global directory tracks 300+ articles about thermal cameras used to detect fevers in response to the coronavirus pandemic. Articles are...

Integrators Rising Against Coronavirus on May 27, 2020

IPVM integrator statistics make it clear - Coronavirus's impact on business is lessening and many are anticipating even better news in weeks...

Netposa Stock Surges 46% After US Human Rights Abuse Sanctions on May 27, 2020

Last Friday, the US government announced it would sanction PRC video management provider NetPosa for being "complicit in human rights violations...

LILIN Presents NDAA-Compliant P2 Cameras on May 26, 2020

Merit LILIN presented its NDAA-compliant P2 camera series at the April 2020 IPVM New Products show. Inside this report: A 30-minute video...