Dahua Recorders Mass Hacked

Author: IPVM Team, Published on Sep 25, 2017

Dahua recorders are being hacked and vandalized around the world, as confirmed by dozens of reports to IPVM since the attacks surged 5 days ago.

Key points:

  • If you have Dahua recorders and you port forwarded them (as they unfortunately recommend), check your recorders immediately for impact.
  • Disable port forwarding immediately and block public access to these recorders.
  • Try to upgrade firmware, if possible for your units, though Dahua regularly had challenges distributing firmware for various models and partners.
  • If you have one of the many Dahua OEM recorders (e.g., ADT, for which we have confirmed multiple reports), disable port forwarding and contact your manufacturer.
  • Dahua has still not made any public statement, continuing a trend of poor communication.

Inside, we share full details of the reports we have and the technical elements / vulnerabilities behind this.

Hacked Overview

Based on screen caps and log files submitted to IPVM and posted in public forums, hacked systems will show black images from the camera and display "HACKED 1, HACKED 2, etc." on each camera feed:

The video will be black, as the hacker changes the exposure to effectively hide / block out the video feeds, as shown again below:

And below is a log file sample from CCTV Forum that shows some of the changes made:

Victims Seeking Help

Dahua has not issued any statements on these hacks; their most recent US cyber security update is from July 2017. Search traffic to IPVM for terms relating to 'Dahua hack' shows a ~500% surge above average for the past week:

Sample Reports

IPVM has received numerous reports and cataloged other reports across the Internet including:

I have over 60 dvr that are old and new that are less than 6 months old both branded and unbranded have been severely hacked. Phone has been ringing off the hook. Dahua keeps sending me a year old firmware.

The hackers turned off the camera feed to the four channels and locked out access to turn them back on. There were changes made to color setting, general network, and channel name.

I had a client reach out to me at around 0900 eastern this morning to tell me two of four sites DVR's were sitting with a black 4 pane screen and where the cam info usually sits, it said "hacked." By 2100 eastern time the other two sites went down with the same issue.

Tonight a family member called me and told me their Dahua DVR was showing "hacked" as all the camera titles. I went over to their house and looked at it, and indeed it had been hacked. About an hour later I get a text from an old co-worker... his DVR also showed hacked, also a Dahua. The unit was logged into, some data was changed that caused the screen to go black, and the camera names were changed to Hacked 1, Hacked 2, Hacked 3 and Hacked 4. My main admin account had the password changed, not sure about the secondary.

My cameras say they are "Hacked." I called Dahua in California and they refused to offer any explanation or assistance other than pointing me to their cyber security PDF bulletins online which were of no help to my situation. They simply refused to talk to me other than to say read the bulletins and that's all they were going to say.

An Italian distributor posted about a massive problem from the Dahua hacks:

In the last few days, news of a huge hacker attack on the Italian network has blocked nearly 6,000 Dahua recording apps, only from our channel, over 800 calls between September 19 and 21, regarding Dahua Hackerati recorders. [emphasis IPVM]

And a Greek Dahua partner posted a LinkedIn item:

He later deleted the item.

And this Facebook item cited several national chains impacted with Dahua responding that the person was lying:

A key clue to the hacks came from a person who emailed IPVM:

I stopped by one of our old customers today to look at his DVR, looks like the local only account 888888 was accessed via the internet.

The 888888 Account

Dahua recorders ship with a special '888888' account which is only supposed to work locally. However, according to security researcher bashis, the validation to determine if the client is local to the recorder is done by the client and not the recorder. This means that a malicious client could be formed to use the 888888 account, and tell the recorder it is local, even if it is logging in from a remote network.
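The difference between a client-reported and a server-enforced "local only" rule, as an added example (not code from this article or from Dahua firmware). Every name in it (`loginTrustingClient`, `loginServerEnforced`, `claimsLocal`, `session.channel`) and the account table are hypothetical and constructed for illustration:

```javascript
"use strict";

// Added illustration, not Dahua firmware. All function names, field names and
// the account table below are hypothetical and constructed for this example.

const LOCAL_ONLY = new Set(["888888"]);

// Constructed accounts. Plain-text placeholders keep the demo short;
// a real device would store salted password hashes.
const ACCOUNTS = new Map([
  ["888888", { group: "admin", password: "demo-console-pw" }],
  ["operator", { group: "user", password: "demo-operator-pw" }],
]);

// One canonical form for BOTH the policy check and the account lookup, so a
// variant spelling (padding, full-width digits) cannot pass one and match the other.
function canonicalName(raw) {
  return typeof raw === "string" ? raw.normalize("NFKC").trim() : "";
}

function checkPassword(name, supplied) {
  const account = ACCOUNTS.get(name);
  return account !== undefined && account.password === supplied ? account : null;
}

// WEAK: a model of the design described above. The "local only" rule depends
// on what the client reports about itself (`claimsLocal`), so it is advisory.
function loginTrustingClient(request) {
  const name = canonicalName(request.username);
  const account = checkPassword(name, request.password);
  if (!account) return { ok: false, reason: "bad-credentials" };
  if (LOCAL_ONLY.has(name) && request.claimsLocal !== true) {
    return { ok: false, reason: "local-only" };
  }
  return { ok: true, group: account.group };
}

// HARDENED: locality comes from `session.channel`, which server code sets when
// it creates the session ("console" = attached monitor and mouse, "network" =
// any socket, LAN included). Nothing in the request body can change it.
function loginServerEnforced(session, request, auditLog) {
  const name = canonicalName(request.username);
  // Policy first: a remote peer never gets to test a local-only password.
  if (LOCAL_ONLY.has(name) && session.channel !== "console") {
    auditLog.push({ event: "local-only-denied", user: name, peer: session.peer });
    return { ok: false, reason: "local-only" };
  }
  const account = checkPassword(name, request.password);
  if (!account) {
    auditLog.push({ event: "bad-credentials", user: name, peer: session.peer });
    return { ok: false, reason: "bad-credentials" };
  }
  return { ok: true, group: account.group };
}

// Runs the same request through both designs.
function demo() {
  const auditLog = [];
  const remote = { channel: "network", peer: "203.0.113.7" }; // documentation address
  const consoleSession = { channel: "console", peer: "local-console" };
  const request = { username: "888888", password: "demo-console-pw", claimsLocal: true };
  return {
    weakRemote: loginTrustingClient(request),
    hardenedRemote: loginServerEnforced(remote, request, auditLog),
    hardenedFullWidth: loginServerEnforced(
      remote, { ...request, username: "\uFF18\uFF18\uFF18\uFF18\uFF18\uFF18" }, auditLog),
    hardenedConsole: loginServerEnforced(consoleSession, request, auditLog),
    hardenedOperator: loginServerEnforced(
      remote, { username: "operator", password: "demo-operator-pw" }, auditLog),
    auditLog,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The denied attempts recorded in `auditLog` are the events an operator would want forwarded off the device, since a network login attempt against a console-only account is never legitimate.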

We believe that this '888888' exploit has been fixed in newer Dahua firmwares, but Dahua is poor at communicating what is changed, when it was changed and for what models it has been changed.

These attacks are likely based on the backdoor bashis discovered in March 2017, where this vulnerability is cited:

Technical Analysis

Presence of the Dahua special '888888' account, and internet access to port 37777, are the two factors impacted systems reported to IPVM have had in common. Users with non-default admin passwords have reported hacks to their systems. In a number of cases, users were running latest available firmware, particularly in the case of OEM models.

Based on the number and geographic diversity of systems reported as attacked, this looks to be an automated attack, with victims picked at random from Shodan or similar scans. The attack adjusts settings on connected cameras to make the image black, but does not touch recorded video, or lock the user out of the system. This makes the attacks similar to Brickerbot in nature, attempting to call attention to the devices' poor security, not render them inoperable or enroll them in a botnet.

Dahua's Many Vulnerabilities

Dahua has had a number of reported vulnerabilities in products. Dahua cameras and recorders fueled the Mirai botnet in 2016, leading to some of the largest DDoS attacks on victims ever (Dahua also claimed themselves as a victim of Mirai).

This was followed up by bashis' Dahua backdoor discovery in March 2017. This also impacted key partners, such as FLIR, forcing them to deal with Dahua's poor security implementation. A Dahua buffer overflow vulnerability was discovered in July 2017, though no known exploits of this have been seen (yet). Multiple vulnerabilities have also been found in Dahua's DHI-HCVR7216A-S3 recorder, including cleartext passwords, an auto-admin login that allows data sniffing, an admin password bypass, and unencrypted communications that allow man-in-the-middle attacks.

Dahua Responds / Buries Attacks

Dahua has issued a press release in response to these attacks obscurely titling it, "Dahua USA Launches Latest Cybersecurity Initiatives". The hacks are not mentioned until paragraph 3:

Two important problems to note: These other 'leading' manufacturers are Dahua's own customers / OEMs. The way Dahua phrases it implies that this is some general issue across independent manufacturers, but it really is a Dahua defect that Dahua delivered to both their branded and OEM customers. Moreover, the release tries to blame the attacks on default passwords, but the critical problem is Dahua's own vulnerability that allowed remote attackers to fake local access to hack the Dahua recorders with the 'local only' 888888 account.

Comments (163)

The upside of this is that dealers will start appreciating the downsides of buying lower priced items that have expensive longer term costs. Consider the Dahua dealers that need to explain why this is happening, why they recommended these products, and deal with servicing those systems.

The excuse that any product can be 'hacked' is exposed when you see the type of fundamental errors and poor response underlying Dahua's situation here.

Much better that we saw this coming quite a while ago and got out ASAP! For a while we thought no one in the industry cared about actual security. Maybe I was just ahead of the curve.

The upside of this is that dealers will start appreciating the downsides of buying lower priced items that have expensive longer term costs. Consider the Dahua dealers that need to explain why this is happening, why they recommended these products, and deal with servicing those systems.

Because people like cheap stuff here too much; they just love that it makes them pay less.

seriously what alternatives are there

at these price points

it must originate from china with same inherent issues

at these price points

it must originate from china with same inherent issues

I do wonder at what point these companies factor in the higher support and cybersecurity costs involved. The West is different than China in these respects and, as these manufacturers absorb those costs, I could see this become a factor in stopping the fall of pricing and/or increasing prices to cover that.

Hikvision: “We shipped millions of IP cameras with a backdoor so simple a 5 year old could exploit it. We are #1”

Dahua: “Hold my beer.”

*Satire

I wish it were true and that it occurred before any exploits were found because then it would seem that they actually tried to prevent exploits and cared about cyber security.

I wish it were true and that it occurred before any exploits were found

Ah, actually it is true in a sense; the joke I was trying to make (but may have muddled accidentally), was exploring what the ultimate shameless spin that Dahua could put on the fact that they were hacked by bashis multiple times.

No I got the joke. I was meaning it would have been nice for Dahua to have put this out because of the fact the patches were released and they had paid Bashis to find the exploits. Yes, Dahua could spin it the way you wrote it. I would just like to see the manufacturers pay for pen testing before releasing all their products.

With possible payments comes an NDA (Non-Disclosure Agreement), and I don't like NDAs, nor being in a dependent position and/or biased.

I like to be independent and impartial in this kind of research, and here are no payments involved.

Dahua are not my preferred target, it's more like D-Link - dig a bit, and you always find something. (quite boring in the long run to be frank)

Axis is, however; they provide a considerably higher challenge to exploit any findings, since they seem to be moving more and more towards the Yocto Project.

However, Axis still suffers a bit with some legacy stuff, and I have lately noted they have removed all goodies like netcat, sftpclient, shttpclient, smtpclient, etc. and introduced ASLR on heap. (bummer)

If all vendors in this industry would try to move towards the Yocto way, I could finally dissect my iRobot and try to see what that camera sees...

Dahua are not my preferred target...

I suppose Dahua should take some comfort there.

Axis is however...

Yes, you beat them at their own game :)

When will OEM manufacturers stop using Hikvision or Dahua? How many excuses can they make for their OEM partner with all these security issues? This has to be affecting their reputation and affecting their bottom line.

Partner is a very very loose term with those people. They just want to dump their old junk on you and then release a newer item. Hack? What Hack? Here's a brand new XVR!

Hackers will always be Hacking no matter the manufacturer

Hackers will always be Hacking no matter the manufacturer

Manufacturers who make it easy with poor cybersecurity are the ones who are going to get the hit the hardest.

Plus since the two biggest volume manufacturers (Dahua and Hikvision) are so poor at cybersecurity, it makes it even more attractive. Lots of targets + easy hacking = top choice for hackers.

This is true. And it explains why manufacturers need to pay better attention to this, no need to make your products easy to hack. At least require hackers to put some effort into creating exploits.

Email from Dahua:

Hi Mick

Sorry to cause this issue. We are preparing all general firmware for our OEM customer which should be ready around next Wednesday. Please let your technical talk to Tessie if you need some firmware quickly. And I saw the email between Tessie and Matt. They were trying to solve this issue.

Best Regards

Eric

are oem dahua partners so unloved they try protect their own brand

leaving oem partners in the dark

how long can customers go without cctv

as an immediate fix we in the uk are offering a nominal charge to get another dvr /nvr

until dahua issue us with a workable fix

in the meantime buy a shovel and bury a dahua dvr in a big dark hole

flir must be crying imagine getting sued by investors for 2 bilion usd

for not giving full disclosure

wow

someone needs to go through their emails

see what they knew and when

To this end; who is most responsible? The manufacturer, the distributor or the installer?

I guess what I'm asking is, how do we get in on the class action lawsuit?

I guess what I'm asking is, how do we get in on the class action lawsuit?

Class-action settlements are never anything worthwhile, in this case you'd be lucky to get $5 and a $50 off any DVR coupon.

Not for my gain...

For public safety. To teach a lesson. To maybe, for once, stop the infection of insecure Chinese hacking aids from a rival nation that seeks to own us. Maybe to get people to WAKE UP.

unfortunately the end user or their IT department

if not on the internet hacking not really possible

but should a corporate adt/flir ipo quoted companies not declare the issue to shareholders investors may have a case for not giving full disclosure

dont use phone app keep it off the internet less risk

[IPVM Note: this is from security researcher Bashis]

Dahua Snapshot (07/10/2016): How to Create a More Secure Security System (v1)

19. Use 888888 and 666666 Accounts:

● These accounts can only be used to log in to the system using a monitor and mouse connected directly to the system. You cannot log in remotely using either of these accounts. That is why it is important to lock down the physical location of the device.

Dahua Snapshot (12/3/2017): How to Create a More Secure Security System (v2)

17. Use 888888 Accounts:

● These accounts can only be used to log in to the system using a monitor and mouse connected directly to the system. You cannot log in remotely using either of these accounts. That is why it is important to lock down the physical location of the device.

Dahua Nowdays: How to Create a More Secure Security System (v3)

17. [Not Existing]

Now that's ridiculous

Yes.

But below was a stupid response from Dahua after I reported this issue:

When they released a small "script patch" to transform this

{
"Group" : "admin",
"Id" : 2,
"Memo" : "888888 's account",
"Name" : "888888",
"Password" : "[obscured]",
"Reserved" : true,
"Sharable" : true
},

to this

{
"Group" : "admin",
"Id" : 2,
"Reserved" : true,
"Sharable" : true
},

That had this effect

Dahua Backdoor Patch Creates A New User "Null"

My crosspost from ipcamtalk DAHUA RECORDERS HACKED

There are three aspects of the Dahua backdoor worth considering.

1. You have upgraded Firmware, but not changed default admin and/or 888888 password = You are pwned
2. You have not upgraded Firmware, but changed default admin and/or 888888 password = You are pwned
3. You have upgraded Firmware, and changed default admin and/or 888888 password = You are not pwned (for now)

Simple.

2. You have not upgraded Firmware, but changed default admin or 888888 password = You are pwned

Bashis, thanks. Can you elaborate on this? If the upgraded firmware did indeed 'fix' this, why would the user need to change the 888888 password?

John,

Newer Dahua has no 888888 account (only admin), but for those older Dahua that still have it, it's not enough to only upgrade Firmware; the admin/888888 password needs to be changed as well.

The fixed Firmware by Dahua is only about the passwd/Account1 backdoor, not the 888888 account.

There is no code in the Dahua server that checks if a login with the 888888 account is local or remote; this is only done locally in the user's browser by one simple check of whether the username is 888888 (then reject with a local browser pop-up) in downloaded JavaScript code. This is one of the reasons why Dahua removed their false statement from "Best Practice".

The usage of the 888888 admin account for remote access, I really don't believe this is anything new (I have seen this also in some bot code), but it has only been brought up to the surface now.

My PoC script for the passwd/Account1 backdoor simply downloads the whole user database, checking for the first available admin account to try to log in with; now it happens that 888888 is the first chosen one, and it usually works, since nobody changes this password, since it's supposedly local only.

So, it's very important to maintain both upgraded Firmware AND no default password, not for any account!

Have a nice day

/bashis

@bashis, if devices only had the TCP port for port forwarding open is this hack still possible? e.g. are devices with just the HTTP / HTTPS port vulnerable?

Indeed, even with your favorite browser if you bypass the local check of 888888 account in 'loginEx.js'. You could use Burp proxy for instance.

I had a client ask me how it was possible that anyone could have gotten the default password to a Dahua recorder. I asked him to go to google and type in "Dahua Default Password,"

https://forum.use-ip.co.uk/threads/dahua-default-login-username-and-password.377/

This is the first entry that pops up and is the very reason why anyone who gets any recorder/PC/Laptop/Etc. from any manufacturer should always change the default password.

**Warning: Conspiracy Theory Coming!!**

Is it too far fetched to think that Hik could be behind the hacking of Dahua? Making Dahua look bad would only benefit HikVision. Or is it silly to think Hik has the ability to hack a competitor, while leaving their own product so vulnerable?

I wish this was a completely ridiculous idea, but all's fair in love and war. This hypothesis is totally supposed to make you laugh, or is it....

Recall Hikvision devices were mass hacked earlier this year - Hikvision Defaulted Devices Getting Hacked.

I have no idea who is doing it and would not even attempt to guess with the little information we know now. However, if there is some material analysis of the source of these attacks, we would potentially report on that.

North Korea.....?? They have been heavily involved in Cyber attacks and Kim Jong Un hand picks kids to go into their elite cyber warfare divisions...

maybe they could knock out a dvr or nvr

got cheap labour costs

The Highfinance, Rotschild, Soros, Freemansons, Gobalists they are making the roules

"Making Dahua look bad would only benefit xxxxx.

"cui prodest scelus is fecit" (for whom the crime advances, he has done it).

If you look with that angle, you may notice that Hikvision and Dahua are real threats to their (mostly western) competitors because of their prices.

And the price is not the only reason: Dahua was one of the first 3 manufacturers (with AXIS and BOSCH) who presented their 4K cameras before other competitors.

https://ipvm.com/reports/dahua-4k-test

(actually that 4K cameras release surprised me a lot)

And recently we hear a lot about HIK and Dahua problems with hackers. cui prodest

Is it too far fetched to think that Hik could be behind the hacking of Dahua?

See: Should Manufacturers Sponsor Penetration Testing Of Competitor's Products?

We sold hundreds of Hikvision NVR's the first few years we were selling IP video and stopped about 18 months ago. Fortunately, we always created complex passcodes and did not use default ports. I am hoping this means those clients won't be affected. Boy am I happy we stopped when we did. We've sent out some mass emails letting people know this is happening and I have spoken to a few clients... it's interesting though... the clients I've spoken to don't care and aren't worried.

the clients I've spoken to don't care and aren't worried.

So if their recorders were hacked, the camera feeds turned to black and the camera names changed to 'hacked X', they would not care?

If they actually got hacked I think they might care. When I warned them about the potential vulnerabilities they didn't seem to care that much.

When we find deficiencies during fire alarm inspections we get a similar response. People for the most part just don't care that much. We have a document from the lawyer we have people sign when we make them aware of a problem and they don't want us to address it with fire alarm systems. We're working on the same thing now for our clients who don't want us to come out and upgrade firmware or replace these old cameras systems.

We've made recommendations for these same clients to upgrade to a different system and offered a discount. A few have taken us up on the offer. We're making it easy by leaving the NVR in place and using the cameras and just installing a new server with a new VMS and keeping the cameras/NVR off the WAN. It's not ideal but it's a cost-effective upgrade that keeps the cameras away from the internet. Our recommendation, of course, has been to upgrade everything but no one has gone for it yet.

We should have a fix from dahua tomorrow after a long and unnecessary wait

we will be posting their solution here tomorrow

will apply to

customers with pal

not ntsc

Sadly that is the current state of the industry: most don't care or have the cyber security skills of a 7-year old, and those who care and try to make the situation better are simply shrugged off because they cause stress, and taking the free advice requires their audience to first understand what the problem is. That would also mean they acknowledge their system has flaws. Feels bad.

so accurate and true. Most people just do not comprehend and explaining how their system is vulnerable goes in one ear and out the other. Like our industry has shown over the years, until something bad happens most people do not want to spend.

Apparently this has affected FLIR as well. I have an older 8 channel FLIR NVR in one of my garages that I monitor during the day. I noticed earlier today that I was unable to connect to it. Upon arriving home, sure enough, it has been hacked. All of the settings were changed. It didn't matter that I wasn't using default passwords. I had as secure of a password as you can have with only 6 digits. It took me a couple of hours tonight to get it back online. Currently I'm still on hold with FLIR to see if there are any future firmware updates or any help that they can offer. I'm not going to be holding my breath.

We are hearing many OEMs are impacted.

I know FLIR more recently has their own cloud service which eliminate the need for open ports that this hack uses. On the other hand, older FLIR units, in particular would be at risk.

I am happy with Dahua. If you use IT technology, you have the risk of attacks and it doesn't matter who is the manufacturer. This is the danger which is coming from success. Without the quality / price ratio, it would be hard for us to make profit.

If you use IT technology, you have the risk of attacks and it doesn't matter who is the manufacturer.

It does matter if the manufacturer includes a 'local only' account that has a vulnerability that allows remote attack. That is a defect, not a normal 'IT' 'thing'. Agree/disagree?

That's a bit like saying if you have someone build you a house, it's business as usual that they forgot to install one wall but covered it with a blanket and assured you everything's fine. Perhaps someone also suggested you should at least have a fence, but you ignored them because you trust the "wall".

Edit: I understand that profit margins matter, and also that essentially every device has security flaws. These are just so basic, awful flaws that they are worthy of ridicule. Maybe in the future a company will emerge that has the skill and cojones to guarantee that their unit is not susceptible to easy attacks. And if it still was, they would humbly apologize, fix, and compensate the damage 50x. Too bold? For those who know they suck, it would be.

This would be a death sentence to anyone making that statement. There are many, many super smart people out there who are bored and do this type of thing for entertainment. This was just a script-kiddie attack by someone who figured out how to adapt the local-only account flaw into a script that has been around bugging dahua stuff for a few years now (it used to create a "system" account and in the account notes said something like "You've been hacked"). In considering the alternatives, this was not malicious. As far as I have heard, footage has not been lost, hard drives have not been formatted to erase footage, and only the live preview windows were altered, not the actual recorded content. It could actually be considered a nudge to wake people up and try to get them to secure their equipment and maybe put a bug in the manufacturer's ear to get them to actually give half a hoot about security, which they won't because they: a) just don't care, b) won't add to the cost and detract from the profits or c) just don't know how.

I agree, some automated script like this is probably just "for teh lulz" and while providing amusement for the initiator, it hopefully also wakes someone up to the security problems. Just like you - I'm sure - I wish most manufacturers/integrators et al. would take it seriously after their customers take a hit.

are you also happy with alleged postings from the Mirai botnet author that Dahua products included 60 plus "secret" user and password credentials?

I would recommend Dahuas, but not the NVR's...

On a job we are pricing now, we just removed a Dahua NVR option..

Nelly's Security has issued a notice about the hack:

They blame it on default passwords but they leave out the critical point that it was a vulnerability that allowed remotely using the 'local only' account.

When we first learned about the hack, we were under the impression that it was due to usernames & passwords remaining default and having old firmware and/or a combination of both. All the reports we have had so far were from customers who left their passwords default. Some of our larger previous customers who used a lot of Dahua in the past who routinely changed their passwords were not affected as much as other customers who never changed their passwords. So far, we've only had one report of a guy saying that he is very positive that he changed the password to the 888888 account so it's possible that even machines with changed passwords were vulnerable.

Due to the onslaught of inquiries we received yesterday regarding this issue, we wanted to get something up as quick as possible and give a brief overview of the issue for our customers with the information that we have received to get them back up and running as soon as possible without going into deep depths of the technical aspects of how and why the hack occurred as we are still learning ourselves. We will update the site as needed and plan on continuing to educate our current customers about best practices on how to keep their products secure. I've given up a long time ago on getting any relevant information from Dahua so unfortunately we have to figure this out the hard way.

Sean, I see in your instructions that you are not recommending changing the default port. Is there a reason why that isn’t part of your plan? Is it the difficulty of getting port forwarding configured in the firewall?

So far we only had 1 compromised unit and by coincidence it's the only one using Dahua's P2P service.

In this device the log shows that the admin account was compromised. I've double checked, and the password was not the default, our password is still operational. The attack also included changing the network settings.

Until the new firmware is out, guess we have to pull the plug on every device..

I have a Uniden Scanner Radio and monitor my local emergency agencies. Sometimes I hear an alarm dispatch to one of my customer's homes or businesses. The other night I heard a local police department being dispatched to a home to investigate a suspicious activity. The dispatcher said the homeowner has multiple cameras around her home and noticed the monitor is displaying the word "hacked" on all of her cameras.

Chances are, this is one of the affected systems and this gives you an idea of how some of your clients will be reacting to the problem. Some people may think they're being targeted or stalked, and may not realize it's happening globally. We don't know if this was a DIY install or something installed by an integrator, not that it makes a big difference. I don't know what a law enforcement agency would do in this type of matter, they may just document the call with a brief report, especially if the person had the cameras installed because they were, or are currently being, stalked or harassed.

I find it sort of cool you were eavesdropping an emergency report of this particular hack in the wild.

yes sometimes people forget these are products solutions to safeguard people

women at risk is a common use where the ex comes round to cause trouble

in this light something really should have been put together more quickly

I see your point. My counterpoint is that if the client's sole requirement for a security system is that it is cheap... they're kind of asking for it. It is a risk on their part, measured appropriately or not. No one hires a 5'2" 100 lbs bodyguard, at any price, for good reason. Also, much less likely to do so if they also work for a frenemy on the side.

But a good guard company wouldn't hire a 5'2" 100lb guard. By hiring them and offering them to their customers they are vetting it as an appropriate solution. If they were offering this individual as a clown and they were then offered a job as a guard, then it is the customer's fault.

But Dahua is offering products that look like professional security products and marketing them to professional customers.

It ends up being buyer beware but a small customer who doesn't do lots of research or have experience with this would have no idea, except that they can't pronounce the name or identify the logo.

I don't know, there are some short guys that I'd prefer as a bodyguard:

https://www.youtube.com/watch?v=6HvnRvUSHr4

Update:

Dahua Responds / Buries Attacks

Dahua has issued a press release in response to these attacks obscurely titling it, "Dahua USA Launches Latest Cybersecurity Initiatives". The hacks are not mentioned until paragraph 3:

Two important problems to note: These other 'leading' manufacturers are Dahua's own customers / OEMs. The way Dahua phrases it implies that this is some general issue across independent manufacturers but it really is a Dahua defect that Dahua delivered to both their branded and OEM customers. Moreover, the release tries to blame the attacks on default passwords but the critical problem is Dahua's own vulnerability that allowed remote attackers to fake local access to hack the Dahua recorders with the 'local only' 88888888 account.

*bottles Dahua's crocodile tears to sell at a discount later*

As usual, goes to show the typical response of a company responsible for ********: denial, misleading and blaming others. Too bad it only works on clueless people.

Apparently it works for everyone because both dahua and hik continue to use this tactic time after time after time without fail. They just don't care, it will blow over in a few days and they'll have another sale and it will all be water under the bridge until the next time it happens. If a reseller/installer tries to take a stand by not buying their stuff, they only suffer when they lose customers that insist on the cheap garbage no matter the risks.

#8, #12, good exchange.

I do agree with #12 that many dealers will blow over in a few days, and these guys will do more sales, etc.

On the other hand, I still think it is going to be damaging. (1) Some dealers (even if it is only 1 out of 5) are going to be upset, maybe upset enough to switch, (2) many potential new dealers will hear about this, and make them more wary, increasing sales cost and (3) these companies really need to get to a point where they hold their prices to pay for their heavy sales and marketing expenses.

My net/net, these companies can take an external marketing position that everything is sunshine and roses all they want but they know inside that they can't absorb these types of problems long term.

These issues are going to make it harder and harder for Dahua and Hikvision to get into the enterprise market IMO. In the last couple of weeks, I am starting to see some changes in our healthcare customers. Before we worked either with security or facilities but in the last couple of weeks IT is getting involved and wants to know everything. One of our customers just handed all physical security to their new CSO who promptly started to do pen tests on the network and showed his bosses how easy it is to clone their access cards. I would not want to be the guy trying to sell him Hikvision or Dahua.

That's fantastic!

We are seeing some pretty significant pushes in the cyber security items that ride or touch the client network:

1. Antivirus on the VMS server.

2. Carbon Black

3. ACL limitations on remote access

4. SolarWinds deployment

5. Actually taking the time to manage their domains as it applies to the VMS clients

6. Automatic scheduled Windows updates

All welcome changes with the possible exception of #2 simply due to the time Carbon Black adds when updating servers. These are both enterprise accounts. I believe the news on hacks may be starting to shake them. For this reason I can guarantee Hik/Dahua would have an incredibly difficult time poaching these Enterprise accounts.

I guess you're right, at least in the sense that it works way too often. Perhaps imprisoning people with absolute disregard for their ignorant and damaging behavior would deter others from doing the same mistake too often. But hey, it's not like the same doesn't happen in any other sector, including geopolitics, so I'm not holding my breath.

Most of our hacked machines have had no actual 888888 local accounts but may have had default admin passwords (we have had some reports where all passwords were changed too!) so the attack was done in multiple ways.

Also we actually 1st started to experience reports from recorders that only had P2P setup so this is a concern too going forward....

I only use Chinese made products on standalone networks. I use Axis if the network is connected to the internet.

Who would have thought that exposing a device to the internet with default passwords was a bad idea !?!

I must say I'm a bit surprised to see how many installers are making this cardinal error.

To be fair, they were probably just following the instructions: change default admin password, check. Set up port forwarding, check. Get pwned, ****.

I would agree. If you aren’t changing the default password and are on the internet, you don’t deserve to be in business. Yes, Dahua isn’t perfect, but hearing the presence of default passwords is just dumb.

I also don’t understand why you wouldn’t have different passwords for every machine. It’s not that hard to document user names and password.

I have one customer that had a Dahua DVR with all default passwords. The reason for this is that the owner keeps it in a steel lockbox with a custom steel bar with a padlock. It’s not connected to any network.

While I don't know all specifics of those Dahuas, it doesn't sound unlikely that someone might just buy a recorder, set it up per the Quick Start Guide, reach page 20 where it says:

For security reason, please modify password after you first login.

Fair enough, they do that. That is, they change the password of the admin account that is bolded in the manual, since the "888888" account is defined as "local only". It's plausible someone believes that and just leaves that as default, in case of dementia or something else. On the same page they repeat:

For your own safety, please change your administrator default password after your first login. (emphasis mine)

This makes it sound a bit like the admin account is the one to take care of and gives a mixed signal, not making it clear that also the "local" passwords should be changed. The main fault though is the poor implementation of "local only" for the "888888" account, as far as I've understood the issue.

I have only had one Dahua DVR hacked so far. It was on older firmware using port 8080 and 37777. It’s also the only DVR that has HTTP port forwarded. Every other unit only has 37777. Time of hack was 4:00 a.m. EST Sunday. All passwords were not default and no passwords appeared to have been changed after the hack.

All passwords were not default and no passwords appeared to have been changed after the hack.

Kyle, to that end, you agree that the hacks are exploiting something beyond default passwords?

For sure. On every Dahua that has been connected to the internet I have always changed the 6’s, the 8’s and admin account passwords. I would like to know if the hack was through HTTP port. I stopped opening the HTTP on Dahua DVRs a long time ago unless the customer absolutely needed browser access. That was true for this DVR.

Kyle, good feedback. We did get more detailed comments from Dahua overnight but we are still in the process of talking to them and will pass along your input as well as ask some more questions and report back here when we have more details to share.

A suggestion would be to use the P2P option with the qr code and an app such as easy4ip. I have heard that the refresh rate is slower than accessing your NVR via port forwarding but this solution I believe is far safer. What are your thoughts on this John?

http://www1.dahuasecurity.com/products_category/easy4ip-587.html

Slower access...to not connecting at all...to I’m not going to trust their security on the cloud and be held hostage if their connection breaks. I tried it with two customers as a test when it was first available...no thanks.

Thank you for your feedback Kyle. It is appreciated. It is unfortunate that we live in a world where people feel the need to be destructive with other peoples property. These hackers get a buzz out of this kind of destructive challenge when they could be using their intelligence and creative abilities to make our world a much better place. The manufacturer, installer and customer unfortunately wear the brunt of these childish games.

The major number of Dahua customers are OEM

They have been abandoned by Dahua saying that james pulled all the stops at Dahua and has now given us firmware for our older DVRs

I would like to thank him for fixing this

All those who use pal OEM DVR/NVR here's the fix

http://qvisglobal.com/dahua-hack-fix

The Dahua hacks are getting some interest / attention on Reddit but only one participant correctly was able to explain that this was from Dahua, the rest speculated about what to do / what was going on.

This is becoming old news

Dahua have published a fix

Heading out to fix two more units this morning. They were not my installs. These are IC Realtime units that were installed by alarm techs with ZERO security knowledge. Default everything on these units upon install. Never even changed a single setting. Plug and run.

why easy for customer to do them self

I agree. They have step by step instructions from IC Realtime, but still want a professional to come do the work instead. I told them my business partner was out with appendicitis and they would have to settle for me instead.

Dahua's market capitalization since January of this year is up 51%. Sitting now at a tidy 10.1 Billion USD. And this is off their 52 week high of a market cap of nearly 12 Billion USD. What's interesting is the five years prior to the publicity Dahua received during the Mirai Botnet exposure, Dahua's stock traded flat, doing essentially nothing for five years. Immediately following the Mirai incident? The stock soared.

In 2015, Dahua realized a value of 4.3 Billion USD. Their stock late 2014 and early 2015 bounced around between 9 and 10 Chinese RMB or about 1.50 US Dollars a share. Since the public exposure to all of the security vulnerabilities, Dahua has gained over 100% in value or nearly 6 BILLION USD. If you are a senior executive at Dahua with company stock, I would imagine you're hoping and praying for more bad press.

Flir/Lorex is obviously Dahua's largest USA buyer now. FLIR stock performance nearly mirrors Dahua since the Mirai incident.

I think Dahua deserves a market capitalization of about 200 hundred dollars.

But being a contrarian here, I do find the irony of the massive wealth created for Dahua management to be extraordinary given the timing of their massive jackpot.

I have had two systems attacked so far at least two or three times each, where would I find this "fix" from Dahua please? Are we talking about firmware upgrade?

Thank you

Eythor

Firmware upgrade and no default password on any account

Try here, if you can find what you should look for...

http://www.dahuasecurity.com/firmware_111.html

Good luck

So bad news. Defaulted and upgraded a Dahua DVR yesterday with new firmware from supplier, changed all default passwords and was hacked again tonight. Any ideas?

Defaulted and upgraded a Dahua DVR yesterday with new firmware from supplier, changed all default passwords and was hacked again tonight. Any ideas?

Unfortunately, I believe you because we have heard a few other cases in the past week with same pattern.

Can you share what firmware version that was? It would help us track this back with Dahua.

A big problem with this situation is that because Dahua has had so many vulnerabilities and such unclarity about what firmware fixes what, it is hard to tell what the attackers are using (potentially multiple vulnerabilities) and what versions 'fix' them.

What is your firmware build date and what is your model? We thought we had the latest firmware on some but apparently we didn't. What a nightmare. Issue is Dahua isn't putting firmware on their site for ALL of their previous DVRs and it's been hell trying to find all of them.

A worst case scenario would probably include the algorithms for the various Dahua password generators out there.

Honestly, this could have played out much worse than it could have if they wanted to do some real damage. Bricking the units, deleting all stored footage, or actively shutting out all other users from access so that defaulting through normal means isn't even possible: these are all things that haven't happened here, but could have and it's a clear indicator that this hacker is just being extra snarky at bringing awareness to insecure practices and firmware in the field of video surveillance.

The method of delivering this public awareness bulletin is a little too "gray" for my tastes (as opposed to being "white"), but the intention is...mostly beneficial to the overall industry.

The model that was hacked again is HCVR16HS-S2 with a firmware build date of 4/17/2017. This is what our supplier sent as a fix.

I think that may be an incomplete SKU for Dahua. However if you mean HCVR4116HS-S2 then the correct firmware would be V3.200.0004.11.R.20170417 (according to Dahua Rep) so the date seems to correspond. This is the firmware we also were instructed to use in order to patch the 888888 vulnerability.

Have you guys tried deleting the 888888 account altogether?

I would be interested to know what response you will get if you try these URIs

1) http://<IP>/current_config/passwd

2) http://<IP>/current_config/Account1

3) http://<IP>/current_config/Config1

4) http://<IP>/current_config/user.lua

5) http://<IP>/current_config/a.sh

6) http://<IP>/current_config/b.sh

/bashis

How did you apply the firmware update? Did you just flash it with a usb or apply full image over serial?

Yes, the complete model number is HCVR4116HS-S2 and the firmware did not appear to fix the problem.

None of the commands above returned anything but webpage not found.

Thanks

What was your reasoning on the commands above?

Looks to me there is something new found (or old but not fixed), some of these URIs are accessible with the things (backdoor) I've found, and some with earlier fixes from Dahua.

And if you get 404 on all, then there is something new...

bashis, hypothetically speaking, could you devise a simple gray hat fix that could be run remotely, as discussed in Should I Hack 10,000 Dahua Cameras?

U3, I don't want to speculate into who and possible motive, I'm more interested into how, and what I have learned today from above it's most probably not what I've discovered and published.

No, I'm just asking you if you think that a remote fix could be created, without the help of Dahua, that would use the 888888 vulnerability to gain access to a device, then do *something* that would disallow 888888 network access, until the owner applies the proper Dahua fix?

I'm not concerned with who or motive either.

Well, if there is a bug in the firmware - then no.

If there is somehow, by any chance and for any reason, another account that you cannot change password on that can dump the user database - then yes, maybe.

There is one hidden account with login: default and passwd: tluafed

But this account doesn't have any direct privileges, so I find it a bit unlikely. (however, there can be a bug - of many others)

I think you see the '888888' as a symptom of the cause, and I have also read about they have only seen 'local' and not '888888'.

I definitely would suggest to kick all these out of any Internet access, no UPnP and definitely _not_ start using P2P (!) - P2P opens other crap that you for sure don't want.

Use VPN (or simply SSH with port forwarding), that would help you a lot.

Another thing, their firmware are shit loaded with all kind of debugging code, I don't even think they leave out anything from R&D to delivery for customers.

I noted that too in my publication, where I kindly asked Dahua to remove all this crap out.

We have now seen this hack on systems with no default passwords, no default ports and 2017 firmware.

Are you saying you have experienced the same issue w/ 2017 firmware or restating my incident?

Let me provide input from our experiences so far with this hack. We have over 300 DVRs out in the field, mainly TVT DVRs/NVRs (75%) and Dahua DVRs/NVRs 20%

We only had about 10 Dahua DVRs affected; some are older models and some have been recent models. It is very inconsistent. I looked at the system log and it shows the user 888888 logged in from the internet from different IP addresses.

187.87.189.91 (from Brasil)

209.27.51.78 (from USA)

I'm sure they are running some type of script through Tor or proxy server.

Hopefully this info can be useful.
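The check described in the comment above (the 'local only' 888888 account logging in from Internet addresses), as an added example that is not part of the original thread or any Dahua tool. The log line layout, field names and sample addresses are constructed for illustration, and the `default` account is included only because it is mentioned elsewhere in this thread.

```python
"""Flag sessions opened by 'local only' recorder accounts from off-site addresses.

The log format here is constructed for this example; adapt parse_line() to
whatever your recorder, syslog export or firewall log actually produces.
"""
import ipaddress
from datetime import datetime

# Accounts the thread describes as local-only, plus the hidden "default" account.
LOCAL_ONLY_ACCOUNTS = {"888888", "default"}

# Ranges treated as "on site". Listed explicitly rather than relying on
# ipaddress.is_private, which also covers documentation and other special ranges.
ON_SITE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample log (documentation addresses stand in for Internet hosts).
SAMPLE_LOG = """\
2017-09-24 03:58:01 event=Login user=admin addr=192.168.1.20
2017-09-24 04:00:12 event=Login user=888888 addr=203.0.113.45
2017-09-24 04:00:15 event=SaveConfig user=888888 addr=203.0.113.45 item=ChannelTitle
2017-09-24 04:00:16 event=SaveConfig user=888888 addr=203.0.113.45 item=VideoColor
2017-09-24 04:00:18 event=SaveConfig user=888888 addr=203.0.113.45 item=Network
2017-09-24 04:00:20 event=Logout user=888888 addr=203.0.113.45
this line is truncated garbage
2017-09-24 09:12:44 event=Login user=888888 addr=192.168.1.108
2017-09-24 09:13:02 event=SaveConfig user=888888 addr=192.168.1.108 item=ChannelTitle
2017-09-25 01:30:00 event=Login user=888888 addr=198.51.100.7
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None if it cannot be parsed."""
    line = line.strip()
    try:
        ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None
    fields = dict(tok.split("=", 1) for tok in line[19:].split() if "=" in tok)
    if not all(k in fields for k in ("event", "user", "addr")):
        return None
    fields["ts"] = ts
    return fields


def is_remote(addr):
    """True when addr is outside the on-site ranges.

    Unparseable addresses count as remote so they get reviewed, not ignored.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True
    return not any(ip in net for net in ON_SITE_NETS)


def find_suspect_sessions(lines):
    """Return (findings, skipped): remote logins by local-only accounts,
    each with the settings changed before logout, and the count of bad lines."""
    open_sessions = {}            # (user, addr) -> finding still in progress
    findings, skipped = [], 0
    for raw in lines:
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec is None:
            skipped += 1
            continue
        key = (rec["user"], rec["addr"])
        if rec["event"] == "Login":
            if rec["user"] in LOCAL_ONLY_ACCOUNTS and is_remote(rec["addr"]):
                finding = {"user": rec["user"], "addr": rec["addr"],
                           "login": rec["ts"], "changes": []}
                open_sessions[key] = finding
                findings.append(finding)
        elif rec["event"] == "Logout":
            open_sessions.pop(key, None)
        elif key in open_sessions:
            # Any other event inside a flagged session is recorded as a change.
            open_sessions[key]["changes"].append(rec.get("item", rec["event"]))
    return findings, skipped


if __name__ == "__main__":
    hits, bad = find_suspect_sessions(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f'{h["login"]}  {h["user"]} from {h["addr"]}  changed: {h["changes"]}')
    print(f"unparsed lines: {bad}")
```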

What a shambles...can't believe that we now have 2 pages of this thread based on security flaws in kit manufactured by the second largest Chinese manufacturer and many are still openly stating that they will keep using this ****

What are your thoughts about whether Dahua should announce this publicly or not, is it theirs to do or not, are they turning a blind eye to this? Does it benefit them to ignore this or do you think they have a solution in hand or are they struggling to come up with a solution?.. And is there one?:-)

A couple more points. I am told by my employee that the updated firmware was not hacked. Don't want to mislead anyone.

An interesting point I noticed after the most recent hack. Previous hacks had changed all channel names to "Hacked". The last dvr we upgraded had changed the names to hacked but also changed two channels to "upgrade firmware". The fact that they named those as such doesn't seem to me like these hacks have malicious intent but maybe another motive. "Upgrade firmware" Thoughts?

I feel the same way "no malicious intent" if they had malicious intent they wouldn't let you know DVR was hacked by changing IP, ch name, image color to black. It's more like a warning or informing us of this vulnerability that maybe Dahua ignored.

The worst aspect of it is the loss of trust and customer dissatisfaction because the system we install had poor security. This is my main short and long term concern.

At the same time if Equifax and other major government agencies get hacked what can we expect for these DVRs/NVRs/IPCs.

BTW I haven't updated one firmware yet, had a couple of units that got hacked I changed the default network port from 37777 to ***** but got hacked a second time, changed the 888888 psswd and so far hasn't been hacked again.

I'll keep you guys posted and hopefully this can be useful to all.

Did you have any other ports open on the firewall? I wonder how you got hit again with using a nonstandard port.

Making a trivial google search for the DVR login pages shows that quite a few of them are running on a non-standard port, but it doesn't really help in the end. If the attacker knows that there used to be a device behind some IP, they could just port scan it to find the new port.

Only http port which I always have change from default, I only use to leave default the 37777

Yes one of the units fixed in the morning which I only changed default 37777 to ***** was hacked a second time, I changed the 888888 password and so far so good.

The ones done in the afternoon we changed the ports and the 888888 user passwd and none have been hacked again so far.

We are eventually going to be updating the FW to all Dahua units that our clients have out there, but I'm waiting for 100% confirmation of vulnerability patched in new FWs. Which that will be another mission with all the different models and very poor categorization of FW downloads

DVR5116H

/Firmware/DVR/DVR5x16/ General_DVR5x16_Eng_PN_V3.200.0001.24.R.20170929

DVR5x08

/Firmware/DVR/DVR5x08/ General_DVR5x08_Eng_PN_V3.200.0001.24.R.20170929

DVR5x04

/Firmware/DVR/DVR5x04/ General_DVR5x04_Eng_PN_V3.200.0001.24.R.20170929

HCVR5104H

/Firmware/DVR/HCVR5104H/ General_HCVR5104H_Eng_N_V3.200.0001.32.R.20170929

HCVR5108H

/Firmware/DVR/HCVR5108H/ General_HCVR5108H_Eng_N_V3.200.0001.32.R.20170929

URL?

Took some time, but I'm loaded up on firmware too now! If anyone needs anything I'm good at magically matching firmware to mystery Dahua models. Ask anyone who buys from me!

@Dahua: Why don't you just list all your firmwares of every single DVR you have made on your website? Why isn't this a no-brainer for you?

Your Dahua Wiki only shows newer model USA versions.

Why is stuff like this so hard for you to figure out how to do?

They have all the firmware for past and present models on the international website http://www.dahuasecurity.com/firmware_111.html

To their credit they went way back to models selling 5+ years ago and applied patches to them (example being DVRxx04LF-A)

You will need their up to date firmware matrix sheet to match all the firmware types to the exact models....

Wow this is great. I swear when I posted this, that was not there. Did they just add this recently?

Where does one get the matrix sheet?

That link is to the Dahua international website, Dahua USA website as typical with Dahua is different in most ways and Dahua USA clearly don't care too much about legacy models.

If you go into the products on the international website you will see a firmware tab where you will also see the firmware type used for the product.

Dahua for some reason don't publish the firmware matrix sheets publicly. If you are looking for details on a particular model, just ask.

Anybody got firmware for Old School Dahua NVR3xxx ?

Our page has been updated.

http://www.flir.com/securityinfo/

FLIR has been pushing updates to Cloud Connected models and users or dealers can accept these updates locally at the machine or through the CMS software and App.

Please read the instructions carefully.

If for some reason you guys may be having trouble updating really old firmwares. Don't forget to change your file name to update.bin

Back in the day, a device wouldn't take the firmware unless it had this file name

We had a 16 channel Dahua NVR returned to us yesterday that had been hacked. It had the words hacked as the username under the PPPOE settings. We performed a factory reset and all came good and was working again. We will be recommending that the default username and password are removed once a new user has been created. I hope that more development time is spent on protection from the outside in future. This is detrimental to businesses that rely on security systems.

I will start out by disclosing that I am out of town and not physically on site to inspect my clients’ Dahua based recorders, but I have reason to believe they have been hacked again. My clients have been locked out and can not access their Dahua based recorders. They claim the first four cameras are black screens again, but this time they didn’t change the channel labels to HACKED.

Two of these specific units were IC Realtime units that I defaulted and upgraded just last week. I changed all account credentials as well as all port numbers. Only one port was open to the internet, the TCP mobile port (normally 37777 for Dahua). All other ports were closed on the firewall.

I will update this post more when I get back in town and do some more digging first hand.

  • Only one port was open to the internet

WHY? How can it be so hard to not ever do such things?

Just like how hard can it be to make a damn security product somewhat secure and not be victim to elementary attacks and then act clueless, as a manufacturer, to what’s going on.

The manufacturer should of course have a clue first and provide secure options out of the box, or recommend alternatives if those don't fit. But this is just one of ongoing threads here about the poor security of those devices. It should be obvious at this point that their security alone can't be trusted and simply resetting the device after a hack is not sufficient if it can still be poked over the internet. VPNs have been around for a couple of decades now, some cameras even have SSH but I'm not sure if it's used much in the industry.

The devices certainly have enough resources to run stuff like Tinc, but I think what's needed here is mostly effort from the manufacturer to turn secure remote access into a no-brainer, and stop giving poor advice to users.

As it's seemingly impossible for manufacturers to succeed in this, maybe someone should just make a 1-day PoC of a simple VPN-type device management appliance on a cheap, $10 embedded computer (or any available computer) that you could just plug in without complex configuring when installing the security gear. Hopefully some corporation would then steal that, make it a bit fancier and bake it into a mandatory step in the installation of their devices and of course provide it for free.

While all software has flaws, I'm much more comfortable having a public facing SSH server with key-only authentication than a seriously broken web interface riddled with holes.

Jon, if you care to disclose more information about the networking requirements of your client, perhaps we would have some suggestions to improve the security.

It isn’t hard. But it does cost money. This particular client is a penny pincher. At some point, if you add up my time dealing with these issues, it would have paid for a few VPN routers.

I understand. If money wasn't the issue, then time would be anyway. All this stuff should be made as simple and straightforward to use as possible by default, even for the end user.

OK, so these particular IC Realtime units did not get rehacked. They had a PSU die at one site, which they assumed was another hacking incident. False alarm.

I had a couple of two year old 4216nvr's hacked two or three times, I upgraded one of them to see what would happen (was running old firmware since 2015). Just changed names of cameras from "hacked" and network back to what it was before and it is still good. It has port 37777, 37778, 554, 443, 8080 forwarded still and same users and password as before (no not default of course).

The other nvr, same type with same old firmware I changed everything for third time on the same day as I upgraded the other one, well it got hacked very soon after as before but in this time changed the name of one or two cameras from the usual "hacked" to "firmware"...

Unless you upgrade to the latest security patched firmware changing all the other things won't make any difference!

1st Generation 4 Series NVRs use NVR4xxx firmware type, so download DH_NVR4xxx_Eng_P_V3.203.0000.0.R.20170612 from Dahua download page http://www.dahuasecurity.com/firmware_171.html

Or just contact with whomever you purchased it from.

This particular client purchased the IC Realtime DVRs from a local locksmith company. They couldn’t figure out how to unhack the DVR, so they called me in to do it.

I was contacted by Steve Reader from ICR last week when I made a post here. He was very helpful in getting the units firmware upgraded to his latest release (2015), but obviously that firmware is still vulnerable.

If that is the end of the line for these units, they will just need to get unplugged from the net or replaced with something newer that is more difficult to hack. Might be a good time to switch them out to DW Spectrum!

Even though some particular device was more difficult to hack directly (which would be great too), it wouldn't hurt to also have simple and efficient network security in place that needs to be hacked first.

They couldn’t figure out how to unhack the DVR, so they called me in to do it.

"If you're seeing things, running on your 'head'"
"Who ya gonna call? Jon Dillabaugh!"

but in this time changed the name of one or two cameras from the usual "hacked" to "firmware"...

It's as if the hacker was trying to say something...

You think?

The cost of VPN's become negligible when I read stuff like this...

Bad news from my end. The DVRs/NVRs that I thought I fixed by changing the port and 888888 password were hacked again!!!

I have no choice but to upgrade the FW, the questions are, how do I know what FW to upgrade to? The versions are all over the place, there are units that the latest FW is from March, how do we know if that version patched the vulnerability? And how the hell do we match the units to the right firmware when there are so many different models?

This is insane, luckily we don't have many Dahua units out there and after this there will not be any other. If it wasn't for this place we wouldn't know where to turn to. Dahua has handled this very poorly, they should have been contacting all distributors to get ahead of this. Instead of leaving us who deal with the end clients with egg on our face.

Call Dahua tech support or your rep directly and give them the unit serial number. They should be able to direct you to the correct firmware. Be warned, they will not give you FW without the serial number because if it is the wrong FW it could brick the unit. Hope this helps, and btw expect long wait times as they are surprisingly busy lol

and 888888 password

50% done

no choice but to upgrade the FW

50% left

how do we know if that version patched the vulnerability?

Very good question! Dahua?

how the hell do we match the units to the right firmware when there are so many different models?

Another good question! Dahua?? o_O

Just out of curiosity, what port number did you change the recorder to and what ports were left open to the Internet?

Where did you buy the recorders from and are they Dahua branded?

Robert Shih is very helpful at tracking down and getting the firmware needed. At least Hikvision knows how to version firmware and it's relatively easy to find IF it's Hikvision branded. This is not the case with Dahua.

The latest firmware I installed for a CVI recorder that was recently hacked was R.20170417. I thought I only had one Dahua with HTTP opened. This was a second one. Only the mobile port is open after the firmware upgrade. This apparent hack didn't do anything but reset unit to default credentials so it essentially was left open on default to the world. All passwords on all accounts were not default on this recorder including 888888. It was an older firmware.

On another note, I did install two Ring Doorbell Pro cameras at a client's house. I found them to install easily and worked really well. I also did some searching on Ring hacks and it seems that at one point they could be hacked. However, the company had responded that the hack was already addressed with new firmware and those devices update automatically.

I understand the stance on automatic firmware updates and it seems to come down to how much one trusts a company to enable such a thing. While I like the idea of automatic updates, I am more inclined to trust Nest or Ring than I am to trust a Dahua and Hikvision because I can't even stand Dahua SmartPSS and Hikvision iVMS-4200. Knowing the history of exploits from both companies, I don't know that I can trust them with auto updates until it's widely known and proven that they are doing independent pen testing on all products.

Alex -

What is the model # of the unit? We can contact Dahua and help you find the right firmware.

We just found out that some of our really old units out in the field will require a TFTP upgrade to get them to the latest firmware, and trying to update them the regular way is not working on certain specific models.

Sean - does that mean an on-site visit then?

Unfortunately, with customers spread throughout the USA, that would be difficult to achieve. However, we are allowing the customers to send them back to us so we can TFTP them here, but unfortunately that means having no surveillance for a couple of days for the custy. TFTP'ing a Dahua DVR is much more difficult to do than a Hikvision. You have to have a special RS-232 cable for it; it can't simply be done over a network connection.

Thank you so much for the response guys, greatly appreciated.

I'm in the Dahua Wiki trying to make sense of the right FW.

I've just been so reluctant to upgrade the FW because Dahua hasn't confirmed that the newest FW has patched the vulnerability. I guess we just have to update to the latest and cross our fingers it's patched?

I prefer not to disclose what ports I use, but I can tell you that they are far from the default, and I open both the HTTP and TCP to access them remotely.

I agree with you, I wouldn't feel safe setting up automatic updates even if it was available. Especially with their track record and the disregard they have for their clients.

It seems to me that all these companies (Dahua and Hik) don't give much shit about their reputation, given the attention and reactions to this and past hacks. They just care about selling, selling, selling. "We got hacked." "Who cares? Let's sell more" is their attitude.

Is this article relating to this Dahua hacking incident:

https://www.bleepingcomputer.com/news/security/a-gigantic-iot-botnet-has-grown-in-the-shadows-in-the-past-month/

Not directly related, but it is something we are actively watching/investigating.
