Dahua Recorders Mass Hacked
By: IPVM Team, Published on Sep 25, 2017
Dahua recorders are being hacked and vandalized around the world, as confirmed by dozens of reports to IPVM since the attacks surged 5 days ago.
- If you have Dahua recorders and you port forwarded them (as Dahua unfortunately recommends [link no longer available]), check your recorders immediately for impact.
- Disable port forwarding immediately and block public access to these recorders.
- Try to upgrade firmware, if possible for your units, though Dahua has regularly had challenges distributing firmware for various models and partners.
- If you have one of the many Dahua OEM recorders (e.g., ADT, for which we have confirmed multiple reports), disable port forwarding and contact your manufacturer.
- Dahua has still not made any public statement, continuing a trend of poor communication.
Inside, we share full details of the reports we have and the technical elements / vulnerabilities behind this.
Based on screen caps and log files submitted to IPVM and posted in public forums, hacked systems show black images from the cameras and display "HACKED 1", "HACKED 2", etc. on each camera feed:
The video will be black, as the hacker changes the exposure to effectively hide / block out the video feeds, as shown again below:
And below is a log file sample from CCTV Forum that shows some of the changes made:
Victims Seeking Help
Dahua has not issued any statements on these hacks; their most recent US cyber security update is from July 2017 [link no longer available]. Search traffic to IPVM for terms relating to 'Dahua hack' shows a ~500% surge above average for the past week:
IPVM has received numerous reports and cataloged other reports across the Internet including:
I have over 60 DVRs, old and new, some less than 6 months old, both branded and unbranded, that have been severely hacked. The phone has been ringing off the hook. Dahua keeps sending me a year-old firmware.
The hackers turned off the camera feed to the four channels and locked out access to turn them back on. There were changes made to color settings, general network, and channel name.
I had a client reach out to me at around 0900 eastern this morning to tell me two of four sites' DVRs were sitting with a black 4-pane screen and, where the cam info usually sits, it said "hacked." By 2100 eastern time the other two sites went down with the same issue.
Tonight a family member called me and told me their Dahua DVR was showing "hacked" as all the camera titles. I went over to their house and looked at it, and indeed it had been hacked. About an hour later I get a text from an old co-worker... his DVR also showed hacked, also a Dahua. The unit was logged into, some data was changed that caused the screen to go black, and the camera names were changed to Hacked 1, Hacked 2, Hacked 3 and Hacked 4. My main admin account had the password changed, not sure about the secondary.
My cameras say they are "Hacked." I called Dahua in California and they refused to offer any explanation or assistance other than pointing me to their cyber security PDF bulletins online which were of no help to my situation. They simply refused to talk to me other than to say read the bulletins and that's all they were going to say.
An Italian distributor posted about the massive problems from the Dahua hacks:
In the last few days, news of a huge hacker attack on the Italian network has blocked nearly 6,000 Dahua recording apps; from our channel alone, over 800 calls between September 19 and 21 regarding hacked Dahua recorders. [emphasis IPVM]
And a Greek Dahua partner posted a LinkedIn item:
He later deleted the item.
And this Facebook item cited several national chains impacted with Dahua responding that the person was lying:
A key clue to the hacks came from a person who emailed IPVM:
I stopped by one of our old customers today to look at his DVR, looks like the local only account 888888 was accessed via the internet.
The 888888 Account
Dahua recorders ship with a special '888888' account which is only supposed to work locally. However, according to security researcher bashis, the validation that determines whether the client is local to the recorder is done by the client and not by the recorder. This means that a malicious client could be built to use the 888888 account and tell the recorder it is local, even when it is logging in from a remote network.
We believe that this '888888' exploit has been fixed in newer Dahua firmware, but Dahua is poor at communicating what was changed, when it was changed, and for which models it has been changed.
These attacks are likely based on the backdoor bashis discovered in March 2017, where this vulnerability is cited:
Presence of the Dahua special '888888' account and internet access to port 37777 are the two factors that impacted systems reported to IPVM have had in common. Users with non-default admin passwords have reported hacks to their systems. In a number of cases, users were running the latest available firmware, particularly in the case of OEM models.
Based on the number and geographic diversity of systems reported as attacked, this looks to be an automated attack, with victims picked at random from Shodan or similar scans. The attack adjusts settings on connected cameras to make the image black, but does not touch recorded video or lock the user out of the system. This makes the attacks similar to Brickerbot in nature: they attempt to call attention to the device's poor security, not to render it inoperable or enroll it in a botnet.
Dahua's Many Vulnerabilities
Dahua has had a number of reported vulnerabilities in products. Dahua cameras and recorders fueled the Mirai botnet in 2016, leading to some of the largest DDoS attacks on victims ever (Dahua also claimed themselves as a victim of Mirai).
This was followed up by bashis' Dahua backdoor discovery in March 2017. This also impacted key partners, such as FLIR, forcing them to deal with Dahua's poor security implementation. A Dahua buffer overflow vulnerability was discovered in July 2017, though no known exploits of this have been seen (yet). Multiple vulnerabilities have also been found in Dahua's DHI-HCVR7216A-S3 [link no longer available] recorder, including cleartext passwords, an auto-admin login that allows data sniffing, an admin password bypass, and unencrypted communications that allow man-in-the-middle attacks.
Dahua Responds / Buries Attacks
Dahua has issued a press release in response to these attacks obscurely titling it, "Dahua USA Launches Latest Cybersecurity Initiatives [link no longer available]". The hacks are not mentioned until paragraph 3:
Two important problems to note: these other 'leading' manufacturers are Dahua's own customers / OEMs. The way Dahua phrases it implies that this is some general issue across independent manufacturers, when it is really a Dahua defect that Dahua delivered to both its branded and OEM customers. Moreover, the release tries to blame the attacks on default passwords, but the critical problem is Dahua's own vulnerability that allowed remote attackers to fake local access and hack the Dahua recorders with the 'local only' 888888 account.